By Gabe Maldoff
The General Data Protection Regulation (GDPR) will come into effect in the spring of 2018, replacing the Data Protection Directive 95/46/EC and imposing new obligations on organizations that process the personal data of European Union residents.
While the Regulation aims to bolster privacy rights, it arrives as a centerpiece of the EU Digital Single Market, an initiative designed to boost digital innovation within the EU. By harmonizing privacy legislation across the EU member states and carving out exemptions for scientific, historical and health research, the GDPR seeks to reconcile the often competing values of privacy and innovation.
Research occupies a privileged position within the Regulation. Organizations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organizations also may override a data subject’s right to object to processing and to seek the erasure of personal data (Article 89).
Additionally, the GDPR may permit organizations to process personal data for research purposes without the data subject’s consent (Article 6(1)(f); Recitals 47, 157). In isolated cases, these organizations may be able to transfer personal data to third countries for research purposes, without any other transfer mechanism in place (Article 49(h); Recital 113).
The GDPR adopts a “broad” definition of research, encompassing the activities of public and private entities alike (Recital 159). In the age of big data, where the data analytics activities of many organizations may qualify as research (see Omer Tene and Jules Polonetsky’s “Beyond IRBs: Ethical Guidelines for Data Research”), it is unclear exactly how far the GDPR’s research exemption will extend. One thing is clear, however: The GDPR aims to encourage innovation, as long as organizations implement the appropriate safeguards.
Research as a basis for processing
Organizations that process personal data (“controllers”) must have a lawful basis for any processing activity. Article 6(1) delineates the lawful bases for processing, which include the data subject’s consent and processing that is necessary for the legitimate interests of the controller. Where a controller collects personal data under a lawful basis, such as consent, Article 6(4) allows it to process the data for a secondary research purpose. Research, however, is not explicitly designated as its own lawful basis for processing, but, in some cases, it may qualify under Article 6(1)(f) as a legitimate interest of the controller. Thus, while the GDPR explicitly permits re-purposing collected data for research, it also may permit a controller to collect personal data initially for research purposes, without requiring the data subject’s consent.
Article 6(4): Further processing of personal data for research purposes
One way a controller can process personal data is by obtaining the data subject’s consent. Under the GDPR, consent must be “unambiguous” and specific to the processing operation. This poses a challenge for research because “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of collection” (Recital 33). To address this challenge, Article 6(4) allows for subsequent processing operations that are “compatible.” Recital 50 specifies that further processing for research purposes “should be considered to be compatible.”
Under the Directive, secondary processing for research purposes was permissible only if the Member States “furnish[ed] suitable safeguards” (Recital 29). Thus, the presumption was that a controller could not further process personal data beyond the purposes for which it was collected, unless the relevant member state had enacted legislation permitting such processing activities for research purposes.
The GDPR reverses this presumption, creating an exemption to the principle of purpose limitation for research. Article 5(1)(b) states, “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” Article 89 sets out the safeguards that controllers must implement in order to further process personal data for research.
Research as a legitimate basis for processing?
The GDPR clearly intends to relax restrictions on further processing personal data for research purposes. What about where research is the primary purpose? The Regulation suggests that, at least in some circumstances, research itself may furnish a legitimate basis for processing personal data, even in the absence of the data subject’s consent.
Controllers may process personal data, without consent, when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)).
The concept of “legitimate interests” is further explained in Recital 47, which provides that controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller.” Determining the existence of a legitimate interest requires a “careful assessment” of whether there is “a relevant and appropriate relationship” and “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” (Recital 47). This is a highly fact- and context-specific analysis.
Under the Directive, which contained a similar basis for processing, the Article 29 Working Party found, in its opinion on the notion of legitimate interests, that “processing for research purposes (including marketing research)” could constitute a legitimate interest, provided the controller implemented sufficient safeguards.
The GDPR likewise may permit processing for research purposes as a legitimate interest. Although research is not specifically mentioned as a legitimate interest, Recital 157 identifies the benefits associated with personal data research, including the potential for new knowledge about “widespread medical conditions” and the “long-term correlation of a number of social conditions.” The results of research can “provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people, and improve the efficiency of social services.” Moreover, Recital 47 explicitly provides that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Note, however, that the legitimate interest basis sets out a balancing test, where even if a controller has a legitimate interest in research, it may be “overridden” by the data subject’s rights. Additionally, this basis applies only to private entities. A public entity may process personal data without consent under Article 6(e) – “the performance of a task carried out in the public interest” – which requires a legislative mandate from the Member State or the EU for the processing operation.
Conditions for research exemptions (Article 89 protections)
Controllers that process personal data for research purposes must implement “appropriate safeguards” (Article 89(1)). These controllers must put in place “technical and organizational measures” to ensure that they process only the personal data necessary for the research purposes, in accordance with the principle of data minimization outlined in Article 5(c). When processing personal data for research purposes, Recital 33 states that controllers should act “in keeping with recognized ethical standards for scientific research.” It is worth noting that in the context of data research, as opposed to more traditional human subject research, those very ethical standards are still being debated.
Article 89(1) provides that one way for a controller to comply with the mandate for technical and organizational measures is through deployment of “pseudonymization.” Pseudonymization is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual” (Article 4(3b)). Pseudonymization is not always required but rather its use is encouraged “as long as [the research purposes] can be fulfilled in this manner” (Article 89(1)).
Unlike anonymous data, pseudonymous data remains subject to the remit of the Regulation. Many of the techniques traditionally used to protect privacy in research settings, such as key-coding, fall within the definition of pseudonymization and therefore remain subject to the Regulation. Anonymous data, by contrast, falls outside the scope of the Regulation. Although this creates an incentive for controllers to anonymize data, determining whether data is anonymous is a fact-specific inquiry. Unlike the U.S. Health Insurance Portability and Accountability Act (HIPAA), which sets forth a rule exempting data from regulation if 18 specific identifiers are removed, the GDPR applies a standard, considering data anonymous only when it cannot be identified by any means “reasonably likely to be used … either by the controller or by another person” (Recital 26). Thus, even if a researcher no longer has the ability to re-identify a data set, such data set may still be regulated under the GDPR if it could be re-identified with reasonable effort.
Although controllers are not required to obtain the data subject’s consent for all processing for research purposes, they remain bound by the GDPR’s notice requirements. Article 12(1) requires controllers to “take appropriate measures” to inform data subjects of the nature of the processing activities and the rights available to them. Controllers are required to provide this information in all circumstances, regardless of whether consent is the basis for processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
Notice should be provided at the time when the data is first collected and it must include the controller’s identity and contact information, the intended purposes of the processing activities, and, where applicable, that the data will be transferred to another entity or to a third country. Additionally, a controller must provide, under Article 13(2), notice of the data subject’s rights to access, rectification, erasure and to object to processing, as well as notice of “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.”
An updated notice should be provided where a controller intends to further process data for a different purpose, including for research. Under Article 13(3), the subsequent notice must include both the new research purpose and the elements laid out in Article 13(2), which mainly concern the data subject’s rights with regard to her data.
Providing upfront notice about research at the point of collection poses a challenge for researchers because of the difficulty in identifying research purposes in advance, especially in the context of big data. Unlike traditional research, where a researcher identifies a hypothesis and tests it against a data set, data mining techniques often search for correlations within data sets without the baseline of a specific test hypothesis (see Tal Z. Zarsky’s “Desperately Seeking Solutions: Using Implementation-Based Solutions for the Troubles of Information Privacy in the Age of Data Mining and the Internet Society”). Thus, a researcher may not know the scope of her research until after the data is collected and used. The GDPR accounts for this challenge in Recital 33, providing that data subjects should be able to “consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” This demonstrates that the Regulation permits more relaxed specificity in the notice provided for research processing.
Additionally, a researcher may be exempt from the notice requirement if she received the personal data from someone other than the data subject, such as where the data came from a publicly available source. Article 14 exempts controllers in these circumstances, if “the provision of such information proves impossible or would involve a disproportionate effort,” which “could in particular be the case” in the research context (Recital 62). A researcher also may claim exemption if providing notice would be “likely to render impossible or seriously impair the achievement of the [research] objectives,” provided there are appropriate safeguards in place, “including making the information publicly available” (Article 14(5)(b)).
Exemptions from data subject rights
The GDPR creates a host of data subject rights that controllers are bound to uphold when they process personal data. Consistent with exemptions from the purpose limitation and storage limitation principles for research processing, the Regulation carves out exceptions to data subject rights for processing related to research. Exemptions from the right to erasure and the right to object stem directly from the text of the Regulation. Additionally, member states may craft exemptions to a number of other rights by appropriate legislation.
Exemptions directly provided in the GDPR
Article 17 supplies each data subject with the right to have her personal data erased when she withdraws consent or objects to the processing, as well as when the data are no longer needed for the purpose for which they were first collected. In many cases, complying with this right threatens the integrity of a researcher’s dataset. To address this concern, the Regulation exempts research from the right to erasure insofar as it is “likely to render impossible or seriously impair the achievement of the [research] objectives” (Article 17(3)(d)). Thus, at least in some cases, researchers may further process personal data for research purposes in spite of a data subject’s request for erasure.
Under Article 21, data subjects retain a right to object to processing, even for research purposes. However, a researcher may override a data subject’s objection if “the processing is necessary for the performance of a task carried out for reasons of public interest” (Article 21(6)). For a task to be justified by public interest, Recital 45 specifies that it “should have a basis in Union or Member State law.”
Exemptions requiring member state legislative action
Article 89(2) allows member states or the EU to limit data subject rights to access, rectification, restriction, and the right to object where processing is for research purposes subject to the appropriate safeguards. However, this is not a blanket authority to derogate from these rights. The derogations must be “necessary for the fulfillment of [the research] purposes” and they are only permissible if allowing data subjects to exercise their rights likely would “render impossible or seriously impair the achievement of the specific purposes.”
For processing for archiving purposes in the public interest, in addition to the exemptions above, member states may provide derogations from the right to data portability and the right to notification that data have been rectified, restricted or erased (Article 89(3)).
Transferring personal data to third countries for research purposes
The GDPR prohibits the transfer of personal data to countries outside of the EU unless they offer an “adequate level of protection” as determined by the European Commission (Article 45(1)). A controller also may transfer personal data to a third country if it has implemented specific safeguards, including Binding Corporate Rules and standard contractual clauses, or if the data subject has provided explicit consent after being informed of the risks related to the transfer (Article 46(2); Article 49(1)(a)).
In the absence of any of the above measures, the GDPR introduces a new basis for transferring data which is particularly relevant for researchers and did not exist under the Directive. Under Article 49(1), a controller may transfer data to a third country when “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.” Recital 113 makes clear that “the legitimate expectations of society for an increase of knowledge” should be taken into account when determining whether a “compelling legitimate interest” exists.
To make use of this transfer mechanism, however, researchers must meet stringent requirements. The transfer may be based on this ground only if it is not repetitive, it concerns a limited number of data subjects, and “the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards” (Article 49(1)). Moreover, the controller must inform the data subject as well as the data protection authority of the relevant member state of the international transfer.
Due to the onerous nature of these requirements, however, researchers may find the other bases for transfer more convenient.
Under the Directive, further processing for research was permissible only if member states furnished suitable safeguards that “in particular rule out the use of the data in support of measures or decisions regarding any particular individual” (Recital 29). In its opinion on purpose limitation, the Article 29 Working Party found that “‘measures or decisions’ should be interpreted in the broadest sense,” to cover “any relevant impact on particular individuals – either negative or positive.”
The GDPR eliminates this restriction, thereby allowing further processing for research that impacts individuals. However, the GDPR also creates additional safeguards to protect individuals from this type of processing. Article 35(2)(a) requires controllers to conduct a privacy impact assessment (PIA) any time there is “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4(4)). Article 22(1) prohibits controllers from subjecting a data subject to a decision “based solely on automated processing, including profiling,” as a result of processing sensitive data, as defined in Article 9, except in limited circumstances.
Thus, while on the one hand the GDPR removes the restriction on research that produces impacts for individuals, on the other hand it introduces stringent safeguards for such processing. Controllers that conduct this type of research may have to conduct a PIA and they nonetheless may be prohibited from research that impacts individuals on the basis of their sensitive personal data.
Research concerning sensitive personal data
The GDPR forbids a controller from processing “special categories of data” – sensitive data revealing racial or ethnic origin, religious or political beliefs, as well as genetic, biometric, and health data – except in certain enumerated circumstances, such as where the data subject provides “explicit consent” or where the data was “manifestly made public by the data subject” (Article 9(2)(a); Article 9(2)(e)).
In addition to allowing researchers to process sensitive data where the data subject explicitly consents or makes her data public, the GDPR also permits a controller to process sensitive data for research purposes. Article 9(2)(j) allows a researcher to process sensitive data where “processing is necessary for [research] purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” Thus, as clarified in Recital 52, research serves as a basis for processing sensitive data only “when provided by Union or Member State law and subject to suitable safeguards.”
Moreover, Article 6(4) implies that a researcher may further process sensitive data for a research purpose, even if research was not the purpose for the initial collection. Recall that further processing is permissible when the subsequent processing is “compatible,” such as for research (Recital 50). Among the factors to consider in determining compatibility is “the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9” (Article 6(4)). The inclusion of sensitive data among the factors suggests that controllers are permitted to re-purpose sensitive data for research.
This marks a departure from the Directive. Under the Directive, as interpreted by the Article 29 Working Party, “further processing of personal data concerning health, data about children, other vulnerable individuals, or other highly sensitive information should, in principle, be permitted only with the consent of the data subject” (emphasis added). The GDPR, by contrast, does not require consent for such further processing.
Although not explicitly stated in Article 9, Recital 51 makes clear that “the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.” Researchers that process sensitive data, therefore, are subject to the same obligations as researchers that process non-sensitive personal data, as described above. One distinction, however, is that profiling on the basis of sensitive data is forbidden, unless there are “suitable safeguards” and the processing was based on Article 9(2)(a) or (g), which include the data subject’s explicit consent and substantial public interest (Article 22(4)). If the primary purpose for initially collecting sensitive data was for research under Article 9(2)(j), or if the data was “manifestly made public by the data subject” under Article 9(2)(e), profiling is not permitted.
The research exemptions apply to processing personal data for scientific and historical research, statistical research, and archiving in the public interest. The recitals treat each type of research separately.
Scientific research is defined “in a broad manner” (Recital 159). The recital supplies examples, such as “technological development and demonstration, fundamental research, applied research, and privately funded research,” as well as public health research. The recital cites Article 179(1) of the Treaty on the Functioning of the European Union, which promotes “the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely.” This suggests that although private research for technological development qualifies as research, there may be a requirement that the research be published or otherwise made available outside the private entity. An important interpretative question concerns the application of the research provisions to corporate contexts such as research for product improvement or marketing purposes, as opposed to “big-r” research in academic institutions, which is geared at publication and contribution to generalizable knowledge.
Additionally, “specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes” (Recital 159). Although not expressly stated, these “specific conditions” may refer to “recognized ethical standards for scientific research,” which are discussed in Recital 33, as well as the safeguards outlined in Article 89.
Historical research includes genealogical research, but the GDPR generally does not apply to deceased persons (Recital 160). The exception for archiving in the public interest applies to public and private entities that “hold records of public interest,” provided they are under a legal obligation “to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest” (Recital 158). The Regulation also includes a reference to “specific information related to the political behaviour under former totalitarian state regimes,” likely to facilitate research surrounding the Holocaust.
Statistical research is “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (Recital 162). Generally, statistical research “implies that the result of processing for statistical purposes is not personal data, but aggregate data.” While statistical research may be used in support of scientific research, it usually is “not used in support of measures or decisions regarding any particular natural person.” The Recital specifies that the EU or the member states should legislate around the scope of the statistical research exemptions, including defining the appropriate safeguards for assuring “statistical confidentiality.”
Although the GDPR creates heightened obligations for entities that process personal data, it also creates new exemptions for research as part of its mandate to facilitate a Digital Single Market across the EU. Specifically, the GDPR exempts research from the principles of storage limitation and purpose limitation so as to allow researchers to further process personal data beyond the purposes for which they were first collected. Research may furnish a legitimate basis for processing without a data subject’s consent. The Regulation also allows researchers to process sensitive data and, in limited circumstances, to transfer personal data to third countries that do not provide an adequate level of protection. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.
Gabe Maldoff is a privacy and data protection lawyer at Bird & Bird LLP in London and formerly a Westin Fellow at the International Association of Privacy Professionals (IAPP). You can follow him on Twitter: @gmaldoff
This article was originally published on The International Association of Privacy Professionals (IAPP) website. Republished here with permission from the author.