The European Data Protection Board (EDPB) recently responded to questions submitted by the EU Commission seeking clarification on the consistent application of the GDPR to health research. The responses cover 21 questions and provide clarity on issues such as: the legal basis for processing health data; processing of special categories of data on a large scale; and further processing of previously collected health data. While it is clear that many questions remain unanswered, further responses are expected in forthcoming guidance currently being prepared by the EDPB.
Legal basis for processing
All processing of personal data concerning health must comply with the data protection principles set out in Article 5 of the GDPR, along with one of the legal grounds set out in Article 6 and Article 9 of the GDPR.
The EDPB acknowledges that a number of legal bases may be relied upon for processing health data. While explicit consent can be used, reliance on this legal basis requires confirmation that no imbalance of power exists between data subjects and researchers.
The EDPB notes “Member State and/or Union law is needed in order to stipulate a legal obligation (c) and/or a task carried out in the public interest (e) under Article 6 GDPR and to stipulate reasons of substantial public interest (g), reasons of public interest in the area of public health (i) and/or scientific research purposes (j) under Article 9 GDPR”. This means there is a divergence in national rules for the processing of genetic, biometric, and health data. In recognising the issues with GDPR compliance when conducting a health research project in multiple Member States, the EDPB recommends the use of the same legal basis for processing data associated with the project. The EDPB calls on the EU Commission to introduce a common framework for the exchange of health data as part of the European Health Data Space.
The notion of broad consent
In responding to questions relating to “broad consent“, the EDPB suggest that while Recital 33 of the GDPR opens up a possibility to mitigate the requirement of specificity of consent, it is subject to a stricter interpretation and requires a high degree of scrutiny as it relates to special categories of data. When the purposes cannot be fully specified, a controller is expected to ensure transparency and have adequate safeguards in place for example, allowing data subjects to withdraw or further specify their consent.
Processing of special categories of data on a large scale
In determining whether it is mandatory for the controller to carry out a Data Protection Impact Assessment (DPIA) prior to processing health data for scientific research purposes, the EDPB recommends that the controller should not solely focus on Article 35(2)(b) of the GDPR (which requires a DPIA prior to processing special category data on a large scale), but to take into account Article 35 of the GDPR as a whole. The EDPB point out that the Guidelines on DPIA provide a useful set of criteria and examples for determining whether processing is “likely to result in a high risk”, and thus require a DPIA to be carried out. It is important to note that variations exist between Member States in relation to the types of processing that warrant a mandatory DPIA.
When addressing the above questions relating to the possible legal basis for processing, the concept of broad consent, and the meaning of “large scale” processing the EDPB refers the Commission to its previously published guidelines on the interplay between the GDPR and the Clinical Trials Regulation (previously discussed here) and its updated guidance on consent.
Transparency of data processing
In repose to the EU Commissions question on exemptions available from transparency, the EDPB highlight the obligations for controllers set out in Articles 13 (data obtained from the data subject) and 14 (data not obtained from the data subject) of the GDPR as key element of transparency. Before further processing takes place, the controller should provide the data subject with information on that other purpose and with any relevant further information (Article 13(3) and Article 14(4)). Article 14(5)(b) of the GDPR, which should be interpreted in a restricted way, provides an exception to this obligation for scientific research. In confirming that no exception exists for Article 13 of the GDPR, the EDPB suggest that controllers should act appropriately at the time of collection of the data and implement ‘more dynamic ways’ of informing data subjects about future research.
In relation to retention of data, the EDPB confirms that personal data could be stored for longer than is necessary for the initial purpose if retained solely for scientific research purposes. Such scientific research much be performed in accordance with Article 89(1) of the GDPR.
Further processing of previously collected health data
The presumption of compatibility under Article 5(1)(b) of the GDPR can only be used under the condition that in such further processing for scientific research purposes adequate safeguards as required by Article 89(1) of the GDPR are respected. When further processing of health data relies on the presumption of compatible use, the controller must take Article 9 of the GDPR into account. This is important, as the exemption to the prohibition on the processing of health data that a health care provider relied on for the original purpose may not extend to the further processing of health data for scientific research purposes.
The EDPB makes clear that numerous questions could not be comprehensively answered and called for more time for “in-depth analysis and/or a search for examples and best practices”. In relation to questions on further processing of previously collected health data, anonymization of data, and international cooperation the EDPB did not provide full answers and instead refers to its forthcoming guidelines on the processing of personal data for scientific research purposes.
In addition to having a legal basis under Article 6 and Article 9 of the GDPR, researchers subject to Irish data protection laws must also comply with the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2018 (S.I. No. 314/2018) (discussed here), as well as the new Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021 (S.I. No. 18/2021) (the 2021 Regulations). Amongst other things, the 2021 Regulations reformulate the definition of explicit consent, introduce the concept of “deferred consent”, and provide clarification on the appeals process and pre-screening. The Department of Health has produced useful guidance on the 2021 Regulations, which is available here.
The EDPB is currently developing further guidelines on the processing of personal data for scientific research purposes, which we hope will elaborate further on the above issues. The EDPB aims to publish these guidelines in the course of 2021. In the meantime, the responses provide welcome clarity on the consistent application of the GDPR to health research.