The European Data Protection Regulation and research Graham Love Chief Executive Health Research Board 1
Background to the Regulation Proposal from Commission in January 2012 Regulation = directly binding Covers use of personal data across most sectors except for law enforcement Under Commission’s proposal, consent is not required to legitimise the use of data in research – vital exemption. 2
Legislative process Council (Member States ) Parliament (LIBE) Commission TRILOGUE 3
Legislative procedure for EU Data Protection Regulation 4
The political context 5
The European Parliament’s position LIBE committee agreed 91 compromise amendments from over 3000 tabled European Parliament voted on 12 March in a ‘block vote’ all amendments. Almost unanimous in favour of the amendments because agreed by political groups in advance. 6
Debate in the European Parliament We cannot allow people to run into doctors’ offices and take our personalised, private profiles It is vital that the changes to Articles 81 and 83 are reconsidered and that expert advice is taken 7
Impact Special provisions for the use of data concerning health in research Member States able to create an exemption from specific consent, but very narrow. Only: –for pseudonymous data; –in “high public interest”; and –where the research “cannot possibly be carried out otherwise” Much research using routine data, biobanks, registries or cohorts could become impossible or unworkable 8
Article 81 (2) Research using data concerning health Amendment outline Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83. Analysis This amendment makes the exemption from consent for the use of data concerning health in research very narrow. This will prevent valuable health research that is currently legal and already tightly regulated under European and Member State law. 9 KEY Text added by the LIBE committee is in bold italics Text deleted by the LIBE committee is struck through bold italics Text of proposed amendments is in bold underlined italics
Article 81 (2a) Research using data concerning health Amendment outline Member States law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves a high public interests, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent unwarranted re- identification of the data subjects. However, the data subject shall have the right to object at any time in accordance with Article 19. Analysis While the amendment enables Member States to legislate for an exemption, the permitted exemption is very narrow: The exemption could only apply to the use of pseudonymised, not identifiable, data. A very high bar is set for research using pseudonymised data to be eligible for the exemption, which lacks any assessment of proportionality or reasonableness. 10
Article 81 (2a) Further Analysis Particular concerns include: “High public interest” suggests the exemption is to be used only in a very limited set of circumstances. This is likely to be problematic for many studies, particularly because the results and impact of the study are not known at the outset. “Cannot possibly be carried out otherwise” creates a strict test that does not take into account the nature of research, for example, it is not clear how one could show that a particular research project “cannot possibly be carried out otherwise” where it is theoretically possible, but not practicable (because of the sample size needed), to seek consent. The requirement for pseudonymisation to be at “the highest technical standards” lacks an assessment of reasonableness. This is problematic because research resources are often used over many years. Even where a study can demonstrate “highest technical standards” when it is first established, it would be impractical to ensure compliance with this requirement every single time data are used in the future, as this would require continual updating of standards and processes. These amendments also produce an overlap between Articles 81 and 83, creating legal uncertainty. Research is an international activity and would benefit from clear and harmonised rules that facilitate research across Member States. However, Member State-based exemptions will limit the potential for harmonisation. 11
Recital 123a Processing of personal data concerning health Amendment outline The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation foresees an exemption from the requirement of consent in cases of research that serves a high public interest. Analysis The concept of “high public interest” is problematic. “High public interest” suggests the exemption is to be used only in a very limited set of circumstances. This is likely to be problematic for many studies, particularly because the results and impact of the study are not known at the outset. 12
Article 83 (1) Processing for historical, statistical or scientific research purposes Amendment outline Analysis This amendment makes the exemption from consent for the use of health data in research very narrow, which will prevent valuable research that is currently legal. The amendment only applies to the use of pseudonymised, not identifiable, data. In addition, the requirement for pseudonymisation to be at “the highest technical standards” lacks an assessment of reasonableness. This is problematic because research resources are often used over many years. Even where a study can demonstrate “highest technical standards” when it is first established, it would be impractical to ensure compliance with this requirement every single time data are used in the future, as this would require continual updating of standards and processes. 13 In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as theses purposes can be fulfilled in this manner under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.
The Council’s position Council of Ministers still considering Commission’s proposal Research has been discussed in Council working group in January and February Unclear when Council’s position (‘general approach’) will be agreed 14
Next steps Council Parliament Commission TRILOGUE Impact of elections? 15
What is being done? 16
“Regulation should be sufficiently flexible to continue to facilitate processing of personal data for health historical, statistical and scientific research purposes while providing appropriate safeguards for the protection of personal data”. Irish Department of Justice What are we doing in Ireland ? HRB alignment with the EU Wellcome Trust-led approach Engaging with the Department of Justice, other government Departments and with Irish MEPs Informing the research community 17
In order to protect valuable research while protecting privacy, we urge: Council of Ministers to maintain the EU Commission’s text on Articles 81 and 83 and associated provisions when agreeing its general approach MEPs to seek a more positive outcome for research in trilogue negotiations Council of Ministers and EU Commission to oppose the EU Parliament’s amendments to Articles 81 and 83 in trilogue negotiations. 18
Further information or guidelines-and-grant-conditions/eu-data-protection- regulation/ guidelines-and-grant-conditions/eu-data-protection- regulation/ Any questions? Contact Dr Patricia Clarke, HRB Senior Policy Analyst, Tel: Special thanks to Dr Beth Thompson, Wellcome Trust for all of her assistance and advice. 19