Post on 22-Jan-2018
Big Data Europe Hangout:
How does the research community benefit from the new
EU General Data Protection Regulation?
May 25th 2016 Vigdis Kvalheim, CESSDA Deputy Director, NSD
• The European Parliament adopted the General Data Protection
Regulation (GDPR) on 14 April. (National implementation by 2018).
• Parliament’s vote ends more than four years of work
• Complete overhaul of EU data protection rules.
• Replace the current data protection directive, dating back to 1995.
• Aim to give citizens back control of their personal data in a digitised
world of smartphones, social media, internet banking and global
transfers.
• Aim to create a high, uniform level of data protection across the EU fit
for the digital era
EU Data Protection Reform Approved
CESSDA©2016 2
• Make Europe fit for the digital age
• Put an end to the patchwork of data protection rules
that currently exists in the EU
• Remove barriers and unlock opportunities
• Remove unjustified barriers which limit cross border
data flow
European Commission Press Release, December 15, 2015
Why does this concern us?
«Data has always been a key
resource to tackle the big
challenges in the world.»
Law and legal practice in relation to various types of data do affect possibilities to collect, analyse, preserve and share data. A legal framework that ensures a good balance between research interests and data protection interests is crucial to secure access to personal data for scientific uses. Building a sustainable trust relationship in a digital world of open science and open access.
Why does this concern us?
• Collect data directly from the data subject
• Collect data from various data sources and data holders
• Adequate legal and ethical framework to safeguard
legitimate research interests and needs regarding use of
personal data
• Adequate legal and ethical framework to allow data
producers and data holders to share their data.
Why does this concern us?
• How will the new legislation affect the possibilities to collect, process, use and share various types of data?
• Will the conditions be tightened, stay the same or be improved for various data types and data collection methods?
• Will the various fields of science exploring research topics and questions that can only be answered by analysing individual level and very sensitive data achieve good, predictable and harmonised working conditions?
• Will society get the knowledge needed to tackle the big challenges in the world?
New EU-legislation – The Big Question
Current State of Affairs:
The Data Protection Directive* - a legal instrument that
works well for sciences
• Further processing of personal data for historical,
statistical or scientific purposes is not incompatible with
the original purposes.
• The prohibition against storing unnecessary personal
data is lifted for historical, statistical or scientific
purposes.
Exemption from purpose limitation principle is the
fundamental research guarantee, in particular for
register based research!
*EU Directive 95/46/EC
Commission Proposed a Comprehensive Reform of the
Data Protection Rules, January 2012
• The rights of the data subjects are strengthened
• Consent as the most important mechanism to safeguard
privacy is strengthened
• The role and responsibilities of the data controller
(institution) are strengthened
• The Data Protection Officer institution is made mandatory
• For most parts the proposal protected basic research interests
• Good balance between the public interest in information privacy and
research access
• New research provision, Article 89 and its associated provisions
contain research exemptions and guarantees and protected the
public interest in research with one important exception!
• The exemption that allows use of personal data for new purposes
different from those for which it was collected had been omitted in
the law text and moved to recital 40
Commission’s Proposal -
More continuity than change in conditions
Moving Through the Parliament – the Balance
Shifted in Favor of Privacy*
• Drop all important research
provisions.
• Scientific research is not special
with regard to its public interest
• Scientific research does not deserve
a privileged position within the
legal framework
*December 2012, the Committee on Civil Liberties, Justice and Home Affairs, contains
proposals for amendments to the European Commission's proposal. The Albrecht
Report.
The Albrecht Proposal
Argues e.g. in regard to consent requirements;
Processing of sensitive data for historical, statistical and
scientific research purposes is not as urgent or compelling as
public health or social protection. Consequently, there is no
need to introduce an exception which would put them on the
same level as the other listed justifications.
This was devastating and caused widespread
concern among stakeholders across Europe
Modifies the Albrecht proposal, but several provisions that
'protect' research are removed and/or tightened.
Again, the primary concern was the lack of exemptions for research from the
main requirement for specific and explicit consent for the (re)use and
storage of personal data, as formulated in the European Commission's
proposal in Articles 81 and 83.
The Council’s General Approach, June 15, 2015
Restores the balance, incorporating “old” and a new research right under
Article 6 (2) “Lawful processing”.
Parliament Vote in March 2014
The New GDPR 2016 – Implications for Research
• Research friendly – the balance is restored!
• Data subjects rights are strengthened
• (control, consent, information requirements, erasure, right
to object/be forgotten, access)
• Consent requirements are not absolute, which was not the
case in earlier drafts of the Regulation.
• Consent still a key mechanism for protecting privacy
• However, there are exemptions for scientific and historical
research.
Article 5 principles relating to personal data
processing
(b) collected for specified, explicit and legitimate
purposes and not further processed in a way
incompatible with those purposes; further processing
of personal data for archiving purposes in the public
interest or scientific, statistical or historical
purposes shall in accordance with Article 89 not be
considered incompatible with the initial purposes;
Article 5…..
(e) kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes
for which the personal data are processed (…);
personal data may be stored for longer periods
insofar as the data will be processed for archiving
purposes in the public interest or scientific,
statistical, or historical purposes in accordance with
Article 89 (1)
Article 9 (j) Processing of special categories of personal data
is prohibited unless…..
• the data subject has given explicit consent.. (freely given,
informed, specific and unambiguous)
• the processing relates to personal data which are manifestly
made public by the data subject
• processing is necessary for archiving purposes in the public
interest, or scientific and historical research purposes
in accordance with Article 89 (1)
• “Member states may maintain or introduce further conditions, with regard to the
processing of genetic data, biometric data or health data including limitations,
limitations with regard to the processing of special categories of data, health data”.
(Art. 9, 4.)
Article 17 Right to erasure and “to be forgotten”
Paragraphs 1, 1a and 2a shall not apply to the extent that
processing of the personal data is necessary:
d. for archiving purposes in the public interest or for
scientific, statistical and historical purposes in accordance
with Article 89 (1)
Article 81 in the proposal, restricting the use of health
data without consent for research purposes, is
dropped; however, member states may introduce
further conditions, including limitations, on health,
biometric and genetic data
Article 89 “Safeguards and derogations for the processing
of personal data for archiving purposes in the public
interest, or scientific and historical research purposes or
statistical purposes”
• Appropriate safeguards to protect the rights and
freedoms of the data subject
• Technical and organisational measures
• The principle of data minimisation
• Pseudonymisation if possible
New Regulatory Mechanism - Duty to notify
is abolished
• Research institutions (data controllers) get more
responsibilities and duties.
• Public authorities and public bodies, as well as
enterprises with more than 250 employees, must
designate a data protection officer
• The data protection officer is an instrument for the
institution, conducting impact assessments,
controlling and documenting the processing of
personal data
• Simplify procedures and increase protection!
Signals…
• Research is always compatible (Art.5, Recital 50)
• Improved conditions and increased possibilities for register
based research. The legal basis for using new types of data in
the social survey context, including biomarker, social media
and administrative data, is in place, but
• “Member states may maintain or introduce further
conditions, with regard to the processing of genetic
data, biometric data or health data including limitations,
limitations with regard to the processing of special
categories of data, health data”. (Art. 9, 4.)
The message - Research Friendly -
Continuity More than Change
Will the GDPR succeed given the scope for member
states to introduce further conditions/limitations?
The Norwegian Data Protection Inspectorate states:
“we will advocate the individual right to privacy and push
for Member States to introduce more limitations on
scientific use of special categories of data”
If successful, will this contradict efforts to achieve similar
conditions for research across Europe?
The Message – Building trust in a world of big data and open access
We have to understand that we need:
• An adequate legal framework to safeguard both
privacy and access to personal data for scientific
purposes.
• An adequate procedural framework that
safeguards information privacy as well as the
legitimate interests of research to access and
use personal data.