BDE Webinar: How does the research community benefit from the new EU General Data Protection...

Big Data Europe Hangout: How does the research community benefit from the new EU General Data Protection Regulation? May 25th 2016 Vigdis Kvalheim, CESSDA Deputy Director, NSD

Big Data Europe Hangout:

How does the research community benefit from the new EU General Data Protection Regulation?

May 25th 2016 Vigdis Kvalheim, CESSDA Deputy Director, NSD

• The European Parliament adopted the General Data Protection Regulation (GDPR) on 14 April. (National implementation by 2018).

• Parliament’s vote ends more than four years of work

• Complete overhaul of EU data protection rules.

• Replace the current data protection directive, dating back to 1995.

• Aim to give citizens back control of their personal data in a digitised world of smartphones, social media, internet banking and global transfers.

• Aim to create a high, uniform level of data protection across the EU fit for the digital era

EU Data Protection Reform Approved

CESSDA©2016 2

• Make Europe fit for the digital age

• Put an end to the patchwork of data protection rules that currently exists in the EU

• Remove barriers and unlock opportunities

• Remove unjustified barriers which limit cross-border data flow

European Commission Press Release, December 15, 2015

Why does this concern us?

«Data has always been a key resource to tackle the big challenges in the world.»

Law and legal practice in relation to various types of data do affect possibilities to collect, analyse, preserve and share data. A legal framework that ensures a good balance between research interests and data protection interests is crucial to secure access to personal data for scientific uses.

Building a sustainable trust relationship in a digital world of open science and open access

Why does this concern us?

• Collect data directly from the data subject

• Collect data from various data sources and data holders

• Adequate legal and ethical framework to safeguard legitimate research interests and needs regarding use of personal data

• Adequate legal and ethical framework to allow data producers and data holders to share their data.

Why does this concern us?

• How will the new legislation affect the possibilities to collect, process, use and share various types of data?

• Will the conditions be tightened, stay the same or be improved for various data types and data collection methods?

• Will the various fields of science exploring research topics and questions that can only be answered by analysing individual level and very sensitive data achieve good, predictable and harmonised working conditions?

• Will society get the knowledge needed to tackle the big challenges in the world?

New EU-legislation – The Big Question

Current State of Affairs:

The Data Protection Directive* - a legal instrument that works well for sciences

• Further processing of personal data for historical, statistical or scientific purposes is not incompatible with the original purposes.

• The prohibition against storing unnecessary personal data is lifted for historical, statistical or scientific purposes.

Exemption from purpose limitation principle is the fundamental research guarantee, in particular for register based research!

*EU Directive 95/46/EC

Commission Proposed a Comprehensive Reform of the Data Protection Rules, January 2012

• The rights of the data subjects are strengthened

• Consent as the most important mechanism to safeguard privacy is strengthened

• The role and responsibilities of the data controller (institution) are strengthened

• The Data Protection Officer institution is made mandatory

• For the most part, the proposal protected basic research interests

• Good balance between the public interest in information privacy and research access

• New research provision, Article 89 and its associated provisions contain research exemptions and guarantees and protected the public interest in research with one important exception!

• The exemption that allows use of personal data for new purposes different from those for which it was collected had been omitted in the law text and moved to recital 40

Commission’s Proposal - More continuity than change in conditions

Moving Through the Parliament – the Balance Shifted in Favor of Privacy*

• Drop all important research provisions.

• Scientific research is not special with regard to its public interest

• Scientific research does not deserve a privileged position within the legal framework

*December 2012, the Committee on Civil Liberties, Justice and Home Affairs, contains proposals for amendments to the European Commission's proposal. The Albrecht Report.

The Albrecht Proposal

Argues e.g. in regard to consent requirements;

Processing of sensitive data for historical, statistical and scientific research purposes is not as urgent or compelling as public health or social protection. Consequently, there is no need to introduce an exception which would put them on the same level as the other listed justifications.

This was devastating and caused widespread worries and concern among stakeholders across Europe

Parliament Vote in March 2014

Modifies the Albrecht proposal but several provisions that 'protect' research are removed and/or tightened.

Again, the primary concern was the lack of exemptions for research from the main requirement for specific and explicit consent for the (re)use and storage of personal data, as formulated in the European Commission's proposal in Articles 81 and 83.

The Council’s General Approach, June 15, 2015

Restore the balance, incorporating “old” and a new research right under Article 6 (2) “Lawful processing”.

The New GDPR 2016 – Implications for Research

• Research friendly – the balance is restored!

• Data subjects' rights are strengthened

• (control, consent, information requirements, erasure, right to object/be forgotten, access)

• Consent requirements are not absolute, which was not the case in earlier drafts of the Regulation.

• Consent still a key mechanism for protecting privacy

• However, there are exemptions for scientific and historical research.

Article 5 principles relating to personal data processing

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 89 not be considered incompatible with the initial purposes;

Article 5…..

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (…); personal data may be stored for longer periods insofar as the data will be processed for archiving purposes in the public interest or scientific, statistical, or historical purposes in accordance with Article 89 (1)

Article 9 (j) Processing of special categories of personal data is prohibited unless…..

• the data subject has given explicit consent.. (freely given, informed, specific and unambiguous)

• the processing relates to personal data which are manifestly made public by the data subject

• processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes in accordance with Article 89 (1)

• “Member states may maintain or introduce further conditions, with regard to the processing of genetic data, biometric data or health data including limitations, limitations with regard to the processing of special categories of data, health data”. (Art. 9, 4.)

Article 17 Right to erasure and “to be forgotten”

Paragraphs 1, 1a and 2a shall not apply to the extent that processing of the personal data is necessary:

d. for archiving purposes in the public interest or for scientific, statistical and historical purposes in accordance with Article 89 (1)

Article 81 in the proposal, restricting the use of health data without consent for research purposes, is dropped; however, member states may introduce further conditions, including limitations, for health, biometric and genetic data

Article 89 “Safeguards and derogations for the processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes”

Appropriate safeguards to protect the rights and freedoms of the data subject,

Technical and organisational measures,

The principle of data minimisation

Pseudonymisation if possible

New Regulatory Mechanism - Duty to notify is abolished

• Research institutions (data controller) more responsibilities and duties.

• Public authorities and public bodies, as well as enterprises with more than 250 employees, must designate a data protection officer

• The data protection officer an instrument for the institution, conducting impact assessments, controlling and documenting the processing of personal data

• Simplify procedures and increase protection!

Signals…

• Research is always compatible (Art.5, Recital 50)

• Improved conditions and increased possibilities for register based research. The legal basis for using new types of data in the social survey context, including biomarker, social media and administrative data, is in place, but

• “Member states may maintain or introduce further conditions, with regard to the processing of genetic data, biometric data or health data including limitations, limitations with regard to the processing of special categories of data, health data”. (Art. 9, 4.)

The message - Research Friendly - Continuity More than Change

Will the GDPR succeed given the scope for member states to introduce further conditions/limitations?

The Norwegian Data Protection Inspectorate states:

“we will advocate the individual right to privacy and push for Member States to introduce more limitations on scientific use of special categories of data”

If successful, will this contradict efforts to achieve similar conditions for research across Europe?

The Message – Building trust in a world of big data and open access

We have to understand that we need:

• An adequate legal framework to safeguard both privacy and access to personal data for scientific purposes.

• An adequate procedural framework that safeguards information privacy as well as the legitimate interests of research to access and use personal data.

• Participants in research need protection

• Researchers need protection

• Institutions need protection

• Society needs access

Building a sustainable trust relationship in a digital world of open science and open access

WHY?
