Published on Jan 6th, the European Data Protection Supervisor's preliminary opinion on data protection and scientific research ("Opinion") is a sensible analysis of the issues faced by the medical and pharmaceutical industry. 

Key takeaways

Our top 10 takeaways are as follows: 

  1. No new solutions: The solutions proposed in the Opinion echo previous advice and opinions issued by the Article 29 Working Party and the European Data Protection Board (especially the clinical trials Q&As). The Opinion does, however, serve as a compendium of items to be addressed and sets placeholders for issues where further guidance is necessary.
  2. The aim of the research is the key: The EDPS distinguishes between research for private interests and research with the "aim of growing society's collective knowledge and well-being". This is a key point, as the availability of the scientific research exceptions under the GDPR will depend on it. Note that what matters is not who carries out the research, but why.
  3. Corporate secrecy as a barrier to research: Whereas the EDPS acknowledges the mixed nature of most research, it expresses sceptical views about the private sector's motivations and encourages the sharing of scientific knowledge as a public good. It makes particularly sceptical statements about technology companies' ability to process health data adequately and criticises their lack of transparency which, in the EDPS' view, is a barrier to research.
  4. Ethics at the heart of all research:  The EDPS expresses its concern that errors of the past should not be repeated by reflecting on the origins and purposes of health regulations, especially those around clinical trials. It reiterates the importance of "genuine research for the common good."
  5. Behavioural experiments are not scientific research under the GDPR: The EDPS moreover questions whether "persuasive design" practices are ethical.
  6. Data protection requires transparency and is not a tool to enable corporate secrecy: The EDPS heavily criticises companies for the vagueness of their notices, the risk-based approach they take and their reluctance to share data with "genuine researchers". It highlights this point by stating "It would appear therefore that the reluctance to give access to genuine researchers is motivated not so much by data protection concerns as by the absence of business incentive to invest effort in disclosing or being transparent about the volume and nature of data they control."
  7. Scientific purposes exceptions only apply in very specific cases: The special data protection regime for scientific research is understood to apply only where each of three criteria is met: 1) personal data are processed; 2) relevant sector standards of methodology and ethics apply, including the notion of informed consent, accountability and oversight; and 3) the research is carried out with the aim of growing society's collective knowledge and well-being, as opposed to serving primarily one or several private interests.
  8. Deception trials are not compatible with GDPR: Debriefing of the research participants and retrospective informed consent along with specific ethics approval before the start of the research would not be enough to comply with Article 13 GDPR. The possible derogation for the purposes of scientific research under Article 14 is not relevant for these specific cases of deception, since the derogation only applies in case of indirect collection. 
  9. An EU code of conduct could be the best solution: The EDPS states that "To achieve sufficient levels of harmonisation, codes of conduct at EU rather than national level may be preferable. They would also be beneficial for the free movement of researchers, a key aim of the European Research Area."
  10. More guidance to follow: The Opinion states that more guidance will be issued on data protection and scientific research, specifically around the issue of clinical trials and the GDPR, and to clarify whether a private sponsor can act in the public interest.

Our two cents

It is this writer's view that the Opinion carries an underlying message of "please use your common sense". The EDPS is also clearly stating that we must not lose sight of the aim of scientific research: to work for the good of humanity. This aim would be much aided by the sharing of knowledge, which is not, in the EDPS' view, incompatible with the GDPR; quite the opposite, the GDPR helps to enable transparency and data sharing.

It is fair to say that the EDPS is putting all private stakeholders in the same boat in its Opinion which is, in this writer's view, slightly unfair. Experience tells me that heavily regulated companies are not likely to use the GDPR as an excuse not to be transparent, but rather to follow the letter of the law too closely. They are likely to take very limited risks for fear that any contravention of the GDPR will jeopardise a study (and, as a result, the investment and the potential cure will be lost). Having said that, recent events around the misuse of sensitive data and profiling (for example, Cambridge Analytica or Emma's Diary) are solid reasons for the regulator to be slightly sceptical about private companies' ethics when making decisions about how to process sensitive data.

Overall, the problem seems to be one of trust: patients and regulators need to trust the companies processing sensitive data. At the moment, a lack of transparency is, in many cases, being interpreted as corporate secrecy. It is therefore essential for companies to earn that trust.

Some key steps to gain trust include: 

  • making sure the research and the processing are ethical;
  • carrying out impact assessments so that they are fully aware of what risks are being taken; and
  • communicating with individuals: giving clear notices to individuals and asking people for permission before sharing their data.

In short, complying with the GDPR and using good old fashioned common sense.