1 February 2021
This brief will discuss, with specific reference to genomic and health-related research, the three ways in which the public interest features in the GDPR: a legal basis, a derogation for the processing of genomic and health data, and a transfer mechanism. In none of these cases can a controller invoke the public interest at their plain discretion. It is always up to either EU or national law to specify the public interest. This unfortunately means that, failing a public interest defined in EU law, the contours of the public interest vary across the EU / European Economic Area (EEA).
Controllers may process personal data if “processing is necessary for the performance of a task carried out in the public interest”. Necessity is interpreted under proportionality – the data processed must have a close link to the attainment of the processing’s objectives. National law, for example, may specify that certain entities are able to rely on the public interest legal basis, e.g., public-authority research organizations (UK) or that processing necessary for scientific research may rely on the public interest legal basis but with additional safeguards (Norway). Relying on this legal basis also allows for potentially curtailing the right to object.
Derogation for the processing of genomic and health data
For the processing of genomic and health data, there are two relevant derogations (justifications) that exist. One, where the processing is “necessary for reasons of substantial public interest”. Similar to the public interest basis, proportionality informs the necessity analysis. Beyond this, the public interest must be substantial, which aims to balance the public interest with the risks that processing genomic and health data poses. Distinguishing between a substantial public interest from a “normal” one is not (yet) precisely defined. The substantial public interest derogation is the only justification available for automated decision-making with respect to genomic and health data, other than the data subject’s explicit consent.
Secondly, the processing of genomic and health data may be legitimated where the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”. Such a justification is, of course, very relevant during a pandemic. However, given the article’s public health focus, it is not suitable for general biomedical research in normal circumstances, e.g., basic research into the genetic factors related to breast cancer, unless otherwise specified in national law. Indeed, distinguishing biomedical research from public health monitoring and quality assurance of medicines can be difficult.
In absence of an adequacy decision or other suitable safeguards (e.g., standard contractual clauses), controllers may nevertheless export data out of the EU/EEA where “the transfer is necessary for important reasons of public interest”. Unlike the above examples, the GDPR specifies that either public or private entities may rely on this transfer mechanism. The European Data Protection Board has, for example, stated that scientific research related to the COVID-19 pandemic is one such recognized public interests for the purposes of this transfer mechanism (albeit halfheartedly). In a similar vein, we have seen the French Conseil d’État decline to outright suspend data transfers connected to the Health Data Hub partially on the basis of the public interest in the continued occurrence of the data transfers in relation to the pandemic response.
The public interest under the GDPR is largely a question for national law to determine both which purposes are properly considered to be in the public interest and the additional conditions to which relying on such provisions is subject. A reasonable approach is to then first verify the public interest conditions under applicable national law before relying upon the public interest for data processing.
Relevant GDPR Provisions
Michael Beauvais is an academic associate at McGill University’s Centre of Genomics and Policy.
For a list of previous briefs, please consult here.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.