
GA4GH GDPR Brief: The Public Interest and the GDPR (February 2021)


1 February 2021

GDPR, regulatory and ethics

 

Introduction

This brief will discuss, with specific reference to genomic and health-related research, the three ways in which the public interest features in the GDPR: a legal basis, a derogation for the processing of genomic and health data, and a transfer mechanism. In none of these cases can a controller invoke the public interest at their plain discretion. It is always up to either EU or national law to specify the public interest. This unfortunately means that, failing a public interest defined in EU law, the contours of the public interest vary across the EU / European Economic Area (EEA).

 

Legal basis

Controllers may process personal data if “processing is necessary for the performance of a task carried out in the public interest”. Necessity is interpreted under proportionality: the data processed must have a close link to the attainment of the processing’s objectives. National law, for example, may specify that certain entities are able to rely on the public interest legal basis, e.g., public-authority research organizations (UK), or that processing necessary for scientific research may rely on the public interest legal basis but with additional safeguards (Norway). Relying on this legal basis also allows for potentially curtailing the right to object.

 

Derogation for the processing of genomic and health data

For the processing of genomic and health data, two relevant derogations (justifications) exist. The first applies where the processing is “necessary for reasons of substantial public interest”. Similar to the public interest basis, proportionality informs the necessity analysis. Beyond this, the public interest must be substantial, which aims to balance the public interest with the risks that processing genomic and health data poses. How to distinguish a substantial public interest from a “normal” one is not (yet) precisely defined. The substantial public interest derogation is the only justification available for automated decision-making with respect to genomic and health data, other than the data subject’s explicit consent.

Secondly, the processing of genomic and health data may be legitimated where the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”. Such a justification is, of course, very relevant during a pandemic. However, given the article’s public health focus, it is not suitable for general biomedical research in normal circumstances, e.g., basic research into the genetic factors related to breast cancer, unless otherwise specified in national law. Indeed, distinguishing biomedical research from public health monitoring and quality assurance of medicines can be difficult.

 

Transfer mechanism

In the absence of an adequacy decision or other suitable safeguards (e.g., standard contractual clauses), controllers may nevertheless export data out of the EU/EEA where “the transfer is necessary for important reasons of public interest”. Unlike the above examples, the GDPR specifies that either public or private entities may rely on this transfer mechanism. The European Data Protection Board has, for example, stated that scientific research related to the COVID-19 pandemic is one such recognized public interest for the purposes of this transfer mechanism (albeit halfheartedly). In a similar vein, we have seen the French Conseil d’État decline to outright suspend data transfers connected to the Health Data Hub, partially on the basis of the public interest in the continued occurrence of the data transfers in relation to the pandemic response.

 

Conclusion

The public interest under the GDPR is largely a question for national law, which determines both which purposes are properly considered to be in the public interest and the additional conditions to which relying on such provisions is subject. A reasonable approach is therefore to first verify the public interest conditions under applicable national law before relying upon the public interest for data processing.

 

Further Reading

  • Becker, Regina, Adrian Thorogood, Johan Ordish, and Michael J.S. Beauvais. “COVID-19 Research: Navigating the European General Data Protection Regulation.” Journal of Medical Internet Research 22, no. 8 (2020): e19799. https://doi.org/10.2196/19799.
  • Mitchell, Colin, Johan Ordish, Emma Johnson, Tanya Brigden, and Alison Hall. “The GDPR and Genomic Data – the Impact of the GDPR and DPA 2018 on Genomic Healthcare and Research.” Cambridge, United Kingdom: PHG Foundation, May 2020. https://www.phgfoundation.org/report/the-gdpr-and-genomic-data.
  • Slokenberga, Santa, Olga Tzortzatou, and Jane Reichel, eds. GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Vol. 43. Law, Governance and Technology Series. Cham: Springer International Publishing, 2021. https://doi.org/10.1007/978-3-030-49388-2.
  • Taylor, Mark J., and Tess Whitton. “Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data.” Laws 9, no. 1 (March 2020): 6. https://doi.org/10.3390/laws9010006.

Relevant GDPR Provisions

  • Recital 45 – specific law is not required for each task in the public interest
  • Recital 46 – processing in the name of the vital interests of the data subject may also serve important goals of public interest, e.g., monitoring epidemics
  • Recital 54 – processing special-category data in the areas of public health
  • Recital 112 – either public or private entities may rely on art 49(1)(d)
  • Article 6 – lawful bases for processing personal data
  • Article 9 – derogations to process special-category data, e.g., genomic and health data
  • Article 49 – derogatory transfer mechanisms

Michael Beauvais is an academic associate at McGill University’s Centre of Genomics and Policy.

For a list of previous briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.