The General Data Protection Regulation (GDPR), which took full legal effect across the European Union (EU) on 25 May 2018, has a number of implications for international health research involving the collection, use, and cross-border sharing of people’s personal data. Such research includes genomics research.
The GDPR seeks to change the ways in which organizations both within and outside Europe collect, use, and share personal data. The GDPR is drafted in a way that recognizes that rapid developments in digital technology have increased the scale, scope, and speed at which personal data are collected, used, analyzed, and distributed, thereby necessitating a stronger legal framework that enhances the rights of “data subjects.”
The GDPR regulates the processing activities of two key actors: (i) data controllers, meaning persons or entities that determine the purposes and means of processing personal data, e.g. companies, researchers, and universities; and (ii) data processors, meaning persons or entities that process personal data on behalf of a data controller, e.g. (in many circumstances) cloud providers and research collaborators. The GDPR defends the data protection rights of data subjects, who in the health research context are most likely to be research participants.
This introductory primer highlights ten key areas of the GDPR that affect international health research and data sharing:
- Territorial scope. The territorial scope of the GDPR has expanded: under Article 3, the law applies to establishments of controllers or processors in the EU, and to organizations established outside the EU which monitor the behavior of individuals in the EU, or where it is apparent that such organizations intend to offer goods or services to individuals in the EU.
- Transparency and accountability. Requirements for demonstrating transparency and accountability have increased. Accountability is one of the core principles relating to processing of personal data under the GDPR in Article 5, and data controllers must, among other things, be able to demonstrate that they have a lawful basis for each processing operation. Likewise, transparency provisions require that controllers inform data subjects, in advance of processing and in clear language, a) that they intend to process the data and b) which of the lawful bases under Article 6 allows that processing. For special category data, they must identify which exception under Article 9(2) permits processing such data.
- “Data protection by design.” Under Article 25, the GDPR requires data controllers, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organizational measures that implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. This is known as “data protection by design.”
- Data protection impact assessments. Under Article 35, where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects (taking into account the nature, scope, context, and purposes of the processing), the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
- Data Protection Officers. Under Article 37, appointment of a Data Protection Officer (DPO) will be mandatory for controllers and processors which are public authorities or whose core activities consist of processing on a “large scale” of special categories of data (e.g. health-related data or genetic data). As the UK’s Information Commissioner’s Office (ICO) points out, a DPO will be necessary for hospitals that process patient data; it will also likely be necessary for many universities and scientific research and medical organizations.
- Consent. The conditions for consent have been strengthened to facilitate data subjects’ comprehension of what they are consenting to with regard to data processing. The conditions for consent also enhance individuals’ rights; for example, separate consent must be given for different purposes of processing in some situations, and consent will only be valid if it can be revoked without detriment. Under Article 7, a “request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” and under Article 6, the “specific purpose” for processing (including sharing) data should be clearly explained. Recital 33 of the GDPR suggests that broad consent nonetheless may be possible in the scientific research context. Importantly for the research context, consent is only one of several lawful bases for processing personal data.
- Processing special categories of data. Processing special (i.e. sensitive) categories of data such as health-related data and genetic data is prohibited under the GDPR unless the processor meets a special category condition listed in Article 9. Among these are conditions specific to the health context, such as processing for medical diagnosis, for the provision of health or social care, for treatment, for management of health or social care systems in accordance with EU or Member State law or professional obligations, or for public health and public interest purposes on the basis of EU or Member State law. When processing special categories of data for scientific research, the most likely relevant exception will be Article 9(2)(j): that such processing is necessary for scientific research in accordance with Article 89(1) and that appropriate safeguards are provided for. The processing must also be consistent with EU or Member State law (such as laws relating to clinical trials). These safeguards require that technical and organizational measures be in place, in particular, to ensure that processing complies with the principle of data minimization (limiting personal data collection, storage, and usage to data that are relevant, adequate, and absolutely necessary for carrying out the purpose for which the data are processed). This means that anonymization or pseudonymization (including key-coding) should be used wherever possible.
- Data subject rights derogations. Article 89(2) allows Member States to create derogations from (i.e. exceptions to) the otherwise core data subject rights of access, rectification, erasure (the right to be forgotten), restriction of processing, and objection, whenever these data subject rights “are likely to render impossible or seriously impair the achievement” of scientific research purposes. Such a derogation must be essential for the fulfillment of these purposes. These derogations are subject to the conditions and safeguards laid out in Article 89(1), such as data minimization and pseudonymization. Additionally, under Article 21(6), where personal data are processed for scientific research purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, has a “right to object” to processing of personal data concerning him or her, unless “the processing is necessary for the performance of a task carried out for reasons of public interest.”
- Secondary use. According to Recital 50, the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. However, Article 5(1)(b) states that further processing for scientific research purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial data processing purposes. If the same or another organization were conducting the further processing (i.e. secondary use) of the data, then there is a rebuttable presumption that further processing for the purpose of scientific research is compatible with the original stated purpose of the processing. The derogations from data subject rights that the scientific research exception permits under Article 89(2) would apply in such a scenario, as permitted by applicable Member State law.
- International data transfer. International scientific research collaboration is affected by the GDPR rules on transferring personal data from the EU to a non-EU country, known as a “third country.” Data controllers that plan to transfer Europeans’ personal data to a third country or international organization, be it for cloud computing purposes or otherwise, must be mindful of the GDPR’s provisions on international data transfers. There are four basic avenues for lawful transfer of personal data outside the EU: 1) an adequacy decision; 2) appropriate safeguards, as described in Article 46, or binding corporate rules, as described in Article 47; 3) specific derogations; and 4) one-off (or infrequent) transfers. A controller must inform data subjects, at the time that personal data are collected from them, that the controller intends to transfer this personal data to a third country or to an international organization, and either a) that an adequacy decision exists or is absent, or b) in the case of transfers referred to in Article 46 or 47, or one-off (or infrequent) transfers, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Further Resources to Consult
- Kärt Pormeister, “Genetic data and the research exemption: is the GDPR going too far?” (2017) 7 International Data Privacy Law 137–146 (open access)
- Mahsa Shabani and Pascal Borry, “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation” (2018) 26 European Journal of Human Genetics 149–156 (commercial access)
- Miranda Mourby et al., “Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK” (2018) 34 Computer Law & Security Review 222–233 (open access)
- Mark Phillips, “International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)” (2018) Human Genetics, doi.org/10.1007/s00439-018-1919-7 (open access)
Subscribe to Our Monthly GDPR Briefs!
Beginning in October 2018, the GDPR and International Health Data Sharing Forum will publish monthly “GDPR Briefs” that answer important questions about the GDPR’s impact on various aspects of international health research and genomic and health-related data sharing, and that further explore the various issues raised in the GDPR Primer.
If you have further questions about this Primer or the GDPR, please email the Forum’s Editor, Edward Dove (University of Edinburgh) at firstname.lastname@example.org, and/or Co-Editor, Mark Phillips (McGill University) at email@example.com.
This GDPR Primer was published by the GA4GH–GDPR and International Health Data Sharing Forum, which is hosted and supported by the GA4GH Regulatory and Ethics Work Stream (REWS).
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.