The GDPR’s Implications on Processing Personal Data for Health Research

In early February 2021, the European Data Protection Board (EDPB) issued a paper clarifying some of the GDPR’s implications on processing personal data for health-related research, in response to the European Commission’s questions on this topic.

The EDPB’s document is a preliminary one. It offers a partial, rather than a comprehensive, overview of the topic. The EDPB indicates that the questions posed by the EU Commission require a deeper review and that the whole topic will be addressed in the EDPB’s guidelines on the processing personal data for scientific research purposes, due later this year.

The following are the key takeaways from the EDPB’s preliminary document

1. Legal basis for processing health data for scientific research

  • Although informed consent is one of the GDPR’s legal bases for processing personal data, it also provides other alternative bases codified in Article 6(1) and 9 of the GDPR. The ethical requirement for a trial subject’s informed consent should not be construed as also requiring consent as the sole legal basis for processing personal data under the GDPR.
  • When a legal basis other than consent is used for processing personal data for scientific research, the “ethical” requirement for consent as a condition to the subject’s participation in the research will be considered an additional safeguard to protect the rights of data subjects, as required by Article 89 of the GDPR. That Article permits a certain degree of derogation from data subjects’ rights when the data is processed for scientific research purposes, provided that additional safeguards are implemented.
  • A previous document regarding the interplay between the GDPR and the clinical trial regulation, published by the European privacy regulators in the past, stated that consent cannot be used as the legal basis for processing personal data in clinical trials when there is an imbalance of power between the data subject and the controller (the trial sponsor or investigator). For example, when the clinical trial is a patient’s only access to medical treatment for their condition. The EDPB now clarifies that its prior guidance was given in the specific context of clinical trials, and that it does not entirely preclude consent as a legal basis for processing personal data in scientific research, including medical research. Consent can be used as the legal basis if the absence of imbalanced power can be proven and the conditions for explicit consent are satisfied. This must be analyzed on a case-by-case basis.
  • EU member state law can also impact the ability to use consent as a legal basis for processing health data for research purposes.
  • Can different legal bases be used for processing personal data in different EU member states for the same research project? The laws of EU member states may impact some of the legal bases for processing personal data. For example, the legal basis of compliance with a legal obligation (Article 6(1)(c) of the GDPR), and the legal bases for processing health data under Article 9 of the GDPR. In addition, the GDPR provides EU member states the authority to restrict the processing of genetic data, biometric data and health related data, in accordance with Article 9(4) of the GDPR. Therefore, the EDPB recognizes the inevitability of using different legal bases in certain cases, but nevertheless recommends this be avoided as much as possible. The EDPB also recommends restricting the implications of the diverse state-level laws regarding personal data processing for scientific research, for example by expanding the rights of participants according to the highest standard without regard to the specific laws of the state they reside in.

2. Secondary processing of health data

  • Article 5(1)(b) of the GDPR provides an exception to the purpose-limitation principle: subsequent processing of personal data for scientific research, pursuant to Article 89 of the GDPR, would not be considered processing incompatible with the initial purpose for which the data was collected and processed. Secondary processing of personal data under this exception is subject to appropriate safeguards as per Article 89 of the GDPR.
  • The EDPB will provide further guidance on the legal basis for secondary processing of personal data for scientific research in the guidelines it plans to issue later this year.
  • A data controller who is a researcher will have to analyze the legal basis for processing personal data collected by a health care provider. The legal basis suitable for processing by the health care provider may be unsuitable for processing that information for research purposes.

3. The notion of “broad consent”

  • The concept of “broad consent” is not found in the GDPR, but the EDPB assumes that it refers to Recital 33 of the GDPR. That recital suggests that in some cases of processing data for scientific research, when the purpose of processing cannot be precisely articulated when the data is initially collected, a broadly defined purpose will suffice (for example, a reference to the research area), in order to establish explicit consent as the legal basis for processing.
  • The EDPB explains that it will address this topic in the forthcoming guidelines, but that the recital cannot be construed so as to workaround the essential principle of articulating the precise purpose for which the personal data is collected. Therefore, the purpose should be detailed as much as possible, at least with regard to the initial phases of the research which are already known and defined at the time the data is collected.
  • In addition, processing health information on the basis of consent under Article 9 of the GDPR (special categories of data) pursuant to Recital 33 will be closely scrutinized, and it should not be prioritized over the conditions for explicit consent.
  • Notably, the laws in certain EU member states regarding processing health data may impact the ability to rely on “broad consent”.

4. Transparency and data retention

  • The duty to provide complete information to the data subject when the data is collected is the touchstone of the transparency principle. Any exception to this duty must be narrowly construed. Before personal data is processed for a secondary purpose, the controller must provide information on the secondary purpose. The exception to this requirement, codified in Article 14(5)(b) of the GDPR, only covers instances where the personal data is not collected directly from the data subject, and providing the information to the data subject is impossible or exceptionally difficult.
  • When the personal data is collected directly from the data subject and it is used for secondary purposes, the EDPB recommends taking measures to satisfy the obligation of notifying the data subjects at the time of collection also in regard to the secondary use.
  • If the legal basis for the secondary use changes, the controller is obligated to inform the data subject of the change.
  • In principle, personal data should be retained so long as it necessary for the purpose for which it was collected. The GDPR established an exception to this rule with regard to secondary use of personal data for scientific research purposes, so long as the processing satisfies Article 89(1) of the GDPR and safeguards are implemented to protect the rights of the data subjects.

5. Anonymization and Pseudonymization

  • Anonymization proves to be exceedingly difficult with the advances in technology. A controller that considers that it is using anonymous data must be able to prove the data’s anonymity and periodically re-assess whether the conclusion has changed.
  • Whether genetic data can be anonymized remains an open question. For the sake of protecting the rights of data subjects, the EDPB warmly recommends that genetic data be treated as personal data in any case and processed in accordance with the GDPR.
  • What safeguards should be implemented according to Article 89(1) in processing personal data for scientific research? At this time, the EDPB does not provide a substantive response to this question. But it does recognize that the absence of guidance as to what these measures constitute could raise a problem for those seeking to leverage the GDPR’s relaxed approach to processing personal data for scientific purposes. Arguably, use of the GDPR’s research exceptions would not be legitimate absent appropriate safeguards (whose nature is yet to be clarified).