Medical research provides unique and critical public benefits but also necessarily involves the processing of some of the most sensitive and private data - which European Data Protection is rightly concerned with safeguarding. Looking at the law across all European Economic Area (EEA) jurisdictions, this presentation outlines the barriers which application of default European data protection norms can pose to such work from requirements to obtain consent for sensitive personal data processing, to data subject notification rules and subject access. Drawing on a survey of Data Protection Authorities it also indicates that regulators are inclined to interpret the law strictly here although enforcement is often rather limited. The presentation then looks forward to the future under the General Data Protection Regulation (GDPR) arguing that the obstacles in the way of getting the law right here remain formidable and, in addition, there is a need for much greater engagement between DPAs and those involved in medical research. (N.B. These slides are based on talk given to the PHG Foundation at Hughes Hall on 13 October 2015 but have been updated in light of the finalization of the GDPR).

1. Dr. David Erdos
Faculty of Law
University of Cambridge
Image Welcome Images

2. Overview
 Tension between Data Protection & Medical Research
 Current Pan-European Provisions
 Aims and Methodology of the Study
 Findings: Formal law and regulatory interpretations
 Regulatory Enforcement
 Future European Regime
 Conclusions

3. The Basic Tension
 The EU Data Protection Directive aims to
so enabling the free flow of data within EU/EEA (A. 1).
 Predicated on ensuring “high level of protection”.
 Especially stringent as regards sensitive personal data
preeminent amongst which is data “concerning health”.
 (Epidemiological) medical research will often need to use
such private sensitive data.
“protect the fundamental rights and freedoms of natural persons,
and in particular their right to privacy with respect to the
processing of personal data.”

4. Wide (& Often Onerous)Default Standards
“Personal
data”
processing
DP Principles &
Legitimation
• Fair and lawful
• Legitimate basis
• Purpose quality and
compatibility
• Information quality
and limits esp. re:
time
Transparency
• Notification
• Subject Access
Sensitive Data
• Categorical
definition
• Default ban
(absent waiver)
Control
• Registration
• Permit
• Export control
• Security
Enforcement
• DPA
• Judicial Remedy
• Subject Rights

5. The Threat to Research from DP Default
 Informed consent or even notification may not even be
reasonably possible.
 Informed consent may in any case skew samples.
 Many other requirements may impose at least a
disproportionate resource burden.
 Requirement to obtain a permit may be considered
intrusive and even substantively problematic.

6. DP Directive : Research/Science Clauses
 Smattering of express derogations in DP Directive:
 Re-purposing if appropriate safeguards in national law
 Longer retention OK with national law safeguards
 Optional subject access/individual participation
derogation with conditions
 At other points Directive simply flags up a potential
discretionary use of general derogations:
Recital 34: Derogation from ban on processing sensitive data may
be used in areas such as “scientific research”

7. DP Directive: General Derogations
 Article 8: Sensitive Data
 Substantial public interest
 Suitable safeguards
 Notification to Commission
 Article 13: Wide range of other provisions
 Via legislation
 Necessity
 Safeguarding of inter alia rights and freedoms of others

8. Study: Aims and Methodology
 Explore EEA Member State approaches along three
dimensions:
1. Formal Law
2. Regulatory/DPA Interpretation
3. Regulatory/DPA Enforcement
 Data gathered through:
 English translations of national DP Law
 2013 survey of regulators – answered by +70% national
plus 6 sub-national DPAs.
 Analysis of material gathered from DPA websites (in 2013)
 N.B. Study is still ongoing and so results presented
are only provisional.

9. Study: Aims and Methodology
 Following hypothetical example used to structure the analysis
(as regards dimensions 1 and 2):
 Explored vis-à-vis five different aspects of DP.
 Only going to present results where DPA provided a
standardized response to the survey.
“A medical scientist wishes to use the medical records of patients
… All identifiable data would be kept confidential within the
research team and only anonymous results published. Alongside
satisfying him/herself that the scientific benefits of the study
outweigh any privacy infringement involve, which obligations
would apply under Data Protection law in your country?”

10. Study: Five Key Aspects of DP for Research
Default
Duties
Informed
Consent (for
Sensitive
Data)
Subject
Notification
Purpose
Specification
Subject
Access
Rectifying
Inaccuracy

11. Informed Consent: Formal Law
13/46%
7/25%
8/29%
0
2
4
6
8
10
12
14
16
18
20
22
24
No/Conditions only No/Conditions plus permit Consent required
NumberofJurisdictions

12. Informed Consent: DPA Interpretation
9/32%
19/68%
0
2
4
6
8
10
12
14
16
18
20
22
24
No/conditions only Consent required
NumberofDPAs

13. Need for Subject Notification: Formal Law
 Local law (& the Directive) generally very unclear here.
 Three different situations need to be considered:
 Controller obtained data indirectly: most jurisdictions
provide “disproportionate effort” exemption (usually subject
to conditions and perhaps even DPA permit).
 Controller doing the disclosing: May still have notification
duty (but Recital 40 of Directive suggests that might apply
“disproportionate effort” exemption if originally unanticipated).
 Controller obtained data directly: Situation generally even
more unclear here (even if reuse not originally anticipated).

14. Need for Notification: DPA Interpretation
5/18%
1/3.5%
22/78.5%
0
2
4
6
8
10
12
14
16
18
20
22
24
No Possibly Yes
NumberofDPAs

15. Purpose Specification: Formal Law
 Clear that if notification necessary, purpose of
processing must be given to data subject.
 Granularity of such purpose, however, generally remains
opaque in both Directive and in local law.
 In medical research may remain unclear whether can
simply notify generally re: research processing or must
notify regarding each specific study.

16. Purpose Specification: DPA Interpretation
 Two DPAs said no to informed consent but yes to specific notification.
 Six DPAs said yes to informed consent but no to specific notification.
8/36%
14/64%
0
2
4
6
8
10
12
14
16
18
20
22
24
Research Specific Study
NumberofDPAs

17. Subject Access: Formal Law
10/36%
18/64%
0
2
4
6
8
10
12
14
16
18
20
22
24
(Probable) exemption No exemption
NumberofJurisdictions

18. Subject Access: EU Directive (A. 13 (2))
“Subject to adequate legal safeguards, in particular that the data are
not used for taking measures or decisions regarding any particular
individual, Member States may, where there is a clearly no risk of
breaching the privacy of the data subject, restrict by a legislative
measure the rights provided for in Article 12 when data are processed
solely for the purposes of scientific research”

19. Subject Access: DPA Interpretation
5/18%
23/82%
0
2
4
6
8
10
12
14
16
18
20
22
24
Exception No exemption
NumberofDPAs

20. Rectifying Inaccuracy: Formal Law
 Right of individual to rectify inaccuracy part of A. 12.
 Relates to the duty of Controllers to ensure accuracy of
personal data (A. 6 (1) (d))
 Only one jurisdiction (Latvia) has formally limited
this aspect of individual participation under A. 12.
 However, it is arguably intrinsically tied to subject
access part of A. 12 (limited by 10 jurisdictions).

21. Rectifying Inaccuracy: DPA Interpretation
5/18%
23/82%
0
2
4
6
8
10
12
14
16
18
20
22
24
Exception No exemption
NumberofDPAs

22. DPA Permit: Formal Law
 Local legal provisions present a complex picture.
 17 (60%) jurisdictions: No permit required.
 3 (11%) jurisdictions: Permit only if unable to notify.
 1 (4%) jurisdiction: Permit only if unable to get consent
but REC permission may act in lieu.
 4 (14%) jurisdictions: Permit only if unable to get consent.
 3 (11%) jurisdictions: Permit generally always required.

23. DPA Permit: DPA Interpretation
16/57%
12/43%
0
2
4
6
8
10
12
14
16
18
20
22
24
Don't need permit Need permit
NumberofDPAs

24. Research Ethics Committee Findings
 Formal DP: Only c. 5 (18%) local laws specify this.
 But area may well be regulated by other law.
 DPAs responded as follows:
10/36%
4/14%
14/50%
0
2
4
6
8
10
12
14
16
18
20
22
24
No permission Consult etc. only Permission required
NumberofDPAs

25. (Direct) Enforcement: DPA Self Reports
19/68%
9/32%
0
2
4
6
8
10
12
14
16
18
20
22
24
No enforcement Enforcement
NumberofDPAs

26. Direct Enforcement: Published Examples
Catalan DPA (2011):
 Hospital sent University-affiliated researchers patient data for project
 Neither “dissociation” nor consent nor legal authorization
 Action: Resolution declaring illegal data transfer offence.
Swedish DPA (2011)
 University engaged in research on causes of allergy and diabetes
 Collects data (and hair) from children w/out parent consent or notice
 Complaint received
 Action: Decision issued stating that University would have to
notify and obtain consent if wanted to us this data.

27. General DP Regulation: Research Clause (A. 89)
 Derogations brought together in one article stipulating
need for “appropriate safeguards” ensuring in particular
“data minimization” (A. 89 (1)).
 Subject to this are common provisions for:
 Re-purposing of data (A. 5 (1) (b))
 Longer retention (A. 5 (1) (c)) (cf. also A 17 (3) (d))
 Lifting of most of sensitive data ban where necessary
& proportionate etc. State or Union law (A. 9 (2) (j))
 Purely optional derogations subject to further
conditions from subject access and right to object (A.
89 (2)).

28. General DP Regulation: Other Aspects
 Default provisions in Regulation (e.g. subject
notification (A. 12-14)) much more onerous than
present.
 General derogations (A. 23 & 10) e.g. for “rights &
freedoms of others” remain but are tighter and narrower
as exclude DP principles in and of themselves.
 Social and humanities research now protected as
“academic expression” alongside journalism in free
expression clause (A. 85).

29. Conclusions
 Clear tension between medical law and data protection
 Formal law is quite onerous and very confused.
 Many DPAs tend to interpret the law here even more
stringently than its wording would imply.
 This may fuel uncertainty and the chilling effect.
 However, enforcement appears limited.
 Getting law right under Regulation clearly a challenge.
 More proportionate and effective regime also requires
more DPA-medical research dialogue.