Comment
Can the GDPR make data flow for research easier? Yes it can, by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities

https://doi.org/10.1016/j.clsr.2021.105539Get rights and content

Abstract

Against the common perception of data protection as a road-block, we demonstrate that the GDPR can work as a research enabler. This study demonstrates that European data protection law's regulatory pillars, the first related to the protection of the fundamental right to data protection and the second regarding the promotion of the free flow of personal data, result into an architecture of layered data protection regimes, which come to tighten or relax data subjects’ rights and data protection safeguards vis à vis processing activities differently grounded in public or merely economic interests. Each of the identified data protection regimes shape different “enabling regulatory spots” for the processing of sensitive personal data for research purposes.

Section snippets

Today's data-driven research and the GDPR

The definition of the boundaries of openness of datasets allowed by the GDPR in scientific research is an exercise of particular importance because of the prevalence of data protection law in ‘inextricably linked’ datasets2

The GDPR's frameworks for research

While data pooling is being encouraged by European regulators,6

‘Differential’ research in the GDPR

Recital 159 GDPR sustains the extension of the research exceptions to private motivated/funded research. This wide notion of research is confirmed also by the recently issued proposal for a Data Governance Act.11, in lin , in line with the European Commission's Strategy for data, which has stressed the public good dimension of data

‘Differential’ data protection regimes for different research

The different interaction between the legal bases for personal data processing for research and the recalled data protection framework for research creates a dynamic spectrum of legal regimes ranging from data subjects’ full control (consent) for private data pools processed for-profit purposes to data subjects’ transfer of control to data controllers for private or public data pools employed for-non-profit/public interest research-oriented purposes. The research exception is actually plural!

In

Shaping the GDPR's differential data protection regimes for research

Even under the restrictive approach required by the EDPS,17 it is possible to differently modulate the GDPR's flexibilities for public interest-oriented (or altruistic) research and profit-driven one, regardless of the sources of their funding. Such modulation is primarily rooted in the

Conclusions

Differential data protection regimes for research are rooted in the GDPR's double fine-tuning system based on the balancing among coded data protection principles and rules and the establishment by data controllers of adequate safeguards for the protection of data subjects’ rights and freedoms.

We read in the GDPR a scaling of this double fine-tuning system in respect to different research-based processing activities over sensitive data. This means that in case of merely for-profit research

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (0)

This paper has been developed within the “SoBigData Plus Plus: European Integrated Infrastructure for Social Mining and Big Data Analytics” Project, funded by the EU Commission under the H2020 INFRAIA-1-2019 program (GA 871042) and within the "Legality Attentive Data Scientists (LeADS)" Project, funded by the EU Commission under the H2020-EU.1.3.1. - Fostering new skills by means of excellent initial training of researchers (GA 956562)

1

These authors contributed equally to this work, however paras 1–3 are to be attributed to Giulia Schneider, whereas paras 4–6 to Giovanni Comandè.

View full text