CommentCan the GDPR make data flow for research easier? Yes it can, by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities
Section snippets
Today's data-driven research and the GDPR
The definition of the boundaries of openness of datasets allowed by the GDPR in scientific research is an exercise of particular importance because of the prevalence of data protection law in ‘inextricably linked’ datasets2
The GDPR's frameworks for research
While data pooling is being encouraged by European regulators,6
‘Differential’ research in the GDPR
Recital 159 GDPR sustains the extension of the research exceptions to private motivated/funded research. This wide notion of research is confirmed also by the recently issued proposal for a Data Governance Act.11, in lin , in line with the European Commission's Strategy for data, which has stressed the public good dimension of data
‘Differential’ data protection regimes for different research
The different interaction between the legal bases for personal data processing for research and the recalled data protection framework for research creates a dynamic spectrum of legal regimes ranging from data subjects’ full control (consent) for private data pools processed for-profit purposes to data subjects’ transfer of control to data controllers for private or public data pools employed for-non-profit/public interest research-oriented purposes. The research exception is actually plural!
In
Shaping the GDPR's differential data protection regimes for research
Even under the restrictive approach required by the EDPS,17 it is possible to differently modulate the GDPR's flexibilities for public interest-oriented (or altruistic) research and profit-driven one, regardless of the sources of their funding. Such modulation is primarily rooted in the
Conclusions
Differential data protection regimes for research are rooted in the GDPR's double fine-tuning system based on the balancing among coded data protection principles and rules and the establishment by data controllers of adequate safeguards for the protection of data subjects’ rights and freedoms.
We read in the GDPR a scaling of this double fine-tuning system in respect to different research-based processing activities over sensitive data. This means that in case of merely for-profit research
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (0)
Cited by (7)
Survey of Data Privacy Security Based on General Data Protection Regulation
2022, Jisuanji Yanjiu yu Fazhan/Computer Research and DevelopmentSecondary Use of Personal Health Data: When Is It “Further Processing” Under the GDPR, and What Are the Implications for Data Controllers?
2022, European Journal of Health LawHuman-GDPR Interaction: Practical Experiences of Accessing Personal Data
2022, Conference on Human Factors in Computing Systems - ProceedingsLegal Challenges of AI Supported Legal Services: Bridging Principles and Markets
2022, Italian Law JournalCurrent Trends, Machine Learning, and Food Safety Data Governance
2022, Law, Governance and Technology Series
This paper has been developed within the “SoBigData Plus Plus: European Integrated Infrastructure for Social Mining and Big Data Analytics” Project, funded by the EU Commission under the H2020 INFRAIA-1-2019 program (GA 871042) and within the "Legality Attentive Data Scientists (LeADS)" Project, funded by the EU Commission under the H2020-EU.1.3.1. - Fostering new skills by means of excellent initial training of researchers (GA 956562)
- 1
These authors contributed equally to this work, however paras 1–3 are to be attributed to Giulia Schneider, whereas paras 4–6 to Giovanni Comandè.