As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful. The GDPR and national data protection laws can, and often do, complicate the matter of sharing personal data, and health data in particular. We provide some general pointers below to help demystify the GDPR and explain its impact.

  • It may be self-evident, but it is still worth noting, that the GDPR does not apply to data about the virus itself, including the genetic sequencing of the virus. The GDPR imposes no restrictions on the sharing of this data.
  • The GDPR does, however, apply to the personal data of any living individual, and those who are unfortunate enough to host the virus. The scope of the GDPR is broad. It typically applies to data that has been pseudonymized or coded (e.g., line data where the responsible physician or institute replaced the name of the patient with a code).
  • The GDPR does not apply to anonymous data, such aggregated data sets. For example, data sets consisting of “virus genetic sequence and other data related to the virus + age group of the patient (e.g., 60-64) + gender” should generally be outside the scope of the GDPR, as it is not reasonably likely that it can be associated with the underlying individuals.

However, if the above information were to originate from an named hospital with on only one infected patient in this age group, the data could then be personal data, as re-attribution to the person would probably not require much effort. Despite EU data protection laws having been in place for over two decades now, the boundary between personal data and anonymous data is often frustratingly unclear.

  • Even if the data sets contain personal data relating to patients, this does not mean that the data cannot be used or shared, and the GDPR contains numerous provisions allowing for this, especially where it involves scientific research. For example:
    • the GDPR allows lawfully collected data (e.g., health care data) to be re-used for scientific research, without consent, provided appropriate safeguards are in place, such as key-coding (Art. 5(1)(b) & 89(1) GDPR);
    • if the data are not obtained directly from the individual, the GDPR also relaxes the normal transparency requirements. Where patients cannot be informed individually (e.g., because it is impossible or represents a disproportionate burden), it suffices to make information about the research publicly available, for example on a website (Art. 14(5)(b) GDPR). Hospitals that obtain data directly from patients should inform them about the possible use of their data for scientific research, for example, by means of leaflets or notices on patient intake forms (Art. 13(3) GDPR);
    • an individual’s right to object to scientific research involving his/her data is restricted; the person in question would have to demonstrate cause for opposing it, and, in any case, the right does not apply where there are strong public interests that will be served  by the research (Art. 21(6) GDPR); and
    • an individual’s right to request erasure of their data is similarly restricted (Art. 17(1)(c) and 17(3)(d) GDPR).
  • Despite these derogations designed to promote research endeavors, the fact remains that the GDPR, in combination with national laws, is a very complex topic to navigate. Among other things, the GDPR allows Member States to maintain stricter rules in the area of health data. This means that the derogations mentioned above may not always apply or may not apply in the same way across the EU. Oftentimes, it will not be the GDPR that restricts the sharing of health data, but rather the stricter and/or ill-adapted national rules that deviate from the GDPR.

While the legal landscape is undoubtedly complex, data privacy regulators are aware of the critical need to exchange data to advance important research aims. As noted in our recent blog post, they do not believe that data protection laws have been an impediment to “national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the spread of the virus”. Meanwhile, and in line with this thinking, the European Medicines Agency has called on researchers to pool research and collaborate to combat COVID-19.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.