As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful. The GDPR and national data protection laws can, and often do, complicate the matter of sharing personal data, and health data in particular. We provide some general pointers below to help demystify the GDPR and explain its impact.
- It may be self-evident, but it is still worth noting, that the GDPR does not apply to data about the virus itself, including the genetic sequencing of the virus. The GDPR imposes no restrictions on the sharing of this data.
- The GDPR does, however, apply to the personal data of any living individual, and those who are unfortunate enough to host the virus. The scope of the GDPR is broad. It typically applies to data that has been pseudonymized or coded (e.g., line data where the responsible physician or institute replaced the name of the patient with a code).
- The GDPR does not apply to anonymous data, such aggregated data sets. For example, data sets consisting of “virus genetic sequence and other data related to the virus + age group of the patient (e.g., 60-64) + gender” should generally be outside the scope of the GDPR, as it is not reasonably likely that it can be associated with the underlying individuals.
However, if the above information were to originate from an named hospital with on only one infected patient in this age group, the data could then be personal data, as re-attribution to the person would probably not require much effort. Despite EU data protection laws having been in place for over two decades now, the boundary between personal data and anonymous data is often frustratingly unclear.
- Even if the data sets contain personal data relating to patients, this does not mean that the data cannot be used or shared, and the GDPR contains numerous provisions allowing for this, especially where it involves scientific research. For example:
- the GDPR allows lawfully collected data (e.g., health care data) to be re-used for scientific research, without consent, provided appropriate safeguards are in place, such as key-coding (Art. 5(1)(b) & 89(1) GDPR);
- if the data are not obtained directly from the individual, the GDPR also relaxes the normal transparency requirements. Where patients cannot be informed individually (e.g., because it is impossible or represents a disproportionate burden), it suffices to make information about the research publicly available, for example on a website (Art. 14(5)(b) GDPR). Hospitals that obtain data directly from patients should inform them about the possible use of their data for scientific research, for example, by means of leaflets or notices on patient intake forms (Art. 13(3) GDPR);
- an individual’s right to object to scientific research involving his/her data is restricted; the person in question would have to demonstrate cause for opposing it, and, in any case, the right does not apply where there are strong public interests that will be served by the research (Art. 21(6) GDPR); and
- an individual’s right to request erasure of their data is similarly restricted (Art. 17(1)(c) and 17(3)(d) GDPR).
- Despite these derogations designed to promote research endeavors, the fact remains that the GDPR, in combination with national laws, is a very complex topic to navigate. Among other things, the GDPR allows Member States to maintain stricter rules in the area of health data. This means that the derogations mentioned above may not always apply or may not apply in the same way across the EU. Oftentimes, it will not be the GDPR that restricts the sharing of health data, but rather the stricter and/or ill-adapted national rules that deviate from the GDPR.
While the legal landscape is undoubtedly complex, data privacy regulators are aware of the critical need to exchange data to advance important research aims. As noted in our recent blog post, they do not believe that data protection laws have been an impediment to “national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the spread of the virus”. Meanwhile, and in line with this thinking, the European Medicines Agency has called on researchers to pool research and collaborate to combat COVID-19.