On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19. The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conducting such research, while at the same time helping to ensure respect for the fundamental rights of patients.
That being said, the Board’s guidelines do not resolve all the issues that arise due to the complexities of this legal framework. For example, in terms of the legal basis for processing health data for scientific research, the Board rightly points out that there are two main options available: consent or a basis in EU Member State law. As we mentioned in a prior blog post, the problem that arises here is the divergent requirements of national laws, which often prevent a uniform application of the rules and exemptions. Regarding the equally fundamental issue of the further use of health data, the Board repeats the favorable language of the GDPR (qualifying scientific research, by default, as a compatible further use) but refrains from expounding on it “due to its horizontal and complex nature”.
In addition, the Board’s guidelines highlight and consider derogations to certain data subject rights, such as the right of information and the possibility to retain personal data for longer periods of time if necessary for scientific research. The guidelines stress, however, that these derogations in favor of scientific research should be used sparingly and accompanied by safeguards, such as pseudonymization, to reduce the risk for the individuals concerned. This heavy emphasis on the limitations to the derogations may risk undercutting the central message of the guidelines: that the GDPR should not obstruct scientific research.
Finally, the Board accepts that the fight against COVID-19 is a recognized public interest, which, at least under the current exceptional circumstances, allows organizations to set aside normal restrictions on international transfers of personal data to enable institutions and companies outside the EU to continue their efforts to fight the disease.