On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

The Commission’s questions covered the following seven topics:

  1. legal basis for processing of health-related data for scientific research purposes;
  2. further processing of previously collected health data;
  3. the notion of broad consent;
  4. transparency of data processing;
  5. anonymization;
  6. processing of special categories of data on a large scale; and
  7. international cooperation.

Regarding the legal basis for scientific research, the Board acknowledges that differences between EU Member States can be expected, given the leeway the GDPR grants Member States to adopt divergent national rules for the processing of genetic, biometric and health data.  While this may be true, the reality in practice is that most of the divergences that have developed around this topic are not the result of conflicting national laws, but rather, are due to diverging interpretations by Supervisory Authorities, ethics committees and other stakeholders on how to apply the GDPR.

The Board also calls on the Commission to adopt a common legal basis and/or scientific research regime for the planned European Health Data Space, to enable the creation of a common framework for the sharing and exchange of quality health data (see our blog post here).

In some of its responses, the Board refers the Commission back to its previously published guidelines, such as those on (1) the interplay between the GDPR and the Clinical Trials Regulation (see our blog post here) and (2) consent (see our blog post here).  This is the case, for example, when the Board answers questions regarding the possible legal basis for processing clinical trial data, the concept of broad consent, and the meaning of “large scale” processing.

In other responses, however, the Board does not answer the question presented by the Commission, and instead refers to its forthcoming guidelines on the processing of personal data for scientific research purposes.  It does so, for example, when answering questions relating to the further processing of previously collected health data, anonymization of data, and international cooperation.

As discussed in another Covington blog post (available here), the UK Government is considering similar issues as part of its review of health data uses for research and analysis purposes — including balancing access to such data while preserving patient privacy.

The team at Covington will continue to monitor developments on health research and report on the Board’s forthcoming guidance on the processing of personal data for scientific research purposes, once it is released.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.