On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research. The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.
The Commission’s questions covered the following seven topics:
- legal basis for processing of health-related data for scientific research purposes;
- further processing of previously collected health data;
- the notion of broad consent;
- transparency of data processing;
- anonymization;
- processing of special categories of data on a large scale; and
- international cooperation.
Regarding the legal basis for scientific research, the Board acknowledges that differences between EU Member States can be expected, given the leeway the GDPR grants Member States to adopt divergent national rules for the processing of genetic, biometric and health data. While this may be true, the reality in practice is that most of the divergences that have developed around this topic are not the result of conflicting national laws, but rather, are due to diverging interpretations by Supervisory Authorities, ethics committees and other stakeholders on how to apply the GDPR.
The Board also calls on the Commission to adopt a common legal basis and/or scientific research regime for the planned European Health Data Space, to enable the creation of a common framework for the sharing and exchange of quality health data (see our blog post here).
In some of its responses, the Board refers the Commission back to its previously published guidelines, such as those on (1) the interplay between the GDPR and the Clinical Trials Regulation (see our blog post here) and (2) consent (see our blog post here). This is the case, for example, when the Board answers questions regarding the possible legal basis for processing clinical trial data, the concept of broad consent, and the meaning of “large scale” processing.
In other responses, however, the Board does not answer the question presented by the Commission, and instead refers to its forthcoming guidelines on the processing of personal data for scientific research purposes. It does so, for example, when answering questions relating to the further processing of previously collected health data, anonymization of data, and international cooperation.
As discussed in another Covington blog post (available here), the UK Government is considering similar issues as part of its review of health data uses for research and analysis purposes — including balancing access to such data while preserving patient privacy.
The team at Covington will continue to monitor developments on health research and report on the Board’s forthcoming guidance on the processing of personal data for scientific research purposes, once it is released.