EU propose General Data Protection Regulation

 

PHG Foundation has been working with the Wellcome Trust to ensure the new Data Protection Regulation balances keeping vital health data available for research with keeping individuals’ data safe. We are pleased that the EU has listened and has now reached an agreement on data protection regulation which is positive for research.

How is data protection currently regulated within the EU?

Data protection among EU member states is currently regulated by the Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In June 2015 the Council of the European Union agreed an approach on the GDPR that was much more positive for research than the European Parliament’s position. Notably, it included important derogations for scientific purposes. These changes were approved by the Council.

On 15 December 2015 the EU institutions finally agreed the new data protection law and the outcome for research was positive. The EU institutions listened to the concerns and the evidence presented by the Wellcome Trust, PHG Foundation and other signatories of the statement, and Parliament’s amendments were not included in the final text. Formal votes will take place in 2016, and the Regulation will be applicable two years from the date it enters into force.

What new controls was the EU debating?

The General Data Protection Regulation (GDPR). Unlike Directives, which are transposed by EU Member States into their own law and can be adjusted for local requirements, Regulations are applied directly across all Member States. The GDPR as proposed in January 2012 was quite restrictive in terms of the limitations it placed on the use of data for scientific research. The version proposed by the European Parliament in 2013 was even more restrictive, and sparked considerable controversy. Numerous amendments were tabled, and some Member States lobbied for change; the UK government reportedly opposed the notion of a Regulation at all and preferred the possibility of re-casting it as a Directive.

Timeline

December 2015

EU institutions finally agree the new data protection law and the outcome for research is positive. Formal votes to take place in 2016, and the Regulation to be applicable two years from the date it enters into force

June 2015

Council of the European Union approves their full draft of the GDPR (their ‘General Approach’)
This agreed text is much more positive for research than the Parliament’s position as it includes important derogations for scientific purposes
Trilogue process of negotiations begins between the European Commission, European Parliament and Council of the European Union

June 2014

UK Government publishes: Review of the balance of competences between the United Kingdom and the European Union: Information Rights

March 2014

Plenary session of European Parliament passes the amendments proposed by European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee

December 2013

LIBE committee agrees its text of the Draft Regulation. Approval of the text comes after months of negotiations between the various parliamentary committees
We believe some of the amendments, especially to Articles 81 and 83, may prove detrimental to the execution of scientific research

May 2013

PHG Foundation signs a joint statement coordinated by the Wellcome Trust: Impact of the draft European Data Protection Regulation and proposed amendments from the rapporteur of the LIBE committee on scientific research

January 2012

European Commission releases data protection legislative framework proposal for GDPR, intended to replace the Data Protection Directive

October 1998

Data Protection Directive comes into force

Why were the new Regulation and amendments proposed?

Much biomedical and health research depends on large quantities of data about individuals (e.g. whole genome sequencing biobanks). This personal data provides a vital resource for scientific research. New research methods increasingly rely on international data sharing, creating huge potential for international collaboration and scientific advancement. From a data protection perspective, however, new data sharing technologies pose problems. If data can move across jurisdictional boundaries easily, then it might be put to uses for which it was not originally intended or anticipated. The GDPR aims to address these concerns. But PHG Foundation, together with many interested organisations across Europe, were extremely concerned about amendments proposed by the European Parliament, which would have restricted beneficial health and scientific research.

How PHG Foundation was involved

In May 2013 the PHG Foundation signed a joint statement from non-commercial research organisations and academics, coordinated by the Wellcome Trust, entitled Impact of the draft European Data Protection Regulation and proposed amendments from the rapporteur of the LIBE committee on scientific research. Through this statement we:

  • Advocated for exemptions to allow secondary data processing in cases where seeking consent to re-use relevant data would be impractical
  • Highlighted that scientific research often relies on the ‘broad consent’ model where participants consent for their data to be used for a variety of research studies. Moreover, specific consent could in some situations introduce bias into the results of scientific studies
  • Called for pseudonymised (key-coded) scientific research data to be handled proportionately by the GDPR. Without explicit amendment to the GDPR, pseudonymised data would be treated as identifiable data and would therefore be subject to heavy regulation that would hinder its use in scientific research