The new EU data protection framework and medical research
The EU’s proposed General Data Protection Regulation has raised issues about the impact that new privacy protections may have on how clinical trials are conducted and information about patients is used for research purposes. Sylwia Paszek of Wardyński & Partners discussed concerns about the draft regulation in an interview by Simon Fuller.
In general, what are the concerns around data processing requirements in the new EU data protection framework in reference to health research?
Sylwia Paszek: The new EU data protection framework is now being drafted in order to enhance privacy on one hand, and on the other hand, to unify privacy legislation throughout the entire EU, facilitate data flows within the EU and fill in the legislation gaps (areas not covered by law or covered inappropriately) that have appeared as a result of rapid technological development.
Health data are, as usual, a sensitive issue. Up-to-date technological solutions enable the sourcing of such data (legitimately or not) far more easily than a decade ago. Health data may be used to the detriment of data subjects, e.g. to give grounds for discriminatory treatment by insurers, employers or society in general. Thus the need to enhance protection of these data is fully justified.
On another note, use of databases gathering health data is crucial for the protection of public health. For example, epidemiological registers enable analysis of spreading diseases and predict and counteract future outbreaks, cancer registers allow prevention, and haemophilia registers enable the provision of first aid to the persons suffering. If the databases may not be used as up-to-date, and a data subject’s consent is required for research each time, then both scientific research and reactions to crisis situations might be significantly slowed down.
A recent European Society of Medical Oncologists paper highlights that the proposed new data protection framework “imposes, or may be interpreted as imposing, the requirement for researchers to ask for a patient’s ‘specific’ consent every single time new research is carried out on already available data and/or tissues.” To what extent is this a concern for public health research should the framework be implemented as currently proposed?
Indeed a concern that Article 81(1b) will be interpreted as an obligation to obtain “each-time consent” from the data subject is justified.
The wording of Article 81(1b) and Article 81(2) and (2a), taken together, seems inconsistent and overlapping.
Article 81(1b) requires (unconditionally) the data subject’s consent for the “processing of medical data,” whereas Article 81(2) requires the data subject’s consent for the “processing of personal data concerning health” (and allows exemptions), while both articles refer to scientific research.
In summary, it is difficult to reconstruct an actual legal framework on the basis of these articles. Certainly they need to be redrafted to make the regulation clear and concise.
What changes to the proposed framework might avoid this necessity for the repeated giving of consent?
As mentioned, Article 81(1b) of the draft regulation as proposed may (and does not have to) be interpreted as imposing the requirement for researchers to ask for a patient’s “specific” consent every single time new research is carried out on already available data and/or tissues.
Certainly a literal interpretation of the legislation goes first. If difficulties with understanding arise, a systemic interpretation must be used, too. In this case the article must be read together with the other provisions of the draft regulation, as well as other EU laws. “In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation” (Recital 31 of the draft regulation). Such “other legitimate basis” can be, in my opinion, found in the draft regulation.
Amendment 191 of the European Parliament’s resolution on the proposed data protection regulation reads, “Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83.” The ESMO has expressed its concern in particular about the effect of this on population-based disease registries. Assuming this amendment is part of the final framework, how feasible would this be to implement?
According to Article 81(2) of the draft regulation, “Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83.” The wording of this paragraph suggests that obtaining the data subject’s consent is a precondition for any research document.
Still, Article 81(2a) provides for the possibility of setting up exemptions. (“Member States law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves a high public interest, if that research cannot possibly be carried out otherwise.”)
Setting up exemptions requires a Member State’s decision. If a Member State sets up exemptions simply by copying Article 81(2a) (exemption applies to research that serves a high public interest), then there will be a need to resolve, on a case-by-case basis, whether particular research serves a high public interest or not, and whether it may or may not be covered by the above-mentioned exception. Needless to say, such a scenario would be an obstruction; researchers would always be concerned as to whether their assessment is correct and whether they are authorised to take advantage of the exemption.
However, Member States establishing the exemption mechanism may make an effort and go into more detail by setting up some guidelines on how to identify when a high degree of public interest exists. This may be done twofold (and cumulatively), by setting up criteria for recognition of a high public interest and by publishing a list of research which shall be deemed as a high public interest.
It has to be noted that Article 81(2a), providing exemptions, was added by the European Parliament to the initial draft from the Commission. Therefore it is possible that the legislators became aware of the obstacles to research and thus this article is in fact designed to allow research that is relevant.
Article 81(1b) requires “each-time consent” “only where the data subject’s consent is required.” When acting on the basis of Article 81(2a), consent will not be required, and processing of the data shall take place on the basis of Union law or Member State law (Article 81(1) and Recital 31).
If the data subject objects to the processing of personal data, the controller may refute such objection by demonstrating “compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject” (Article 19).
In its attempts to address privacy concerns in other sectors, do you agree that the EU has “overlooked” the impact of proposed privacy measures on the health sector?
Not necessarily. Personal data protection regulations were always a general regulation that applied equally to all industries and areas of activity. Specific regulations on personal data protection could only be found, rarely, in particular industry regulations (e.g. telecommunication secrecy, banking secrecy and medical documentation).
The draft regulation proves that health data are treated with due reverence and seriousness. The drafters seem to recognise the specificity of this sector. The task now is to properly measure the effects of health data protection on the health sector and duly balance these elements.
Sylwia Paszek, Life Science Practice, Wardyński & Partners
The article was first published in eHealth Law & Policy