How is data protection currently regulated within the EU?

Data protection among EU member states is currently regulated by the Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In June 2015 the Council of the European Union agreed an approach on the GDPR that was much more positive for research than the European Parliament’s position. Notably, it included important derogations for scientific purposes. These changes were approved by the Council. 

On the 15 Dec 2015 the EU institutions finally agreed the new data protection law and the outcome for research was positive. The EU institutions listened to the concerns and the evidence presented by the Wellcome Trust, PHG Foundation and other signatories of the statement, and Parliament’s amendments were not included in the final text. Formal votes will take place in 2016, and the Regulation will be applicable two years from the date it enters into force.

What new controls was the EU debating?

General Data Protection Regulation (GDPR). Unlike Directives which are transposed by EU Member States into their own law, and can be adjusted for local requirements, Regulations are applied directly across all Member States. The GDPR as proposed in January 2012 was quite restrictive in terms of the limitations it placed on the use of data for scientific research. The version proposed by the European Parliament in 2013 was even more restrictive, and sparked considerable controversy. Numerous amendments were tabled and lobbying for change from some Member States, the UK government reportedly opposed the notion of a Regulation at all and preferred the possibility of re-casting it as a Directive.

(Click image for timeline of progress)

Why were the new Regulation and amendments proposed?

Much biomedical and health research depends on large quantities of data about individuals (e.g. whole genome sequencing biobanks). This personal data provides a vital resource for scientific research. New research methods increasingly rely on international data sharing, creating huge potential for international collaboration and scientific advancement. From a data protection perspective, however, new data sharing technologies pose problems. If data can move across jurisdictional boundaries easily, then it might be put to uses for which it was not originally intended or anticipated. The GDPR aims to address these concerns. But PHG Foundation, together with many interested organisations across Europe were extremely concerned about amendments proposed by the European Parliament, which would have restricted beneficial health and scientific research.

How PHG Foundation was involved

In May 2013 the PHG Foundation signed a joint statement from non-commercial research organisations and academics and coordinated by the Wellcome Trust entitled Impact of the draft European Data Protection Regulation and  proposed amendments from the rapporteur of the LIBE committee  on scientific research. Through this statement we:

  • Advocated for exemptions to allow secondary data processing in cases where seeking consent to re-use relevant data would be impractical
  • Highlighted that scientific research often relies on the ‘broad consent’ model where participants consent for their data to be used for a variety of research studies. Moreover, specific consent could in some situations introduce bias into the results of scientific studies
  • Called for pseudonymised (key-coded) scientific research data to be handled proportionately by the GDPR. Without explicit amendment to the GDPR, pseudonymised data would be treated as identifiable data and would therefore be subject to heavy regulation that would hinder its use in scientific research

Tom provided regulatory and ethical advice across a broad range of PHG Foundation programmes.

More about Tom