EU propose General Data Protection Regulation

31 October 2016

PHG Foundation has been working with the Wellcome Trust to ensure the new Data Protection Regulation balances keeping vital health data available for research, while keeping individual’s data safe. We are pleased that the EU has listened and has now reached an agreement on data protection regulation which is positive for research.

How is data protection currently regulated within the EU?

Data protection among EU member states is currently regulated by the Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In June 2015 the Council of the European Union agreed an approach on the GDPR that was much more positive for research than the European Parliament’s position. Notably, it included important derogations for scientific purposes. These changes were approved by the Council. 

On the 15 Dec 2015 the EU institutions finally agreed the new data protection law and the outcome for research was positive. The EU institutions listened to the concerns and the evidence presented by the Wellcome Trust, PHG Foundation and other signatories of the statement, and Parliament’s amendments were not included in the final text. Formal votes will take place in 2016, and the Regulation will be applicable two years from the date it enters into force.

What new controls was the EU debating?

General Data Protection Regulation (GDPR). Unlike Directives which are transposed by EU Member States into their own law, and can be adjusted for local requirements, Regulations are applied directly across all Member States. The GDPR as proposed in January 2012 was quite restrictive in terms of the limitations it placed on the use of data for scientific research. The version proposed by the European Parliament in 2013 was even more restrictive, and sparked considerable controversy. Numerous amendments were tabled and lobbying for change from some Member States, the UK government reportedly opposed the notion of a Regulation at all and preferred the possibility of re-casting it as a Directive.

Timeline

  • December 2015

    EU institutions finally agree the new data protection law and the outcome for research is positive. Formal votes to take place in 2016, and the Regulation to be applicable two years from the date it enters into force

  • June 2015

    Council of the European Union approves their full draft of the GDPR (their 'General Approach')
    Trilogue process of negotiations begins between the European Commission, European Parliament and Council of the European Union

  • June 2014

    UK Government publishes: Review of the balance of competences between the United Kingdom and the European Union: Information RightsThis agreed text is much more positive for research than the Parliament’s position as it includes important derogations for scientific purposes

  • March 2014

    Plenary session of European Parliament passes the amendments proposed by European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee

  • December 2013

    LIBE committee agrees its text of the Draft Regulation. Approval of the text comes after months of negotiations between the various parliamentary committees
    We believe some of the amendments, especially to Articles 81 and 83, may prove detrimental to the execution of scientific research

  • May 2013

    PHG Foundation signs a joint statement coordinated by the Wellcome Trust: Impact of the draft European Data Protection Regulation and proposed amendments from the rapporteur of the LIBE committee on scientific research

  • January 2012

    European Commission releases data protection legislative framework proposal for GDPR, intended to replace the Data Protection Directive

  • October 1998

    Data Protection Directive comes into force

Why were the new Regulation and amendments proposed?

Much biomedical and health research depends on large quantities of data about individuals (e.g. whole genome sequencing biobanks). This personal data provides a vital resource for scientific research. New research methods increasingly rely on international data sharing, creating huge potential for international collaboration and scientific advancement. From a data protection perspective, however, new data sharing technologies pose problems. If data can move across jurisdictional boundaries easily, then it might be put to uses for which it was not originally intended or anticipated. The GDPR aims to address these concerns. But PHG Foundation, together with many interested organisations across Europe were extremely concerned about amendments proposed by the European Parliament, which would have restricted beneficial health and scientific research.

How PHG Foundation was involved

In May 2013 the PHG Foundation signed a joint statement from non-commercial research organisations and academics and coordinated by the Wellcome Trust entitled Impact of the draft European Data Protection Regulation and  proposed amendments from the rapporteur of the LIBE committee  on scientific research. Through this statement we:

  • Advocated for exemptions to allow secondary data processing in cases where seeking consent to re-use relevant data would be impractical
  • Highlighted that scientific research often relies on the ‘broad consent’ model where participants consent for their data to be used for a variety of research studies. Moreover, specific consent could in some situations introduce bias into the results of scientific studies
  • Called for pseudonymised (key-coded) scientific research data to be handled proportionately by the GDPR. Without explicit amendment to the GDPR, pseudonymised data would be treated as identifiable data and would therefore be subject to heavy regulation that would hinder its use in scientific research

For more information about this project please contact Alison Hall.