Deliberations concerning a new EU General Data Protection Regulation have been ongoing since the Commission released its formal proposal in January 2012. The European Parliament (EP) adopted its amendments in March 2014, and the Council of Ministers is currently preparing its amendments, aiming for a final decision in June 2015. Immediately after this decision, trilogue negotiations between the Parliament, the Council of Ministers and the Commission will ensue. Parts of the texts currently on the table – in particular in the EP version from spring 2014 – are directly harmful to research. The main objections are the following:
1. ”Purpose limitation”
A fundamental principle, both in the 1995 Directive underlying current legislation and in the current Regulation proposal, is that data must be collected for a specified purpose and cannot be used for other purposes. In the 1995 Directive, there is an exemption for processing of data for research purposes, which should always be seen as being consistent with the original purpose. In the EP version this exemption for research was deleted. This will be devastating for register-based research. The preliminary Council version of the text is far better in this respect.
2. Large scale data and active consent
It is imperative that large scale scientific studies can be performed without active consent also in the future. It is unfeasible to obtain individual consent from hundreds of thousands of individuals, and if attempted, the resulting losses will threaten to seriously bias the results. It is therefore very important to closely monitor the exact formulation of the regulation concerning consent. In addition, there is an ongoing discussion on the legal construction of the legislation. From research point of view a solution where there is a specific legal ground for research that is separated from the general legal grounds for processing of personal data would be favourable. This would make research more independent of general rules for consent as well as not requiring each single research project to show a clear relation to public interest. This view is supported by the Commission and several member states (MS), but is not fully supported yet by the Swedish delegation.
3. Anonymisation and pseudonymisation of data
It must remain legal and possible to process personal data – also data on health – in research without anonymisation or so-called pseudonymisation. It has been convincingly shown that these measures will introduce small errors, which will accumulate and result in flawed results of research. Moreover, pseudonymisation aims at minimizing the risk for backward identification by removing information. To achieve this, the datasets can only contain a small number of variables, significantly restricting high-quality research with control for confounding. Additionally, pseudonymisation will hamper data verification and quality control. The EP proposal is too far-reaching on this point. In the Council, Germany continues to promote pseudonymisation as an obligatory measure, despite the opposition from other MS.
Personal integrity is well protected in the current legislation and is possible to handle well also in the kind of regulatory environment that has been outlined above. Hopefully this view will gain support by national delegations as well as parliament representatives in the upcoming trilogue, leading to a final solution that will preserve the possibility to gain insights into important facts about health and welfare based on data analysis for the future.