Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [hereinafter GDPR].
2. Decision of the EEA Joint Committee No 154/2018 of July 6, 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement [2018/1022]. Membership of the EEA has grown to 31 states as of 2018: the 28 EU member states (which still includes the United Kingdom at the time of writing), as well as three of the four member states of the European Free Trade Association (EFTA): Iceland, Liechtenstein, and Norway. The other EFTA member, Switzerland, has not joined the EEA, but has a series of bilateral agreements with the EU that allows it also to participate in the internal market. Switzerland is currently revising its Federal Act on Data Protection to accord with the GDPR and maintain its “adequacy” status under Art. 45 of the GDPR.
E.S. Dove and M. Phillips, “Privacy Law, Data Sharing Policies, and Medical Data: A Comparative Perspective,” in A. Gkoulalas-Divanis and G. Loukides, eds., Medical Data Privacy Handbook (Cham: Springer, 2015). See also Information Commissioner’s Office (ICO), Big Data, Artificial Intelligence, Machine Learning and Data Protection (2017), available at <https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-mland-data-protection.pdf> (last visited November 19, 2018); House of Lords Select Committee on Artificial Intelligence, AI in the UK: Ready, Willing and Able? (2018), available at <https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf> (last visited November 19, 2018).
5. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [hereinafter Data Protection Directive].
Under Article 2(d) of the GDPR, processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, is subject not to the GDPR, but rather to a separate EU law: Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (otherwise known in shorthand as the Law Enforcement Directive).
8. GDPR, Art. 2(c).
9. California Consumer Privacy Act of 2018, A.B. 375. See generally L. de la Torre, “GDPR matchup: The California Consumer Privacy Act 2018,” IAPP Privacy Tracker, July 31, 2018, available at <https://iapp.org/news/a/gdprmatchup-california-consumer-privacy-act/> (last visited November 19, 2018).
10. HIPAA Privacy Rule (“Standards for Privacy of Individually Identifiable Health Information: Final Rule”), 45 CFR Part 160 and Subparts A and E of Part 164.
11. M. Tzanou, “Data Protection as a Fundamental Right Next to Privacy?” International Data Privacy Law 3, no. 2 (2013): 88-99, at 89.
12. Y. Poullet, “Is the General Data Protection Regulation the Solution?” Computer Law & Security Review 34, no. 4 (2018): 773-778, at 778.
Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108 (1981), available at <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108> (last visited November 19, 2018). In 2018, the Council of Europe adopted an amending Protocol which updates Convention 108. As with Convention 108, the amending Protocol is open to any country in the world to sign. See Council of Europe, Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (2018), available at <https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf> (last visited November 19, 2018).
15. For a more complete history, see L.A. Bygrave, Data Privacy Law: An International Perspective (Oxford: Oxford University Press, 2014), at 54-56.
16. Data Protection Directive, supra note 5, Recitals 3, 5, 7 (promoting data flow across the EU) and Recitals 2, 3, 10, 11 (emphasizing the importance of protecting data subjects’ rights).
17. GDPR, Recital 9.
18. Charter of Fundamental Rights of the European Union (2000/C 364/01), Art. 8(1) (“Everyone has the right to the protection of personal data concerning him or her.”).
19. GDPR, Recital 9. See also Y. Poullet, “EU Data Protection Policy. The Directive 95/46/EC: Ten Years After,” Computer Law & Security Review 22, no. 3 (2006): 206-217, at 206.
20. D. Townend, “The Politeness of Data Protection: Exploring a Legal Instrument to Regulate Medical Research Using Genetic Information and Bio-banking” (PhD thesis, Maastricht University, 2012), at 48.
21. Id. See also D. Beyleveld et al., eds., Implementation of the Data Protection Directive in Relation to Medical Research in Europe (Aldershot: Ashgate, 2004).
22. See e.g. J.P. Albrecht, “How the GDPR Will Change the World,” European Data Protection Law Review 2, no. 3 (2016): 287-289.
In July 2018, due to the timing of the breaches, Facebook was fined £500,000 by the UK’s Information Commissioner’s Office, which was the highest allowed under the predecessor Data Protection Act 1998. See A. Hern and D. Pegg, “Facebook Fined for Data Breaches in Cambridge Analytica Scandal,” The Guardian, July 11, 2018, available at <https://www.theguardian.com/technology/2018/jul/11/facebook-finedfor-data-breaches-in-cambridge-analytica-scandal> (last visited November 19, 2018).
31. GDPR, Art. 83(5).
32. GDPR, Art. 83(4).
33. GDPR, Art. 7(2).
34. GDPR, Art. 6(1)(a).
35. GDPR, Art. 7(3).
36. GDPR, Art. 7(4).
37. GDPR, Art. 15.
38. GDPR, Art. 17.
39. GDPR, Art. 20.
40. GDPR, Art. 21.
41. GDPR, Art. 22.
42. GDPR, Art. 3(1).
43. GDPR, Art. 3(2).
44. GDPR, Art. 27. Importantly, this obligation does not apply to data processing which 1) is occasional, 2) does not include, on a large scale, processing of special categories of data (e.g. health-related data and genetic data), and 3) is unlikely to result in a risk to the rights and freedoms of data subjects, taking into account the nature, context, scope, and purposes of the processing. The obligation also does not apply to data processing performed by a public authority or body.
45. GDPR, Art. 3(3).
46. SACHRP, supra note 3.
47. GDPR, Art. 4(1).
48. Patrick Breyer v. Bundesrepublik Deutschland, Case C-582/14 (October 19, 2016). This case involved the predecessor 1995 Data Protection Directive, but the ratio endures.
49. S. and Marper v. United Kingdom [2008] ECHR 1581, Application nos. 30562/04 and 30566/04.
50. See M. Mourby et al., “Are ‘Pseudonymised’ Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK,” Computer Law & Security Review 34, no. 2 (2018): 222-233. Mourby and colleagues argue convincingly that pseudonymized data can produce anonymous data for third parties, provided that pseudonymization is irreversible and re-identification is impossible as far as third parties are concerned.
51. 45 CFR § 164.514(b).
52. In 2014, the Article 29 Data Protection Working Party issued an Opinion that highlighted various anonymization techniques and assessed their merits. This Opinion still has resonance under the GDPR. See Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (WP216) (2014).
53. These six legal bases are: (1) consent from the data subject; (2) necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) necessary for compliance with a legal obligation to which the controller is subject; (4) necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
54. GDPR, Art. 9(2)(a)-(j). Some Member States based in the civil law tradition (e.g. Germany), however, adopt the Roman law principle that when there is a general condition and a specific condition, the specific condition replaces the general. Thus, in this case, they take the position that Article 9 is lex specialis, i.e. a specific (special) condition about the legal basis for processing that replaces the general Article 6 requirements. They see this as important in preventing the circumvention of the high barriers introduced by Article 9 — especially compared to Art. 6(1)(b) and Art. 6(1)(f) — which has no equivalent in Article 9. Other Member States, including those based on common law tradition (i.e. the UK), do not take this position and adopt the one mentioned in the main text of this article. See generally F. Molnár-Gábor, “Germany: A Fair Balance between Scientific Freedom and Data Subjects’ Rights?” Human Genetics (forthcoming).
55. E.S. Dove, “Collection and Protection of Genomic Data,” in S. Gibbon et al., eds., Routledge Handbook of Genomics, Health and Society (New York: Routledge, 2018), at 163-164.
56. SACHRP, supra note 3.
57. Declaration of Helsinki (2013), para. 32.
58. GDPR, Art. 22(2)(c). An exception to this obligation is either where the automated decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; or is authorized by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
59. These exceptions to the general rule prohibiting transfer of Europeans’ personal data to third countries are an adequacy decision pursuant to GDPR, Art. 45(3) and “appropriate safeguards” pursuant to Art. 46.
60. GDPR, Art. 49(1)(a).
61. Article 29 Working Party, Guidelines on consent under Regulation 2016/679 (WP259 rev.01) (2016), at 18-19.
62. Id., at 28.
63. Id.
64. The European Data Protection Board has replaced the Article 29 Working Party as the independent European body that contributes to the consistent application of data protection rules throughout the European Union, and that promotes cooperation between the EU’s data protection authorities. See European Data Protection Board, available at <https://edpb.europa.eu/edpb_en> (last visited November 19, 2018).
GDPR, Art. 6(1)(f). See also M.J. Taylor et al., “When Can the Child Speak for Herself? The Limits of Parental Consent in Data Protection Law for Health Research,” Medical Law Review 26, no. 3 (2018): 369-391.
GDPR, Art. 6(1)(e). The Explanatory Notes to the UK’s Data Protection Act 2018, for example, state that “a [public] university undertaking processing of personal data necessary for medical research purposes in the public interest should be able to rely on [GDPR] Article 6(1)(e) [i.e. performance of a task carried out in the public interest].” See Explanatory Notes, Data Protection Act 2018, at para. 85, available at <http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpgaen_20180012_en.pdf> (last visited November 19, 2018).
70. GDPR, Recital 41 and Art. 6(3).
71. For previous discussion of a draft version of the GDPR as well as the final version, and its implications for scientific research, see E.S. Dove, D. Townend, and B.M. Knoppers, “Data Protection and Consent to Biomedical Research: A Step Forward?” Lancet 384, no. 9946 (2014): 855; E.S. Dove, B. Thompson, and B.M. Knoppers, “A Step Forward for Data Protection and Biomedical Research,” Lancet 387, no. 10026 (2016): 1374-1375.
GDPR, Art. 45(1). See also J. Stoddart, B. Chan, and Y. Joly, “The European Union’s Adequacy Approach to Privacy and International Data Sharing in Health Research,” Journal of Law, Medicine & Ethics 44, no. 1 (2016): 143-155.
See also Health Research Authority, “GDPR Guidance,” supra note 77.
94. See GDPR Arts. 6, 8, 9, 22, 89. In the non-scientific research context, Member State derogations are also allowed in GDPR Arts. 10, 23, 36, 37, 38, 49, 58, 83, 87, 88, and 90. See generally Fazlioglu, supra note 6.
95. For a theoretically-based argument as to why guidance is important, see G. Laurie et al., “Charting Regulatory Stewardship in Health Research: Making the Invisible Visible?” Cambridge Quarterly of Healthcare Ethics 27, no. 2 (2018): 333-347.
On this point, see also E.S. Dove, “Biobanks, Data Sharing, and the Drive for a Global Privacy Governance Framework,” Journal of Law, Medicine & Ethics 43, no. 4 (2015): 675-689.