In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to “citizen scientist”-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data for research purposes, including by these non-traditional researchers.