12 August 2013
European data protection and privacy law is in a state of flux as its governing legislation is in the process of being amended to create a unified regime for data protection across Europe.
In January 2012, the European Commission issued a draft Data Protection Regulation to replace the existing Data Protection Directive 95/46/EC and the legislation needed to implement it in each Member State. While the Directive allows countries within the EU a degree of flexibility as to how it is incorporated into each national legal framework, the Regulation would have direct effect in all EU Member States without each country having to introduce national legislation to implement it. The move from Directive to Regulation will ensure a single set of rules on data protection across Europe, while at the same time allowing them to be adapted more easily.
The main purpose of the original proposed draft of the Regulation is to strengthen people's rights, but it also contains several changes that will have an impact on medical research and will force changes in practice. On 10 January 2013, the rapporteur to the EU Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), Jan Philipp Albrecht, presented a draft report on the EU's proposed data protection Regulation, the so-called 'Albrecht's Draft Report'. The Albrecht amendment to the proposed Data Protection Regulation has a number of implications.
For research participants, significant changes in terms of consent, the right to be forgotten, and the removal of the public interest exemptions that currently exist will have significant implications for the way medical research is carried out. Data concerning health can only be processed for research with the consent of the participant (amendments 27, 327 and 334-336). This means that consent would almost always be required for medical research as the legal basis for the processing of personal data. Consent should be 'specific, informed and explicit'. For example, under amendment 19, 'the use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent' (1).
In the light of the amended proposals it is not clear whether broad consent would continue to be lawful. Also, the current exemptions that exist for research will no longer apply. It will no longer be possible to keep data indefinitely, or to use it for secondary research purposes without consent, as is possible under current UK law. This could jeopardise the way current observational research is carried out and areas such as epidemiology.
Article 17 of the draft Regulation contains the right of a data subject to be forgotten. This gives research participants the right to demand that data about them be deleted if there are no legitimate grounds for it to be retained. This shifts the onus onto the person using the data to justify why data should be kept, rather than the person who provided it having to prove why the data should be deleted. This provision has generated a lot of publicity, even though this right appears to be a simple extension of Article 12 of the existing Data Protection Directive (the right to have data erased). Under the Regulation, the data controller only has to notify any third parties that the research participant has requested the information be deleted, rather than having to ensure that it is erased (as written in the previous draft Regulation).
While the proposed regulations are prescriptive in some areas, they also allow Member States some freedoms. One of these is under the new Article 81, para. 2 (a), where 'Member States law may provide for exceptions to the requirement of consent for research'. These exemptions were also within the Directive itself; in the Regulation, however, they are now seen as something that can only be used in exceptional circumstances. To use these exemptions, Member States must be able to establish that the research serves an 'exceptionally high public interest' which must be authorised by a competent supervisory authority (amendments 328 and 337). This rule gives Member States the possibility to use this exception (States 'may' provide), meaning that they do not have to introduce a research exception. This will keep the current status quo where international consortia have to conform to different requirements in each Member State. Such a situation would be in contrast with one of the main objectives of the European Union to create a 'single market for knowledge, research and innovation'.
There are a number of issues that relate to medical research which are not adequately addressed by the amendments. It is not clear whether pseudonymised data are intended to be included in the scope of the Regulation. While genetic information is included as personal information, the Regulation does not cover the case where a data subject has died, and the possibility that their DNA will still reveal information about their living relatives.
In general, the draft Regulation is considered by some to be over-prescriptive in some areas, and therefore may be difficult to apply. Whilst favouring the individual person, certain articles can be limited to protect the public interest (Article 21). There are also some areas which still need to be refined and clarified. The consultations between the European Parliament and the European Commission are still ongoing, and the European Parliament's Legal Affairs Committee released its opinion on 19 March 2013. This opinion will be forwarded to the responsible Civil Liberties (LIBE) Committee for consideration alongside the submitted amendments, prior to the Parliament's next plenary vote, which is expected to be in early 2014.