The European Data Protection Supervisor has just published an interesting paper on the research provisions in the GDPR. The whole thing is worth reading, but some things particularly caught my eye:
- Stresses (again) that research-consent is not the same as GDPR-consent, though the former may still be an “appropriate safeguard” when using a legal basis other than consent (pp18-20).
- Tries (pp9-10) to distinguish GDPR provisions on “academic expression” from those on “scientific research”. The breadth of the former should not be a way to avoid the safeguards required by the latter.
- Scratches head (pp20-21) on how to reconcile the right to information with research that requires subjects not to know what is actually being researched.
- “Requires controllers to assess honestly and manage responsibly the risks inherent in their research projects” (p2)
- Sees ethics review boards as key to that: in particular to distinguishing between public interest research (which should qualify for the various GDPR exemptions/presumptions) and “research which serves primarily private or commercial ends” (which should not). There’s a three-step test on p12, and a recommendation on p25 that Data Protection Officers should work with research ethics boards to refine both the rules and the applicable safeguards.
- Suggests (p25) EU-level Code(s) of Practice to govern research practices in different fields.
- Muses (p26) on a future right of access to large commercial datasets for research in the public interest.
Although the report concludes that “there is no evidence that the GDPR itself hampers genuine scientific research”, there is a recognition that “more time is needed to see how the special regime for data protection in the field of scientific research plays out on the ground”. As the list above indicates, several areas are identified as requiring further discussion, either within the research and data protection communities, or in wider public debate.