Data Protection and Research: A vital challenge in the era of Covid-19 Pandemic

Gianclaudio Malgieri, LSTS, Vrije Universiteit Brussel 1

Date: 2020-04-11. DOI: 10.1016/j.clsr.2020.105431

The issue of data protection in research is becoming of pivotal importance, particularly in recent months with the COVID-19 pandemic emergency. Studying the development of the outbreak in affected populations from a scientific and statistical perspective is necessary to understand the trend of contagion, the effectiveness of social distancing measures, the most vulnerable people who are the target of the virus, etc. This has posed several questions in terms of privacy and data protection. 2 Medical researchers and even data scientists might use health data of patients for secondary purposes, different from the original purpose of the mere provision of healthcare services. In addition, researchers might analyse telecom data, such as location data, 3 of patients (or just of citizens of the most affected areas) to understand their movements and the spread of the virus. 4 Also, beyond research, these data have high potential for further purposes (state surveillance of infected people, the enforcement of social distancing rules, etc.), with related high risks for the fundamental rights and freedoms of data subjects (discrimination, stigmatization, unnecessary state surveillance and the related chilling effect, profiling for manipulative purposes, etc.). 5

Accordingly, the application of privacy and data protection rules to research has received greater attention in the media and in the academic arena, although the topic seemed not to be adequately discussed in the literature so far, apart from a few relevant exceptions in the last few months. 6 This is why the need to further analyse this topic is even more pressing today.
1 The deputy editor is extremely grateful to the authors and the secret reviewers for their invaluable efforts. This special issue is open access and funded by the EU Commission, H2020 SWAFS Programme, PANELFIT Project, research grant number 788039.
2 Kelly Servick, 'Cellphone Tracking Could Help Stem the Spread of Coronavirus. Is Privacy the Price?' Science AAAS (22 March 2020) accessed 1 April 2020; Janosch Delcker, 'POLITICO AI: Decoded: Artificial Intelligence in the Age of a Pandemic - Germany's Data Donation Experiment - A White Knight from Beijing?' (POLITICO, 25 March 2020) accessed 1 April 2020.
3 Actually, new efforts of researchers are focussing on data minimization techniques that would avoid the use of location data to track possible contagion. See

This special issue of Computer Law and Security Review has this goal: investigating the rules, potential and open issues of data processing for research purposes. The entry into force of the GDPR has given much more relevance to the issue of data protection in the field of research. The notion of research is now explicitly mentioned as an exception to the prohibition of processing of special categories of personal data (Article 9(j)), but also as an exception to the purpose limitation principle (Article 5(1)(b)), to the storage limitation principle (Article 5(1)(e)) and as a possible derogation from some rights (right to access, rectification, restriction and objection). These exceptions, however, are counterbalanced by a specific article about safeguards to be adopted in case of research purposes (Article 89). As the preamble also reveals, the GDPR recognises and encourages the development of scientific research 7 (and this is why it provides specific exemptions to the general limits of data protection principles and rights), but with alternative suitable measures that need to be respected.
Such measures may include specific transparency safeguards, simplified exercise of data protection rights, security measures and an attentive analysis of the impact of research on data subjects. In other words, one of the most relevant principles that researchers should take into account is accountability (see Ben Wagner in this special issue). Notions like data protection by design and DPIA thus become central. In general terms, we can affirm that there is a sui generis protection for the processing of personal data for research purposes. 8

However, many issues are still unsolved, e.g.: how can we delimit the notion of "research" while avoiding abuses of this term as a legal ground for data processing? How can we adequately protect research subjects, in particular the vulnerable data subjects? Should we consider consent an adequate legal basis for processing data for research purposes or, on the contrary, is it highly unlikely that research subjects (including the vulnerable ones) can give a really "free" and unbiased consent? How could we enhance transparency in practice? What is the role of the accountability principle (including DPIA) when dealing with data processing in research, and how should this principle interact with the principle of "ethics in research"? This special issue of CLSR will try to engage in discussions on these fundamental research questions.

The definition of research is vague and broad in the GDPR since, as recital 159 explains, it should also include "technological development and demonstration, fundamental research, applied research" and even "privately funded research". This might pose several interpretational issues, including, e.g., defining the borderline between marketing studies and private research; or between academic expression and scientific research; 9 or between medical treatment and health research, which is a timely problem in the age of the coronavirus pandemic.
Interestingly, the EDPS has tried to further delimit the notion of research to cases with the aim of growing society's collective knowledge and wellbeing, as opposed to serving primarily one or several private interests. 10 But this notion still seems relative and open to discussion and interpretation (see Rossana Ducato in this special issue).

7 See, e.g., the tone of recital 159.
8 European Data Protection Supervisor (n 5) 21 referring to the 'special regime' for scientific research in the data protection framework.
9 ibid 9-10.
10 ibid 13.

Another issue is what the exact relationship between law and ethics in research is (in particular in the case of Coronavirus-related research) 11 : recital 33 argues that the provision of consent should also be allowed in the case of undefined purposes, but only when "recognised ethical standards for scientific research" are respected. Interestingly, this is the only reference to ethics in the GDPR, 12 despite the broad discussion about data ethics in the European literature. 13

Consent and purpose limitation are indeed two key issues that are largely addressed in this special issue, in particular in some critical areas of research, like genomic research (see Dara Hallinan in this special issue). The EDPB has already been very critical of the large use of consent in data processing for research purposes, in particular in the case of medical trials. 14 Research subjects are often in a situation of power asymmetry (patients, employees, asylum seekers, etc.) that generates decisional vulnerability. 15 Such vulnerability does not allow them to give a really free consent according to Article 7 GDPR. This is in line with a large part of the legal literature in the field of data protection that recommends limiting the use of "consent" as a legal basis due to its fallacy and the difficulty of reaching a really informed and free consent.
16 However, the EDPS seems to generally accept the use of consent in the research field, although under some specific conditions. 17

There are at least two problems with using alternative legal bases. First, while private universities or research entities can use "legitimate interests" (Article 6(f)), public universities or research centres would be forced to use "public interests" (Article 6(e)) 18 : this might create unreasonable disparities between different entities that should, however, respect similar rules and ethical standards (e.g., private entities would be required to do the balancing test, while the public ones would not; in case data subjects object to the data processing according to Article 21, public entities could profit from the exemption at Article 21(6), 19 while private entities cannot). Second, in the case of processing of special categories of personal data, the only legal basis alternative to consent might be the necessity for scientific research purposes (Article 9(2)(j)), but that legal basis is conditional on the approval of a "Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific" safeguards. As the EDPS argued, many Member States have not yet approved these laws. 20 Accordingly, researchers might not be able to use that exemption and would be required to ask for explicit consent (Article 9(2)(a)), even though it might be inappropriate in the case of a power imbalance between researchers and subjects.

Actually, in the age of the COVID-19 pandemic, most Member States have already approved emergency pieces of legislation that also include the processing of special categories of data for research purposes. 21 However, as the EDPB has also clarified, this legislation should be strictly limited to the duration of the emergency at hand and prove the necessity and proportionality of the derogatory provisions.
22 The issue of necessity and proportionality is also a key issue in the interpretation of DPIA (Article 35(3)(b)). 23

Another relevant problem in data processing for research purposes, especially in the age of the pandemic, is purpose limitation. As we affirmed above, the risks (e.g. for data of people who tested positive for COVID-19) of secondary purposes with significantly adverse effects on individuals (and on democracy in general) might be relevant. The principle of purpose limitation in research might be limited, but relevant safeguards (Article 89) should be implemented: e.g., pseudonymization, transparency and personalized safeguards for vulnerable individuals (see Denise Amram in this special issue). Each of these points, however, might be problematic.

As regards pseudonymised data in research, some commentators have posed interpretational issues in case the data are acquired without the identifiers from a research entity which has pseudonymised the data: can these de-identified data be considered anonymous for those who acquire them? 24

Regarding transparency duties, more discussion is needed on particular personalised information and legibility requirements in the case of research (see Arianna Rossi and Gabriele Lenzini in this special issue): there might be "secondary" data subjects (e.g. relatives of the genomic research subject) who are not informed, 25 or there might be covert research where disclosing information might be detrimental to the success of the research (but the GDPR cannot help, since there are no exemptions for data collected directly from the subjects, Article 13), 26 or there might be particularly cognitively vulnerable subjects who would not understand standard information.
research (and the related literature on research ethics 27 ) might be an opportunity to finally address this issue, which also WP29 touched upon (without clear explanation) in several parts

This special issue is not aimed at offering clear answers, but clear problematizations of open issues. The aim is to open a vivid discussion with scholars, policymakers, institutions and stakeholders in order to balance two fundamental values of our society, which are also strongly related: cultural and scientific growth and fundamental rights and freedoms.

See the role of ethical checks in this ICT research project adopted by the NHS in the UK: Hannah Devlin Science, 'NHS Developing App to Trace Close Contacts of Coronavirus Carriers' The Guardian
The only other indirect reference is: "breach of ethics for regulated professions" at Article
Gry Hasselbalch and Pernille Tranberg, Data Ethics: The New Competitive Advantage
Expert Group on Artificial Intelligence of the European Commission, 'Ethics Guidelines for Trustworthy AI
European Data Protection Board, 'Opinion 3/2019 Concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)
'Does the New EU Regulation on Clinical Trials Adequately Protect Vulnerable Research Participants?' (2015) 119 Health Policy
'Forgetting about Consent. Why the Focus Should Be on "Suitable Safeguards" in Data Protection Law' in Serge Gutwirth
'The Crisis of Consent: How Stronger Legal Protection May Lead to Weaker Consent in Data Protection
Or Do I? A Rights-Based Analysis of the Law on Children's Consent in the Digital World
'Turning Privacy Inside Out' (2019) 20 Theoretical
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her
Dariusz Kloza and others, 'Towards a Method for Data Protection Impact Assessment: Making Sense of GDPR Requirements' 6
Miranda Mourby and others, 'Are "Pseudonymised" Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK'
2012) 105; See also, on the topic of the use of data of deceased subjects to profile living relatives Gianclaudio Malgieri, 'R.I.P.: Rest in Privacy or Rest in (Quasi-)Property? Personal Data Protection of Deceased Data Subjects between Theoretical Scenarios and National Solutions
European Data Protection Supervisor (n 5) 21.
Protecting the Vulnerable: A Reanalysis of Our Social Responsibilities
'Vulnerability: Too Vague and Too Broad? Cambridge quarterly of healthcare ethics: CQ: the international journal of healthcare ethics committees 113
'Elucidating the Concept of Vulnerability: Layers Not Labels
Article 29 Working Party, Guidelines on DPIA, WP248, adopted on
WP 203, 32; Article 29 Working Party, Guidelines on Transparency under Regulation 2016/679" clarifying requirements of the EU GDPR, WP 260, 9; Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation