key: cord-0822752-6fmt13mf authors: Mantovani, Eugenio; Böröcz, István; de Hert, Paul title: Conducting research with school children and data in line with “ethical principles” lawyers at work in the ethics management of the H2020 mathisis project date: 2020-09-30 journal: Computer Law & Security Review DOI: 10.1016/j.clsr.2020.105451 sha: 1c77ca1c2b96b846b1a82100ac0d52c1f52801fb doc_id: 822752 cord_uid: 6fmt13mf Abstract Recent advancements in human-computer interaction, machine learning and in artificial intelligence hold the potential to influence both the curriculum and the pedagogy of school children. While the impacts of new technologies remain uncertain, ongoing research and innovation projects are already developing and testing such technologies in schools. This article builds on the experience of the authors as advisors for a Horizon 2020 (H2020) project conducting research with schoolchildren in twenty schools across the United Kingdom, Italy and Spain (the project MaTHiSiS). This contribution presents and discusses how the authors lived up to the obligation of conducting research in line with “ethical principles”. In the 21st century information technology finds its way to affect most aspects of life, including in the field of education. Recent advancements in human-computer interaction, machine learning and, more recently, in artificial intelligence hold the promise to influence both the curriculum and the pedagogy room; 3 embedded sensors and cameras capture the interactions between learners and machine, turn them into machinereadable data which computer scientists process "to train" an affective computing algorithm. 4 As expected outcome, the trained algorithm will adapt the learning offer to the affective state of the learner, increasing or lowering the difficulty of an exercise according to the learner state of boredom, arousal, attention, etc. In order to train the algorithm and attain the research's expected outcome, projects like MaTHiSiS organise use cases or pilots, at schools, and involving the participation of school children and the processing of their personal data. Reportedly, conducting this type of research in schools has a double effect. On one hand, researchers are overwhelmed by the enthusiasm, curiosity and amusement of young learners interacting with technologies, e.g., robots, and with the "circus" of cables, screens, and technicians swinging in and out; on the other hand, researchers are equally overwhelmed by the pointed concerns and risks that conducting this kind of research with school children entails. Consider a few: the interference with normal school life and school calendar; the stress or discomfort of teachers; the variety of emotional situations in which children are, parents happy, parents fighting, no parents; the unpredictability of their reactions; the protection of data, in particular images; parents' concern over paedophilia and more in general about what information about their kids is shared and with whom. Researchers are questioned by teachers and parents about the impact of continuous exposure of monitors on children's brain, 5 on the attention span, 6 3 MaTHiSiS is a research and innovation project, funded by the European Commission under the Horizon 2020 framework programme(grant agreement no 687772), aiming to create a novel educational framework enabling the coupling of new technologies with formal, in-formal and non-formal education. See http:// mathisis-project.eu/ Other projects pursuing similar purposes are COSPATIAL [FP7- ICT-231266] , ProsocialLearn [H2020-ICT 644204] or EU4ALL (IST-034778) 4 Affective computing is an area of study within cognitive computing and artificial intelligence which assigns computers the human-like capabilities of observation, interpretation and generation of affect features. About the importance and effects of affect in student learning read more at: Richard J. Davidson, Daren C. Jackson, and Ned H. Kalin. 2000 . "Emotion, Plasticity, Context and Regulation: Perspectives from Affective Neuroscience." Psychological Bulletin 126, 890-906. http://dx.doi.org/10.1037/0033-2909.126.6. 890 or Elizabeth A. Linnenbrink. 2007 . "The role of affect in student learning: a multi-dimensional approach to considering the interaction of affect, motivation and engagement." In Paul A. Schutz and Reinhard Pekrun, eds. 2007. Emotion in Education , (pp107-124) . Academic Press. https://doi.org/10.1016/B978-012372545-5/ 50008-3 5 Nicholas Carr. 2010 . The Shallows: How the Internet is Changing the Way We Think, Read and Remember. US: Atlantic Books 6 Burbules Nicholas. 2018 . Watch IT -The Risks And Promises Of Information Technologies For Education. New York, Routledge; Haya Shamir et al. 2018 . "Technology in early education: longterm effects" In Jiri Vopava et.al. eds. 2018 . Proceedings of MAC 2018 Rafal Wajszczyk. 2014 . "A study of the impact of technology in early education" available at: http://www.diva-portal.org/smash/get/diva2:737018/ FULLTEXT01.pdf ; Kevin Higgins and Shawna BuShell. 2018 . "The effects on the student-teacher relationship in a one-to-one technology classroom". Education and Information Technologies 23: 1069. https://doi.org/10.1007/s10639-017-9648-4 on the development of internally controlled sense of right and wrong. 7 This article tackles only a limited set of these concerns and from a peculiar perspective. The focus of this article is about the setting up of the research environment and about the compliance of the research activities with the "ethical principles" of the European Union Horizon (2020) -Framework Programme for Research and Innovation (2014-2020) ; 8 in the context of public schools across three different European Union (EU) countries (England, Italy, Spain); and involving children and the processing of their personal data. As Max Craglia synopsises, "[ l ]arge datasets are needed for training the systems, and the student behaviour needs to be actively monitored to provide feedback for personalised learning. This creates technical needs to monitor students unobtrusively, for example using video processing and remote eye-tracking, with associated ethical and regulatory challenges." 9 The adopted viewpoint, addressing primarily an audience of researchers interested in or working in H2020-funded projects, is that of the "ethics management" of use cases or pilots. Our contribution is structured as follows. A first section examines the obligation of researchers to conduct Horizon 2020 research in line with "ethical principles" ( Section 1 ). This introductory section announces what is perhaps unexpected, that the ethics management of research projects appears primarily a legal management of norms to be found in national and European legislation. A next section describes the legal framework conditions that a researcher wishing to conduct research in schools established in England, Italy, and Spain (where the salient project MaTHiSiS organised pilots) must take into consideration ( Section 2 ). As the quote from Craglia indicates, in projects like MaTHiSiS, the learner's behaviour is actively monitored to create large datasets and train the technology system. A third section broaches the legal framework and the implementation of personal data protection law ( Section 3 ). The conclusion summarises the findings and conveys the main messages of the article ( Section 4 ). 10 Article 19 of the Horizon (2020) Regulation states that any research and innovation project has to comply with 7 Anna-Lisa Vollmer, Robin Read, Dries Trippas, and Tony Belpaeme. 2018 ."Children conform, adults resist: A robot group induced peer pressure on normative social conformity ." Science Robotics , 2018; 3 (21) . This research indicates that while adults resist being influenced by robots, children instead seemingly yield more easily to the social pressure exerted by robots. 8 Regulation (EU) No 1291/2013 of the European Parliament and of the Council of 11 December 2013 establishing Horizon 2020 -the Framework Programme for Research and Innovation (2014 ) and repealing Decision No 1982 /2006 /EC Text with EEA relevance OJ L 347, 20.12.2013 9 Max Craglia ed. 2018 . Artificial Intelligence. A European Perspective . European Commission, Joint Research Centre, TP262. p. 71 10 During the editing process, the authors have become aware of the consequences of COVID-19 pandemic for research. The article does not reflect this change in circumstances. "ethical principles and relevant national, Union and international legislation, including the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights and its Supplementary Protocols." 11 This provision also stipulates that "particular attention" shall be paid to "the principle of proportionality, the right to privacy, the right to the protection of personal data, the right to the physical and mental integrity of a person, the right to nondiscrimination and the need to ensure high levels of human health protection." 12 Another source, the Regulation establishing the Horizon (2020) Rules for Participation, provides more succinctly a similar indication stating, in article 14, that "ethics reviews […] shall verify the respect of ethical principles and legislation". 13 An alike dictum is integrated in the Horizon (2020) General Model Grant Agreement, the pre-filled template contract that formalises the agreement between funding agency and research consortia: article 34(1) binds beneficiary parties to "carry out the action in compliance with: a. ethical principles (including the highest standards of research integrity (as set out, for instance, in the European Code of Conduct for Research Integrity)) and b. applicable international, EU and national law". 14 To ensure that researchers take into consideration art.19 "Ethical principles" in their work, the EU has developed a system of controls that include an ethics selfassessment, carried out by the applicants during the proposalwriting stage; 15 an ethics screening performed by external experts invited by the funding agency, at the time of grant preparation; regular ethics checks during the life span of the project. On these revisions, researchers are expected to concoct, defend, demonstrate, and eventually document a robust plan to and "what has been done" to "manage" the research activities in line with "ethical principles." Whilst mentions of "ethics" abounds, 16 there apparently is a lot of law in the ethics management. The aforementioned ar-11 Article 19. Ethical Principles., Regulation (EU) No 1291/2013 of the European Parliament and of the Council of 11 December 2013 establishing Horizon 2020 -the Framework Programme for Research and Innovation (2014 ) and repealing Decision No 1982 /2006 /EC Text with EEA relevance OJ L 347, 20.12.2013 ticle 34 (Ethical Principles) of the Horizon 2020 General Model Grant Agreement refers to domestic, European and international legislation, as well as to rights, right to privacy, right to data protection, right to the physical and mental integrity, right to non-discrimination, and legal notions such as proportionality; while offering not one example of ethical principles. 17 Accordingly, "ethics management" seems to be characterizable more as legal management, inviting first and foremost to build and maintain a stable platform, whose building blocks are termed awareness, control, and ultimately, compliance. Engaging school children as research participants in England, Italy, and Spain As article 165 of Treaty of the Functioning of the European Union (TFEU) recognises, the organisation of education systems falls squarely within national competences. 18 Schooling systems are part of and reflect a country's cultural and political make-up just as, equally, a country's cultural and political make-up is, also, or in part, defined by its schooling system. Accordingly, the institution of a research sites, pilots or use cases in schools must be done in line with local conditions and procedures. The following paragraphs describes three main conditions and procedures that ought to be respected in England, Italy, and Spain. These are found in the legal norms dealing with the decision of the school to participate in a research project, the space of parental consent, and the role of authorities, such as research ethics committees. In addition, it is important for researchers to verify whether national law recognises special schools for learners with special needs. This possibility is critical for projects such as MaTHiSiS that primarily aim to develop solutions for students with disabilities. 19 A very important concern and requirement of computer scientists wanting to train an algorithm is collecting accurate data, in particular data-image. 20 At the time of data acquisition, the best way to do so in a class full of swirling children is to separate temporarily a child from the group, seat him in front of a pc or a robot (the "agent"), a mirror, and assign an exercise and records his or her interactions individually. But this possibility -to separate children in order to acquire accurate data-images, children with special needs -depends on 17 This does not mean that ethical issues or problems are less important. See for example the call for proposals for MaTHiSiS : https://ec.europa.eu/research/participants/portal/desktop/en/ opportunities/h2020/topics/ict-20-2015.html 18 Article 165 TFEU: "The Union shall contribute to the development of quality education by encouraging cooperation between Member States and, if necessary, by supporting and supplementing their action, while fully respecting the responsibility of the Member States for the content of teaching and the organisation of education systems and their cultural and linguistic diversity." 19 The project organised pilots at schools across three EU Member States (United Kingdom, Italy, and Spain), involving children below the age of 16, including learners with profound and multiple learning disabilities (PMLD), Asperger's syndrome, and autism. Overall, twenty schools, sixty teachers and around hundread and forty students participated. 20 See Max Caglia, op.cit., above . whether national systems recognise special schools and/or distinct classes for learners with special needs. Only if they do, it will possible for researchers to conduct research with students with special needs individually. In a typical situation taking place on English soil, the beneficiary research organisation will have contacted the local authority, identified a suitable school, and confirmed the resolve of the school to be "research site". 21 The diligent researcher will have already, in cooperation with head teacher, defined a research protocol. With the head teacher joining as co-applicant, the researcher will have by now submitted an application to the ethics committee of the affiliated research centre. In England and in the United Kingdom in general, any research that involves human participants must be authorised by an ethical committee. 22 Research organisations, such as universities, that process personal data for research purposes as part of their statutory activities, are expected to have a Research Ethics Committee (REC) instituted at their premises, with clearly defined responsibilities, procedures and documentation systems. 23 The importance of RECs cannot be overstated as they often have the ultimate say in deciding whether a research involving humans can go on, is approved or not. 24 Arguably for this reason, the responsibilities and procedures of RECs are regulated by the National Health Research Authority, for medical researches, and by the Economic and Social Research Council (ESRC), which set the guidelines for research having a non -medical purpose. 25 As the ESRC guidelines provide, RECs have the responsibility and the competence to assess not only the recruitment of human beings but also the processing of personal data of research participants. 21 The United Kingdom's education system has a number of regional differences, with separate legislation for England, Northern Ireland, Scotland and Wales. In England, the Children and Families Act 2014 endows local authorities (LAs) with specific duties, including the duty to ensure education opportunities to children from their areas. LAs are accordingly the first contact point for researcher wishing to introduce a research involving school children. See Jenny Ozga. 2002 25 Economic and Social Research Council, Governance arrangements for research ethics committees, available at: https: //esrc.ukri.org/funding/guidance-for-applicants/research-ethics/ governance-arrangements-for-research-ethics-committees/ Accordingly, research applications contain two sections: one section in which the applicants explain nature, scope, duration, means, risks, safeguards, contingency plans, safeguarding principles, legal basis for involving school children in the research project; another section where the aspirants answer to a series of questions designed to verify whether the processing activities are in compliance with the UK Data Protection Act. The legal basis for the participation of school children in research projects is informed consent. The legal framework concerning the consent of school children includes sources of common law, legislation, 26 and codes of practice. 27 In practice, any research project involving the participation of school children aged below 16 must obtain the explicit consent of parents or persons holding parental responsibility. Ethics research committees require from researcher to administer to parents concise, but sufficient and clear information about the research, as to enable them to make an informed decision about the participation of their children. 28 On account of Gillick doctrine, furthermore, researchers are required to explain the purpose of the research to children, for instance using pictograms or other techniques, with a view of obtaining their assent. 29 As for the legal recognition of special schools for learners with special needs, in England, if a child has special educational needs and a mainstream education is not appropriate, he or she will be offered to attend a special school or to attend a separate class within the same school. 30 For researchers, this means the possibility to target special schools and can also, if 26 Legislative interventions have introduced age limits in specific sectors, including in the field of education. For instance, Section 8(2) of the Education Act 1996 on compulsory school age (following his or her 5th birthday until they reach the age of 16, when they can leave school if they want), on employment of children or young persons, (section 558, "any person who is not over compulsory school age shall be deemed to be a child within the meaning of that enactment"). The Information Act 2018 introduces an age limit for accessing and using information society services, see discussion below in section 3 . The Mental Capacity Act 2005 (and respectively its Code of Practice) should also be mentioned. According to article 2 para 3) (a) "a lack of capacity cannot be established merely by reference to a person's age or appearance…" 27 [1986] AC 112. In English common law, the House of Lords laid down a test which is now known as Gillick competence for determining whether a child is competent to make decisions, about medical treatment. Outside the medical field, the Gillick stare decisis recommends an individual case by case assessment of the individual capacity to understand the specific circumstances and details of the research being proposed. See David Hunter and Barbara K. Pierscionek. 2007 . "Children, Gillick competency and consent for involvement in research" Journal of Medical Ethics 33.11 659-662. 30 Children and Families Act 2014 (c. 6), Part 3, Children and young people in England with special educational needs or dis-need be, separate special needs from mainstream learners, if they are together in the same class. In Italy, this would not be legal. In Italy, the decision to participate in research projects pertains to the "organizational and didactic autonomy" of schools, recognised in the country's Constitution and in legislation. 31 School autonomy means, on one hand, the existence of formal decision-making procedures to perform tasks vested in each school status of public authority; on the other, school autonomy means that the school decides to participate in research activities without external evaluation, for instance from ethics committees. On account of the first dimension of autonomy, researchers wishing to conduct study with school children must submit a research protocol to the school director or principal. After an internal process of deliberation, 32 the principal takes the final decision and assumes responsibility for hosting the pilots. 33 By virtue of the second dimension of school autonomy, i.e. freedom from third parties, with the exception of medical research, there is no obligation for researchers to appoint an ethical committee; 34 in addition, the abilities. http://www.legislation.gov.uk/ukpga/2014/6/pdfs/ukpga _ 20140006 _ en.pdf See also the statutory guidance provided by Department for Education and Department of Health and Social Care . SEND code of practice: 0 to 25 years. Guidance on the special educational needs and disability (SEND) system for children and young people aged 0 to 25, from 1 September 2014. https://www.gov.uk/ government/publications/send-code-of-practice-0-to-25 31 The Italian Constitution recognises school autonomy constitutional status in Article 117. c. 3: l' "autonomia delle istituzioni scolastiche ". See also Decreto Legislativo 16 aprile 1994 , n. 297 ("Testo Unico delle disposizioni legislative in materia di istruzione"), article 276 and 277; Law n. No. 59/1997 on the functioning public administration, which includes schools, article 21, paragraph 7 and paragraph 10. DPR n.275/1999. Regolamento recante norme in materia di autonomia delle istituzioni scolastiche,article 6 (Autonomia di ricerca, sperimentazione e sviluppo). 32 The research protocol should be submitted before the school develops its annual educational and training plan ("piano di offerta formativa" (POF)). The 'piano' is prepared annually and "determines the cultural and planning identity of educational institutions and the curricular, extra-curricular, educational and organizational projects that each school adopts within the limits of its autonomy". POFs are regulated according to Law n. 59/1997, mentioned earlier. 33 In a typical situation, the principal of the school will introduce the project and the pilots to the "collegio dei docenti" (assembly of teachers) for approval; the collegio dei docenti presents the project and the plan of pilots to the "consiglio di interclasse" (for primary schools, or scuole elementari), or "di classe" (secondary education), where the parents of the students are represented. In case children with particular needs are involved, the school informs also the "gruppo handicap di lavoro" (GHL or GHLO). 34 The translations in this contribution are done by the authors. Art. 276, Decreto Legislativo 16 aprile 1994, n. 297, aka "Testo Unico delle disposizioni legislative in materia di istruzione" "1. La sperimentazione nelle scuole di ogni ordine e grado è espressione dell'autonomia didattica dei docenti e può esplicarsi: a) come ricerca e realizzazione di innovazioni sul piano metodologico-school takes its decision without asking the consent of parents, save for exceptional cases, namely the research has a medical purpose or the research involves the processing of data images (as in MaTHiSiS case, see below section on data protection). 35 Researchers wishing to conduct research with school children in Italy are under the obligation to inform them, via the school channels, about the aims and methods of the research and offer them opportunity to ask questions; but save for the aforementioned case of processing images, and granted that the purpose of the project is not medical, parents or the legal representatives have no legal basis to interfere with the decisions of the school regarding participation in research projects. 36 Arguably the most distinctive characteristic of the Italian system affecting research is this country's legislation on learners with special needs. Starting from 1977, Italy abolished special schools and enforced a general prohibition to separate mainstream children from special needs children. 37 The right to education of persons with disabilities is and must be guaranteed in the ordinary ("comuni", in the original Italian version) classes of schooling institutions at all levels and also at universities. 38 As there cannot be special schools, there cannot be special classes, or even dedicated registries listing didattico; b) come ricerca e realizzazione di innovazioni degli ordinamenti e delle strutture esistenti. ("1. Experimentation in schools of all levels is an expression of the didactic autonomy of teachers and can be realised: a) as research and implementation of methodological-didactic innovations; b) as research on and innovation of existing systems [ordinamenti] and structures [strutture]"). 35 Article 3 Law DPR n.275/1999 , Regolamento recante norme in materia di autonomia delle istituzioni scolastiche, ai sensi dell'art. 21 della L. 15 marzo 1997, n. 59, which implements Law 59/1997 . Article 6 (Autonomia di ricerca, sperimentazione e sviluppo) states that "Educational institutions, individually or associated with each other, exercise their autonomy in research ("esercitano l'autonomia di ricerca"), experimentation and development, taking into account the cultural, social and economic local realities and addressing, among others: [...] educational research on the different opportunities of information and communication technologies and their integration in the educational process." 36 Parents who want to object to the participation of their child in the study must present a reasoned objection to the school principal. 37 Legge 118 del 30 marzo 1971 "concernente provvidenze a favore dei mutilati ed invalidi civili", article 28; Legge 4 agosto 1977 "Norme sulla valutazione degli alunni e sull'abolizione degli esami di riparazione nonché altre norme di modifica dell'ordinamento scolastico", n. 517 , article 2(2) and 7(2) which grant all children the right to be educated in common classes. Legge quadro 104/92 " per l'assistenza, l'integrazione sociale e i diritti delle persone diversamente abili", Article 12 (2):"E' garantito il diritto all'educazione e all'istruzione della persona handicappata nelle sezioni di scuola materna, nelle classi comuni delle istituzioni scolastiche di ogni ordine e grado e nelle istituzioni universitarie." ("The right to education of persons with disabilities at the nursery school, in the ordinary classes of schooling institutions of all levels and at university level, is guaranteed." Our translation) For a commentary see Canevaro, Andrea , ed. L'integrazione scolastica degli alunni con disabilità. Trent'anni di inclusione nella scuola italiana . Edizioni Erickson, 2007. 38 Article 12 (2), Legge quadro 104/92 op.cit. school children with special needs. 39 Unlike in England (and in Spain, see below) children with special needs seat in ordinary classes with other ordinary students, if necessary, assisted by a "special" tutor sitting in the class. 40 This long-established obligation not to separate limits the possibilities available to researchers in this country. In instances where one-to-one researcher-research participant interaction is the best option for research, as in the above mentioned "data acquisition" phase, it is illegal to take children to a separate room or aside and temporarily "observe" them individually. The school and teachers are responsible and can be held liable for violations, even if this separation is necessary, even if only temporarily. Similarly to Italy, Spanish law recognises the pedagogic, organisational and management autonomy of public schools. 41 According to article 120 of the Ley Organica 8/2013 para la mejora de la calidad educative (LOMCE) "the centers, in the exercise of their autonomy, can adopt experimentations, work plans, forms of organization […] . 42 As part of this planning, regional laws recognize the autonomy of schools to "plan projects". 43 Similarly to Italy, the school takes the decision regarding the participation of children in research. There is no obligation to consult an ethics committee or authority. Similarly, in principle, the researcher and the school must inform parents and legal representatives but are not requested to obtain parental consent. However, the law specifies that schools 39 Specific condition or disability is indicated by a number. See Law 170/2010 "Nuove norme in materia di disturbi specifici di apprendimento in ambito scolastico" recognises only dyslexia, dysgraphia, dysorthographia and dyscalculia as specific learning disorders (SLD). A code is assigned for pupils assisted by the local health care unit, to try to separate identity from condition or disability. 40 Foreseen in article 13 Law 1992 , n. 104, Legge Quadro per l'assistenza, l'integrazione sociale e (Pubblicata in G. U. 17 febbraio 1992, n. 39, S.O.) 41 Arguably the reason for this similarity may be in Spain and Italy sharing a recent past of dictatorship. Both under the Franco and Mussolini (1922 Mussolini ( -1943 regimes, schools, school programmes, curricula, pedagogy, were under the heavy and continuous control of the ruling fascist political party. On Spain, read Consuelo Flecha García. 2011 "Education in Spain: Close-up of Its History in the 20th Century". Analytical Reports in International Education Vol. 4. No. 1 17-42. On Italy, see Juri Meda. 2006 . "La politica quotidiana. L'utilizzo propagandistico del diario scolastico nella scuola fascista." History of Education and Children's Literature 1.1 1000-1027, who illustrates how the to demonstrate how the fascist regime manipulated the use of the school diary, considered until then substantially exempt from ideological implications. 42 Ley Orgánica 8/2013 , de 9 de diciembre, para la mejora de la calidad educativa. 43 For the Community of Castilla y León, where pilots took place, article 23, paragraph 4, of Orden Edu/1075/2016 , de 19 de diciembre, por la que se regulan los proyectos de autonomía en centros docentes sostenidos con fondos públicos de la Comunidad de Castilla y León que imparten educación primaria, secundaria obligatoria y bachillerato, available at: http://bocyl.jcyl.es/boletines/2016/12/22/ pdf/BOCYL-D -22122016-4.pdf must inform the legal representatives of learners, who can decide to opt out. 44 As in Italy, consent is required in case of medical research and if special categories of data, notably images, are processed (read more in the data protection section). The position of the Spanish law vis-à-vis learners with special needs shares similarities with the English system. Spanish law requires public schools to make every effort to educate special-needs children within mainstream schools; however, the law also recognises and organises public special schools, if the child's mainstream school is unable to provide the education required. 45 The implication for research is the possibility to involve special needs classes and to separate learners with special needs for a short lapse of time. This course of action would not attract any retribution to schools and teachers, as it would do in Italy. The previous section has described the framework conditions that a researcher needs to take into consideration in order to gain access to schools in different European jurisdictions. Let us now draw the mind to the conditions for processing the personal data of school children/research participants. The legal framework is sourced primarily in EU law. Until 25 May 2018 personal data were processed in H2020 research and innovation projects in accordance with the 95/46/EC Data Protection Directive (the Directive). 46 As of 25 May 2018, the GDPR has repealed the Directive becoming the centrepiece of data protection law in the countries of the EU. National laws can and do provide derogations. We will see that national derogations from the GDPR in this field are dictated by the need to remain coherent with the legislative norms regulating schools' life in general and participation of school children in research in particular. For research purposes, an important innovation of the GDPR is the legal obligation to perform a data protection impact assessment (DPIA) in every instance where the proposed processing activities may "represent a high risk to the rights and freedoms of natural persons". 47 This provision applies squarely to instances where children data are pro-44 Orden Edu/1062/2016 of 14 de diciembre, por la que se crea el fichero de datos de carácter personal denominado : «Datos generales y académicos de los alumnos de enseñanzas escolares de Castilla y León» available at: http://bocyl.jcyl.es/boletines/2016/12/ 22/pdf/BOCYL-D -22122016-3.pdf 45 Real Decreto 696/1995 , de 28 de abril, de Ordenación de la educación de los alumnos con necesidades educativas especiales (Royal Decree 696/1995, of 28 April (updated with Royal Decree 1/2013, of 29 November, chapter IV) 46 Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31 47 Article 35 (1) GDPR and Recital 75 GDPR. See Article 29 Data Protection Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016 /679. cessed. 48 The following paragraphs discuss some salient aspects of the data protection impact assessment, namely: the data minimisation principle, the principle of accountability, the duty to anonymise and pseudonymise personal data; the choice for the appropriate legal basis and the application of article 8 GDPR, the protection of children data. 49 In continuity with article 6 under the Data Protection Directive 95/46, article 5 GDPR ordains the key principles of personal data protection: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. 50 According to the principle of minimisation, "personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')". 51 The principle responds to a precautionary logic according to which the less personal information is put into circulation, the less the risks for the rights and freedoms of data subjects. 52 This long-established sobering principle retains its validity under the GDPR which has made explicit the obligation to minimise the processing of personal data as obli- 48 Article 35 (4) GDPR stipulates that supervisory authorities must draw up and make public a list of the types of treatments to be subjected to DPIA. All of three countries', England, Italy, and Spain, supervisory authorities mention DPIA for processing data relating to vulnerable subjects including minors. See for England, ICO's DPIA awareness checklist, Guide to the GDPR, p.197, 29 May 2019 ; for Italy, the Garante's "Elenco delle tipologie di trattamenti soggetti al requisito di una valutazione d'impatto sulla protezione dei dati ai sensi dell'art. 35, comma 4, del Regolamento (UE) n. 2016/679 of 11 October 2018"; for Spain, the authority's "Listas de tipos de tratamientos de datos que requieren evaluación de impacto relativa a protección de datos (Art.35.4)" of 9 September 2019. 49 The areas have been selected because they allow readers to anticipate other impacts on the data protection framework that, for limits of space, are not broached in this contribution: (the identification of the appropriate) data controllers, rights of data subjects / research participants, technical and organizational measures for data safety, storage, sharing, delete, and also codes of conduct, professional codes of conduct, good practices, etc. Please find the related public deliverables at: http://mathisis-project.eu/ en/deliverables . gation for any processing to be "adequate, relevant and limited to what is necessary." The implementation of this linchpin principle is, however, not straightforward as it seems: on one hand, new technologies enable the collection, storage, and sharing of enormous amounts of data; researchers (and data controllers 53 ) may be tempted to collect large quantities of data, for provision, or for curiosity. On the other, one must concede that the possibility that researchers collect more data than "what is necessary" is inscribed in the curiosity that motivates research; indeed, what the team of psychologists and computer sciences do is basically to experiment, to try, err, and try again, get depressed, rejoice, and settle for. The processing of certain data -e.g., collecting data about children keyboard stroke patters to monitor their state of engagement, -may appear as genuinely necessary at the beginning of the project, or in the middle of it, just to prove as genuinely unnecessary months after, or vice versa. These factors put a question mark on the implementation of the principle of data minimisation. Should researchers refrain from certain processing operation out of concern that they may infringe upon the minimization principle, should the data prove unnecessary at a later stage? The formulation contained in article 5 offers some guidance. Unlike the Directive's principle of minimisation, under which personal data had to be "not excessive", the GDPR employs the more expounded expression "adequate, relevant and limited to what is necessary." 54 Arguably the Directive's "not excessive" hinted at a problem of quantity, while the "what is necessary" formula possibly evokes more a question of quality of the data. In order to comply with the requirement of minimisation, researchers should honestly assess whether the processing is "required", meaning "adequate" and "relevant", refraining from collecting data simply because "it could be useful." The quality of data must also be gauged against "what is necessary." This means with no personal data (e.g., with fake data), or without that type of personal data, the purpose (obviously legitimate) of the research cannot be attained. 55 Such an assessment should be, furthermore, documented. Researchers should be able to defend choices made at different stages of the research, including the decision to undergo processing operations not originally foreseen in the initial research plan, or 53 Hielke Hijmans contrasts a 'select before collect' approach over a 'collect before select' one: "In the old, data-is-scarce model, companies had to decide what to collect first, and then collect it, but with the new, data-is-abundant model, we collect first and ask questions later." Hielke Hijmans, "Recent developments in data protection at European Union level", ERA Forum , Issue 2, 2010, p. 222 . See also Omer Tene and Jules Polonetsky who portray the relationship of data minimisation with big data business models as "antithetical. "Description of Action" (DoA). The obligation to document the necessity of data collection tallies well with another key principle enshrined in the Regulation, the principle of accountability. According to article 5 (2) GDPR "the controller shall be responsible for, and be able to demonstrate compliance with the fair processing principle (accountability)". While the notion of accountability is not new to data protection law, 56 the principle enshrined in article 5 places, loud and clear, on the data controller the responsibility to take proactive actions to ensure compliance with the Regulation and to be ready to demonstrate that compliance. 57 As mentioned earlier, the obligation to keep records of personal data processing activities, under article 30 GDPR, is particularly important for researchers. Article 30 puts data controllers/researchers under the obligation to keep written records that detail all data processing activities carried out within the context of a project, notably, what kind of data categories are being processed, by whom (which department or unit) and for which underlying purposes. While this new obligation puts extra work and change the routine of researchers, the existence of duly compiled records may be a valuable asset, for instance in case of accidental data breaches or, as mentioned earlier, to retrospectively justify the necessity of certain processing activities, later found to be unnecessary. Anonymisation and pseudonymisation techniques contribute to the implementation of data minimisation, because they diminish the amount of information related to an identifiable individual. Accordingly, where possible, they should be adopted. 58 Anonymisation is the processing operation that severs irreversibly the link between the data subject and the data relating to him or her, so that it is impossible to identify an individual via a set of anonymous data. Pseudonymisation is a technique that consists of replacing one attribute, typically the name in a record, with another, a code or number; the code or number is used to link individual-level data to data subjects'/ research participants' identities. 59 As for the first, the GDPR does not apply to anonymised data, data that cannot be linked to a living individual; for researchers, this means that anonymised data sets can be freely 56 For instance, in article 17 of the Data Protection Directive. 57 Christopher Docksey, "Responsibility of the controller", in Christopher Kuner (ed.) op.cit. p. 88 The active responsibility measures that descend from the principle are various and include, e.g., data protection by design and default under (article 25), data protection impact assessments (article 35), the appointment of a Data Protection Officer (DPO, articles 37-39), Binding Corporate Rules (BCRs, article 47) and the keeping of records of personal data processing activities, under article 30. 58 Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques available at: https: //www.pdpjournals.com/docs/88197.pdf. 59 Article 4(5) GDPR and Recitals 26, 28, and 29. processed. Despite its obvious traction, this option is not always practicable in research projects. In addition to technical problems, 60 anonymisation appears downright incompatible with the purpose of projects, like MaTHiSiS, which seek to personalise a technology application. In these cases, in order to test the technology, it is necessary for researchers to be able to track and observe individual research participants. Anonymisation is, thus, not an option. When it is not possible to anonymise research data, researchers should state so and provide a justification. 61 If anonymisation is not an option, researchers should verify whether other techniques are applicable. The new Regulation mentions repeatedly and encourages pseudonymisation. Unlike anonymised data, pseudonymised data are still personal. 62 This means that an English REC may require, in the ethics application, the stipulation of Data Protection Sharing Agreement with other partners processing the said data in other jurisdictions, the obligations to keep records of processing, carry out privacy impact assessments, appoint a Data Protection Officer and demonstrate compliance with the principle of privacy by design, as foreseen in arts. 30, 35, 36, 37 and 25 GDPR respectively. If data were anonymous, these cumbersome and costly obligations would not materialise. Concretely, a course of action for researchers would be to attribute to each school a code and to each research participant a pseudonym, with the keys kept by the head teacher; and, subsequently, to encrypt all information related to every pseudonymised research participant. 63 Researchers will process (for specific purposes) un-encrypted data related to a pseudonymised individual whom they are legally barred to re-identify. Ethics committees, however, remain free to impose stricter requirements, such as the stipulation of a data sharing agreement, as mentioned above. The imposition of additional requirements for the processing of pseudonymised data may not however always be necessary. Ethics committees may consider the quality of pseudonymised personal data and nuance the risks inherent in sharing these data on the position of the researchers processing it. Interestingly, in a case concerning a sui generis category of pseudonymised data, dynamic IP addresses, 64 60 The technical problems are related to the real and effective irreversibility of anonymised data. See Paul Quinn. 2017 . "The anonymisation of research data-a pyric victory for privacy that should not be pushed too hard by the eu data protection framework?" 63 Encryption is a way to obfuscate personal data related to data subjects'/research participants' identities, so that they can only be accessed with an (encryption) key. Without the key, the data are gibberish unreadable to human operators or machines alike. 64 In this case, data were partial, in the sense that they could only lead to an identifiable individual by adding additional information. In this respect, dynamic IP addresses were analogous to pseudonymised data. Patrick Breyer v Germany of 2014, the Court of Justice of the EU (CJEU) introduced a distinction between personal data and partial (non-personal) data. 65 For Miranda Mourby and colleagues, the distinction introduced is "vital" in a research context, as "it leaves open the option of "sharing" anonymized data with researchers, even when data are personal and GDPR pseudonymized within the organization itself." 66 The 2016 Patrick Breyer judgement followed a request for a preliminary ruling on Article 2(a), on the definition of personal data, and art.7(f) Directive 95/46, now reproduced in the GDPR article 6(1)f, on the legitimate interests-legal basis. 67 It concerned the registration and storage by German public authorities of the dynamic Internet Protocol (IP) address of visitors, when they access Internet sites operated by German Federal institutions. Mr. Breyer, a Pirate Party politician, had taken legal action against Germany claiming that it unlawfully stored personal data, the dynamic IP addresses of visitors. The referring German Court asked the CJEU whether dynamic IP addresses of website visitors constituted personal data for website operators and other online media service providers. The answer given by the Court of Luxembourg was yes; this marked an important interpretative step. In short, the Court ruled that, even if a piece of information about a person does not bring directly to that individual, data protection law applies, provided there are likely reasonable means which enable the data controller to obtain additional information that can identify a data subject [Mr. Breyer browsing the website pages]. In this case, there was such a means, since in case of "denial of service attack" or for other security reasons, the website owner could legally and easily obtain the link between the IP address and his or her name from a third party, the Internet access provider. 68 Miranda Mourby and colleagues salute the case because the Court, to determine the nature of personal data, deemed decisive the contextual assessment of the legal and technical possibility to combine partial data with additional data held by a third party. 69 They argue that the impossibility to draw 65 CJEU , Case C-582/14 Patrick Breyer v Germany [2016] , paragraph 49.. The German Federal Court of Justice referred the case to the CJEU asking whether a dynamic IP address registered by a website publisher/service provider when a person accesses the website that that publisher makes accessible to the public constitutes, with regard to that service provider, personal data where only a third party, in that case the internet service provider, has the additional data necessary to identify him (See paragraph 31). 66 Miranda Mourby, Elaine Mackey, Mark Elliot, Heather Gowans, Susan E. Wallace, Jessica Bell, Hannah Smith, Stergios Aidinlis, and Jane Kaye. 2018 . "Are 'pseudonymised' data always personal data? Implications of the GDPR for administrative data research in the UK", Computer Law & Security Review, 34:2, p.233 67 Article 7(1)f Directive 95/46/EC: " Member States shall provide that personal data may be processed only if: …(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)" 68 The collection of IP addresses by the German public website operators was aimed at bringing criminal proceedings against cyber criminals attacking their websites (after identification with the help of Internet service providers). 69 Miranda Mourby et al. op.cit. linkages between partial data and additional data held by a third party can result in considering such data non-personal. 70 This can also mean that the definition of pseudonymised data, which compose the bulk of research data in their article, as personal data, is not set in bright lines; the Court opts for a case-by-case analysis of the means that can or are "likely and reasonable to be used to identify an individual" as described in Recital 26 GDPR. 71 Mourby and colleagues agree with the Court's rebuttal of the argument, advanced by the Advocate General, that pseudonymised data are always personal, as long as a known third party holds identifying information, which could be used to identify the data, regardless of the likelihood of attribution. 72 Leveraging on article 4.5 GDPR, they instead defend the claim that pseudonymisation is not a type of personal data, but a type of processing of personal data. 73 The relationship between data controllers (or researchers) and the risk of re-identification (via pseudonymised research data) thereof is not an hypothetical scenario. 74 Therefore, it is the assessment on a case-by-case basis -and not some kind of normative judgement-that must play the decisive role in determining whether personal data are processed. This "relative" approach to pseudonymisation, supported by amongst others the UK supervisory authority, 75 can be attractive for research through the use of administrative, population or even medical data. If the relationship between the parties does not enable access to additional data that in turn allow for identification and if there is no likely means to obtain additional information, pseudonymous data related to research participants can be deemed anonymous from the point of view of the researchers processing them (who cannot access additional information). 76 However, why pseudonymised data could be treated as anonymised remains unclear from the data recipient's per-70 Ibid. p. 226. 71 Ibid. p. 227. To determine whether there are means likely to be used to identify data, account should be taken of all the means reasonably likely to be used, and of "all objective factors " that may make the use of such means possible. In this regard, Recital 26 GDPR refers to costs, amount of time required for identification, existing technology at the time of the processing and "technological developments". 72 Ibid. p.226. 73 Art. 4(5) GDPR reads "pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed ( 3462948 , p.15. 75 According to the UK Data Protection Authority, "where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data. This is the case even though the organisation disclosing the data still holds the other data that would allow re-identification to take place." Information Commissioner Office (ICO), Anonymisation: managing data protection risk code of practice , p.13 . https://ico. org.uk/media/1061/anonymisation-code.pdf Where the Information Commissioner really intends "pseudonymised form", since the data can be re-identified (not through a key) but by "other data." 76 Miranda Mourby et al. 2018 , op. cit. spective. 77 Pseudonymisation only applies to direct identifiers; from the data recipient's end, thus, data linked to his or her pseudonym remain 'personal' as long as a third party (not only the researcher processing it, but anyone) can determine his or her identity. In contrast to the relative approach, a more conservative approach criticises the Breyer-decision . 78 It is observed that the case was dealing with article 6(1).f, which concerns the balancing of private legitimate interests. Appropriate diligence should be demonstrated when drawing analogies, especially with regard to research activities, such as those in the medical field, that can rely upon the public interest-ground (art.6(1)(e)). The conservative approach criticises Breyer for offering a general rule of no rule that precludes from excluding, categorically and in general, the possibility of processing certain categories of personal data without allowing the opposing rights, freedoms and interests to be balanced on a case-by-case basis. The application of a general rule of no rule -making balancing possible always and everywhere -gives excessive leeway to any free circulation of personal data (art. 1(3) GDPR). 79 In the bourgeoning information society, what matters is the balancing of interests, but also attempts to establish legal certainty; this means space for developing incremental and practical national and local legislation 80 -while taking into due consideration risks to legal certainty posed by potential lack of standards during the balancing exercise. The imposition of common boundaries in fact gives guidance to the people and can align behaviours with changing environments. In the research area, for instance, legal certainty puts restraints on anonymisation and Big Data practices that just "help" actors stay out of the scope of data protection law. 81 In the light of such an alignment, and even though the consequences of this tailoring may have an impact on research, processing activities on pseudonymised data should continue to be treated as personal data-related processing activities. Any processing of personal data must be based on a legitimate basis. 82 The choice of legal basis is important because it influences the flexibility researchers have in terms of the applicability of the data protection principles, such as purpose limitation, or the data protection rights of data subjects/research participants. 83 For research with school children data, three of the legal bases recognised in the law are of relevance: consent, 77 Thanks to the anonymous reviewer who pointed this out. 78 Paul De Hert , "Data Protection's Future without Democratic Bright Line Rules. Co-Existing with Technologies in Europe after Breyer," European Data Protection Law Review (EDPL) 3, no. 1 (2017): 20-35 79 Ibid., p.28. The norms of public authorities that proscribe certain data processing activities without any space for further discussion are then construed as obstacles to the free of movement of personal data 80 Ibid., p.30-31 81 Ibid., p.27 82 Article 8 EU Charter of Fundamental Rights and Article 6 GDPR. 83 Paul Quinn and Liam Quinn. 2018 . op.cit ., p.12. See also Elena Gil González and Paul de Hert, 'Understanding the legal provisions that allow processing and profiling of personal data-an analysis article 6 (1) a) GDPR , the exercise of a task vested in an official authority recognised in the law, article 6 (1) e) GDPR, and the "legitimate interests" basis, article 6 (1) f) GDPR. The GDPR has introduced another legal basis, the "scientific research purpose." Researchers may indeed be tempted to evoke this basis leaning on the wording of Recital 159 GDPR, which states: "scientific research purpose should be interpreted in a broad manner including for example technology development and demonstration." 84 At closer inspection, however, the application of this ground is not fully persuasive in cases of research projects such as MaTHiSiS. First, a research project developing a machine learning algorithm unconvincingly fits in the definition of "scientific research." 85 If it did, then commercial entities might abuse the preferential treatment reserved to scientific research. Third, the use of the scientific research basis seems appropriate for cases in which the researcher collects personal data not directly from the research participants, but indirectly, or when it is very difficult or impossible to inform data subjects about the purpose of personal data processing, or arduous for data subjects to exercise their rights. 86 In research and innovation projects like MaTHiSiS, the legal basis mobilised for involving research participants in the project affects the choice of the legal basis for processing the personal data of data subjects/research participants. 87 The choice of consent seems to be the appropriate one in England; English RECs require consent for both the physical participation in research project and a separate one for the processing of their personal data. However, some words should be spent after the GDPR has provoked a shift in the choice of legal basis for research institutions in England. The of GDPR provisions and principles' ERA Forum , 2019, https://doi. org/10.1007/s12027-018-0546-z 84 Recital 159, GDPR. "For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area." 85 This interpretation clashes vividly against the definitions of scientific research purpose put forth by the Council of Europe and the Article 29 Working Party. Council of Europe , Explanatory Report regard to Automatic Processing of Personal Data, Strasbourg, 10 October 2018, paragraph 50."Processing of data for "scientific research purposes" aims at providing researchers with information contributing to an understanding of phenomena in varied scientific fields (epidemiology, psychology, economics, sociology, linguistics, political science, criminology, etc.) with a view to establishing permanent principles, laws of behaviour or patterns of causality which transcend all the individuals to whom they apply." The Article 29 Working Party Guidelines on consent under Regulation 2016 /679 of 10 April 2018, p. 27, states that the notion of scientific research may not be stretched beyond its common meaning and understand that 'scientific research' in this context means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice. 86 See Paul Quinn and Liam Quinn op.cit. p. 12. 87 According to Article 52(1) of the EU Charter of Fundamental Rights the conditions for lawful limitations of the right to data protection apply to all cases of Article 6(1). Lawful limitations include provisions of national law. explanatory note to the Data Protection Act (2018) states that for universities, National Health Service (NHS) organisations, Research Council institutes or other public authority the processing of personal data for research should be considered a "task in the public interest." 88 On a similar vein, the Information Commissioner's Office (ICO) "Guide to the GDPR" stipulates that "any organisation who is exercising official authority or carrying out a specific task in the public interest" can rely on the legal basis set out in article 6 (1) e) of the GDPR or article 9.2(j) for sensitive data. 89 Hence the question as to whether the legal basis "public interest" may be the appropriate one for research conducted by a public research centre involving the processing of school children data. 90 This begs a further, more complicated question that we cannot really address here, the question of what is public interest? These authors share the lights that Mark Taylor and Tess Whitton provide in a research article concerning health data and research exception in the UK. 91 A point they make is that the legal answer to whether public interest exception applies, depends, firstly, on the verification of the availability of reasons for not seeking explicit consent. 92 The theoretical framework behind this view posits, as one reason (of why consent is not available), the consequences of not obtaining consent; a second one, the consequences of a subsequent withdrawal of consent; third reason, the difficulty, in the context of the research, of obtaining valid consent, meaning genuinely "freely given, specific, informed, unambiguous." 93 The first reason materialises in cases where the research project 's intended purpose does not allow consent to participation in the research and not in activities involving personal data processing; or that it does not permit, as Recital 33 GDPR states, that participants can consent to certain areas of research or parts of research (which involve processing of personal data). 94 In the second case, a subsequent withdrawal would impose on researchers/data controllers to cease immediately any processing activities and, unless there is another lawful basis for the retention of those data, any al-88 Data Protection Act 2018 -Explanatory notes, p.23 http://www. legislation.gov.uk/ukpga/2018/12/pdfs/ukpgaen _ 20180012 _ en.pdf 89 Information Commissioner's Office (ICO), "Guide to the GDPR" https://ico.org.uk/for-organisations/guide-to-data-protection/ guide-to-the-general-data-protection-regulation-gdpr/ lawful-basis-for-processing/public-task/ 90 Thanks to the anonymous reviewer who pointed this out. 91 Mark Taylor and Tess Whitton , "Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data." Laws 9.1 (2020): 6, p. 7-8 92 Ibid. . The authors claim that, secondly, after the legal assessment of non -availability of consent, the acceptability of the public interest must be gauged against a "contextual assessment of the acceptability of the reasons for trading off the "common interests""(not to be confused with the legitimate interests, ndr ) engaged in the circumstances, such as common interest in a privacy, in education, in health care, etc. 93 Article 4(11) GDPR. 94 Recital 33 GDPR states ""Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose." "The MaTHiSiS consent form included two separate sections for consent to the processing of personal data and the collection of personal image -data, as the latter posed higher risks. ready collected data should be deleted. 95 As for the third reason for not seeking consent, the difficulty in contacting subjects, or the conditions of structural dependency, e.g., between doctors and some patients, or the vague definition of the research purpose, which run afoul of the requirements that consent be freely given, specific, informed, and unambiguous. In our specific case, the MaTHiSiS project, the intended purpose of research did not actually allow to separate participant from data subject; however, the "extent" of the intended purpose allowed some breath to consent givers to specific areas of data processing activities, with parents' having to explicitly opt in to some areas of data processing deemed more risks (data images). Second, in England there is a lawful basis for the retention of research data, records and related material, which should be retained for a minimum of 10 years, after the study has been completed. 96 During the research, however, it may be admittedly difficult for a school and a university centre to resist such a request in the event of the withdrawal of the school pupil from the research. As for the lack of conditions for valid consent, the legal basis for participation being informed consent, there was the manifest possibility for participants' legal representatives to signify their genuinely "freely given, specific, informed, unambiguous" agreement also to the processing of data relating to their children. The foregoing suggests that, from a legal point of view, the adoption of the public interest derogation may not be, also after the entry into play of GPDR, the appropriate one for research projects such as MaTHiSiS. The situation is different in Italy where, as discussed in Section 2 , the participation of school children in research project is based not on consent, but on the decision of the public school. As the Italian supervisory authority, known as "the Garante", clarified, "for processing performed by these subjects, consent to the treatment must not be acquired, but they [the data subjects] must participate in the research on a voluntary basis after having been clearly informed about the relative aims." 97 Without referring to it (the case dates before the entry 95 European Data Protection Supervisor. 2020 . A Preliminary Opinion on Data Protection and Scientific Research. Brussels: European Data Protection Supervisor, p.19. 96 See NTU Research Data Policy, paragraph 5.3.3: "All research data related to a research project shall be retained for 10 years after publication or after the completion of the project, whichever is later. If litigation proceedings, investigation on research misconduct, review of financial management or other formal enquiries are started during this ten-year period, all research data shall be retained until the satisfactory completion of these proceedings. https://research.ntu.edu.sg/rieo/RI/Pages/ Research-Data-Policies.aspx#53 97 Provvedimento del 23 dicembre 2004 Il Garante per la protezione dei dati personali https://www.garanteprivacy.it/web/ guest/home/docweb/-/docweb-display/docweb/1121429 . The case involved, as defendant, a university centre and an affiliated majoring graduate , and the parents of a primary school child, as applicants. The dispute arose after the plaintiffs found out that their seven-year-old son had participated -without their knowledge -in a research on the theme "the social representation of child maltreatment") carried out by a graduate of the defendant, which consisted in the distribution of a test / questionnaire to the students of an elementary school in Rome. Years later, in 2012 the same authority issued a vademecum of 2012 "La privacy tra i banchi di scuola.", which confirmed into force of the GDPR), the Garante mobilised article 6. (1) e) GDPR, which allows the processing of personal data without consent if the processing is "necessary for the performance of a task carried out [in the public interest or] in the exercise of official authority vested in the controller" and recognised in the law. 98 The use of this basis activates the obligation to offer data subjects/research participants (directly or, if minors, through their parents) the possibility to raise an objection to the processing, as article 21 of the Regulation provides. However, the Regulation still applies, meaning that schools remain under the obligation to balance the interest of research with the rights and freedoms of children/research participants, to explain the prevailing nature of the school interest in processing, to ensure the least intrusive measures are taken, as well as to ensure adequate safeguards are adopted. 99 Importantly, Italian law provides that for the processing of data images and videos portraying children, the explicit consent of the legal representatives is required. 100 In case a research processes this type of data, as it occurred in MaTHiSiS, the explicit consent of the parents or legal representatives has to be obtained. Finally, the choice of the appropriate legal basis in Spain. The situation in Spain is largely similar to Italy; interestingly, in this country, the recognition of autonomy of school as a legal basis for processing personal data has become explicit with the transposition of article 8 of the GDPR "Conditions applicable to child's consent in relation to information society services" into the Ley Orgánica (3/2018 ). The Spanish case thus deserves to be treated separately in the next paragraph. Article 8 "Conditions applicable to child's consent in relation to information society services"mandates on states the introduction of a legal age limit before which children cannot use information society services without parental consent, leaving member states free to set the age thresholds. The provision refers explicitly to the use of information society services, which are services "normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services", such as, indeed, social media, e-commerce, gaming sites, dating sites, etc. 101 Arguably, the introduction of article 8 responded to the social demand this interpretation. The vademecum states that "research activities involving the collection of personal information does not require consent of the parents, who must nonetheless be informed about the research purposes, the treatment modalities, the security measures, and be left free not to join the initiative." https://www.garanteprivacy.it/documents/10160/2052659/ La+privacy+a+scuola+-+Vademecum+%28anno+2012%29.pdf/ 57369f65-c4c7-4558-8832-353d7b9ee05c?version=1. to protect children who are avid users of digital technologies, in particular social media. 102 However, the implementation of article 8 in Member States has led to different outcomes. 103 Some countries, like the UK 104 and Italy, 105 have transposed the provision literally, applying to information society services only. Spain transposed article 8 in a different way. The revised Spanish data protection contains more than one provision regarding the processing of data relating to minors. 106 Article 7 stipulates that "any" processing of personal data processing of minors must be based on the consent of the person holding parental responsibility, when the child is below 14, and on the consent of the latter, when he or she is above 14. 107 Listed as one of the principles of personal data protection, article 7 lapidary applies only to information society services, but to any processing of the personal data of a minor. The other provisions are found under the title X (ten), data subjects' rights (Garanti á de los derechos digitales). Article 83 (Derecho a la educación digital) creates the obligation to insert in the curricula of students and in the training of teachers modules related to digital skills; article 84 places on 104 In the UK, the legislator set the limit at age 13 because "in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, WhatsApp, Instagram). Section 9 of the UK Data Protection Act 2018 ; see also the Data Protection Act 2018 Explanatory Notes, para 89, p. 23., available at: http://www.legislation.gov.uk/ukpga/2018/12/ pdfs/ukpgaen _ 20180012 _ en.pdf 105 In Italy, article 2-quinquies of the Codice in materia di protezione dei dati personali specifies that the age limit of consent operates "in relation to the information society services". According to the Garante, "It would be inconsistent to admit the fourteen-year-old to give his consent to be adopted, but not to sign up for a social network." Parere sullo schema di decreto legislativo recante disposizioni per l'adeguamento della normativa nazionale alle disposizioni del Regolamento (UE) 2016/679 -22 maggio 2018 Registro dei provvedimenti n. 312 del 22 maggio 2018, paragraph 2.4 . https: //www.garanteprivacy.it/documents/10160/0/Codice+in+materia+ di+protezione+dei+dati+personali+%28Testo+coordinato%29.pdf/ b1787d6b-6bce-07da-a38f-3742e3888c1d?version=1.5 106 Ley Orgánica 3/2018 , de 5 de diciembre, de Protección de Datos Personales y garanti á de los derechos digitales Available at: https://delajusticia.com/wp-content/uploads/2018/12/ Ley-proteccion-datos.pdf fathers, mothers, guardians, curators or legal representatives ("padres, madres, tutores, curadores o representantes legales") the duty ("procuráran que") to protect minors on the internet, in particular the use and diffusion of images or personal information of minors, in social networks and equivalent information society services. Importantly for our purpose in this article, the Spanish legislator has inserted a provision dealing specifically with the processing of children at and by schools. Article 92 provides that "Educational centers ("centros educativos") […] will guarantee the protection of the best interests of the minor and their fundamental rights, especially the right to the protection of personal data, in the publication or dissemination of their data." 108 This means that, as previously under the pre-GDPR regime, 109 the legal basis for processing personal data of school children is not consent, but the decision of the public school when the processing is part of the activities undertaken by public schools. 110 It must be underlined that in case the legal basis of the processing of personal data of school children for research purposes is not consent but the personal data was previously already processed for other purposes, the school (as the data controller) has to consider a number of factors, listed in article 6 paragraph 4 of the GDPR. In our case, no secondary use of personal data has occurred as data has been recorded and processed for a sole purpose and has been deleted thereafter. According to this analysis, article 8 GDPR does not impose an indiscriminate rule of consent for processing the data of school children, when these processings are part of school activities. This also applies to research activities which the school has autonomously adhered to. Researchers wishing to conduct research with school children data for nonmedical purposes, except for image data, will continue to obtain the authorisation of the school and inform persons holding parental responsibility, offering them the possibility to object to the processing. 111 Conclusion: be mindful of domestic law in your ethics assessment and of the national implementations of the GDPR European Union's Horizon (2020) calls for projects put researchers under the obligation to respect ethical principles in research and to be ready to demonstrate that compliance. This article has showed that, in the context of research without a medical purpose, organised at schools, the respect of ethical 108 Article 92(1), Ley Orgánica 3/2018 . 109 See article 108 Ley Orgánica 2/2006 , de 3 de mayo, de Educación: "1. Los centros docentes se clasifican en públicos y privados. 2. Son centros públicos aquellos cuyo titular sea una administración pública." and Article 6.2 of the Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal: "consent shall not be required when personal data are collected for the exercise of the functions of public Administrations within the scope of their powers." The provision is abolished in the 2018 new law. 110 With two exceptions, the processing of image-data and in case of publication or dissemination through social network services or equivalent services. Article 92(2). 111 The legal basis in the GDPR would then be article 6.1(e) or 6.1(f) GDPR. See analysis of Italy. principles means primarily respecting national and European laws. In this contribution we have highlighted the importance of education laws, such as the Children and Families Act (2014) , Spain's Real Decreto 696/1995 and Italy's Legge quadro 104/92 on children with special needs. In Italy, researchers cannot separate children with special needs from the class, even if computer scientists make pressure, as doing so would infringe on a legal limit. The legal limit applies in Italy, but not in the UK or in Spain. This circumstance does not mean "doing it nonetheless because the practice is acceptable in other countries, such as in the UK or Spain". As it is not possible to ignore domestic laws, legal assessment is not the place to express preferences. Ethical considerations, such as the argument according to which the law of that country creates inequality in access to technology research and innovation projects, can be added to the prescriptions of the law, but cannot go against or replace the law. One option would be to share the data collected in jurisdictions where such a collection is allowed, so that also Italian children with special needs can benefit from technology advancements in this field. Doing so, sharing research data, could however be construed as an infringement upon the data protection law in the jurisdictions where data is collected. Indeed, a problem not broached in this contribution is the requirement of deleting rare and precious data sets when the research comes to an end. The data minimization principle would indeed require such a deletion of research. Doing so, deleting data at the end of the project, would however hinder not only upon the interests of Italian children; as we have seen in the section on data protection, collecting data directly from children, in particular data images, is a very risky operation. Deleting data means that future research endeavors will have to collect again new data from other children, with the consequence of multiplying not only the efforts but also, importantly, the risks that are associated with such processing activity. Conversely, retaining the research data, in particular data-images (which cannot be anonymized), would mean using research participants/data subjects as means, and not as ends. In this connection, the question raised in the Breyer case (whether the pseudonym data could be considered non-personal data, and thus be freely processed, in case they were under the control of a researcher/data controller legally prevented from re-identifying the pseudonym data), the cooperation between computer scientists and lawyers, could be explored further. More in general, it will not be easy for researchers to remain, on one hand, loyal to their research purpose, -with its hump of passions and sack of problems to overcome and, on the other, to remain within the compassionless, stabilising limits of legal rules. No matter how difficult it may be to reconcile legal constraints with good research, researchers will have to put up with and navigate this condition that evokes what psychiatrists call a "double bind", a communicational dilemma which can provoke feelings of stress and frustration in the subject. In the second part of the article, the authors have attempted to alleviate this "double bind" risk by providing a series of practical recommendations concerning the protection of school children data in research. The article has put the accent on the principle of data minimisation, and on the germane need to minimise and to justify the necessity of the processing; to anonymise or pseudonymise and encrypt school children data, to keep a registry of processing activities, and to scrupulously identify the appropriate legal basis. These obligations should become a habit inscribed in the routine of researchers. One good reason for doing so is that, under the GDPR, there are substantial fines for damages caused by the violation of any of these obligations. Researchers and research organisations remain liable also after the conclusion of the project; the funding agency, or an enraged parent who has not been informed properly, for instance, can call upon researchers to explain also months or years after the end of the research. When it was conceived, the GDPR's aim was to harmonize the data protection laws of the EU member states. Article 8 GDPR, "Conditions applicable to child's consent in relation to information society services" clearly indicates that the Regulation will not harmonise every aspects of data protection. Article 8 explicitly allows member states to set an age limit that departs from the age of 16 foreseen in it. The "seed of diversity" contained in this provision comes to fruition in national laws that allow the processing of children school data without the consent of the parents, outside the risk area of information society services, such as social media. As more technology solutions pierce into schools, the possibility for a school to control the processing of personal data of learners will become increasingly important, also for research. In this sense, the formulation of article 8 GDPR, which restricts the rule of consent to information society services, can be saluted as respecting the political and social value of school autonomy, notably in countries, such as Italy and Spain, with a recent past of governmental control over schools, teachers, pedagogy and curricula. Finally, it appears to us that the main preoccupation of the ethics management of EU H2020 projects is the organisation of a stable legal framework. Issues such as neuroplasticity, the impact on development of the attention span, on the development of internally controlled sense of right and wrong, mentioned in the introduction, remain unanswered. This leaves the unkind impression that with or without our input, with or without an ethics management, technologies like MaTHiSiS' will be developed in any case. One often evoked mitigation is the institution, within research consortia, of external ethical advisory boards; another, perhaps better solution would be to separate the legal management of the project from the ethical management. This separation would encourage research consortia to acquire specialised expertise in both fields and incorporate their different perspectives and social contributions front the onset. Without such a separation, the stable, legal, platform will continue to rest over unchartered waters, something analogous to artist Christo's golden Floating Piers stretching across Italy's lake of Iseo . 112 The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. Listas de tipos de tratamientos de datos que requieren evaluación de impacto relativa a protección de datos Trippas Dries , Belpaeme Tony . Children conform, adults resist: a robot group induced peer pressure on normative social conformity Article 29 Data Protection Working Party Article 29 Data Protection Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk Article 29 Working Party Guidelines on consent under Regulation Watch IT -The Risks And Promises Of Information Technologies For Education A study of the impact of technology in early education Les principes relatifs au traitement des données à caractère personnel et à sa licéité Commentary On the EU General Data Protection Regulation Education in Spain: close-up of its history in the 20th Century Explanatory Report regard to Automatic Processing of Personal Data 196 recante il "Codice in materia di protezione dei dati personali" integrato con le modifiche introdotte dal Decreto Legislativo Children, Gillick competency and consent for involvement in research Testo Unico delle disposizioni legislative in materia di istruzione SEND code of practice: 0 to 25 years. Guidance on the special educational needs and disability (SEND) system for children and young people aged 0 to 25 Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Our principles: research ethics committees Understanding the legal provisions that allow processing and profiling of personal data-An analysis of GDPR provisions and principles The role of affect in student learning: a multi-dimensional approach to considering the interaction of affect, motivation and engagement EU Charter of Fundamental Rights European Data Protection Supervisor. A Preliminary Opinion On Data Protection and Scientific Research. Brussels: European Data Protection Supervisor Looking for needles in a haystack: key issues affecting children's rights in the general data protection regulation Garante per la protezione dei dati personali, Elenco delle tipologie di trattamenti soggetti al requisito di una valutazione d'impatto sulla protezione dei dati ai sensi dell'art. 35, comma 4, del Regolamento (UE) n We have always managed risks in data protection law: understanding the similarities and differences between the rights-based and the risk-based approaches to data protection The Principle of Purpose Limitation in Data Protection Laws. The Risk-based Approach, Principles, and Private Standards As Elements For Regulating Innovation Multi-beneficiary general model grant agreement (H2020 general MGA -Multi) Version 5 grants _ manual/hi/ethics/h2020 _ hi _ ethics-self-assess _ en.pdf House of Lords, Gillick v West Norfolk & Wisbeck area health authority governance-arrangement-research-ethics-committees/ Information Commissioner Office (ICO) Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach Education governance in the United Kingdom: the modernisation project La politica quotidiana. L'utilizzo propagandistico del diario scolastico nella scuola fascista The effects on the student-teacher relationship in a one-to-one technology classroom Nuove norme in materia di disturbi specifici di apprendimento in ambito scolastico Legge Quadro per l'assistenza, L'integrazione Sociale e 275/1999, Regolamento recante norme in materia di autonomia delle istituzioni scolastiche, ai sensi dell'art. 21 della L. 15 marzo 59/ 1997 on the functioning public administration Legge 118 del 30 marzo 1971 "concernente provvidenze a favore dei mutilati ed invalidi civili Norme sulla valutazione degli alunni e sull'abolizione degli esami di riparazione nonché altre norme di modifica dell'ordinamento scolastico Ley Orgánica 15/ 1999 de Protección de Datos de Carácter Personal: "consent shall not be required when personal data are collected for the exercise of the functions of public Administrations within the scope of their powers 1. Los centros docentes se clasifican en públicos y privados. 2. Son centros públicos aquellos cuyo titular sea una administración pública de 5 de diciembre, de Protección de Datos Personales y garanti á de los derechos digitales Available at Ley Orgánica 8/2013, de 9 de diciembre, para la mejora de la calidad educativa The EU, children under 13 years, and parental consent: a human rights analysis of a new, age-based bright-line for the protection of children on the internet Governing by values. EU ethics: soft tool, hard effects Public interest, health research and data protection law: establishing a legitimate trade-off between individual control and research access to health data Artificial Intelligence: a European perspective Three educational scenarios for the future: lessons from the sociology of knowledge They who must not be identifieddistinguishing personal from non-personal data under the GDPR. Int. Data Privacy Law 2020 (forthcoming)Max Planck Institute for Innovation & Competition Research Paper No Consent for processing children's personal data in the EU: following in US footsteps? Are 'pseudonymised' data always personal data? Implications of the GDPR for administrative data research in the UK The Shallows: How the Internet is Changing the Way We Think, Read and Remember. US: Atlantic Books Big data for all: privacy and user control in the age of analytics por la que se crea el fichero de datos de carácter personal denominado: «Datos generales y académicos de los alumnos de enseñanzas escolares de Castilla y León por la que se regulan los proyectos de autonomía en centros docentes sostenidos con fondos públicos de la Comunidad de Castilla y León que imparten educación primaria, secundaria obligatoria y bachillerato Parere sullo schema di decreto legislativo recante disposizioni per l'adeguamento della normativa nazionale alle disposizioni del Regolamento (UE) 2016/679 -22 maggio 2018 Registro dei provvedimenti n The Use of ICT in Education: a survey of schools in Europe Data protection's future without democratic bright line rules. Co-existing with technologies in Europe after Breyer Big genetic data and its big data protection challenges The anonymisation of research data-A pyric victory for privacy that should not be pushed too hard by the eu data protection framework? Provvedimento del 23 dicembre 2004 Il Garante per la protezione dei dati personali on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation of the European Parliament and of the Council of 11 December 2013 laying down the rules for participation and dissemination in "Horizon 2020 -the Framework Programme for Research and Innovation of the European parliament and of the council of 11 december 2013 establishing Horizon 2020 -the framework programme for research and innovation (2014-2020) and repealing decision No 1982/2006/EC text with EEA relevance OJ L 347 Kalin Ned H. Emotion, plasticity, context and regulation: perspectives from affective neuroscience Applying for ethical approval for research in the United Kingdom Children: a special case for privacy? The research has been carried out in the context of a project funded by the European Union under the Horizon 2020 Programme ( H2020- ICT-2015 ) : Managing Affective-learning through Intelligent atoms and Smart InteractionS (MaTHiSiS), grant agreement no 687772 . Eugenio Mantovani, LLM (Male) is a researcher at the research group on Law, Science, Technology & Society (LSTS) in law and technology and human rights law. He has been involved in several FP7 and H2020 projects where he has been dealing with the ethical, psycho-social and legal, data protection and medical device aspects of technology developments, with particular focus on medical technologies and mobile technologies and on the implications of technology developments on vulnerable groups, such as the elderly and children. Email address: eugenio.mantovani@vub.be