When the process of updating Europe’s data protection laws began, public concerns about privacy – highlighted by the Snowden affair – led to the European Parliament filing amendments that would have inhibited medical research. Fortunately, Beth Thompson writes, MEPs listened to researchers and patients and a compromise has been reached.
After four years of debate, the European institutions reached agreement on the Data Protection Regulation in December. This huge piece of legislation will update Europe’s data privacy laws, which haven’t changed since 1995. At the Wellcome Trust we worked on the Regulation since it was proposed in January 2012. Our goal was for the Regulation to facilitate research with personal data while making sure that individuals’ data would be kept safe and used appropriately.
The outcome for research is very positive, but it didn’t always look like it would work out that way.
A vital resource for health research
Europe’s current Data Protection laws date from 1995, when “‘Amazon’ was best known as the name of a river”. To bring data privacy law up to speed with new technologies, the European Commission published a proposal for a new Data Protection Regulation in 2012.
Throughout society personal data is used in many ways, from providing public services to marketing. For researchers, personal data is a vital resource that helps us understand more about health and disease. Personal data was essential for making the link between smoking and lung cancer, and demonstrating that there is no link between the measles, mumps and rubella vaccination and autism.
The research community therefore took a keen interest in the evolving Data Protection Regulation, and the impact it would have on how personal data could be used in research studies.
Trials and tribulations for research
The European Commission’s original proposal for a new Regulation took a thoughtful and informed approach to research. Throughout the process, experts across the Commission engaged effectively with stakeholders and monitored proposed amendments and their potential impacts.
The European Parliament’s more ideologically-driven approach created problems for research. Parliament’s position was dominated by the views of privacy advocates. This was felt most strongly after Edward Snowden’s leaks about the use of personal data by national security agencies, which produced desire for consensus among Parliament’s diverse political groups.
Parliament had good intentions in taking a privacy-led approach, and MEPs did not intend to prevent research. However, many of their amendments to the Commission proposal were not based on a sound understanding of how research is conducted, or the potential impact these would have on research. In reality, the Parliament’s amendments would have inadvertently tightly restricted the ways in which personal data could be used in research, with devastating impacts.
Advocacy from the research community
For many working on the Regulation, inside Parliament and out, scientific research was a marginal issue. This may explain why the concerns of the research community were not heard when we first raised them in early 2013.
The research community’s input increased in volume as the situation grew more serious when the Parliament agreed that their amendments should form part of their position. Over the next two years a large coalition of research and patient organisations across Europe worked together to raise awareness of our concerns. We published joint statements, ran an online campaign and held many meetings.
We found that many of the MEPs working closely on the Regulation were willing to engage with the research community, even where our positions differed. We also valued the support of research-friendly MEPs from a range of countries and across the political spectrum, who understood the community’s concerns and helped to get the message across.
Breathing a sigh of relief for research
The Member States took longer than the Parliament to come to a position on the Regulation. The Member States’ final position took into account the concerns of the research community. This represented a balanced approach for research that emphasised the crucial role of safeguards to protect data subjects. A number of Member States even highlighted research as a particular priority.
The balance seemed to lie in favour of a positive outcome for research when the Commission, Parliament and Council came together to agree a middle ground. However, this outcome couldn’t be taken for granted. Research was discussed on a number of occasions between July and December 2015. And it wasn’t until the very final session of negotiation that the compromise on research was agreed.
Maintaining a supportive framework for scientific research
The Regulation follows the approach of the current Directive and includes a special set of rules for research. This waives some regulatory requirements in recognition of the benefits that research offers to society. For example, the rules facilitate the re-use of data for research, even where the data were collected for another purpose. Personal data can be stored for longer periods of time for research than other purposes. The Regulation also clearly allows research to take place with sensitive personal data − such as health data − without consent, provided that certain conditions are met.
In order to benefit from these special rules, researchers will have to comply with safeguards that ensure the use of personal data in research is proportionate – for example that anonymous data could not be used instead – and that individuals’ data are used responsibly, safely and securely.
Reaching compromise through increased Member State flexibility
The rules set out in EU Regulations apply to all EU countries. This is intended to produce a harmonised EU-wide approach. However, to reach agreement on this text, the legislators agreed that for many aspects Member States would be left to work out the details for themselves. Research was one such area. Within defined limits, the Regulation allows Member States to develop their own system of safeguards and exemptions from data subject rights for research. This flexibility creates opportunities for Member States to adapt the rules to fit their existing arrangements and make them more relevant to their own society and culture. However, it is highly likely that this will also continue the range of different regulatory approaches to the use of personal data in research across Europe.
We’re delighted that the EU institutions listened to the concerns and evidence presented by research and patient organisations and that the Parliament’s amendments were not included in the final compromise text.
This result is a significant achievement and a huge relief for the research community. However, this is not the end of the story. The devil will be in the detail of implementation. Wellcome will continue to work with the research community on securing a strong outcome as the Data Protection Regulation enters this next phase, before the law becomes active in 2018.
This post represents the views of the author and not those of BrexitVote, nor the LSE.
Dr Beth Thompson is Senior Policy Adviser at the Wellcome Trust, focusing on the regulation of research. Beth led Wellcome’s advocacy work on the impact of the EU Data Protection Regulation. Beth undertook her PhD and postdoctoral research at the Medical Research Council Laboratory of Molecular Biology in Cambridge after studying Natural Sciences at the University of Cambridge.