Last year saw significant changes in data protection laws across Europe, the UK and the USA. Daniel Spichtinger outlines how these changes have created a more complex but GDPR-aligned regulatory environment for researchers.
The management of research data has become an important part of ethical and legal compliance. Data protection laws pose challenges to researchers and support staff, especially in international research collaborations that take place across different jurisdictions. In this respect 2023 was a pivotal year, as data protection laws were updated in key jurisdictions: the European Union (EU), Switzerland, the United Kingdom (UK), and the United States (US). These legislative developments, directly or indirectly influenced by the EU’s General Data Protection Regulation (GDPR), reflect a wider trend towards more stringent data protection standards in the Western world.
The EU
2023 marked a significant phase in the evolution of the European Union’s (EU) data protection landscape. Building on the foundation of the General Data Protection Regulation (GDPR) the EU has introduced new regulatory developments to further strengthen and streamline its data protection regime, most notably the Commission’s proposal for a new GDPR Procedural Regulation. Announced on July 4, 2023, it aims to standardise and enhance cooperation between EU Member State Data Protection Authorities (DPAs) in enforcing the GDPR, particularly in cases involving cross-border elements. The GDPR Procedural Regulation focuses on several key areas:
- Streamlining the handling of individual complaints related to personal data processing.
- Standardising the conduct of investigations by DPAs in cross-border cases.
- Ensuring procedural rights for individuals and businesses involved in enforcement actions or investigations.
- Facilitating cooperation and information sharing between DPAs in different member states.
For researchers operating in the EU, these developments represent a move towards a more centralised enforcement model of data protection laws. The new procedural rules are expected to provide legal certainty and efficiency, benefiting entities involved in cross-border data processing and research activities (including research performing organisations, although they are not explicitly named). In a nutshell, the GDPR Procedural Regulation could in the future make EU-wide cross-border access to personal data, if not easier, then at least more coherent.
The UK
While (so far) retaining the core principles of the EU GDPR, the UK’s approach to data protection has begun to diverge in specific aspects after Brexit. Most notably, the Data Protection and Digital Information (No.2) Bill, introduced on March 8, 2023, aims to amend the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The bill:
- Introduces statutory definitions for “scientific research”, “historical research”, and “statistical surveys”, along with amendments to the definition of “consent”.
- Changes the role of data protection officers, who are replaced by a senior responsible individual (SRI) for certain organisations.
- Establishes a new test for making adequacy regulations for international data transfers.
- Establishes the new Information Commission, replacing the Information Commissioner’s Office (ICO).
- Increases the limit of fines for breaches of direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).
The UK also passed a bill enabling UK organisations to transfer personal data to US entities certified under the UK Extension to the EU-US Data Privacy Framework without additional transfer safeguards. The UK has also been granted an adequacy decision by the EU, acknowledging that the UK provides a level of data protection essentially equivalent to that in the EU. This facilitates the free flow of personal data from the EU to the UK.
Researchers in the UK or those collaborating with UK entities must therefore understand and comply with the unique nuances of the UK’s data protection laws, distinct from both the EU GDPR and other legislation. Monitoring the progress of the Data Protection and Digital Information (No.2) Bill and ensuring its provisions are fit for facilitating cross-border research will be particularly important.
Switzerland
In 2023, Switzerland enacted the revised Federal Act on Data Protection (FADP), which brings several key changes to Swiss data protection law:
- Interaction with GDPR: The revised FADP mirrors many GDPR principles, aiming to maintain compatibility with EU data protection standards and ensuring the free flow of data with the EU. At the same time, there are also a number of important differences.
- Enhanced Individual Rights: Like GDPR, the new Swiss law strengthens the rights of individuals regarding their personal data, granting rights akin to access, rectification, erasure, and data portability.
- Stricter Compliance Requirements: Organisations are obliged to adhere to stricter compliance requirements, similar to those under GDPR, including obligations for data security, processing transparency, and lawful data processing.
The revised FADP also introduces a new sanction system. Unlike the GDPR’s focus on administrative fines for companies and organisations, the Swiss law also provides for penalties against the individuals responsible for data protection within organisations, with fines of up to CHF 250,000.
The updated Swiss data protection legislation has significant implications for researchers. Researchers handling Swiss data must ensure compliance with the revised FADP, particularly in aspects like lawful data processing, individual rights, and data security. Because this is an “upgrade” compared to the previous Swiss law, researchers working with Swiss data must be more diligent in how they collect, use, and store personal data. However, in some cases the revised FADP is still less restrictive than the GDPR.
The US
It’s important to note that the US does not have federal-level data protection. Instead, data protection in the US is governed by a patchwork of federal and state laws, along with sector-specific regulations. However, in 2023 the landscape of data protection in the United States has been moving towards a more comprehensive, rights-based model:
- State-Level Privacy Laws: States such as California, Colorado, Connecticut, Utah, and Virginia have implemented GDPR-inspired data privacy statutes. The new state laws are influenced by the GDPR’s rights-based approach, categorising entities as “data controllers” and “data processors” and defining similar obligations, including individual rights such as access, correction, portability, erasure, and consent regarding personal data use and sale. Other states that have enacted or modified privacy statutes governing personal information include Montana, Oregon, Tennessee, Texas, and Indiana, each with specific consumer rights and data processing regulations.
- Sector-Specific Federal Laws: At the federal level, the US continues to rely on sector-specific laws like the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Gramm-Leach-Bliley Act (GLBA) for financial data. These laws, though not as comprehensive as GDPR, provide specific protections in their respective domains.
Researchers in the US may therefore need to navigate a patchwork of state and federal laws, requiring a nuanced understanding of the varying regulations across different jurisdictions. As GDPR-like regulations are implemented at the state level, researchers must ensure compliance with these new laws, which may include requirements like consumer consent, data subject rights, and data minimisation principles. The move towards more rights-centric data protection standards at the state level heightens the ethical and legal responsibilities of researchers, especially those dealing with personal data.
Implications for research
In the evolving landscape of data protection legislation, 2023 marked a significant year of change and advancement across the globe. The European Union further elaborated its approach through the GDPR Procedural Regulation, Switzerland aligned its laws more closely with GDPR standards, the United Kingdom refined its post-Brexit data protection framework, and the United States witnessed a surge in state-level privacy laws. These legislative shifts underscore a move towards more stringent, rights-based data protection standards in the Western world, heavily influenced by the GDPR.
For the research community, this landscape presents both challenges and opportunities. On one hand, navigating these complex legal frameworks in cross-border research can require a deep understanding of the nuances in each jurisdiction, demanding significant resources and expertise. On the other, a more closely aligned regulatory environment offers the potential for easier exchange of research data provided that researchers adapt their methodologies to ensure compliance with these stringent requirements.
The content generated on this blog is for information purposes only. This article gives the views and opinions of the authors and does not reflect the views and opinions of the Impact of Social Science blog (the blog), nor of the London School of Economics and Political Science.
Image Credit: Shubham Dhage via Unsplash.