Such large datasets often cannot be sufficiently de-identified to be considered ‘anonymous data’ and hence outside the scope of the GDPR.1 The latter, guided by the objective to protect the data protection and privacy-related interests of data subjects, embraces restricted rather than open access. Core principles of the GDPR are ostensibly in contradiction with the FAIR principles. We have set out to shed light upon these competing interests and consider how they may be reconciled for beneficial ends.
We have taken as a case study one research area that straddles the worlds of health and informatics: neuroimaging. While brain MRIs can undergo various levels of de-identification, for example by having facial features blurred,2 such ‘de-identification’ does not amount to anonymisation in terms of the GDPR.3 Just like a fingerprint the link between the data and the person is intrinsic, and hence should be considered “personal data” under the GDPR; defined as “any information relating to an ... identifiable natural person ... who can be identified, directly or indirectly, in particular by reference to ... one or more factors specific to the physical, physiological ... identity of that natural person”.4
We submit that ‘de-identified’ neuroimaging data does not comfortably fit within any of the kinds of data described in the GDPR, i.e. personal (including pseudonymised) and anonymous data. Furthermore, such brain images arguably consist of ‘data concerning health’; while a scientific research community may be interested in the study of the brain, and not of any particular health condition, such data collection may reveal signs and symptoms of a medical condition, such as a tumour.
Having reached the conclusion that neuroimaging data is personal data concerning health, and hence ‘special categories of data’ in terms of article 9 GDPR – we moved on to consider under which legal basis such data may be processed. Since, following FAIR and Open data principles, it would be desirable to make research data as open as possible, explicit consent is not an appropriate legal basis because, first, consent could not be considered to be specific and informed as per GDPR Article 4(11) criteria; and second, it would thereafter be unlikely that processing could be halted if consent were to be withdrawn (a condition of consent under article 7(3) GDPR). We therefore argue that consent in this context should be considered an aspect of ethical research, but not an appropriate legal basis as per the GDPR.
Therefore, the lawfulness of such processing would need to be considered under the ‘scientific research purposes’ legal basis (GDPR article 9(2)(j)). However, this legal basis also requires “Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
The public interest in scientific research should not be unduly hampered by an overly prohibitive reading of data privacy law. For this reason we submit that the way forward is to uphold the core data protection principles of ‘lawfulness, fairness and transparency’, informing research participants of the nature of their personal data which will be shared openly for scientific research purposes, while obtaining explicit consent as an ethical standard. Therefore what is urgently needed is the enactment of EU or, in the absence thereof, national law at Member State level that operationalises GDPR Article 9(2)(j), rendering legal certainty for researchers whose activities require such data processing. The balancing of interests which permeates the GDPR should lead to the conclusion that scientific research should not be unduly held back by data protection interests and legislation – a conclusion that does not necessarily match the impression researchers in the field have already formed of this law.
1cf. Sweeney 2015
2Wilkinson et al. 2016
3cf. Purtova 2018 The Law of Everything
4cf. the Human Connectome Project, acknowledging this fact in their open access terms and conditions (point 3), <www.humanconnectome.org/study/hcp-young-adult/document/wu-minn-hcp-consortium-open-access-data-use-terms>
Article provided by: Dr. Gege Gatt and Mireille M Caruana (MITLA, Malta)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)