Research wins an exemption in new data protection rules

Intense lobbying by Europe’s leading medical and scientific funding bodies has paid off, with research given an exemption in strict new date protection laws agreed this week.

EU negotiators in Strasbourg signed off on the new European Data Protection regulation almost four years after it was proposed to overhaul the 1995 data protection law. The rules are expected to take effect from 2018.

Researchers were concerned that changes proposed during the bill’s passage, requiring specific consent each time an individual’s data was used in research, would be unworkable.

The proposal was made despite the fact that research already requires ethical approval, ensures confidentiality, and the identity of individuals is often masked.

“We’re pleased the law has steered away from a damaging course that would have held major studies back by limiting how researchers use personal data in their work,” said Emma Greenwood, head of policy development at Cancer Research UK.

“The outcome looks very good for researchers,” said Magnus Stenbeck, a senior researcher in Sweden’s Karolinska Institutet. “There’s a requirement in there to inform people whose data we use and it might be a bit cumbersome and take a bit of time and money, but it’s not unlike the present arrangement we have,” said Stenbeck. 

“There’s also provisions in the new rules which say if it’s truly impossible to inform someone of personal data use, then it’s still okay to use it,” he added.

This would legally protect a researcher whose makes use of thousands or millions of health records, for example. Not only would it be impractical to find consent for each and every one, it could also risk biasing results, researchers said.

“Consent is already an important principle of research,” said Catherine Castledine, EU public affairs manager at Cancer Research UK. “But when you’re doing a study that involves half a million data points across 10 European countries, the obligation to get it every time would have been unworkable.”

Safeguards and governance structures are already in place to ensure personal information is used safely and ethically, according to the Wellcome Trust, the largest charitable funder of research in Europe. “The text agreed in enshrines the need for such safeguards and rejects amendments that would have imposed new disproportionate limits on the use of health data in research,” it said.

Researchers set up the European Data in Health Research Alliance to lobby for research exemptions in the new legislation. Its ‘Data Saves Lives’ petition gained over 7,000 signatures.

After a long battle with politicians in Brussels, the mood among researchers was jubilant. “It is good to see that reasoned argument and choices based on population health priorities have led to a good decision,” said Richard Frackowiak, chair of the Medical Sciences Committee of Science Europe.

"With a view to the future, it will be important to follow up the specific provisions that member states will have to introduce to adapt their legal basis to the new regulation and ensure that proper exemptions apply to research," added Lidia Borrell-Damián, director of research and innovation with the European University Association. 

Tech firms could face huge fines

Changes will be more keenly felt in the corporate world. According to Hazel Grant, head of privacy at the law firm Fieldfisher, the new legislation “is the single most important change in data privacy law for the EU in the last twenty years. It will affect all businesses, all over the world – as every organisation has employees and contacts, even if they don't have individual customers.”

Technology firms found in breach of new rules will face fines of up to 4 per cent of their yearly revenue, which could imply billions of euros for the major global online corporations, according to Parliamentarian Jan Philipp Albrecht, the chief negotiator on the bill.

Companies will also be obliged to report data breaches, such as hacking of databases, within 72 hours.

In effect, firms that handle significant amounts of data will have to hire in-house regulators. “Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers,” Albrecht said. SMEs are excluded from this requirement.