Doubts linger over impact of new data protection rules on research

21 Apr 2016 | News
After getting caught in the crosshairs of the Snowden revelations, data protection reform finally got the nod. But some researchers say new rules passed last week could lead to inconsistent practices across Europe.

The EU has given national governments too much leeway when it comes to interpreting tough new data protection rules, leaving the door open for member states to develop excessive safeguards and limitations that could hamper research, according to critics.

The League of European Research Universities (LERU) says it is concerned that the new EU Regulation will lead to a patchwork of different data protection and privacy rules in the EU Member States. “It will now be up to the member states – through the implementation of the regulation – to refrain themselves from introducing excessive and divergent safeguards and limitations that would hamper research,” LERU says.

Giving governments some discretion on how to implement the law could lead to problems, agrees Magnus Stenbeck, a senior researcher in Sweden's Karolinska Institutet. “When you leave things up to member states there will always be variability,” he said.

For example, the legislation leaves it open for member states to set different standards for ethical research committees. “We have a system in Sweden, in Denmark they have a different one,” said Stenbeck. He believes the legislation will have to be cracked open again in the future, to confront these issues.

Lidia Borrell-Damián, director of research and innovation at the European University Association, said inconsistencies between countries’ research policies may emerge, but it remains to be seen. “It will be important to follow up,” she said.

“We are very happy with the outcome,” said Beth Thompson, a policy adviser at the Wellcome Trust. “It has avoided the very damaging Parliament amendments and reached a good compromise.”

“The point that LERU has picked up is that, unfortunately, the new text does not take us any further towards harmonisation,” said Thompson. “This would have been a great step forward for cross-border research. However, during the process it became clear that it would not be possible to achieve harmonisation for research without compromising the more research-friendly rules that we currently have in some member states.”

“What we have achieved is similar to the status quo, rather than a step backward,” Thompson said.

Researchers were concerned that changes proposed during the bill’s passage, requiring specific consent each time an individual’s data was used in research, would be unworkable.

The proposal was made despite the fact that research already requires ethical approval and ensures confidentiality, and that the identity of individuals is often masked.

Researchers set up the European Data in Health Research Alliance to lobby for research exemptions in the new legislation. Its ‘Data Saves Lives’ petition attracted over 7,000 signatures.

The campaign said last week the result was good news for research in Europe, as the European Parliament passed the final vote on the regulation.

The new rules are intended to strengthen online privacy, streamline legislation between the 28 member states and boost police and security cooperation.

Catherine Castledine, public affairs manager at Cancer Research UK, said the research charity “is pleased that the final text of the new law strikes a balance between protecting privacy and safeguarding research.”

The rules will come into force in the summer, with member states having two years to comply. 

Under the new rules, universities will have to hire a data protection officer. Borrell-Damián said her team are preparing to investigate the implications of these new responsibilities.

Breach of the rules

The new rules cover all businesses that handle data of EU citizens, even those not based in Europe. 

Technology firms found in breach will face fines of up to 4 per cent of their yearly revenue, which could imply billions of euros for major global online corporations.

Companies will also be obliged to report data breaches, such as hacking of databases, within 72 hours. Firms that handle significant amounts of data will have to hire data protection officers.

William Priestley, systems engineer at Varonis, an American software company, said companies will need to create incident response plans, restrict access to data and retire data when it is no longer needed.
