Centre for Research Ethics & Bioethics (CRB)

Renewed European effort to agree on data protection

2015-09-28

The European Data Protection Regulation keeps moving through the administrative and legislative process. This summer, The Council, The European Parliament and the European Commission started the 'trilogue' negotiations. Here, Anna-Sara Lind gives her comments on the process.

Right now, intense efforts are made to agree on a common view on data protection in the European Union. In accordance with the legislative process of the European Union, the three institutions have – at different times – over the last years produced one document each of their version of how a regulation should be written. It is noteworthy that the three versions differ rather heavily when it comes to matters having an impact on biobank research. When comparing the documents from the three institutions, it is clear that the Council is more generous towards research. The European Parliament on the other hand is striving for a stronger protection for personal integrity in all fields, even research.

The European Parliament's position regarding purpose limitation is one example of this. Today, the main rule states that data that have been gathered for a certain purpose should not be used for other purposes, unless consent has been given for the new purposes. This rule does however, contain an exception for research. The Parliament strongly objects to this, while the Council to some extent advocate it for the new regulation. Consent is problematic to handle in the negotiations. It is far from clear that the institutions could agree on a research friendly rule that allows for processing of large amounts of data without active consent.

Another major issue for the research community is how anonymization and pseudonymized data should be handled in a new regulation. The main motive for enacting a new regulation is to strengthen the personal integrity in all fields. It has, however, turned out to be difficult for the European institutions to include the possibility for researchers to conduct research on personal data when it is possible to identify individuals. The European Parliament demands that no person should be identified. To meet this demand, information would have to be removed, something that would undermine research results.

During the negotiations this summer, the European Commission underlined that the present Data Protection Directive represents the minimum level of data protection that we need to guarantee in this process. The goal is to achieve a single set of rules on data protection, valid across the EU. A new regulation should reinforce rights in order to put people back in control over their data. The Commissioner in charge of these matters has also underlined the importance of achieving a system where the same rules apply for companies from both within and outside the EU. The regulation should also include a strong and effective one-stop shop mechanism to simplify the lives of companies and citizens. The negotiations will continue this autumn. When they close and the parties agree, it will take another two years for a new data protection regulation to enter into force.

By Anna-Sara Lind

More news from CRB