Centrum för forsknings- & bioetik (CRB)

Data Protection Regulation: final result

2016-06-20

Anna-Sara Lind gives us an update on the what the final results of the negotiations for a general data protection regulation in the European Union.

Anna-Sara Lind, photo Eva HolstOn May 4, 2016, the phase of negotiating a new Data Protection Regulation officially came to an end as the text was formally published in the Official Journal of the European Union, after it had been decided by the European Parliament and the Council. The Regulation aims at protecting personal data and individual fundamental rights relating to this data. It is legally binding in all EU Member States and prevails over national law. It applies from May 2018.

The idea of a broad consent is mentioned in the preamble, but is not specifically handled in the articles. It is too early to be sure that broad consent can be used as some leeway in that regard is left to the Member States’ national law.

As to matters relating to welfare and research, it was finally decided that the Regulation should include rules opening up for the Member States to regulate some questions that earlier on was suggested to be explicitly part of the Regulation through national law.

Specific rules are included in the Regulation that aim at handling historical, statistical and scientific research and enhance the importance of individuals’ rights (data subject rights), such as the right to data portability and the right to be forgotten. As was the case in the former Data Protection Directive, the Regulation includes provisions regarding sensitive data such as health and genetic data. In Article 9 it is stated that exceptions to the prohibition of data processing in case of sensitive data such as health and biometric information can be done if so is stated in EU law or Member State law also in case of research. The requirements in Article 89 need to be met, comprising safeguards such as strict technical measures so that the processing is kept to a minimum and pseudonymisation is used when possible. As was earlier the case with the Directive, the Regulation only applies to personal data, not to anonymous data. This will in the future require that risk assessments are done in order to ensure if the data can be considered as anonymous in research. It also follows from the preamble that genetic data is to be defined as personal data, if relating to the inherited or acquired genetic characteristics of a natural person shown in a DNA or RNA analysis.

A major difference compared to the Directive is that the data protection impact assessments and the procedures for handling data breaches now become mandatory, but also that remedies, fines and sanctions become more severe. Another important change is that a processor, someone processing data on behalf of the controller such as a cloud service provider, will have independent responsibilities for handling the data.

Anna-Sara Lind

Mer nyheter från CRB