1. Bio-Banking vs Interventional research. The need for a scalable and proportionate approach to compliance.
Most of the bio-ethics studies regarding data protection rules in the field of research have often captured the view of patients and research participants, while focusing less on the perspective of researchers. Capturing the view of researchers toward data protection regulation is one of the greatest merit of the debate preceeding the GDPR adoption. The Scientific Community had the chance to express its concerns toward standard models of data protection requirements, in particular much criticism has been directed against a general consent model.
Epidemiological clinical and lifestyle research that make uses of registries and bio-banks have expanded rapidly over the past 20 years. Studies and interview-based studies that carry minimal risks to research participants may not need the same level of legal requirements on data protection as (for example) interventional research. Therefore the research organizations championed a case-by-case approach to guarantee the scalability of data protection requirements and avoid unbalanced compliance burdens when the processing carries minimal risks to research participants. However, while there can be little doubts that a risk-based review system for the protection of research participants of great interest would accelerate scientific research, a case-by-case approach would go directly counter the fundamental right nature of the right to data protection in EU.
From the perspective of researchers, complying with standard models of data protection, irrespective of the risks posed to data subjects by the processing concerned, is an unnecessary administrative burden in an area, such scientific research, which is already highly regulated. From the perspective of research participants there cannot be effective control over their personal data if rights are not ensured to them by law and/or if these protections are not exhaustively regulated by legislator.
2. Facilitating regime for scientific research and risk-based review systems.
To facilitate scientific research, the GDPR sets a series of exemptions from core principles of data protection ( in particular from principles of lawfulness, transparency and storage limitation) and from certain data subjects’ rights. The facilitating regime is however mainly composed of open clauses to be further implemented by National Legislators, who are ultimately responsible to reconcile the social benefits deriving from scientific research with a framework of adequate safeguards for research participants.
When implementing the GDPR clauses for scientific research through legislation and code of conducts, national legislators are entitled to take into consideration all relevant factors to ensure that data protection obligations are proportionate both to the social benefits of research pursued through the processing and the risks for research participants. Given the wide margin of manoeuvre provided by the GDPR to Member States, these can establish scalable facilitating regimes depending on the needs of the different research fields and the type of data processed. Member States are, for example, entitled to establish stricter requirements and additional safeguards when the processing for purpose of scientific research concern sensitive data (such as data concerning health, genetic or biometric data).
It cannot be disputed that national legislators can take into account the likelihood and degree of risks posed by each category of data processing and regulate them accordingly. By contrast it is not yet clear the significance of the risk-assessment to controllers in the field of research. More specifically it is worth investigating the legitimacy (within the GDPR) of a risk-based review system where ethical committees play a prominent role to allow the scalability of the data protection requirements depending on the degree of risks associated with the specific study concerned. The concept of the risk-based approach to data protection has indeed stirred controversy also outside the context of scientific research.
3. What is the significance of the risk-based approach within the GDPR?
The risk-based approach is not a new concept introduced by the GDPR. Under the Directive 95/46/EC the data protection regime for sensitive data could be considered as an application of the risk-based approach. Indeed stricter legal protections apply for the processing of sensitive data, due to the higher risks posed to data subjects’ rights and freedoms.
Within the GDPR the risk-based approach translates, among others, with the obligation to undertake a Data Protection Impact Assessment (35), the obligation of security (Art 32) and other implementation measures such as the data protection by design principle (Art 25), the obligation for documentation (Art 30) and the use of certification and codes of conduct (Articles 42 and 40).
According to a broad interpretation, the risk-based approach would represent the view that data protection obligations must be scalable to the controllers depending on the risks for the data subjects associated with the processing concerned. The risk has a certain degree measured in term of likelihood and severity, having regards to the factors specified in the GDPR and in the WP29 Guidelines on Data Protection Impact Assessment (DPIA) issued on 4 April 2017. As the GDPR aims to ensure substantial (and not purely formal) protection for data subjects, “compliance should never be a box ticking exercise, but should really be about ensuring that personal data are sufficiently protected”. Additionally the scalability of legal obligations to controllers is due to avoid unbalanced legal and administrative burdens and to ensure social acceptance of data protection rules.
It has to be noted that the risk-based approach goes beyond a narrow harm-based approach that focuses on damage impact to the data subjects. The impact assessment should take into consideration the whole spectrum of potential adverse effects including the general societal impact (such as the loss of social trust). Moreover, while assessing the impact on “the rights and freedoms of the data subjects” the controllers should take into consideration, in addition to privacy, other fundamental rights that can be affected such as the freedom of speech, freedom of thoughts, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion.
A broad interpretation of the risk based approach has been promoted in public debates before the final approval of the GDPR in the context of big data. In particular, t has been argued that collection should not be considered longer the main focus of the Regulation, but compliance should rather shift to the framing of data use, in consideration of the low level of risks associated with the collection. There has been also a debate in the context of the trilogue negotiation on the applicability of a lighter legal regime to the processing of pseudonymized data, due to the lower level of risks for data subjects.
These interpretations of the risk-based approach motivated the Art 29 Working Party (WP29) to issue a position statement in 2014 to clarify the proper significance to be assigned to the risk assessment in the context of the GDPR. (WP29 Statement on the role of a risk-based approach in data protection legal frameworks adopted on 30 May 2014). As a result of the WP29 position of 2014, the final version of the GDPR took on board a risk-based approach which is limited to compliance matters.
4. DPIA: Mitigating risks and compliance with rules of GDPR are two different things?
Article 35 is the most important provision applying the risk-based approach within the GDPR. It introduces the duty of conducting a Data Protection Impact Assessment (DPIA or PIA). The provision still contains some inconsistency since it doesn’t clarify whether the impact-assessment’ s object is the likely high risk to data subjects’ rights and freedoms or, by contrast, the impact on the protection of personal data. According to some interpreters this provision suggests that compliance to data protection regulation and mitigating the risks to the rights and freedoms of data subjects are two different things. In which case the impact assessment would represent something different from the traditional compliance approach. (C. Quelle, Does the Risk-Based Approach to Data Protection Conflict with the Protection of Fundamental Rights on a Conceptual Level? Available at SSRN: https://ssrn.com/abstract=2726073).
Indeed, if the controllers are entitled to use the risk-impact assessemnt to mitigate risks for data subjects, it should follow that controllers are also entitled to make discretionary choices on which legal requirements and safeguards complying to. And if this is true, then what is the role of data protection rules and data subjects rights if the controllers can use a DPIA to avoid compliance to some of the GDPR requirements?
The mentioned WP29 position statement had already tried to solve this issue in 2014, before the final approval of the GDPR. According to the WP29 the DPIA is not a process designed to justify a failure to comply with to some of the GDPR requirements, but rather a process for building and demonstrate compliance. In particular it has been clarified by the WP29 that:
- the rights granted to data subjects by the EU law should be respected regardless of the level of the risks posed by the processing concerned;
- core principles applicable to the controllers (such as legitimacy, transparency, data minimization) should remain the same whatever the processing and the risk for the data subjects.
- the risk-based approach requires additional measures when specific risks are identified and the DPA (Data Protection Supervisory Authority) should be consulted when highly risky processing has been identified by an impact assessment.
Therefore the WP29 excluded the legitimacy of lighter regimes as championed in public debates for big-data collection and for processing involving pseudonymized data. Rather the legal requirements of the GDPR represent a minimum and not negotiable level of protection for all individuals that applies irrespective of the level of risk for data subjects. The DPIA seems only to serve to justify the implementation of additional measures, when highly risky processing is concerned, but not to justify a failure to comply with the GDPR rules.
This interpretation, which has been upheld by the final version of the GDPR, gained much criticism because it doesn’t enable the risk-based approach to its full potential. Indeed it doesn’t satify that need for a granular dimension of compliance. Moreover one may wonder what’s the point of conducting a risk assessment if it doesn’t follow a risk management phase, where controllers have discretion to a risk response.
For the WP29 this interpretation is nevertheless the only possible given the right-based nature of data protection. The fundamental right nature of data protection in the EU is thus the greatest obstacle to a risk based approach applicable to its full extent. At the same time the WP29 recognizes that implementation of controllers’ obligations through accountability tools and measures can be varied according to the type of processing and privacy risks for data subjects. In the GDPR “there should be recognition that not every accountability obligation is necessary in every case, for example where processing is small-scale, simple and low risk”.
This position was then confirmed in 2017 WP29 Opinion on DPIA where it has been stated that the “DPIAs are important tools for accountability as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance witht the Regulation”, “in other words a DPIA is a process for building and demonstrating compliance”.
In conclusion, the object of the impact assessment under Article 35 is the compliance risk, rather than the risks for data subjects. Such interpretation is the only way to reconcile the risk-based approach (introduced by the GDPR) with the right-based nature of data protection, despite the contradditory wording contained in that provision. The nature of fundamental right of data protection is an obstacle for an approach to data protection different and alternative to traditional compliance approach. ( R. Gellert, Why the GDPR risk-based approach is about compliance risk, and why it’s not a bad thing, in Schweighofer, Kummer, Sorge (eds), Trends and Communities of legal informatics: IRIS 2017- Proceedings of the 20th International Legal Informatics Symposium, 2017, pp. 527-532;)
Same reasoning applies to scientific research. In order to respect the rights-based nature of data protection, National Legislators called to implement the facilitating regime should define precisely the scope of application of the exemptions and exhaustively regulate the “adequate safeguards” referred to in Article 89.1. If a processing meets the requirements for carrying a mandatory DPIA, additional measures may need to be implemented. In the following months the national supervisory authorities will need identify when processing in the context of bio-banking falls into the cases provided for in Article 35.3 b). Indeed despite being a a large scale processing of special categories of data, bio-banking may pose less risks to data subjects compared to other studies of medical intervention. Thus evidence on the real risks posed by bio-banking activities should be collected by the research organizations and this evidence may be of help in individuating when the DPIA will be mandatory.
There seem to be no space for the case-by-case approach or a review-based system championed by the Scientific Community during the debate on the GDPR. The controllers will need to demonstrate compliance to the legal requirements of data protection as specified in the national legislation or in the national code of conducts of each Member State. When an exemption doesn’t apply (for example with respect to the requirement of fully informed and specific consent), the risk based approach won’t serve to controllers to justify a failure to fulfill the national applicable regime for scientific research, even if the processing concerned carries low or no risks for data subjects.