GDPR must not create unnecessary barriers for scientific research – CSC gave input to European Commission’s upcoming GDPR evaluation report
The General Data Protection Regulation (GDPR) of the EU has had a significant positive impact on the protection of personal data and individuals’ rights. However, its application in the field of scientific research has posed challenges, particularly concerning the utilization of health-related and other biomedical data. It is crucial to comprehensively assess the experiences and challenges encountered in applying the regulation to ensure that research activities vital for the well-being, competitiveness, and strategic autonomy of the EU are not unnecessarily hindered.
In the field of scientific research, the GDPR and its fragmented interpretation across Europe have increased bureaucracy and uncertainty regarding the correct procedures. The transfer of biomedical data has halted on many occasions, with member states opting to keep data within their own borders. To address this situation, it is paramount to ensure consistent interpretation and application of the GDPR across Europe. The guidelines and recommendations of the European Data Protection Board (EDPB) play a significant role in this regard. Additionally, input should be taken into account from entities such as the European Data Innovation Board (EDIB), established by the Data Governance Act, and other stakeholders.
The utilization of biomedical data for research purposes also faces significant challenges due to ambiguities concerning pseudonymization and determining adequate security levels for it. The GDPR evaluation reportshould clarify the interpretation of pseudonymized data regarding its status as personal data and overall adopt an enabling approach to data use and improve reusability of datasets. These needs are also highlighted in studies such as the report published by the Finnish Ministry of Education and Culture on the impact of social and healthcare legislation on research freedom and research, development, and innovation activities (available in Finnish at https://julkaisut.valtioneuvosto.fi/handle/10024/163611).
In scientific research, expanding knowledge by enriching it with new information and integrating new data into broader contexts is essential. As research activities become increasingly data-intensive, it is necessary to critically examine the GDPR’s principle of data minimization in the context of research in the evaluation report. Furthermore, ensuring the proportionality and technical feasibility of requirements for secure data processing environments is important.
In the evaluation report, it must also be taken into account that the GDPR increases the costs of developing and maintaining RDI services. For example, developing and operating IT services that comply with GDPR requirements practically requires substantial resources and expertise. Privacy-by-design solutions facilitate cross-border research by increasing trust but are more expensive to produce and, consequently, more expensive for users to procure.
The administrative burden resulting from the role of data controller must also be reduced, not only through the effective use of codes of conduct, certification mechanisms, and standard contractual clauses but also by providing concrete guidance on what, why, and how to document. To achieve this, uniform templates, for example, should be developed.
The secure and seamless research use of biomedical data can provide a competitive advantage for European research and thereby contribute to improving public health and well-being throughout Europe. The GDPR evaluation report should therefore focus on ensuring that the regulatory framework enables the widest possible use of data in scientific research.