Data turbo for research: How the GDPR should accelerate innovation

Scientific breakthroughs today depend more than ever on the availability of large amounts of data. Whether in medicine, sociology, or the development of Artificial Intelligence – personal information is considered one of the fuels for modern knowledge acquisition. However, there has long been uncertainty in the research community about how the provisions of the General Data Protection Regulation (GDPR) are compatible with the dynamics of innovative projects. The European Data Protection Board (EDPB) now clarifies with new guidelines: The GDPR is not intended to be an obstacle to progress, but a reliable framework for responsible innovation.

The definition of what constitutes privileged scientific research has already been challenging. Not every data-driven project can claim the GDPR's exceptions. The EDPB now provides six concise indicators for this.

According to the guidelines, a research project must proceed methodically and systematically, adhere to recognized ethical standards, and ensure a high degree of transparency and verifiability. Furthermore, the directive emphasizes the autonomy of researchers and the pursuit of manifest scientific goals. These should have the potential to expand existing knowledge. If the criteria are met, the presumption of scientificity applies. This reduces the bureaucratic justification pressure for academic institutions.

End of the “purpose limitation trap”

The explanations on purpose limitation are far-reaching. In practice, it often only becomes apparent during a study that the data collected would also be valuable for another, complementary research question. Previously, researchers often had to painstakingly check whether the new use was compatible with the original purpose of collection. This process often led to legal dead ends. According to the guidelines, further processing for scientific purposes is generally considered compatible with the original purpose. This presumption relieves researchers of complex compatibility tests, provided that the original legal basis for data collection remains valid.

Another practical problem is the fact that not all future detailed questions of an investigation are typically determined at the time of data collection. Here, the EDPB confirms the admissibility of “broad consent.” Test subjects can therefore give their consent for broadly defined research areas instead of having to sign for each specific analysis individually.

To protect data subjects, however, such consents must be accompanied by additional protective measures, such as ethical oversight or special technical precautions. In addition, the EDPB strengthens the model of dynamic consent. Researchers communicate continuously with participants via digital platforms and can thus obtain consent for new project steps.

Are data subject rights being undermined?

The committee also wants to ensure greater practicality in research for data subjects' rights. While the fundamental rights to erasure or objection remain. However, the committee acknowledges that their unrestricted exercise could jeopardize the integrity of scientific studies. If the deletion of a dataset would destroy the statistical validity of a research series, scientists can reject requests under certain conditions. This applies particularly when processing is absolutely necessary for tasks in the public interest.

Technical aspects such as anonymization and pseudonymization are coming more into focus. The EDPB emphasizes that the goal of research must always be achieved with the lowest possible risk to privacy. To accelerate technical implementation, the committee has formed a “Sprint Team.” It is expected to provide details on anonymization by summer.

The EU data protection authorities are thus responding to developments in re-identification through AI. In Germany, a dispute has been raging for years, primarily over the sell-off of health data in the name of research. Stakeholders can provide feedback as part of a consultation until June 25 before the rules come into effect.

(nen)