Differential Data Protection Regimes in Data-Driven Research: Why the GDPR is More Research-Friendly Than You Think

Abstract

Against the backdrop of an evolving landscape describing data driven research, this article discusses the role of data protection laws in shaping a free flow of research data. In particular, the analysis inquires whether European data protection law hampers or encourages data-driven research. The analysis critically challenges the shared belief that the more severe data protection regime laid down by the European legislator adversely affects data flows and with that data-driven research. This is contrary to what occurs in the United States, where the more fragmented and less developed data protection framework facilitates data flows and related innovation patterns. We show how research objectives through data re-usability have been very recently given primary importance in the GDPR, where they find a formidable ally enabling the re-usability of public data by businesses and of private data by public institutions, for either public interest-related research purposes or commercially oriented innovation purposes. We argue that the GDPR differently promotes research-valuable data flows in consistency with an emerging principle of free movement of personal data. In order to ground this statement, our analysis links to this principle three-directional research regimes emerging from the GDPR.

A. Introduction and Scope of the Analysis

Data sharing practices imply access to data among contracting parties and the processing of it by involved subjects. ¹ Even when data are shared merely for research purposes a legal framework is needed ² and implied in all the terms of service and licenses agreements. Access is generally meant to maximize the scientific and technological value of aggregated datasets, as processed for research and development purposes. ³ Several sets of legal rules have been issued with the specific aim of incentivizing data exchanges among different stakeholders for research and innovation purposes.

In the United States, ⁴ for example, the policy stance of enhancing the free flow of information has triggered recent reforms, especially in the health sector, that we choose as a test bed for our analysis. With the aim of promoting the flow of patients’ personal health information, the 21st Century Cures Act ⁵ has established a framework to advance “interoperability and support the access, exchange and use of electronic health information.” ⁶ For these purposes the Act creates a Trusted Exchange Framework and Common Agreement (TECFA), creating a network among authorized participants facilitating data exchanges to overcome existing barriers and to mitigate information blocking and withdrawal by relevant parties. ⁷ The Cure Act targets these objectives by setting shared standards establishing principles of transparency and non-discrimination specifically devoted to access to and research activities over electronic health information. ⁸

In the EU, data sharing has lately become a key concern with the objective of boosting data availability within the European digital single market. ⁹ The European Commission has highlighted the importance of access to health data in its “European strategy for data.” ¹⁰ Here, the creation of a “Common European health data space” ¹¹ has been considered among the nine European data spaces the European Commission intends to encourage in the coming years.

Under the EU strategy for data, data pools shall be as “open as possible” and as “closed as necessary,” ¹² so as to promote data re-usability and analysis across different sectors. The innovation principle, which, as the Commission underlines, ensures that “legislation is designed in a way that creates the best possible conditions for innovation to flourish,” ¹³ supports the sharing of data at regulatory level.

Accordingly, soft law tools have been used by the Commission in its Recommendation on access and preservation of scientific information ¹⁴ to directly target data-driven research objectives. Research goals have been lately acknowledged by the Open Data Directive, ¹⁵ the Regulation regarding the free flow of non-personal information, ¹⁶ the Digital Single Market Directive, ¹⁷ as well as the proposed Data Governance Act. ¹⁸ All these set of rules are closely connected to the General Data Protection Regulation (“GDPR”) ¹⁹ and help to unfold the pro-research potentials it has, especially with respect to datasets in which non-personal data and personal data are “inextricably linked.” ²⁰ Indeed, all these legislations expressly do not derogate the GDPR but build on it.

Against the backdrop of this evolving landscape, this article discusses the role of data protection laws in fostering a reliable and balanced framework for data sharing and related research objectives reaching conclusions opposite to mainstream literature. ²¹ In particular, it demonstrates that European data protection law does not hamper but rather encourages data-driven research.

For these purposes, the study critically challenges the shared belief that the apparently more severe and burdensome data protection regime laid down by the European legislator adversely affects data flows and with that data-driven research, ²² contrary to what occurs in the U.S., where the more fragmented and less developed data protection framework may facilitate data flows and related innovation patterns. ²³

As a disclaimer, we do not argue that the GDPR offers a perfect world; after all its wording is afflicted by many political compromises. However, we claim that its overall structure and content are naturally steered towards a balanced approach fostering research and research-based data sharing. In this approach, we move from the analysis of the GDPR’s research goals and their specific rules. We thus explore how these rules enable suitable pathways for sharing research.

B. Setting the Landscape

As recital 159 of the GDPR clarifies, the research objectives pursued by the Regulation are directly linked to the objectives set under Article 179(1) of the Treaty on the Functioning of the European Union, which encourages “the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely.” ²⁴ In light of these statements, data sharing is a “quasi-constitutional” mandate. These free circulation goals are directly connected with the market-integration objectives resulting from the free flow of personal data, the GDPR expressly pursues under Article 1(1) of the GDPR. ²⁵

Recital 2 of the GDPR states that the GDPR intends to contribute “to the economic and social progress” and “to the strengthening and the convergence of the economies within the internal market.” ²⁶ Accordingly, also recital 5 GDPR acknowledges that the “economic and social integration resulting from the functioning of the internal market” have facilitated the “exchange of personal data between public and private actors.” ²⁷ This market-based foundation of the GDPR stands directly behind the fundamental rights dimension of European data protection law, expressed under recital 1 and directly rooted in Article 8(1) ECFR and in Article 16 TFUE(1). ²⁸

In consistency with the set goals, the GDPR offers a specific framework regarding the processing of personal data for research purposes, primarily found under Articles 6(4); 5(1)(b); 9(2)(j) and 89 GDPR. Considering this research-based set of provisions, various scholars ²⁹ have commented that the greater consideration of free flow of information and research objectives within the GDPR with respect to the previous Data Protection Directive, highlighting the occurrence of a “regime change” in European data protection law; ³⁰ has led to a research facilitating regime ³¹ and the establishment of an outright research efficiency defense under data protection law. ³²

Building on this literature, this study moves from the acknowledgment of an existing gap in the literature as to how the GDPR can facilitate data-driven research in practice. It thus intends to answer largely unaddressed questions regarding where and how to draw the boundaries of openness allowed by the GDPR with respect to data sharing, and, in particular, the boundaries of openness for data sharing established and alimented for research purposes.

The analysis thus shows that there are many answers to the set questions, arguing that the two recalled European data protection law’s regulatory pillars—fostering free flow of data while protecting fundamental rights—create an architecture of layered data protection regimes, which come to tighten data subjects’ rights vis à vis massive data collection and processing activities on the one hand, and establish fruitful “enabling regulatory spots” for the processing of personal data on the other.

These differential data protection regimes applicable to data-driven research are not static and should be dynamically interpreted considering the flexibilities the GDPR provides. These flexibilities are leveraged taking the protection of fundamental rights with respect to the sharing of research-precious data—as health data—as a major concern and operationalizing it as an internal parameter of any sharing practice, also for research purposes.

This study proposes a “differential” interpretation of the GDPR’s flexibilities based primarily on the different adherence of these differential data protection regimes to the parameters related to individual control objectives—data subjects in charge—and the free flow of information objectives—more extensive maneuvering ability for data controllers, or data controllers in charge. These different data protection regimes are first identified within the listed legitimate bases for data processing activities and further analyzed to describe how they balance the role and powers of the relevant stakeholders involved in the processing of personal data for research purposes.

The identified regimes differently address data subjects’ control prerogatives and free flow of research data objectives by differentiating the safeguards requested and thus the standard of data protection required for private data pools, public data pools, and mixed private-public data pools.

Although we discuss health data pools, their regulatory framework as a case-study for their incredible research value, ³³ and special consideration offered in any given jurisdiction, for example under Article 9 GDPR, our analysis has general relevance for any personal data sharing. The enquiry ultimately demonstrates that differential data protection regimes have a varied affect on the contractual freedom to share and aggregate personal data, which is the primary pillar of the creation of “common data spaces” envisaged under the latest European strategy for data. With respect to the case of health data, it shows how the GDPR offers specific data protection tools, capable of maximizing the research value embedded in health datasets, without unduly undermining patients’ or data subjects’ fundamental rights in the emerging “health data space.” ³⁴

By unveiling the sophisticated nature of European data protection law with respect to data-driven research objectives, this study finally underlines the paradigmatic relevance of the resulting European regulatory model for both the interpretation of U.S. data protection regulations as well as their much-advocated reforms. Moreover it lays the basis for a possible alignment between the U.S. and European data protection regimes regarding research-oriented processing activities, which may be relevant especially with respect to EU-U.S. data transfers after the falling of the Privacy Shield. ³⁵

Under these general premises, the analysis requires a clear setting of the “legal” notion of research and of its scope across the ocean.

C. The Notion of Research Under Data Protection Laws: A Comparative Perspective

Big Data is deeply changing research methodology, and with it the range of public and private applications of the new insights collected through their use. ³⁶ The sources of Big Data potentially valuable to medical researchers include electronic medical records and electronic health records, ³⁷ aggregate clinical trial data, administrative health care data, ³⁸ genomic, and other -omics data, ³⁹ along with health data collected using other means, and granular environmental data. ⁴⁰ It is the case of health data collected by recording of online and physical activities of individuals, such as on mobile phones or wearable devices, ⁴¹ that are not labelled as medical devices. ⁴² This causes the same notion of “health data” to become increasingly diaphanous ⁴³ and problematic in the data driven society.

As a result, research is evolving with a profound differentiation between data-driven and conventional approaches to research. First, researchers capture more comprehensively the data related to the phenomenon of their interest with all the environmental correlations, for example, being forced to assess trade-offs outside their normal range: Between data quality and quantity—for example—which are dimensions that are not in conflict in traditional research. Second, new methods of data analysis emerge to extract valuable information from more comprehensive data. For example, there are the various forms of machine learning put in place to detect patterns and correlations from data, as hypotheses to work on, rather than starting from a hypothesis and looking for data to work on. ⁴⁴

The ongoing changes in the ways research is conducted, the increasing relevance of data, and the involvement of both public and private stakeholders in research projects that are of an increasingly complex nature ⁴⁵ render the legal notion of research a highly challenging interpretative battlefield at both the international ⁴⁶ and supra-national level.

At a supra-national level, the definitions given to research and the rules provided with respect to processing operations of personal data conducted for research purposes greatly vary across jurisdictions. These differences are important to take into account because the legal uncertainties they engender may hamper the conduction of transnational collaborative research projects.

The following paragraphs will account for the differences in the definition of research between U.S. data protection laws and the European GDPR, setting the ground for a deeper analysis of the differential data protection regimes for research in the EU. The “differential” data protection regimes for research emerging from our analysis will provide relevant interpretative criteria for addressing legal uncertainties in minimizing these differences, favoring trans-oceanic data flows for research purposes.

I. Research under US Data Protection Laws

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA), lays down rules for the protection of health information, specifically addressing the use and disclosure of such information for research purposes. ⁴⁷ It lays down only a very general framework for the protection of patients’ personal data, however, deferring to State laws for the definition of more specific standards. This creates a mosaic of privacy regulations disparately addressing privacy concerns and creating a substantial regulatory hurdle to data sharing among relevant stakeholders. ⁴⁸

HIPAA defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” ⁴⁹ It provides that health information can be processed for research purposes without the data subject’s authorization only when there is a documented waiver approved by an Institutional Review Board (IRB) or Privacy Board ⁵⁰ of the covered entity making the disclosure, the receiving entity, or an independent board. ⁵¹

Under HIPAA, in the absence of the institutional waiver, the processing of data for research purposes requires data subjects’ authorization. ⁵² In this case, HIPAA encourages the adoption of “data use agreements” on the processing of certain kinds of health information, which although not fully de-identified has been subject to the removal of certain direct identifiers. ⁵³ Ultimately, HIPAA establishes a data subjects’ right to receive an accounting for personal information that has been disclosed by covered entities for research purposes over the last six years. ⁵⁴ This obliges the same covered entities to accurately document disclosures for research purposes in a way not dissimilar to what requires the accountability principle under the GDPR but in a more burdensome way because it is operated in a less structured environment to gather evidence and keep track of the various data flows.

Additional restrictions to the processing of personal data for research purposes, specifically regarding personal data regarding children, are provided by the U.S. Children’s Online Privacy Protection Act (COPPA), which establishes the requirement of consent from the parents of the interested children limited to the collection and use of children’s personal information for research purposes, but excludes the possibility of consent for the disclosure to third parties of such information for the same purposes. ⁵⁵

The recently enacted California Consumer Privacy Act, ⁵⁶ although only binding at the State level, is important for its intended natural leading role across the country and globally. The CCPA narrowly defines and circumscribes the notion of research only to public-interest oriented research activities, that is “scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health ….” ⁵⁷ The Act further states that “personal information that may have been collected from a consumer in the course of a consumer’s interaction with a business’s service or device for other purposes” can be processed for research purposes, provided certain conditions are met. These conditions include the required compatibility of the research purposes with the business purposes for which the information was collected, the implementation of technical safeguards obstructing the reidentification of consumers, and the pseudonymization or deidentification of such information are envisaged. ⁵⁸

The CCPA excludes from the scope of research-oriented processing those activities serving commercial purposes, ⁵⁹ defined as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes” ⁶⁰ in order “to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.” ⁶¹ The California data protection law thus provides an objective-based definition of commercial-oriented research, which is based on the nature of the satisfied interest, rather than on the nature of the involved research entities. This objective interpretation of the notion of research under the CCPA helps clarify why the Act still considers as research those activities that are conducted in the realm of the “business purpose,” defined as the use of personal information “for certain operational purposes or other notified purposes” including “undertaking internal research for technological development and demonstration.” ⁶² In this way the CCPA still allows for non-commercial oriented research conducted by businesses.

When it comes to the processing of personal data for research purposes, the CCPA allows for a derogation to data subjects’ right to have their personal information deleted. ⁶³ The same regulation nonetheless envisages additional obligations onto controllers when it comes to the “sale” of personal information for research purposes. ⁶⁴

Against the backdrop of this brief overview of U.S. data protection provisions about research, it emerges that HIPAA does not appear to take into consideration the distinction between different types of research, such as for profit and public interest-oriented research. A different approach in this perspective has been conversely adopted by the California Consumer Privacy Act, which cuts off from the notion of research those processing activities that directly target a commercial interest. As has been observed in the literature, ⁶⁵ however, by including in the business purpose research activities for internal “development and demonstration,” the Act opens up to substantial ambiguities regarding what is to be considered research conducted for “business purposes,” and research which serves a purely commercial and economic interest and cannot, according to the cited provisions, be included within the CCPA’s notion of research and corresponding data protection rules. Although more privacy preserving, this regulatory option may block potentially innovative research projects, as the ones involving private players and thus commercial research.

Overall, although the analyzed regulations provide some allowances to processing activities for research purposes, as it occurs with the derogation to data subjects’ right to deletion provided by the CCPA, they nonetheless establish significant burdens onto controllers engaging in research endeavors, such as the need to have a waiver approved by an institutional board under HIPAA or the requirement of technical safeguards and the enactment of pseudonymization techniques under the CCPA. These considerations suggest that while being subject to an alternative set of data protection rules, processing activities conducted for research purposes do not enjoy a much more favorable data protection regime under US data protection laws especially when compared to the differential regimes emerging in the GDPR.

II. Research under EU Laws and the General Data Protection Regulation

Research objectives through data re-usability have been very recently given primary importance within the European Commission’s Strategy for data, which in the aim of creating and consolidating a single market for data, stresses the need to enhance the re-usability of public data also by businesses ⁶⁶ and of private data by public institutions, for either public interest related research purposes and commercially-oriented innovation purposes. ⁶⁷ In particular, the Strategy acknowledges the relevance of the use of private data for the public good, thus also for public-interest related purposes. ⁶⁸

It thus appears that at European policy level, a new principle of free movement of research data is emerging, encompassing 1) public data employed for public interest-related research purposes, 2) public data employed for commercial-related research purposes, 3) private data employed for public-interest related research purposes, and ultimately, 4) private data employed for commercial-related research and innovation purposes.

This principle is differently substantiated at the European regulatory level. For example, in the Recommendation on access to and preservation of scientific research and in the Open Data Directive research and scientific innovation objectives are directly promoted through the establishment of facilitated accessibility regimes regarding public data. The notion of research as shaped by these two frameworks resides on the paradigms of open science and open access. ⁶⁹ It is restricted to publicly-funded research, ⁷⁰ and is primarily linked to public interest purposes. Nonetheless, under both frameworks the re-usability of research data is envisaged also for research carried out for commercial purposes. ⁷¹ As we shall see, this policy baseline is fully coherent with the differential regimes provided for by the GDPR which the Open Data Directive expressly declares to abide to under Article 1(4).

Similarly focusing on publicly funded research, also in the Copyright Directive, recital 12 excludes from the notion of “research organizations” and thus from the correspondent research-enabling regime “organizations upon which commercial undertakings have a decisive influence allowing such undertakings to exercise control because of structural situations, such as through their quality of shareholder or member, which could result in preferential access to the results of the research.” ⁷² Based on such subjective definition, however, contrary to the Recommendation or the Open Data Directive, the Copyright Directive appears to implicitly draw a distinction between not-for-profit and public interest-oriented research entities, on the one hand, and organizations operating for commercial purposes on the other.

The Copyright Directive example illustrates that the categorizations and definitions of research at European level are far from being settled or harmonized as well. ⁷³ However, in this context, European data protection law takes a distinctive position. ⁷⁴ Research has a particularly important role within the General Data Protection Regulation, which overtly aims to facilitate research carried out over personal data. ⁷⁵

At a general level, recital 159 GDPR suggests that scientific research “should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research.” ⁷⁶ Under the interpretation suggested by the cited recital, scientific research for the purposes of European data protection law encompasses research activities conducted by both public and private stakeholders, or more generally funded by public or private resources. ⁷⁷ This multifaceted definition of scientific research has recently been welcomed by the German Data Ethics Commission, which includes both publicly and privately funded research, as well as commercially-oriented research such as product development and enhancement, in its definition of “research.” ⁷⁸

A wide notion of research, similar to the one provided by the GDPR, encompassing both privately and publicly funded investigations has also been adopted by the recently issued proposal for a Data Governance Act, which stated that “scientific research, including for example technological development and demonstration, fundamental research, applied research and privately-funded research, should be considered as well purposes of general interest.” ⁷⁹

In this perspective, the GDPR leads an approach different from the one taken by the described US data protection regulations, which have equally provided research-enabling data protection regimes.

The GDPR welcomes a more inclusive notion of research and the scope of applicability of the correspondent data protection regime is thus of broader reach. To this end, the German Data Ethics Commission has underlined the opportunity to exploit to the maximum the research privileges existing under European data protection law, as well as the need to consider research as a “particularly valuable good” when compared with other competing interests. ⁸⁰

1. The Tiziana Life Science Case

The challenges of distinguishing “qualified” processing activities carried out for research purposes from other processing activities mainly conducted to pursue an economic interest are well mirrored by the Italian rulings by the Tribunal of Cagliari ⁸¹ and the Italian Data Protection Authority ⁸² in the Tiziana Life Science Case. The controversy involved the transfer of genetic data from an Italian genomic biobank named Shard. Na, storing genetic and health data of Sardinian data subjects to the U.K.-based for-profit corporation Tiziana Life Science plc. ⁸³

The Italian Data Protection Authority ⁸⁴ had blocked the transfer with an interim injunction, ordering the company Tiziana to inform the data subjects of the change of data controller and of the new research purposes for which the transferred genetic data would have been processed for. In addition to this, the DPA required the company to recollect consent from all the data subjects whose data was transferred. ⁸⁵ Overturning this decision, the Tribunal of Cagliari ruled for the lawfulness of the processing of the genetic and health data acquired by the English company in view of the common research purpose shared by it with the genomic biobank. ⁸⁶ The ruling was, however, soon followed by a subsequent decision of the Italian Data Protection Authority, again ordering the English company to block the processing of health data referring to the data subjects that had withdrawn their consent as a result of the occurred data transfer to the for-profit company. ⁸⁷

In these two decisions, the Italian Data Protection Authority signals the opportunity to distinguish between the diverse types of research—that is the public interest-oriented research carried out by Shard. Na and the profit-based research conducted by Tiziana Life Science Corporation—with the resulting need to apply to them different data protection regimes.

As the Authority has underlined, in the notice given to data subjects the purposes to which consent was linked were specifically related to the research activities of the Sardinian genetic bank. ⁸⁸ Accordingly, it was stressed that many Sardinians had volunteered their genetic data to a public not-for profit research project and might have objected the swift change in controllership—public vs. private— and of purpose, from basic research to profit research. ⁸⁹

Despite referring to the Italian data protection framework before the General Data Protection Regulation, the case triggers many questions, which are of great interest also for the purposes of the implementation of current EU data protection law. These questions mainly regard the interaction and application of different data protection rules with respect to research projects based on the processing of personal data: can different research projects be treated alike under the General Data Protection Regulation? Is a one-size-fits-it-all model of data-driven research desirable with respect to the two data protection law’s policy objectives of promoting the flow of personal information and of protecting data subjects’ fundamental rights? Or should exactly the consideration of such rationales suggest the adoption of a diversified approach? Speaking in more technical terms, should a further processing operation carried out for research purposes be subject to a presumption of compatibility with the first processing operation likewise conducted for research purposes, as Article 6 (4) (a) and Article 5 (1) (b), along with referral 40 GDPR, seem to suggest? Should those secondary processing activities be considered lawful in case of data subjects’ consent withdrawal? Under which legal basis?

The analysis that follows aims at providing clearer answers to these questions suggesting the existence of differential regimes under EU data protection law and showing how these are generally more favorable to research than the ones found in the U.S. data protection framework.

D. Health Data as a Case Study: The Legitimate Bases under Article 9 GDPR

To define the differential research data regimes under the GDPR we need to briefly describe the relevant legal bases for data processing. The GDPR provides a complex regulatory framework regarding health data. First, it provides specific definitions of different types of health data, such as genetic data or biometric data under Article 4(13)–(15) GDPR. Moreover, health data are considered as a “special category of data” and is subject to a specific regulatory regime under Article 9 GDPR. In line with the previous Data Protection Directive, ⁹⁰ the GDPR conditions the processing of such special category of personal data to stricter data protection rules.

This stricter regime is directly substantiated in the prohibition of processing special categories of data under Article 9(1) GDPR, for simplicity we will use the “old” expression” sensitive data. The prohibition to process sensitive data under Article 9(1) GDPR is one of the most apparent expressions of the fundamental rights foundation of the General Data Protection Regulation. ⁹¹ This prohibition, however, is mitigated by the legitimacy of the processing of health data under specific and rather broad legal bases and in case certain conditions are met. These conditions are listed under Article 9(2) GDPR.

If one of the general legal bases for processing under Article 6 GDPR is met, ⁹² the legitimate bases for the processing of special categories of data, including health data under Article 9(2) GDPR, build up a mosaic of processing possibilities of sensitive data, health data in our use case, which need to be carefully interpreted with respect to the general prohibition regarding its processing.

By establishing a general prohibition of health data processing and some grounds of exceptions to that prohibition, the regulatory status of health data processing appears to be shaped by a layered regime, which triggers some challenging interpretative efforts. The different nature of the various legitimate bases under Article 9(2) GDPR has both theoretical and practical relevance, given that, as will be shown below, the choice of the applicable legal basis influences the scope of data subjects’ applicable rights and has an affect on the developed data pools and derived products. For instance, without a legal basis different from consent, any withdrawal of consent would affect both the available data pool and the developed models. ⁹³ Hence, a correct interpretation of the scope of these legal bases is of crucial importance to determine the closeness/openness of the data protection regime to be applied, and thus the reaction capabilities of involved data subjects. It is also crucial to design clear guidance for researchers both in the public and private domains.

Under these premises, the following paragraphs will identify the different data protection regimes that are associated to the legitimate bases applicable to data-driven research activities over special categories of data as health data under the GDPR. They will give account of the state of the art in the literature regarding the interpretation of these different regimes, which we will sub-group into three main categories. The first category relates to the fundamental rights-based pillar of the General Data Protection Regulation, directly based upon the protection of data subjects’ right to informational self-determination through consent. Conversely, the second and third categories rely on some specific purposes to which data controllers’ processing activities are bound, namely public interest or “purely” research-related purposes.

The mentioned legal bases describe a scale of different data protection regimes ranging from data subject-controlled to data controller-oriented ones.

These data protection regimes are given by the combination between the lawful bases under Article 9(2) GDPR and the specific rules the GDPR sets for research, namely the default compatibility with the purpose limitation principle under Articles 5(1)(b) and 6(4) GDPR on further processing for research purposes; and the provision under Article 89(1) GDPR requiring controllers to enact appropriate measures to safeguard data subjects’ fundamental rights and freedoms that may be impaired in the course of research investigations. The framework resulting from the combined reading of these provisions is applicable whenever the processing over personal data is carried out for research purposes, irrespective of the legitimate basis on which the processing relies on. Accordingly, we assess the different interaction between the mentioned legal bases for the processing of personal data for research and Articles 5(1)(b); 6(4), and 89 GDPR along the lines of a dynamic spectrum ranging from data subjects’ full control—consent with all its characteristics—for private data pools processed for profit purposes, to release and consequent loss of control with the exceptions to rights provided for by Chapter III GDPR for private or public data pools employed for non-profit, non-public interest research-oriented purposes.

In this perspective, we identify below a data subject-based, a public interest-based and a general research-based regime. This categorization is the result of the application to the legitimate bases under Article 9(2) GDPR of the two parameters of data subjects’ control and free flow of personal information as defined in the scope of Article 1 GDPR. As will be highlighted, under the first data protection regime the data subjects’ rights provided by Chapter III GDPR are fully actionable; under the public interest-based regime some derogations to ordinary data subjects’ rights may be established by Union or national laws in accordance with Article 23 GDPR; ⁹⁴ conversely, under the research-based regime, substantial derogations to those rights are envisaged directly in the GDPR and further ones can be introduced by state and Union law. However, in order to counterbalance the weakening of actionable data subjects’ rights, the GDPR shifts the burden of care onto data controllers, which are required to enact adequate safeguards for the protection of data subjects’ rights and freedoms: With greater powers come greater responsibilities.

E. The Data Protection Regimes for Research

I. The Data Subject-Oriented Regimes: Consent under Article 9(2)(a) and 9(2)(e) GDPR

Just as the prohibition of processing under Article 9(1) GDPR, the first category of data protection regimes for the processing of special categories of data under Article 9(2) GDPR is to be directly contextualized in the individual fundamental rights’ dimension of the General Data Protection Regulation. It comprises legitimate bases for processing, which are directly based upon the protection of data subjects’ fundamental rights as the right to informational self-determination through consent.

Article 9(2)(a) and 9(2)(e) GDPR respectively allow the processing of special categories of data, provided data subject’s consent is given and in case the data are made “manifestly public” by the data subject. In both cases the data subject is given the autonomy of choice over the processing of their sensitive personal data, thus directly exercising their right to informational self-determination.

Under Article 9(2)(a) GDPR, the given consent ⁹⁵ needs to be explicit and must relate to one or more specified purposes in accordance with the principle of purpose limitation. ⁹⁶ As newly required by the GDPR, consent must be “freely given” in a contractual relationship where there is no “significant imbalance” between the data subject and the controller. ⁹⁷ The performance of the contract must not be “conditional on consent to the processing of personal data that is not necessary for the performance of a contract.” ⁹⁸

Through the reference to explicit consent needed for the processing of data concerning health, the Regulation reaffirms the role of data subject’s consent as a fundamental condition for the processing of sensitive data, as variously established in international declarations and guidelines regarding medical research. ⁹⁹ Explicit consent was considered as the default regime for the processing of health data in the context of scientific research ¹⁰⁰ and is additionally required for the processing of personal data in case of automated individual decision making, such as profiling. ¹⁰¹ Yet, in several medical research contexts it is not advised to use consent as a legal basis for personal data processing. ¹⁰²

Already under the Data Protection Directive, the Article 29 Data Protection Working Party has specified that explicit consent must be given through an “express statement,” such as a written statement signed by the data subject “in order to remove all possible doubt and potential lack of evidence in the future.” ¹⁰³

As widely stressed by scholars, in the traditional data protection law architecture, consent is the fundamental means of control over the course of data processing activities. ¹⁰⁴ It is strictly related to the individual values of autonomy and dignity, ¹⁰⁵ which are structural elements of the individual fundamental right to data protection. It is thus a means for data subject’s self-determination and self-empowerment. To these purposes, consent is associated with the reaction means newly provided by the General Data Protection strengthening data subjects’ control over personal data. ¹⁰⁶

Note, however, that the notion and limits of consent under the GDPR are more stringent. Pursuant to Article 7 GDPR, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” ¹⁰⁷ Any violation of these requirements or more generally of the GDPR makes consent not “binding” and not valid. Moreover, consent should be withdrawable as easily as it was to give it.

The suitability of the legal basis of consent has been much debated both at general level and with specific regards to health research. From the first standpoint, the adequacy of using consent as a legal basis for data processing in the digital age has been widely questioned both in the literature and in policymaking processes. Consent’s “pathologies” have been brought into the spotlight, especially in terms of unwitting consent, coerced consent, and incapacitated consent. ¹⁰⁸ The shortcomings of consent models permeating the digital consumer landscape appear to sharpen what has been traditionally known as the “privacy paradox,” given by the existing gap between what privacy—and consent—is theoretically meant for and what consumers actually do in practice. ¹⁰⁹ As increasingly demonstrated also at empirical level, the understanding of the privacy policies is often quite weak, if not completely null. ¹¹⁰ As a result, consent has become a “free pass” for big businesses’ data gathering practices. ¹¹¹ With respect to possible remedies to these failures, there have been discussions about how to render privacy policies more effective. ¹¹² Accordingly, new personalization and visualization schemes are being proposed by DPAs. ¹¹³

These general considerations also apply in the context of data-driven health research, which increasingly relies on the sharing, aggregation and repurposing of data processing activities. ¹¹⁴ Nonetheless, the specificities of digital health research raise some additional, sector-specific concerns. For example, although voluntary participation in research might not be considered a contract in many jurisdictions, in those countries that acknowledge the possibility of a fee for participation or even a form of incentive might cast doubts on the freedom of consent, especially in case of economic or other vulnerabilities. Moreover, data-intensive health research has widely expanded the borders of research projects, which have become ever more interconnected and open-ended, ¹¹⁵ and is thus becoming structurally unsuitable with respect to the consent paradigm, designed for specific and “closed” research projects. ¹¹⁶

As a result, alternative forms of informed consent, of more open and dynamic nature are considered more appropriate for the governance of the uncertainty and unpredictability of data-driven health research. ¹¹⁷ This opportunity has been concretely acknowledged within the General Data Protection Regulation, which under recital 33 GDPR admits consent given for “certain areas of scientific research” ¹¹⁸ under the condition that these areas of research respect the “recognized ethical standards for scientific research.” ¹¹⁹ It is worth noting from the outset that these broad terms could unveil a Pandora’s box notion of “research.” It can remain questionable if recital 33 GDPR, having no binding force, is able to justify a reading of Article 9(2)a GDPR, which requires “explicit” consent for specific purposes, compatible with forms of wide-ranging consent, open to further use. This is likely to be the case, at least if the architecture used follows the parameters of recital 33 GDPR: broad consensus limited to specific areas of scientific research and accompanied by “recognized ethical standards for scientific research.” ¹²⁰

The possibility of a broad consensus for research purposes has been confirmed and further developed in the proposed Data Governance Act, in the form of a new notion of “data altruism,” relating to “consent by data subjects to process personal data pertaining to them … without seeking a reward, for purposes of general interest, such as scientific research purposes ….” ¹²¹

Nevertheless, with respect to consent as a legal basis, there are still problems, mainly related to its revocability, which raise significant uncertainties in the research practice. ¹²²

In this respect, Article 29 Data Protection Working Party ¹²³ has clarified that research purposes as well as relevant research areas need to be “well-described,” nonetheless admitting the possibility that they are not “fully specified.” ¹²⁴ The legitimacy of consent for broad research purposes implies a partial derogation of the principle of purpose limitation. Nonetheless, in case of a lack of a specified purpose, the same Working Party mitigates this derogation, by advising data controllers to implement additional safeguards as the provision of a comprehensive research plan before the commencement of the project, as well as the implementation of adequate transparency measures enabling data subjects also to withdraw consent. ¹²⁵

In addition to this, the GDPR directly sets a derogation to the purpose limitation principle with respect to further processing for research purposes of personal data initially collected through consent. In this respect, the default compatibility rule under Article 6(4) GDPR and Article 5(1)(b) GDPR suggests that the processing of personal data for secondary purposes “in the public interest, scientific or historical research purposes or statistical purposes shall in accordance with Article 89(1), not be considered incompatible with the initial purposes” ¹²⁶ and thus it is considered lawful under Article 6(4) GDPR, even if such further processing is not based upon the data subject’s consent. ¹²⁷

The joint consideration of the possibility of a broad consent for the initial processing of health data for research purposes under Article 9(2)(a) GDPR, as interpreted in light of recital 33 GDPR and the recalled Working Party’s guidelines on consent, as well as the mentioned default presumption of compatibility regarding secondary processing for research purposes, show how a very weak impulse by the data subject through a broad consent could apparently legitimize potentially infinite cycles of processing activities for various, different research purposes. In this respect, it is important to observe that the derogation of the purpose limitation rule for research would enable not only the sharing of sensitive health data among different businesses, but also the re-use of data by different research teams within broader corporate teams. For example, this is the case within big tech companies where there are often no separate research departments. Nonetheless, since the derogation to the purpose limitation principle is limited to research, the data should not be further used within a same corporate team for purely commercial, non-research-driven purposes. Here, the principle of segregation of personal data processing, ¹²⁸ similar to what is clearly set out in the Data Governance Act for data sharing entities, ¹²⁹ would be paramount in guaranteeing a clear respect of the purpose limitation principle. However, the borders between research-based and commercial-based data processing activities conducted within a same corporate unit could be quite difficult to draw, even if their corresponding personal data processing are correctly mapped in the records. In this specific case, when data is used for commercial purposes by a corporate unit, no default compatibility rule can apply and the relevant data should be processed in accordance with a full application of the purpose limitation principle demanding that datasets are processed in consistency with the “specified, explicit and legitimate” purposes for which the data has been originally collected. Accordingly, a proper respect of this principle requires to use the data only for the specific project for which they have been collected and not for other projects/purposes.

Yet, there is an inherent tension between recital 33 GDPR, not binding by definition, and the mentioned Working Paper 29 guidelines under the regime of the Data Protection Directive on the one hand and the recalled notion of consent under the GDPR –that need to be specific pursuant to Article 7 GDPR.

A way forward putting at ease those tension might emerge from the systemic interpretation we envisage. For instance, blanket consent might be more welcome if and when it is related to public interest research or in favor of public good institutions. Furthermore, blanket consent might be “more” acceptable when the same data processing is assisted by another suitable legal basis.

In any event, it is possible to sustain the general stricter scrutiny for the validity of consent in the research domain needs to be read in connection with recital 33 GDPR and that the formula clearly uses the language of the protection of the fundamental right to data protection but actually opens the way to both 1) blanket consent, as long as it unfolds “with recognized ethical standards for scientific research”, and 2) to select specific research projects’ objective aim of consent, or entities-subjective criteria, as assumed in the Tiziana case by the DPA and confirmed by the proposed Data Governance Act.

Under these premises, the legal basis of the explicit consent is to be aligned to the legitimate basis under Article 9(2)(e) GDPR, regarding the processing of sensitive data that are “manifestly made public by the data subject”, since it equally implies the release of personal data based on the data subject’s will. However, it is particularly problematic, since it could be applied to all the data that is “made public” online, in social networks or in specific online communities, without the need of a consent, be it of specific or of broad nature, or the enactment of safeguards offering the outer limits of the perimeter of a lawful data processing of sensitive data. This basis could thus potentially legitimate free flows of sensitive data as a result of their publicity. Nonetheless, the applicability of general data subjects’ rights under Chapter III GDPR still assures the preservation of a certain degree of individual control over such data flows and the ability to challenge the requirement of being “manifestly made public.”

In line with the guidance provided by referral 33 GDPR, personal data can be “manifestly made public” by selecting, for instance, kinds of project or data controllers creating a very simple avenue for data subjects’ contribution to research. In a sense, data subjects are enabled to directly express their consent to a given and known data controller or to express their will towards unidentified data controllers with the ability of setting the terms of this implied consent by publication. Note that, by managing their autonomy along the lines of Article 9(2)(e) GDPR, data subjects simplify data controllers’ compliance without burdening them with further latches even when data subjects select projects or data controllers they want to contribute to.

II. The Public Interest-Oriented Regime under Article 9(2)(i) and Article (9(2)(g)

Shifting from data subject-based regimes to controller-based legal bases for the processing of health data, the GDPR allows for many exceptions to the general prohibition of processing special categories of data, as health data.

For our purposes, however, we are interested in the notion of public interest directly concretized by Article 9(2)(i) GDPR referring to the purposes of “protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.” ¹³⁰ The link between public interest and the protection of the right to health as enshrined in some Member States’ constitutions has been assessed by the Article 29 Data Protection Working Party, ¹³¹ which has underlined how every processing activity that is functional to the protection “against serious cross-border threats to health” or the safeguard “of high standards of quality and safety of health care” are to be considered of public interest-oriented nature. In the absence of further indications, it has however left controllers to set the boundaries of what is necessary to safeguard “high standards of quality and safety of health care.”

The public health interest exception offered by Article 9(2)(i) GDPR clearly encompasses, among others, post market studies, observational studies, and pharmacovigilance activities. Note, however, that these processing activities must be grounded in “Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.” ¹³² The public interest clause is employed in many ways at both normative and policy level and is mostly defined on a case-by-case basis. In the absence of a determination by national legislators, the guidelines of data protection authorities are to be taken into consideration. ¹³³ Here, what is relevant is that the GDPR qualifies in terms of public interest the research—post-market, observational studies, pharmacovigilance—ensuring “high standards of quality and safety of health care and of medicinal products or medical devices.” In this way it appears to legitimize personal data processing for public interests that at the same time serve also private interests. Post market studies and product monitoring, although fulfilling legal duties, clearly serve legitimate and business interests of data controllers generating data that under the GDPR regime can more easily be further processed for secondary research using the presumptions of “non-incompatibility in Article 5(1)(b) GDPR, the compatibility test in Article 6(4) GDPR, and the general research regime in Article 89 GDPR.

Within the system of the General Data Protection Regulation, the public interest aim embedded in the legal basis under Article 9(2)(i) GDPR regarding sensitive data is to be aligned to the one generally envisaged under Article 6(1)(e) GDPR, regarding processing activities that are “necessary for the performance of a task carried out in the public interest.” ¹³⁴ The notion of “the task carried out in the public interest” has been interpreted by the U.K. Data Protection Authority in accordance with an objective criterion based on the nature of the purpose of the processing and not on the nature of the controller, ¹³⁵ clarifying that any organization either private or public can rely on this basis. ¹³⁶ This approach appears consistent with the one also upheld by the European Data Protection Board, which has specified that the processing of personal data for the purposes of clinical trials’ procedures is to be considered as a task carried out in the public interest, when “the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by national law.” ¹³⁷

As the Article 29 Data Protection Working Party had already outlined under the Data Protection Directive, the public interest clause is an expression of the flexibilities within data protection law, enabling to strike the appropriate balance between the protection of data subjects’ rights and other collective interests. ¹³⁸ It is worthwhile noticing that article 9(2)(i) GDPR does not expressly mention the need to “respect the essence of the right to data protection,” as does, for instance, article 9(2)(g) GDPR. This because article 9(2)(j) GDPR assumes that the general framework for “medicinal products or medical devices” already “provides for suitable and specific measures to safeguard the rights and freedoms of the data subject” and thus already respects such an essence. Otherwise, the provision and the recalled rules would be in violation of the Treaties and subject to be struck down by the European Court of Justice (ECJ).

Overall, the notion of “the essence of the right to data protection” is recalled for instance also under Article 23(1) GDPR, allowing for Union or Member State laws’ restrictions to the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34. Under EU law the elements constituting the essence of the fundamental rights to personal data protection are basically listed under Article 8(2) of the EU Charter of Fundamental Rights According to this provision the principles of purpose specification, fairness in processing on a legitimate basis laid down by law along with the right of access to one’s own personal data and the right together with the control by an independent authority. Along these lines, the ECJ has concluded that legislation not providing for any possibility of pursuing legal remedies to access, rectify or erase their personal data “does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.” ¹³⁹

The fact that Article 9(2)(i) GDPR does not recall the requirement to respect “the essence of the right to data protection” allows, with the mentioned caveats, higher pressure on the right to personal data protection when public health or “quality and safety of health care and of medicinal products or medical devices” are at stake. This is well reflected by Article 23 GDPR, which explicitly allows EU or Member States laws to restrict the applicability of—and thus set derogations to—Articles 12–22 GDPR or Article 5 GDPR, establishing fundamental data protection principles such as, amongst others, the principle of data minimization and accuracy, when the processing serves “important objectives of general public interest of the Union or of a Member State,” as public health. ¹⁴⁰ Also Article 17(3)(c) GDPR, which directly refers to Article 9(2)(i) GDPR, admits derogation to data subjects’ right to erasure when the derogation is needed for “reasons of public interest in the area of public health.” Moreover, as will be better shown below other derogations under Article 14(5)(b) and Article 89(2) GDPR can be allowed for with respect to processing activities under Article 9(2)(i) GDPR.

However, as the GDPR clarifies, the balance between the competing interests of data subjects and data controllers always has to respect the “essence” of the right to data protection in accordance with the proportionality principle ¹⁴¹ and through the enactment of suitable and specific measures to safeguard data subjects’ fundamental rights and interests. ¹⁴²

The importance of anchoring personal data processing activities carried out for public interest purposes to the parameters of proportionality and necessity has been underlined also by the ECJ, ¹⁴³ which has affirmed that “the protection of the fundamental right to respect for private life at the European Union level requires that derogations from the protection of personal data and its limitations be carried out within the limits of what is strictly necessary.” ¹⁴⁴ This means, firstly, that if another legal basis more respectful of the data subjects’ rights and interests, such as consent, can be relied upon by the controller for the achievement of the same purpose, then this must be chosen. ¹⁴⁵ Yet, these clarifications were suggested under the previous data protection regime when the exception envisaged by Article 9(2)(i) GDPR did not exist. Secondly, exactly the principles of proportionality and necessity assure that the data subjects’ rights as set by Chapter III GDPR are not undermined or somehow restricted in case of processing for public interest reasons. This means that the data subjects shall maintain control of such processing activities through their information rights and their corresponding reaction tools.

A further limit for the respect of the essence of the right to data protection is directly given by the principle of purpose limitation, which harshly cuts out from the realm of public interest-oriented processing activities those that serve different purposes, as commercial purposes. This is directly acknowledged by recital 54 GDPR, stating that the processing of personal data concerning health for public interest purposes shall not result in the same data being processed for other purposes by third parties, as employers or insurances and banking companies. ¹⁴⁶ However, here the principle of purpose limitation finds a special discipline for research under Article 5(1)(b) GDPR, the presumption of compatibility if Article 89 GDPR is applied, and Article 6(4) GDPR, a test for further use.

In short, the GDPR offers a different and more data-controller-oriented regime for the research aims mentioned under Article 9(2)(i) GDPR moving along the spectrum by authorizing data processing without consent and opening to further research uses, provided appropriate safeguards are offered. These are instances in which both public and private research aims are pursued and in which clearly research is mostly run by private—and for-profit entities.

The scaling of possibilities in our spectrum of data protection regimes for research finds another instance—reflecting the proportionality principle described above—in Article 9(2)(g). Contrary to Article 9(2)(i) which is specific for “public interest in the area of public health,” Article 9(2)(g) is of general relevance and requires—in addition to the requirements provided by Article 9(2)(g)—that the public interest is “substantial” and that the legislation defining it along with the needed safeguards respects “the essence of the right to data protection.”

III. The Research-Based Regime under Article 9(2)(j) GDPR

The third category of data protection regimes progressively offering a more liberal legal framework regards processing activities over special categories of data conducted for research purposes. Research is indeed an autonomous legal ground for the processing of special categories of data, as health data, under Article 9(2)(j) GDPR, which states the legitimacy of the processing when this is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” if:

1. a) In accordance with Article 89(1);

2. b) is based in Union or Member State law, which will thus have to define the activities that fall under the scope of research as a legitimate basis for the processing of special categories of data;

3. c) it is proportionate to the aim pursued, consistently with the proportionality under art. 5(1)(b);

4. d) it respects the essence of the right to data protection;

5. e) it is subject to suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. ¹⁴⁷

As can be derived, the legitimate basis under Article 9(2)(j) GDPR is shaped similarly with respect to the public interest-oriented ground for processing under Article 9(2)(g) GDPR. The major difference between the two legitimate bases is given by the explicit link of the former to Article 89(1) GDPR. Conversely, it is interesting to notice that both the considered provisions, unlike what occurs under Article 9(2)(i) GDPR, make reference to the respect of the essence of the fundamental rights to data protection. This is not surprising since the legitimate bases respectively regarding research under Article 9(2)(j) GDPR and the public interest 9(2)(g) GDPR are of very general scope and do not precisely list the sectors, respectively for research and the public interest, to which these legitimate bases apply, to the contrary of the provision under Article 9(2)(i) GDPR that makes a specific list of the cases relevant for “the public interest in the area of public health.”

This regime requires the safeguards enacted by the controller to assure the respect of the principle of data minimization. The principle as generally expressed under Article 5(1)(b) GDPR is certainly applicable also to the processing for public interest purposes and to consent as a legitimizing basis for processing. Nonetheless, the explicit reference to the principle under Article 89(1) GDPR—recalled by Article 9(2)(j) GDPR—suggests that in case of processing activities for research purposes grounded in the legitimate basis of research there must be a strengthened compliance with data minimization goals: To the larger maneuvering room for data controllers corresponds a smaller ability to contractually derogate exactly because data subjects have reduced avenues to monitor the actual enforcement of the data minimization principle. The legislator sets it as a driving principle to data controllers, calling to its strict adherence exactly because appropriate safeguards are established by data controllers themselves policed only by the principle of accountability but not, eventually, by the exercise of data subjects’ rights.

Indeed, this stricter interpretation of the safeguards under Article 9(2)(j) GDPR with respect to the ones justified under Article 9(2)(g) GDPR is to be better understood considering the possibility to derogate to data protection principles and rights available to controllers undertaking research activities. This softening in the data protection system requires tighter data protection measures from the controllers’ side to comply with the “essence of the right to data protection” recalled by Article 9(2)(j) GDPR. The switching of the power of setting the stage for data processing from data subjects—consent and manifestly public data—to data controllers—for research purposes without consent—signaled by the constraints to data subjects’ rights revolves around more defined boundaries to set up appropriate safeguards, and above all the respect of the data minimization principle. When the general data protection principles as the one of purpose and storage limitation under Articles 5(1)(b) and 5(1)(e) GDPR and other data subjects’ rights are derogated, then the protection of the “essence of the right to data protection” needs to be achieved by other means, and cannot suffer a compression also of the data minimization principle around which revolves the indications of Article 89 GDPR in term of safeguards.

Under these premises, the next sections will analyze the special data protection research regime as normatively shaped by the Regulation, identifying the derogations it sets in case of research activities for research purposes and providing some first interpretative guidance regarding the required safeguards on how GDPR opens the personal data flow.

IV. The EU Data Protection Rules for Research: The Derogations

On a general level, it can be outlined that the rules applicable to processing activities encourage on the one hand the processing of personal data for research purposes through significant derogations to ordinary data protection principles and rights. These derogations are nonetheless paired with the requirement of enacting appropriate measures to safeguard data subjects’ fundamental rights and freedoms under Article 89(1) GDPR. The framework resulting from the combined reading of these provisions offers the parameters for the research exemption applicable whenever the processing over personal data is carried out for research purposes, irrespective of the legitimate basis on which the processing relies.

The derogations in case of processing for research purposes involve, first, important data protection law principles, as the principle of storage limitation under Article 5(1)(e) GDPR and the principle of purpose limitation under the above-recalled default compatibility rule under Article 6(4) and Article 5(1)(b) GDPR offering a presumption of compatibility. The mentioned provisions in turn derogate to the principle of data minimization established under Article 5(1)(c) GDPR. The default compatibility rule proves to be particularly difficult in the interplay of different legitimate bases and of data protection regimes for research, as will be assessed below.

Also, data subjects’ rights as the right to be forgotten under Article 17(3)(c) and (d) GDPR can be derogated in case the enactment of the right impairs the achievement of the research objectives. Specific attention is to be given also to the possible derogation under Article 14(5)(b) GDPR to data subjects’ right to be informed when the processed data is collected from third party sources and not directly from the data subjects, in case the “provision of such information proves impossible or would involve a disproportionate effort.” ¹⁴⁸ This last derogation is quite far-reaching since it allows controllers processing health data for research purposes to diminish the information they have to disclose to the data subjects in the privacy notice.

The two derogations to the right to erasure, under Article 17 (3)(c) and (d) GDPR, and the right to be informed, under Article 14(5)(b) GDPR, appear to be structurally incompatible with the legitimate basis of consent. In this respect indeed, the data subject has established a direct relationship with the data controller through its consent. The eventual withdrawal of consent would automatically block the processing activities of the data subject’s personal information, with a de facto erasure of the relevant data from the controllers’ databases, in consistency with the principle of storage limitation under Article 5(1)(e) GDPR. The provision indeed requires data controllers to store data as long as it is “necessary for the purposes for which the personal data are processed.” In case of consent withdrawal this necessity to store the data would be radically voided, this leading to an automatic data erasure. Similarly, with respect to the data subject’s right to receive information under Article 14 GDPR, the fact that the subject has given its consent first presupposes the release by the controller of the information needed to shape an informed consent. In second stance, the existence of a consent from the data subject itself eases the provision of information to the data subject by the data controller, thus excluding a situation in which the data controller faces an impossibility or a “disproportionate effort” to provide the relevant information, as required under Article 14(5)(b) GDPR.

On the contrary, the concerned derogations are highly relevant when the processing is based on the other legitimate bases not only under Article 9(2)(j), but also under Article 9(2)(i) GDPR, which is expressly recalled under Article 17(3)(c) GDPR. In this case, indeed the derogations directly facilitate the achievement of the particular objectives of the processing in the context of public health interventions and of research enquiries. Accordingly, the derogations can be relied on by data controllers also in case of secondary processing of datasets that were originally processed on the basis of the data subjects’ consent and that are then grounded in the pursuing of a public health or pure research goals.

When the data are directly collected from the data subject, the controller still needs to comply with information duties under Article 13 GDPR, unless, as described by recital 62 GDPR, “the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.”

In addition to the derogations directly established by the Regulation, under Article 89(2) GDPR Member States can issue further derogations from data subjects’ right to access under Article 15 GDPR; right to rectification under Article 16 GDPR; right to restriction of processing under Article 18 GDPR; and ultimately the right to object under Article 21 GDPR. These derogations can be provided only when the full enforcement of data subjects’ rights “are likely to render impossible or seriously impair the achievement of the objectives of that processing” and these derogations are necessary for the fulfilment of the purpose. ¹⁴⁹ Additional derogations by national laws to data subjects’ rights under Articles 12–22 GDPR are permitted by the recalled provision under Article 23(1)(e) GDPR when the processing targets public health objectives.

These national-based derogations under Articles 89(2) and 23(1)(e) GDPR should be applicable only when the processing for research purposes is based on the legitimate grounds under Article 9(2)(i)–(j) GDPR, and not when these are based on consent under Article 9(2)(a) GDPR (Table 1): consent and the controller-data subject relationship directly activated by consent should indeed pose data controllers in the ease of protecting the mentioned data subjects’ rights. Conversely, the specificities of processing operations for reasons of public interest in the area of public health, Article 9(2)(i) GDPR, or for research purposes, Article 9(2)(j) GDPR, may well justify the establishment of the mentioned derogations by national laws, in light of the excessive burden data controllers could face for satisfying data subjects’ requests in these particular processing circumstances.

Just as in the recalled GDPR-based derogations, however, national legislations need to assure that appropriate conditions and safeguards for the processing are enacted and respected. The effective restraints to processing activities regarding sensitive data will largely depend on how burdensome the derogations and correspondent safeguards defined at national level will be. ¹⁵⁰

In light of these derogations to the mentioned principles and rights, the data protection regimes for research purposes under Articles 9(2)(i)–(j) GDPR appear to undercut data subjects’ control prerogatives over their sensitive data and, with that, to shift the control over the data processed for research purposes onto data controllers. As can be seen from Table 2 below, the derogations to data subjects’ rights under Chapter III are always possible for processing activities conducted for public health purposes. This suggests the controller-oriented nature of these data protection regimes, to be placed at the opposite edge in a descriptive spectrum with respect to the data subject-oriented regime for research under Article 9(2)(a) GDPR and its subjective control rationales.

Table 1. Data Protection Regimes for Research under Article 9(2) GDPR

Table 2. The Data Protection Derogations for Research under the GDPR

In light of the recalled derogations, the research-based data protection regimes under Articles 9(2)(i)–(j) GDPR, mitigate ordinary data controllers’ regulatory burdens so as to enhance the free-flow of sensitive data for research and innovation objectives. However, this de-regulatory stance over the processing for research purposes regards only ordinary data protection requirements and should be compensated by the requirement to establish safeguards that are appropriate to the protection of data subjects’ fundamental rights and freedoms as required under Articles 89(1) GDPR. It is thus time to delve more in these safeguards.

V. The Data Protection Rules for Research: The Safeguards

While medical research is being fueled by the exchange of scientific information and the resulting cooperation among different stakeholders of both the private and the public sector, the development of adequate data protection enhancing techniques is essential for creating the needed trust for data integration and aggregation practices. This is directly acknowledged by both Article 89(1) GDPR, requiring the enactment of “appropriate safeguards” in the form of “technical and organizational measures” and Article 9(2)(j) GDPR requiring the performance of “suitable and specific measures” for safeguarding data subjects’ fundamental rights and freedoms.

The mentioned requirements of “suitable and specific” measures or “appropriate safeguards” reflect the legislator’s intention to set onto data controllers the choice to decide on a case-by-case basis—and thus considering the research projects’ peculiarities—which are the safeguards that best protect data subjects’ rights without impairing the objectives of the processing activities. This is why the Regulation does not list the safeguards that need to be enacted in the context of research activities, but rather takes a dynamic approach so as to maximize their effectiveness in the highly varied data-driven research environment. Article 89(1) GDPR asks data controllers to identify and properly implement the safeguards for the protection of data subjects’ and patients’ fundamental rights.

In accordance with the layered research data regimes, a fundamental criterion for assessing the appropriateness and suitability of the safeguards to be enacted by the controller is related to the invasiveness of the derogations mentioned in the previous paragraph: This means that the more a controller leverages on the derogations the Regulation or Member States laws allow, the tighter the safeguards to be enacted should be.

Accordingly, from an opposite perspective, the enactment of these safeguards should be read as a direct precondition for the enjoyment of the derogations outlined above. As a result, the research-based regime concretely applicable to processing activities variously carried out for research purposes is the result of a double fine-tuning process, in accordance with which the more derogations the controller avails himself, the stricter the safeguards that she will enact should be. Such interpretation is directly suggested by the guidance offered by Article 89 GDPR, which, firstly stresses that “technical and organizational measures” shall ensure “in particular … the principle of data minimization.” It does not rule out the other principles not already limited by Article 5 GDPR, but it clearly indicates that data minimization is not negotiable for the reasons we stressed before. Secondly, it sets a cryptic obligation and indication to use “further processing which does not permit or no longer permits the identification of data subjects …”—anonymous data—if the purposes of processing can be fulfilled with these data. This is in line with Article 2 GDPR and referral 26 GDPR as well as with Article 6(4) GDPR at least as a safeguard for further processing. Note, however, that such a notion can be fine-tuned for the interest of the data controller as well by pairing the choice of selecting processing modalities which do not require identification. Under Article 11 GDPR, indeed, if the controller is able to demonstrate that it is not in a position to identify the data subject, and upon informing the data subject, if possible, Articles 15–20 GDPR shall not apply—except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification. For example, separating permanently a pseudonymized dataset from the dataset of the corresponding identifiers can easily fulfil this anonymity safeguard discharging the data controller by several burdens. Thirdly, in the alternative, it suggests implementing pseudonymization techniques, stating that the employment of such technique is encouraged “as long as (the research purposes) can be fulfilled in this manner.” Additionally, it imposes a principle of segregation of data processing since derogations are strictly connected to research purposes and cannot spillover other data processing purposes. ¹⁵¹ Finally, it links all the “appropriate safeguards … for the rights and freedoms of the data subject” to the overall architecture of the regulation: “in accordance with this Regulation.” This statement at the beginning of Article 89 is not without consequences because in line with the principle of accountability with greater technical discretion for the data controllers comes greater responsibilities and the burden to prove that the selected technical and organizational measures are appropriate. De facto, Article 89 GDPR offers both instructions and rules setting a roadmap for data controllers.

In light of this clarification, further relevant “technical and organizational measures” can be derived from the general provisions of the General Data Protection Regulation, as the ones regarding data protection impact assessments under Article 35 GDPR. For the purposes of such assessments, the potential derogations to data subjects’ rights even when they satisfy the strict requirements of Article 89(2) GDPR, which states “in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes,” clearly flag a potential high risk for rights and freedoms due to their limitation. Thus, the preliminary analysis whether a data processing requires a DPIA pursuant to Article 35 GDPR might be more demanding and should certainly take into account the derogations and safeguards. Yet, this is routine under the GDPR framework and does not add further burdens.

Another relevant safeguard could be related to the employment of data protection certification mechanisms as seals or marks, if developed by Member States, the supervisory authorities, the Board, and the Commission in accordance with Article 42 GDPR. As the same provision underlines, these seals and marks would be relevant for showing controllers’ compliance in processing operations with technical standards and thus with GDPR. Similarly, data protection measures by design and by default under Article 25 GDPR would structurally internalize and assure compliance to data protection law ¹⁵² and require taking in proper consideration the peculiarities of the research purposes and derogations.

With specific reference to health-related data, Article 9(4) para GDPR allows Member States to establish “further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.” This means that national laws can establish specific safeguards required for the protection of data subjects’ interests in the context of health research projects. Once again, delegating national legislators does not help a uniform regulatory landscape and opens to a sort of rush to the bottom among Member States as in the fragmented American system. Nevertheless, the bottom line remains the GDPR itself ensuring appropriate safeguards and limiting the risk of a race to the bottom.

Overall, the mentioned system of safeguards for the processing of data for research purposes is directly aimed at conforming the goals of research data flows to the protection of data subjects’ rights and freedoms, as potentially impaired by the loss of control over the processed information resulting from the derogations to some of data subjects’ rights. Yet, once a systemic reading of the GDPR is in place, the mechanisms designed do not reveal to be burdensome for data controllers wile facilitating the free flow of data.

VI. The Interaction Between Differential Data Protection Regimes

As the above analysis has shown, processing activities for research purposes can be based on different lawful bases under the GDPR and are subject, irrespective of the chosen lawful basis, to the outlined research exception shaped by the mentioned derogations and the additional obligations to enact relevant safeguards borne by controllers.

Against this backdrop, a first question arises related to the interaction between the exceptional data protection regime regarding processing operations carried out for research purposes, based on any of the above-outlined legitimate bases, and the “ordinary” data protection regime applicable to processing activities conducted for non-research related but purely commercial purposes, as profiling operations and decisions regarding data subjects. Suggestions regarding the borderlines between the two different regulatory regimes can be drawn from recital 162 GDPR, which states the prohibition of processing data collected for statistical purposes “in support of measures or decisions regarding any particular natural person.” ¹⁵³

The stated prohibition, as read in consistency with the principle of segregation described above under Article 89(1) GDPR, can be extensively applied in case processing activities for research purposes result into further, “secondary” commercial-oriented processing, deriving from the “practical” economic employment of the statistical models designed and constructed in the context of research projects. ¹⁵⁴ In other words, general models developed for research or statistical purposes should not be used for singling out individuals. Thus, the derogatory data protection regime for research would not apply. The example given by recital 162 GDPR regarding statistical data thus beautifully illustrates the idea of segregation of research results from their non-research use. In this respect, the key factor is keeping the research promises of “statistical confidentiality” as a counterpart to processing personal data necessary “for the production of statistical results.” After all, it just echoes the basics of processing data for statistical purposes. As recital 162 GDPR illustrates, further research uses would be allowed while further non-research-oriented ones—that are those used “in support of measures or decisions regarding any particular natural person”—would not, unless consent is given.

In addition, the recalled principles enshrined in both Article 89(1) GDPR and recital 162 GDPR can provide precious guidance in order to set further boundaries among different research activities.

As the Italian cases involving Tiziana Life Sciences illustrate, processing activities of health data can be extremely complex and be related to different types of research, in terms of different research entities potentially taking part to established research projects, and of the possibilities of secondary uses of employed health datasets to radically different research projects in terms of scope and aim. Although both the administrative and the judicial decisions have been given under the Italian data protection legal framework preceding the European reform, both the decisions are interesting for the purposes of the interpretation of the subsequent framework under the General Data Protection Regulation.

More precisely, the mentioned cases well highlight the uncertainties on the applicability of the research exception regime in case of processing activities carried out for research purposes by a third-party recipient of a research-valuable dataset. These uncertainties relate directly to:

1. 1) The applicability of the presumption of compatibility pursuant to Article 5(1) (b) or the need to assess compatibility according to Article 6(4) and eventually acquire a new consent with the related information duties as it occurs in the case of mergers codified under Article 14 GDPR;

2. 2) The applicability of the more favorable provision under Article 9(2)(j) GDPR. As has been recalled, following the default compatibility rule set out under Articles 6(4) and 5(1)(b) GDPR, if the secondary processing is conducted for research purposes, controllers do not have to seek anew consent from data subjects but would still need to provide information pursuant to Article 14 GDPR, as long as the provision of such information does not prove impossible or requires a “disproportionate effort.” ¹⁵⁵

3. 3) The possibility to withdraw consent since under Article 7(2) GDPR it is always possible. The question thus arises regarding whether after withdrawal of consent by data subjects the legal basis on research is still eligible. The second decision by the Italian data protection authority seems to suggest a negative answer to this question. Conversely, the European Data Protection Board’s Opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation, has stated that “the withdrawal of consent does not affect the processing operations that are based on other lawful grounds.” ¹⁵⁶ The European Commission, on its side, has suggested that the compatibility analysis for secondary uses of data is never allowed when the original legal basis is consent. ¹⁵⁷

The choice to apply one or the other data protection regime, will largely depend on the definition of the scope of the specific research purpose. Thus, it will depend on whether the mentioned compatibility rule applies also to a different third-party organization, carrying out private and for-profit oriented research activities—as the one carried out by a company as Tiziana—in the form of different research projects that are not strictly related to the research projects for which the health data were originally collected. ¹⁵⁸

According to the broad interpretation of research under recital 159 GDPR, the decision of the Tribunal of Cagliari would be more adherent to the newly established, controller-friendly, research-based data protection framework, ¹⁵⁹ as based either on specific, sectoral blanket consents, as the ones described above, or on Articles 9(2)(i) or 9(2)(j) GDPR as legitimate bases alternative to the one of consent. In this perspective, both decisions by the Italian Data Protection Authority suggest the practical opportunity to handle different types of research differently.

The EDPB itself has underlined that in the data protection regime for research “the rules contain a special regime affording a degree of flexibility for genuine research projects that operate within an ethical framework and aim to grow society’s collective knowledge and wellbeing” ¹⁶⁰ and alludes to the difficulty “to distinguish research with generalizable benefits for society from that which primarily serves private interests.” A borderline difficult to trace. In the Tiziana cases genetic research could clearly benefit mankind but the fact that for-profit research could be performed by processing personal data that were collected explicitly for non-profit research purposes, casted and casts doubts on whether the presumption of compatibility would stand the test of Article 5(2)(b), Article 6(4), and Article 7.

To address these persisting interpretative doubts, the next paragraph will propose a framework that differentiates data protection regimes within the research-based regime as shaped in the black letters of the General Data Protection Regulation. This framework is primarily based on the distinction between for profit and public interest-based research.

As the last section will demonstrate, there is direct correspondence between loss of control and free flow of personal information objectives only in this last case. Conversely, when private or public data are processed for commercial-oriented research purposes, the loss of subjective control over processed data needs to be compensated with safeguards for the protection of data subjects’ fundamental rights and freedoms, which come to restrain research data flows.

F. Shaping Differential Data Protection Research Regimes

Our analysis has illustrated that the intertwining of flexibilities and derogations the GDPR offers for research leaves open to interpretation several instances. ¹⁶¹ As anticipated, this also occurs under the new Open Data Directive, which has extended the scope of data re-use, however leaves to Member States the ultimate definition of the access regimes. Against this backdrop, however, a clear limit to eventual arbitrary decisions by data controllers in the data research domain is clearly established, according to the European Data Protection Supervisor (EDPS), ¹⁶² by the impossibility of disowning the “essence of the (fundamental) right to data protection.” This means that the derogations provided by the special regime cannot be abused by data controllers acting for research purposes. To sanction this need, the EDPS suggests a highly restrictive interpretation of the research-based regime. ¹⁶³

Nevertheless, and following such a cautious interpretative approach, a possible restraint to the creeping abusive application of the differential data protection regime for research can be found in the distinction between public interest and commercial-oriented research.

In the previous paragraphs it has been shown that under recital 159 GDPR, the GDPR’s notion of research encompasses both public and privately funded research differently from other normative definitions of research, even within the EU, as the one enshrined in the new Copyright Directive. Under the latter, following a subjective approach to research, the distinction between these two types of research causes the application of the ordinary regulatory regime to privately funded “research” activities, and of the special regulatory regime only to public funded-research activities. ¹⁶⁴ On the other side of the Atlantic, the CCPA adopts a rather objective approach, excluding from the scope of the research exception those processing activities that are linked to commercial research purposes. ¹⁶⁵

At a closer examination, however, it appears that within the same recital 159 GDPR a differentiation between public interest and commercial research is also envisaged. Indeed, the same letter of the recital sets the ground for a free flow of research data within the EU through the reference to Article 179(1) TFEU, but it also highlights both the peculiar link between research that might require “the publication or otherwise disclosure of personal data in the context of scientific research purposes” and the need to adapt the application of the GDPR to the implications of scientific research “in the interest of the data subject,” “in particular in the health context.” The chosen examples relate to the public interest to verify scientific results allowing the repeatability of scientific experiments or the verification of data provenance, on the one hand, and, on the other the benefits of scientific research for the data subject as well.

The beneficial effect of research investigations resulting from the sharing of data has been explicitly acknowledged by the European Commission’s Strategy for data, which highlights the relevance for the achievement of society’s well-being of the employment of public sector information by private entities; government-to-business-G2B-data sharing; the sharing and use of privately-held data by other companies; business-to-business-B2B-data sharing; as well as the use of privately-held data by government authorities; government-to-business-G2B-data sharing.

In consistency with these statements, the recently proposed Data Governance Act considers also privately-funded research as pursuing “a purpose of general interest.” ¹⁶⁶ In this respect the Act establishes a registration mechanism for legal entities, also of private nature, which are willing to make available datasets for purposes of general interest. As it states, “the voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose.” ¹⁶⁷ However, the legal entities willing to be registered as “Data Altruism Organizations recognized in the Union” must be not-for-profit ¹⁶⁸ and must share their data “without seeking a reward.” ¹⁶⁹ In light of these declarations the Data Governance Act appears to shape a notion of “altruistic” research that is already implicitly provided by recital 159 GDPR, promoted by private legal entities with a not-for-profit character and that engage in jointly conducted research activities without targeting economic returns.

A similar approach has been welcomed also by the European Data Protection Board’s Guidelines on “the processing of data concerning health for the purpose of scientific research in the context of the Covid-19 outbreak,” where it is observed how also private entities can play a role in pursuing public interest, especially in an extraordinary situation, such as the pandemic, where it is suggested that the collaboration between private entities and public institutions can be essential for a faster production of results. ¹⁷⁰

These statements are highly interesting also for the purposes of interpreting the notion of research within the GDPR. Indeed, while the already recalled specification within recital 159 GDPR “and privately funded research” clearly sustain the extension of the research exception to private motivated/funded research, it also signals a possible differentiation of regimes echoed as well in the need to take into consideration “reasons for further measures in the interest of the data subject.” For example, in the case of research for orphan diseases, it clearly “gives reason for further measures in the interest of the data subject,” indicating that their interests are served better by the sharing of data. Thus, the fact that “the general rules of this Regulation should apply in view of those measures” shows in turn that the GDPR regime could be softened, as in the differential research-data regimes we described.

Seeds of a taxonomy thus are appearing, distinguishing among various combinations of interests including public, private, and for profit-oriented research, and primarily related to research with advantages to the general public, with further advantages for data subjects, and research mostly profit-oriented. Pharmaceutical research, for instance, is indirectly beneficial to the data subject and society at large but mostly motivated by profit. Its balance tips towards public interest in cases when it “is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” for example during a pandemic or “ensuring high standards of quality and safety of health care and of medicinal products or medical devices.” ¹⁷¹

Thus, the differential regimes for research data, while do not differentiate among private and public funding, clearly differentiate in terms of the more “egoistic” or “altruistic” aim of the research. The subjective perspective regarding the private or public nature of the funding, and thus the private or public nature of the entities conducting research, appears to be quite irrelevant since it can well be the case that also privately funded research serves broader public interest goals, as it can occur with the research and development of a vaccine or with the special derogations and aids offered for orphan drugs.

Conversely, the objective perspective highlighting that the public interest and commercial-based research activities are linked is highly informative. In this respect, as recital 159 GDPR seems to propose, the boundary is to be drawn between those research enquiries whose results also benefit data subjects and research that, as acknowledged under the CCPA, mainly serve controllers’ economic interests. However differently from the CCPA, the “broad interpretation” of the notion of research recalled by the same recital 159 GDPR appears also to suggest encompassing this latter type of research in the research-based data protection regime.

Against this backdrop, we propose to employ such distinction for the purposes of scaling the flexibilities or “privileges”—as the Data Ethics Commission defines them—of the special research-based data protection regime. As has been illustrated above, these flexibilities are directly given by the national definitions of the derogations and the data controllers’ choice about needed safeguards.

Under these premises, a restrictive interpretative approach as the one required by the European Data Protection Supervisor suggests the opportunity to modulate these flexibilities differently with respect to public interest-oriented, or altruistic, research and profit-driven one, regardless of the sources of their funding. Such modulation should thus be primarily rooted in the principles of proportionality and fairness, which assures the protection of data subjects from controllers’ and processors’ abuse, by preventing disproportionate harms stemming from the power asymmetries that characterize the technology-driven processing environment, and in particular the research processing environment.

The said principle suggests tempering the flexibilities existing under the research-based regime in accordance with data subjects’ interests and reasonable expectations. Indeed, referral 159 GDPR clearly illustrate it in the domain of orphan drugs where the research output “gives reason for further measures in the interest of the data subject” and requires reading accordingly the GDPR.

From this perspective, data subjects’ control rationales and free flow of information goals are the parameters upon which the taxonomy is based. Control rationales suggest that both the derogations and the safeguards required under the research-based regime should thus be respectively restricted to the minimum and stretched to the highest when it comes to merely commercial-oriented research data processing. Conversely, public interest-oriented research activities could enjoy a more enabling regulatory regime, designed around deeper derogations, if needed, defined at national level, and less burdensome safeguards, helping the flows of research data.

The three prongs unfolding of the research regime based on Consent, ¹⁷² Public interest, ¹⁷³ and Research, ¹⁷⁴ reflects clearly in the interplay between data pools and their eventual swinging from one regime to the other.

G. Applying the Spectrum of Differential Data Protection Regimes to Data Pools

I. From Public Interest Research to For Profit-Oriented Research

The exploitation of private or public data pools by businesses for profit-oriented research, as the one conducted by Tiziana Life Science Corporation in the aforementioned ruling, may pose higher risks for the protection of data subjects’ rights and freedoms, including to any form of moral objection and overture to specific kinds or goals for the research itself, including data philanthropy. In the Tiziana case, many citizens consensually volunteered to pursuing data-philanthropy aims that might lead the transfer for further use to fail the test under Article 6(4) GDPR. Such assessment is to be primarily conducted in accordance with a risk-based evaluation required by the same Regulation under the data protection impact assessment. Accordingly, the principles of proportionality and necessity—first of all—would require processing activities conducted for for-profit research purposes to rely on the legitimate basis that is more respectful of data subjects’ interests and rights, that is consent. Consent and the related possibility of its withdrawal structurally assures a higher degree of control, also if it is related only to certain research areas as suggested by recital 33 GDPR. In addition to this, taking into account the safeguards for the essence of the fundamental right to data protection, consent allows for a negotiation around the willful conferment of personal data. The effectiveness of such control is mitigated by the presumption of compatibility under Article 6(4) and 5(1)(b) GDPR, enabling further processing for research purposes. Exactly in the view of the necessity of data subjects’ stronger control prerogatives, the same mentioned principles advocate a strict interpretation of such compatibility rules, to restrict the further flows of research data to the realm of data subjects’ self-informational determinations, and to what is proportionate for the prevention of greater risks to the same data subjects. In other words, changing the context ¹⁷⁵ from merely altruistic goals to also for-profit ones might lead to failing the compatibility test.

Note, however, that it is not a clear-cut solution. Indeed, if genetic data under the Tiziana cases were made “manifestly made public by the data subject” without limitations, the further use would be clearly permissible. Similarly, if the informed consent had a scope compatible with the further use or a sufficiently large–although specific as required by the GDPR–blanket consent was acquired.

In the same vein of setting parameters for the research “privileges,” also, the derogation to the principle of storage limitation under Article 5(1)(e) GDPR should be restricted to the storage that is strictly necessary to the performance of the specific research project and not be stretched for other purposes. According to a similar perspective, the possibility to derogate to the information duty under Article 14(5)(b) GDPR should also be restrained by applying a higher standard of impossibility or “disproportionate effort” of providing information by the controller. What is disproportionate for public interest research might not be for profitable interests.

Conversely, research for profit can also benefit from the derogations if appropriate safeguards are provided, for instance, selecting “processing which does not require identification. ¹⁷⁶ Equally, the derogations to ordinary data protection rights could be circumscribed to the sole derogations directly allowed by the Regulation and not be aggravated by Member States laws.

This interpretative possibility is to be directly drawn from Article 89(4) GDPR establishing a principle of segregation: privileges only apply to research purposes and do not extend to other purposes. A striking example can be offered by research for marketing and the use of the research outputs for marketing. While personal data processing for scientific studies on marketing would enjoy the research privileges, the use of the same data for purely marketing purposes would not in consistency with the principle of segregation as illustrated also by recital 162 GDPR stressing that the results of statistical purposes processing operations should not be used “in support of measures or decisions regarding any particular natural person.”

It remains unclear if the same proportionality and necessity principles guide a more severe interpretation of when, in the case of commercial-oriented research, the actioning of data subjects’ rights would “render impossible or seriously impair the achievement” of set research objectives, as required by Article 89(2) GDPR.

On the side of the safeguards required under Article 89(1) GDPR, the same principles of proportionality, fairness and segregation suggest the enactment of higher context-sensitive safeguards for preventing research processing activities to result into the processing of health data for pure, non research-based, commercial purposes. Such processing is indeed prohibited under Article 9(1) GDPR, unless the data subject gives explicit and specific consent for these purposes as required under Article 9(2)(a) GDPR. This suggests a higher threshold of “appropriateness” of the safeguards to be employed under Article 89 GDPR with respect to private or public health data pools employed for commercial-oriented research. More precisely, the safeguards should be appropriate whenever these prevent uses of data that would not be acceptable for the data subjects. A higher appropriateness threshold regarding the safeguards to be enacted would thus feed confidence and trust in privately conducted health research, otherwise impaired by the weakening of individual control over treated health data.

In terms of the requirements under Article 89(1) GDPR, this requires a close scrutiny of the:

1. 1) adherence to the principle of data minimization;

2. 2) requirement to use anonymized data for the purposes of the research activities; or if this is not possible to use pseudonymization techniques;

3. 3) respect to the principle of data segregation;

4. 4) principle of accountability as generally supporting the whole system of data protection safeguards.

A more precise identification of relevant safeguards can be defined in consideration of the possible harms stemming from a processing operation. In case of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, these harms are to be identified by the controllers’ data protection impact assessment under Article 35 GDPR. Harms stemming from the processing of private data pools can be related to the data subjects’ moral suffering related to the disclosure of sensitive health conditions, stigmatizations, and the generation of stereotypes regarding certain groups in the health sector and beyond. Moreover, the processing of data for the purposes of for-profit research easily results into purely commercial activities, as monitoring and marketing by third parties, also potentially triggering profiling activities, which are formally prohibited under Article 22 GDPR. Processing activities of sensitive data conducted for research purposes may thus engender heavy intrusions in data subjects’ personal lives, to be accurately addressed through the establishment of adherent safeguards.

II. Keeping Public Interest Research on the Go

A different standard of data protection emerges for public interest-oriented research. Both private and public research organizations can potentially be involved in public interest-oriented research activities. Examples of public interest-oriented research areas can be found in Article 9(2)(i) GDPR, listing the protection against serious cross-borders threats to health, the accomplishment of high standards of quality and safety of health care and of medicinal products or medical devices. Additional suggestions with respect to public interest-related sectors can be found in recital 54 GDPR, further referring to “morbidity and disability,” “the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.” Research related to these sectors is thus certainly to be considered of public interest-oriented nature, disregarding the public or private nature of its funding. Here a simple example can be research related to post-market surveillance where private, for-profit, and public interest walk hand in hand.

Note however, that national implementations of the GDPR have offered a more stringent test. For instance, the UK Data Protection Act 2018 establishes that the processing will only meet the requirement under the research exception for a basis in UK law if the processing not only is conducted for research purposes and is carried out in accordance with Article 89(1) GDPR, that is the enactment of adequate safeguards, but is also conducted in the public interest. ¹⁷⁷ This public interest requirement applies to any research processing of health data reliant upon the research exception, whether carried out by private or public bodies. The public interest is envisaged under UK law whenever there is a trade-off between the individual interests in data protection and the benefits of research, which justifies the fact that the data subjects who are individually affected have a reason to accept those interferences. This is exactly the case of research in the interest of the data subject, mentioned by recital 159 GDPR.

Conversely, in the absence of such a trade-off, personal interferences are not acceptable if not grafted in an express consent of the data subject, exceptionally allowing an interference in their personal sphere. As anticipated, following this same logic, recital 162 GDPR regarding the processing of personal data for statistical purposes suggests that the results of these processing operations should not be used “in support of measures or decisions regarding any particular natural person.”

Against this backdrop, the acceptability of the processing of sensitive data is to be defined on the basis of a proportionate balance between the reasons for protection of data subjects’ fundamental rights and other fundamental rights, such as the right to health, promoted by research activities over health data.

This acceptability criterion could justify research activities in a legitimate basis that is more controller-oriented as the one under Article 9(2)(j) GDPR. This appears exactly to be acknowledged by Article 110 of the Italian data protection law, which states that processing activities for research purposes do not require data subjects’ consent if the research activities that are carried out are defined on the basis of Union or national laws as required under Article 9(2)(j) GDPR, or in case the retrieval of consent would make the achievement of research objectives impossible or otherwise impair them seriously. The Italian provision thus well reflects how with respect to processing for research purposes, the principles of necessity and proportionality allow a detachment from individual control rights.

In the same perspective, exactly the public interest nature of research activities could justify the possibility to interpret the default compatibility rule under Articles 5(1)(b) and 6(4) GDPR in a broader manner when it comes to the further processing of data for public interest-oriented research purposes; and the storage of employed data for longer periods taking advantage of the flexibilities under Article 5(1)(e) GDPR.

Likewise, acceptability of research activities from the data subjects’ perspective could sustain the derogation to information duties under Article 14(5)(b) GDPR even when safeguards would not trigger the application of Article 11 GDPR. Such derogation would be directly motivated upon the impossibility or “disproportionate effort” for the data controller to provide to data subjects relevant information, while accommodating individual and collective fundamental rights, as it occurs in the case of public health emergencies.

Based on the same reasoning, compliance with the other data subjects’ rights under Chapter III GDPR would be more likely to “render impossible or seriously impair the achievement” of public interest research objectives, thus justifying derogations under Member State laws as allowed under Article 89(2) GDPR.

With respect to this type of research, control rationales may be less stringent in accordance with a risk-based evaluation as the one conducted through the data protection impact assessment. Conversely, free flow of research data goals may gain priority, with the recalled limit provided under recital 162 GDPR. This may justify lower burdens for data controllers with respect to the safeguards under Article 89 GDPR, which would need to be modulated in consistency with the public-oriented nature of the enacted research activities. This means that in case of public interest-oriented purposes of the research, as the development of a vaccine, the safeguards could be restrained to the minimum normative requirements, to what is necessary to fuel data subjects’ confidence that the data is used only in a manner that is acceptable for the community.

As a regular test, the public oriented nature of the research indicates that the driving public interest benefits of a given data processing clearly outweigh the risks to the fundamental right to data protection and does not crashes its essence while for-profit reasons do not weigh in. In this perspective, public interest-targeted research should surely imply controllers’ observance of the general data protection principles recalled by Article 89(1) GDPR, expressly referring to “safeguards in accordance with this Regulation.” As occurs for commercial-based research, the principle of accountability is central also for public interest-oriented research to ensure the essence of personal data protection is not hindered. Processing activities for public interest research purposes should thus also comply with the minimum standard set by Article 89(1) GDPR, particularly regarding the principle of data minimization and the enactment of data pseudonymization techniques.

III. Mixing Interests in Private-Public Research

With respect to mixed private-public health datasets employed for research purposes, the data protection research regime should be calibrated based on the influence that commercial undertakings have within established research partnerships or organizations. The degree of influence of these entities indeed determines the risk of commercial “capture” of research results, especially when for-profit interests weigh in.

The involvement of for-profit organizations and thus their influence in the governance of research projects and results can be derived from specific parameters. In this respect, the Copyright Directive mentions some parameters that can be relevant also for the purposes of data protection. In particular, recital 12 of the Directive refers the influence by commercial-oriented organizations in research activities to “structural situations” as a qualified shareholder control or the presence of specific members of for-profit organizations in the management of research projects. These structural situations may engender a direct control by these organizations over research infrastructures and thus over initiated research patterns. As the recital suggests, these structural situations may in turn favor a preferential access to the results of the research by for profit organizations. Note also that such preferential access would be dealt with in separate agreements.

In the event a “decisive influence” of for-profit organizations over the established research partnership or organization exists, safeguards should be as strict as in the case of a fully for-profit conducted research. Conversely, in case the control of the research endeavors over mixed private-public datasets primarily resides onto the public entity, the identified mentioned data protection flexibilities could be exploited to the maximum.

However, under the GDPR, it is not who funds the research that matters, but its scope. The reason why this is so and why it is a better solution can be clarified by an example. Using the dichotomy under the Copyright Directive could prove to be difficult with respect to private-public partnerships established for grounds of public health protection, as is occurring in the fight against the Coronavirus pandemic. For instance, in the collaboration between private and public actors, as in the “Innovative Medicines Initiative,” based on a public-private partnership between the European Commission and the pharmaceutical industry, ¹⁷⁸ it might trigger the enactment of higher data protection safeguards and lower derogations from the ordinary regime, merely because of the presence of commercial-oriented stakeholders. Nonetheless, purposes of public health protection, and the need of immediate research actions, could conversely suggest a relaxation of data protection checkpoints. In the specific cases where mixed health data pools are employed for research purposes in the public interest in the area of public health, such as for the protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, the higher level of restrictions on the processing of special categories of personal data can be relaxed, in accordance with what is required for the processing for public interest purposes under Article 9(2)(j) GDPR, disregarding the public or private nature of the subjects involved. ¹⁷⁹

H. Conclusion

This study has identified three “differential” data protection regimes for research entailed in the General Data Protection Regulation, given by a data subject-centered regime; a public interest-oriented regime and a general research-based regime. It has demonstrated how the European data protection framework provides the interpretative criteria for the distinction between a for profit research-based data protection regime and a public interest research-based data protection regime providing effective tools to manage it and to leverage private-public partnerships and data sharing with a fluid movement from one differential regime to the other.

The variations between these data protection regimes are rooted in the GDPR’s double fine-tuning system based on the balancing among coded data protection principles and rules and the establishment of ad hoc safeguards for the protection of data subjects’ rights and freedoms by data controllers. It has been indeed demonstrated how moving along the spectrum of the differential data protection regimes the greater the loss of individual control is, the greater the shift of burden of protection onto data controllers is in terms of additional safeguards required under Article 89(1) GDPR accompanied by a wider autonomy in selecting the safeguards in line with the specifics of the research processing needs.

We theorized a similar scaling with respect to differential research-based regimes, to level an asymmetrical flow between for profit and public interest research regimes. This means that in case of for-profit research activities data subjects are entitled to a greater control over occurring processing operations due to a fuller application of data protection principles and rights and a more severe layer of safeguards that controllers need to enact; conversely, in case of public interest-based research possible derogations can be exploited with greater ease by data controllers, which can establish lighter additional safeguards.

Against a generally favorable set of regimes for processing personal data for research, the double fine-tuning data protection system under the European framework has the effect of limiting the application of higher protection standards to be followed by data controllers to data sharing practices for merely commercial-oriented research. To the contrary, in case of public interest-based research, data protection regimes facilitate the free flow of personal information and the interrelated sharing activities.

Overall, the study has shown how the European data protection law provides a highly sophisticated regulation of data processing activities for research purposes, balancing sharing and innovation goals with the high level of protection for data subjects’ fundamental rights it purports fine tuning research privileges and individual rights privileges scaling them in various ways.

We argue that the sensitivity of the European data protection regulatory model could inspire the developments of U.S. data protection regulations for research purposes since it offers a pro-research set of differential regimes able to foster data flow without hampering the essence of the fundamental right to personal data protection. A much-needed solution after the final collapse of the Privacy Shield.