Data protection boundaries know no EU border

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

Rumour has it, you can take the girl out of the country but not the country out of the girl. The UK might well have left the European Union but it hasn’t broken all ties just yet. Whether you are a 48 or a 52, it doesn’t really matter when it comes to data protection: its principles, values and ethics are here to stay.

That doesn’t mean they are dogma, or not up for discussion. Au contraire! Only one thing is more exciting than a pure doctrinal discussion about rights and freedoms: a practical one. How are businesses impacted? What does it mean for small and micro companies? Can I guarantee the safety of my research participants from existential threats? This is why conversations are important. This is why, when guidelines and guidance are drafted, their aim is not governing the laws of the universe but rather easing everyday life applications.

MRS has always championed conversations, especially with members, but also with other national, European and international associations. One in particular is always close to its heart: Efamro. It is the European research federation, representing the interests of market, social and opinion research in Europe. Its members are national trade associations for research businesses. Its playground is Brussels and the European institutions. Its role is to promote the interests and needs of the sector, make sure that voices are heard, and pleas accepted. And lately, it has been very active.

First things first, a check-up on the GDPR. In April, Efamro published and submitted the position paper ‘A Response to the EC’s Roadmap Report on the General Data Protection Regulation’. In association with the European Pharmaceutical Market Research Association (EphMRA) and the British Healthcare Business Intelligence Association (BHBIA), Efamro asked the European Commission to:

• Review and update standard contractual clauses and adopt new EU processor to non-EU or EEA processor clauses. With only 13 adequacy decisions in place, businesses need to refer to other tools listed in Chapter V. Standard contractual clauses for data transfers to third countries have not been updated since they were originally adopted. The commission should urgently review and revise the standard contractual clauses and consider the needs of controllers and processors with the addition of new clauses to cover EU processor to non-EU or EEA processor data transfers.
• Clarify and publish additional guidance on codes of conduct. The different sectorial experiences in devising sector codes has demonstrated that there is some degree of uncertainty regarding codes of conduct by sectors and the same data protection authorities that should be in charge of adopting them.
• Investigate further and get a better understanding of how the issue of overlapping territorial scopes of national laws implementing the GDPR has affected controllers and processors, and how they are dealing with such fragmentation. The GDPR is directly applicable in all member states but it also leaves a margin for national legislators to maintain or introduce more specific provisions to adapt the application of certain rules. This national margin has resulted in a fragmented legal landscape for some of the GDPR provisions. In turn, the non-uniform application of the GDPR across member states can create obstacles to cross-border operations, even intra-EU.
• Highlight the broad need for practical guidelines. On the one hand, businesses may accept the best analysis that fits their interests and consequently adopt practices that would fall in a grey area at best. On the other hand, by focusing relentlessly on the methods and impacts of technology giants, the realities of micro, small and medium-sized enterprises are being overlooked, as are those sectors, such as research, which follow existing rigorous codes supporting ethical personal data practice.

Among many, one topic in particular is still very much up for debate. For Efamro members, the most interesting example of national fragmentation is the concept of scientific research, which has resulted in a patchwork of safeguards, with 27 different interpretations of the concept or the absence of a clear definition. The absence of common ground for scientific research is hindering the single market as it is very difficult to imagine European data processing operating in the strict framework of national borders. The concept of research, without additional specification, has raised practical difficulties.

In January, the European Data Protection Supervisor (EDPS) issued a ‘preliminary opinion’ discussing scientific research – great news, as, finally, one European body has published a position on this. Because of the nature of the EDPS and its mandate, the scope of application is relatively narrow and it’s only an opinion. Nonetheless, it provides all stakeholders an opportunity to engage in the discussion – a debate that needs to look at the actual applications in practice, so that the GDPR provisions are not left in the realm of ‘possibilities’ but can be appreciated and – most importantly – understood by anyone undertaking scientific research that includes personal data.

This is why Efamro partnered with EphMRA and Esomar to publish ‘A Response to the EDPS Preliminary Opinion on Data Protection and Scientific Research’. Our position is clear: scientific research cannot be limited to the common understanding of medical and academic research but needs to be considered alongside other forms of research such as healthcare, arts, humanities, social and market research.

The identification of scientific research cannot be limited to juxtaposition of academic versus commercial, private versus public as much as it cannot be of limited consideration – for example, health science is not only medical research and clinical trials. The source of funding for research is not a determining factor in whether research is scientific; nor does it determine whether an activity results in public benefit or good.

Market, opinion and social research is robustly self-regulated by a family of national and international codes of conduct, ensuring that data collected for research is strictly limited to only research, thus preventing harm or adverse consequences to individuals. Compliance with legal and ethical requirements for the treatment of personal data is vital for maintenance of consumer trust. Ethical standards are set out in national and international codes.

A fully functioning framework for scientific research must reflect the approach of the GDPR. It needs to be technology-neutral, relying heavily on both co-regulation and on a ‘toolbox’ of privately adopted measures that present the undisputed advantage of being fit for purpose within the sector in which they are implemented and, in doing so, transcending the theory and enabling the practice.

While the Covid-19 hiccups may have derailed most of our plans and engagements, it has surely not affected the core of our professions and ethical values. Conversations are important; debates are essential. Whether in conferences, boardrooms or virtual meetings, they help us shape the present and the future. MRS’ work supporting Efamro and EphMRA means, irrespective of Brexit, that MRS remains at the heart of the European debate about research, ethics and GDPR. Keep engaging with Codeline and MRS – we are here for you.

This article was published in the July 2020 issue of Impact.