Defining scientific research: GDPR and the EU

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

Here we are again: the concept of scientific research in the context of the General Data Protection Regulation (GDPR) is once more the topic of the day. I am not whining; I love a good debate, especially when it is fuelled by the passionate stances of representatives from individual companies, sector organisations, non-governmental organisations, law firms and academia.

Unfortunately, that is not always the case. Sometimes, it is just a tour de table of somewhat irreconcilable positions, and it is really no-one’s fault: it is theory clashing with practice; cultures clashing with interests; innovation clashing with the side of caution; or sector-specific features clashing with legislative and regulatory settings.

This is not a scientific debate; we are not discussing the merits of pure science vs scientific development vs industrial application. It is a debate about how to protect the rights and freedoms of data subjects while trying to achieve benefits for mankind.

But really, how do you define scientific research? Where do you draw the line? How do you help the regulator understand that scientific research is the actual basis of their evidence-informed decision-making and not just clinical trials? How do you help them to help you put Article 89 of the GDPR (which defines scientific research) into practice? You, the practitioner who committed to the Market Research Society (MRS) Code of Conduct, have adopted, and are working within, a full functioning ethical framework – but how does ethics help explain to your data subject, Mr John Doe, that you are using their personal data in the name of science?

The GDPR is a beautiful piece of legislation; an empowering tool that allows for achieving compliance rather than imposing impossible deeds. But it also stems from negotiations and compromises, and its interpretation always depends on the circumstances and the balance of power between the data subject and the data controller. Sometimes, it creates more questions than it solves.

This is especially true when it comes to scientific research. The GDPR states “the processing of personal data for scientific research purposes should be interpreted in a broad manner, including, for example, technological development and demonstration, fundamental research, applied research and privately funded research” – but it does not specify which research.

It also says “the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes should be subject to appropriate safeguards”, but it doesn’t specify what these safeguards are. Member states are also allowed to adopt safeguards, specifications and derogations – but they didn’t.

The European Data Protection Board (EDPB) finally started a conversation on the subject (don’t worry, the Information Commissioner’s Office is working on it too).

The EDPB is very well aware that the GDPR states: “Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions, such as unemployment and education, with other life conditions. Research results obtained through registries provide solid, high-quality knowledge, which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.” But, somehow, it appears to have lost the memo, which is why MRS got involved again.

Efamro, the European research federation (of which MRS is a member), created a sector working group with European partners, including the European Pharmaceutical Market Research Association and Esomar, and joined the EDPB meeting to make a point.

Our aim was to make the EDPB understand that, among many other points:

• Scientific research cannot be framed in fixed regulatory boundaries, national or European
• Scientific research must not be limited to the common understanding of medical and academic research, but needs to be considered alongside other forms of research, such as healthcare, arts, humanities, social and market research
• The span of scientific research must not be a simple dichotomy of ‘private research versus public research’. It would be inappropriate to use the source of funding to define the parameters of scientific research, not least because very few projects are wholly public or private
• The identification of scientific research cannot be limited to the juxtaposition of academic versus commercial, private versus public, as much as it cannot be of limited consideration – for example, health science is not only medical research and clinical trials. The source of funding for research is not a determining factor in whether research is scientific; nor does it determine whether an activity results in public benefit or public good
• The concept of ‘scientific research’ should be focused on all kinds of empirical scientific research where personal data of the research subjects (that is, the participants) is processed, which is also, for example, the case in market, opinion and social research.

We said that public interest research purposes should focus on research activities that serve the public good and benefit society (and are not exclusively for personal or private gain). Examples include:

• Providing or improving evidence bases that support the formulation, development or evaluation of public policy or public service delivery; and guiding decision-making with anticipated benefits for the economy, society or people’s quality of life
• Significantly extending understanding of social or economic trends or events, either by improving knowledge or challenging accepted analyses
• Extending knowledge of a disease or treatment options in a way that leads to improved patient-support programmes.

Furthermore, the ‘additional safeguards’ framework must reflect the approach of the GDPR, and needs to be technology-neutral. It should rely on both co-regulation and a ‘toolbox’ of sector measures that present the undisputed advantage of being fit for purpose and, in doing so, transcend the theory and enable practice.

Were they listening? Did they grasp the concept? As the well-respected members of society and representatives of national data-protection authorities that they are, I am sure they did. Whether this will pass the test of agreement between 27 different opinions, I really can’t say.

This article was first published in the July issue of Impact.