General Data Protection Regulation

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Comments and follow-up of “EpiBlog: Informed consent” and “EpiBlog: A New EU Directive for Data Protection in Europe”[1]

I have seen the future, baby
it is murder

—Leonard Cohen

As previously announced, the European Union will replace its Directive on Data Protection with a new text. A draft is now available on this website: http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf, and it is not pleasant reading for epidemiologists. Should this text be adopted as a regulation (and that is what they propose) it will be much more difficult to do research in the future, at least in parts of Europe. It will become more difficult in several parts of the region to identify new toxic hazards, to evaluate health programs, to see if laws have unwanted or unexpected health effects, to examine who will suffer most from the current health crises in Europe, etc.

Explicit informed consent for handling of all personal, sensitive data (all health data) overseen by a European Agency for Data Protection is the red thread in the text, which seems to have been written without consulting the people who do population-based research. How this will work in GWAS studies, in using biobanks, and so on, is difficult to see. Studies that address large segments of people’s lives may be impossible to conduct in a valid way if explicit informed consent is needed each time the database has to be updated and used. As before, governments are exempted from this rule and can run registers as they see fit. The text is a legal text, not a text related to history, science, or ethics. They do not consider the fact that personal data have been misused by governments as well, both in the past and in recent times, to take away human rights from opponents of regimes. Data and information are needed for a democracy to work, and some of that information comes from independent research. The threat of unethical and undemocratic misuse of data comes primarily from governments, not from researchers. And these governments seldom support independent and free research.

The text does address “freedom of speech” rights but without any discussion of how we guarantee freedom of speech unless we have something to talk about, and journalists are not the only protectors of democracy. Researchers also play a key role, besides providing information on how we can improve, e.g., disease prevention and health care.

“The right to be forgotten” is considered a key principle in this text. One could wish it would also include the text itself. In any case, we hope that the final text will be more research friendly, but it is of concern that the researchers most affected by this, the epidemiologists, were not consulted more (if at all) before this first draft was written. The text cites numerous people and organizations that presented evidence in two rounds of consultation – commercial and legal voices dominated. Among the health-related groups that did comment, National Health Services Scotland, for example, stated that it “would not like to see the EC introduce any regulations that make it even more difficult for bona fide organisations/individuals to undertake public health surveillance and research”. Unfortunately, there is no information on the responses to these comments by those drafting the regulation.

This proposal is a text of 116 pages, and in the following paragraphs we will only highlight a few key points. The text provides detailed information on the role of the data controller, the right of access to data, the obligation to correct mistakes, and more, all of which could be very expensive and time-consuming obligations and activities.

First of all, the Directive will be replaced with a Regulation that will reduce legal fragmentation and harmonize a set of core rules. Sounds fine but means higher costs and limitations of research options in some countries.

Several European researchers collaborate with research groups outside the EU and exchange data with these collaborators, have data analyzed, or use lab facilities located outside the EU. The current procedures may be eased by the fact that this regulation will establish a European Data Protection Board, which will provide a list of countries/regions that are considered to have the same level of data protection as in the EU.

Informed consent continues to be key when doing health research. The concept may be well defined in the randomized trial where participants need to know they are part of a trial that may impose a risk. But what about large-scale, long-term observational studies? How informed and explicit should the consent be? For any SNP in the GWAS chip? And should it be renewed at regular intervals? The consent is based on an active statement, not necessarily by signing a written document, but it has to demonstrate that the participant is aware of the purpose of the study. Many large-scale cohorts have multiple purposes, and it is not clear if a purpose could be as unspecific as “research”. Participants have the right to withdraw their consent at any time (as now), but they cannot withdraw consent for data already collected and analyzed. It is not clear if they can withdraw consent for data that have been collected but not yet analyzed, and in these situations the specificity of the consent is of crucial importance. The text provides special rights for children who participate because their parents gave consent. The text does not take risk or lack of risk into consideration, as is done by most research ethics committees.

Participants should be informed about how data are processed, how long they are stored, and that they have the right to access data and to complain. If this information has to be given personally it will be prohibitively expensive in some studies. At present, we often provide this information on our study website. The text provides a broad definition of health data, including any information related to physical or mental health, including all data generated by health services. In addition, excluding participants from a study (for which they have already given informed consent upfront) may seriously bias its results, thus providing wrong conclusions with a detrimental effect on the health of the whole population.

It is important to keep in mind that processing of health data (and other sensitive data) is illegal, with a few exceptions, unless the researcher has informed explicit consent. Participants should be informed about how long data are to be stored, and they have the right to get a copy of their own data (including GWAS data?). The text does not require the researcher to explain the importance of the data, but it is not clear how we can avoid providing such information.

The data controller is given a large set of responsibilities in the text that most likely will increase the cost of running a study.

There is a crack in everything
that is how the light gets in

—Leonard Cohen

This new EU regulation may not change the rules for many small-scale studies with a specific purpose such as randomized trials. It is more complicated for studies that have no specific research aim, or multiple research aims, such as large-scale biobanks whether they are based on existing biological samples from health care or ad hoc collected data. Whether studies using existing health data such as cancer registers, mortality registers, hospital registers, etc., can continue as now is not clear.

The present proposal makes several remarks that may allow these studies in the future, for example by using the principles of “a trusted third party”. The researcher may continue to have access to health data that are coded, if the code is not available to the research team. The principle of getting informed consent may also be overridden if it is very difficult (or expensive) to get such a consent. Data on health may also be collected without consent as before in health care but now also in preventive medicine. We guess this practice will be decided by the EU Board and not the national data protection agency. In any case, this part of the text can be improved and made more precise. Hopefully, we can avoid the destruction of very valuable research data collected without explicit informed consent. We have seen in the US that courts have ruled that extremely valuable and important blood spot biobanks should be destroyed. We have in Europe seen that cancer registers could not be used for research. How “research friendly” the members of the EU Board will be is of crucial importance, especially since the text is far from being clear on how to administer exemptions to the “explicit informed consent principle”. Do not let the Hungarian government appoint all the members.

In our opinion, restrictive actions are not in the interest of the people. The public is interested in knowing how best to protect their health and to get the best possible treatment. Modern data management technology, if applied properly, provides important safeguards against misuse.

The regulation may, however, help remove many of the local “homemade” obstacles to using data for research. People who have something to hide have often successfully obstructed researchers’ access to data. It would probably have been too much to hope for that a new EU regulation could advocate for more, better, and more affordable health research, but the people in the EU have the right to expect this.


The aim of the proposed regulation is to adapt the practice of data protection in Europe to new ways of using personal data. As stated, the aim is to harmonize this practice. How much this will interfere with our options for doing epidemiologic research is not clear, but the consequences could be devastating for re-use of research data in meta-analyses, for example, for being able to do critical analyses on data collected by others, for using routinely collected health care data, for using biobanks of biological material collected for other purposes or for other research projects, and for using existing administrative registers. Health in Europe (and the rest of the world) could be set back by this regulation. What we need is not harmonizing where some will gain and some will lose in research. We need to make research conditions better for all, since this can be done without violating people’s right to privacy. Nothing is mentioned on how technology has improved the protection of people’s privacy without reducing research options.

In an open, democratic society research plays a role in enabling people to exercise their democratic rights and duties, but this regulation will not, in its present form, move us in the right direction. We must hope the final text becomes more “research friendly” and moves us closer to the “open society”. We do not think this will happen without a debate, and we, as epidemiologists, need to take part in this debate.

Jørn Olsen, Cesar Victora, Neil Pearce, Patricia Buffler, Shah Ebrahim

[1] http://ieaweb.org/index.php?option=com_content&view=category&id=22&Itemid=54

