9 September 2014

The Draft General Data Protection Regulation: current proposals [UPDATED 5 November 2013]

By Leslie Stevens

UPDATE, 5 November 2013: After much delay, the Civil Liberties, Justice and Home Affairs Committee of the European Commission considered and approved submitted amendments to the original draft of the proposed General Data Protection Regulation on 21 October 2013. The European Parliament aims to agree upon a finalised version of the Regulation by May 2014. Despite these intentions, recently published conclusions reached by the European Council have spurred intense debate over the possible postponement of the Regulation until 2015, and thus possible abandonment of the current draft proposal. However, given the political climate after revelations regarding surveillance of European citizens by the United States' National Security Agency, it remains a distinct possibility that the Regulation could meet the summer 2014 deadline. (The current draft as approved on 21 October 2013 can be downloaded here and here.) 

The Draft General Data Protection Regulation (Draft Regulation) was published on 25 January 2012.[1] It is currently estimated that a final draft will be agreed by the European Commission by the end of 2013, with an expected two-year transition period for Member States to fully implement the legislation.[2] Once in force, the Draft Regulation will impact all forms of processing personal and sensitive personal data within the UK, including processing for research. Therefore it is important that the research community understand the Draft Regulation and its potential to change the research landscape within the UK.

Since the Draft Regulation was published in 2012, key stakeholders within Europe and the UK have voiced concerns over the proposed legislation. At the European level, the European Data Protection Supervisor’s office released an opinion on the Draft Regulation[3], as did the Article 29 Working Party[4], both expressing disappointment at the lack of comprehensiveness in choosing to create separate legislation to govern the processing of personal and sensitive personal data for police and criminal justice matters.[5] In the UK, the Ministry of Justice and the Information Commissioner’s Office (ICO) have similarly issued statements regarding the perceived strengths and weaknesses of the Draft Regulation, with particular concerns over the prescriptiveness of the proposed legislation.[6] Strong opinions have also been voiced by non-governmental stakeholders including industry[7] and academia[8]. The interest generated by the Draft Regulation demonstrates the importance of the proposed legislation, and in particular, the importance of getting it right.

Amendments to the Draft Regulation were introduced in December 2012 by Jan-Philipp Albrecht[9], in a report containing over 2,000 amendments to the original draft.[10] Of interest to the UK’s research community are those amendments which propose significant changes to the way personal, and in particular, sensitive personal data, are processed for research.[11] The amended Article 4 defines pseudonymous data in such a way that it may come within the scope of the restrictions imposed on personal data.[12] Pseudonymous data is currently treated as ‘anonymous data’ in the UK[13] and is commonly used by researchers to safeguard individuals’ privacy, whilst allowing for meaningful research to be undertaken. This research practice would be jeopardised if pseudonymous data became likened to personal data in the way suggested by Albrecht’s amendments.

Furthermore, the amendments made to Articles 81 and 83 of the Draft Regulation pose a risk to common research practices regarding the use of health data, which in the UK includes any data regarding an individual’s physical or mental health or condition.[14] These amendments would require explicit consent to be obtained prior to using such health data in research. A complicated series of conditions can be met in lieu of obtaining explicit consent. If explicit consent is not obtained, an exception to this must be written into the Member State’s law. The health data must be anonymised or, if that is not possible, pseudonymised. Prior approval from the Member State’s data protection authority must be sought and only research which serves ‘an exceptionally high public interest’ will be considered in compliance with this provision.[15] This emphasis on obtaining explicit consent ignores the several other lawful bases for processing personal and sensitive personal data under the Data Protection Act 1998, which may in fact provide more robust protection to data subjects than a single communication with data subjects to obtain such consent.[16]

These amendments will be voted on by the Civil Liberties, Justice and Home Affairs Committee of the European Commission on 29-30 May 2013.[17] Stakeholders within the European and UK research communities are hopeful that the amendments which have the most potential to negatively impact research – without necessarily offering increased protection of data subjects – are voted against and that the Draft Regulation as proposed in 2012 will be reinstated.[18]

--------------------

[1] European Commission, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ (General Data Protection Regulation) COM (2012) 11 final.

[2] European Parliament, ‘Procedure File: 2012/0011(COD) Personal data protection: processing and free movement of data (General Data Protection Regulation)’, accessed 3 May 2013; ‘Regulatory Timeline 2013-2014: Data Protection, Privacy and Freedom of Information’, 8 March 2013 accessed 3 May 2013.

[3] European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the data protection reform package’, 7 March 2012 accessed 7 May 2013.

[4] Article 29 Data Protection Working Party, ‘Opinion 01/2012 on the data protection reform proposals’, 23 March 2012 accessed 7 May 2013.

[5] European Parliament and Council, ‘A proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data’ COM (2012) 10 final.

[6] Ministry of Justice, ‘Government response to Justice Select Committee’s opinion on the European Union Data Protection framework proposals’, January 2013; ‘Information Commissioner’s Office: initial analysis of the European Commission’s proposals for a revised data protection legislative framework’, 27 February 2012 accessed 7 May 2013.

[7] For example, the Draft Regulation has received strong criticism from the Direct Marketing Association: accessed 7 May 2013; similarly so from Facebook: Nikolaj Nielsen, ‘Facebook warns against “detailed” EU data law’, 26 March 2013 accessed 7 May 2013; and also from pharmaceutical companies such as GlaxoSmithKline: Liat Clark, ‘Trust us to pseudonymise your data, says GSK (Wired UK)’, 26 March 2013 accessed 7 May 2013.

[8] For instance: ‘Data Protection Regulation: A FEAM Statement’, June 2012 accessed 7 May 2013. 

[9] Jan Albrecht is the rapporteur for the proposed Data Protection Regulation for the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament. <‘Data Protection Regulation: A FEAM Statement’, June 2012> accessed 7 May 2013; European Parliament Committee on Civil Liberties, Justice and Home Affairs, ‘Draft Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data’ (General Data Protection Regulation) COM (2012). (Albrecht Report)

[10] Jan Albrecht, ‘Draft Report on the Proposal for a Regulation of the European Parliament and of the Council on the Protection Of’ (European Parliament 17 December 2012) accessed 29 March 2013. (Albrecht Report)

[11] These changes are reflected in Articles 4, 81, 83 of the Albrecht Report.

[12] Albrecht Report, Article 4, Amendment 85.

[13] The Information Commissioner’s Office, ‘Anonymisation: managing data protection risk code of practice’ (20 November 2012) 7 accessed 7 May 2013.

[14] The Data Protection Act 1998, Part I, Section 2(e).

[15] Albrecht Report, Article 81, Amendments 327-330; Article 83, Amendments 334, 336.

[16] Laurie and Postan ‘seek to demonstrate a growing legal focus on the consent form— a tendency towards its fetishisation—and…suggest that this is an impoverished means of giving effect to the ethical objectives of consent and, indeed, of a responsible research relationship.’ Graeme Laurie and Emily Postan, ‘Rhetoric or Reality: What is the legal status of the consent form in health-related research?’ [2012] Medical Law Review 6 accessed 8 May 2013.

[17] ‘Civil Liberties, Justice and Home Affairs (LIBE) | Privacy Campaign’ <http://www.privacycampaign.eu/contact-your-meps/civil-liberties-justice-and-home-affairs-libe/> accessed 7 May 2013.

[18] For instance, the Wellcome Trust in coalition with other stakeholders in the European and UK research communities issued a joint statement in opposition to the amendments proposed by Jan Albrecht: Federation of European Academies of Medicine and Wellcome Trust, ‘Federation of European Academies of Medicine and Wellcome Trust briefing: Ensuring the LIBE rapporteur’s amendments to the Data Protection Regulation do not prevent health research’, February 2013 accessed 7 May 2013.

This post was first published on 13 May 2013.