UPDATE, 5 November 2013: After much delay, the Civil Liberties, Justice and Home Affairs Committee of the European Commission considered and approved submitted amendments to the original draft of the proposed General Data Protection Regulation on 21 October 2013. The European Parliament aims to agree upon a finalised version of the Regulation by May 2014. Despite these intentions, recently published conclusions reached by the European Council have spurred intense debate over the possible postponement of the Regulation until 2015, and thus possible abandonment of the current draft proposal. However, given the political climate after revelations regarding surveillance of European citizens by the United States' National Security Agency, it remains a distinct possibility that the Regulation could meet the summer 2014 deadline. (The current draft as approved on 21 October 2013 can be downloaded here and here.)
The Draft General Data Protection Regulation (Draft Regulation) was published on 25 January 2012. It is currently estimated that a final draft will be agreed by the European Commission by the end of 2013, with an expected two-year transition period for Member States to fully implement the legislation. Once in force, the Draft Regulation will impact all forms of processing personal and sensitive personal data within the UK, including processing for research. Therefore it is important that the research community understand the Draft Regulation and its potential to change the research landscape within the UK.
Since the Draft Regulation was published in 2012 key stakeholders within Europe and the UK have voiced concerns over the proposed legislation. On the European level, the European Data Protection Supervisor’s office released an opinion on the Draft Regulation, as well as the Article 29 Working Party, both expressing disappointment in the lack of comprehensiveness in choosing to create a separate legislation to govern the processing of personal and sensitive personal data for police and criminal justice matters. From the UK, the Ministry of Justice and the Information Commissioner’s Office (ICO) have similarly issued statements regarding the perceived strengths and weaknesses of the Draft Regulation, with particular concerns over the prescriptiveness of the proposed legislation. Strong opinions have also been stirred from non-governmental stakeholders including industryand academia. The interest generated by the Draft Regulation demonstrates the importance of the proposed legislation, and in particular, the importance of getting it right.
Amendments to the Draft Regulation were introduced in December 2012 by Jan-Philipp Albrecht, in a report containing over 2,000 amendments to the original draft. Of interest to the UK’s research community are those amendments which propose significant changes to the way personal, and in particular, sensitive personal data, are processed for research. The amended Article 4 defines pseudonymous data in such a way that it may come within the scope of the restrictions imposed on personal data. Pseudonymous data is currently treated as ‘anonymous data’ in the UK and is commonly used by researchers to safeguard individuals’ privacy, whilst allowing for meaningful research to be undertaken. This research practice would be jeopardised if pseudonymous data became likened to personal data in the way suggested by Albrecht’s amendments.
Furthermore, the amendments made to Articles 81 and 83 of the Draft Regulation pose risk to common research practices regarding the use of health data, which in the UK includes any data regarding an individual’s physical or mental health or condition. These amendments would require explicit consent to be obtained prior to using such health data in research. A complicated series of conditions can be met in lieu of obtaining explicit consent. If explicit consent is not obtained, an exception to this must be written into the Member State’s law. The health data must be anonymised, and if not possible, pseudonymised. Prior approval from the Member State’s data protection authority must be sought and only research, which serves ‘an exceptionally high public interest’, will be considered in compliance with this provision. This emphasis on obtaining explicit consent ignores the other several lawful bases for processing personal and sensitive personal data under the Data Protection Act 1998 which may in fact provide more robust protection to data subjects, than a single communication with data subjects to obtain such consent.
These amendments will be voted on by the Civil Liberties, Justice and Home Affairs Committee of the European Commission on 29-30 May 2013. Stakeholders within the European and UK research communities are hopeful that the amendments which have the most potential to negatively impact research – without necessarily offering increased protection of data subjects – are voted against and that the Draft Regulation as proposed in 2012 will be reinstated.
 European Commission, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ (General Data Protection Regulation) COM (2012) 11 final.
 European Parliament, ‘Procedure File: 2012/0011(COD) Personal data protection: processing and free movement of data (General Data Protection Regulation)’,