Privacy Implications of Research Data: A NISO Symposium, 11 SEPTEMBER 2016, DENVER
Security, Solidarity, Science and the rule of law
Open Science and privacy protection in transnational cooperation
Dr. Christoph Bruch, Helmholtz Association
Contents
§ Helmholtz Association
§ The German National Cohort
§ Data protection in an international setting
Page 2, Denver, 11.09.2015
Helmholtz Association
§ Staff: 38,237
§ Budget: € 4.45 billion
  - Two thirds come from public sponsors (in a 9:1 split between Federal and state authorities)
  - The individual Helmholtz Centres are responsible for attracting more than 30% themselves in the form of contract funding provided by public and private sector sponsors.
§ Each year, several thousand visiting scientists and researchers from all around the world come to the Helmholtz Centres
The German National Cohort
NAKO Facts and figures
§ It will provide a major, central resource for population-based epidemiology in Germany, and will help to identify new and tailored strategies for early detection, prediction, and primary prevention of major diseases.
§ Overall duration of 25–30 years
§ 18 regional study centres
§ 200,000 women and men aged 20–69 years
§ 200,000
  - extensive interview
  - self-completion questionnaires
  - a wide range of medical examinations
  - collection of various biomaterials
§ 40,000
  - "Level 2" programme
§ 30,000
  - Magnetic resonance imaging examination programme
§ After 4–5 years, all participants will be invited for a re-assessment.
NAKO Timeline
NAKO Study centres of the German National Cohort
NAKO data protection/management concept
§ 2 data sources
  - Data generated within the project
    - Interviews/Questionnaires
    - Medical examinations (level 1: all; level 2: 40,000; MRI: 30,000)
    - Collection of various biomaterials
  - Linkage to secondary data to obtain additional information on the individual's health and employment history
    - Patient files
    - Statutory health insurances
    - Data on occupational history
    - Geocoded environmental data
§ Data Protection Concept
  - Central data management
  - Compliance with the Federal Data Protection Acts
  - Compliance with "Opinion of the German Ethics Council"
  - A data protection concept was developed in close collaboration with the German federal and state commissioners.
  - A 'Code of Ethics' of the GNC has been developed.
  - An external ethics advisory board has been established.
NAKO Criticism concerning data protection concept
§ Data protection is a highly contentious issue in Germany
§ A civil liberties organization criticized NAKO because of alleged shortcomings (at least some have been ameliorated by now) of its data protection concept:
  - Discrepancy between information concerning intended use in consent form and user (= research) agreement/rules
  - No options for requesting content at later stages as new uses are intended
  - Now automatic renewal of consent that is only valid for 5 years. (This wording is problematic anyway as by law consent can be withdrawn anytime.)
  - Consent form allegedly did not enable participant to insert disagreement with particular part of that form. (no NO-Field)
  - Ambiguities in respect to prohibition of commercial use
NAKO illustrates
§ the commitment of the research community to data protection
§ the effort necessary to reach and maintain an adequate level of data protection
§ tensions existing because of inherent conflicts of interest between research, which is about uncovering, and privacy, which is about seclusion
The research community is pro data protection
§ Data protection is a prerequisite to build trust, which in turn is a prerequisite for the cooperation of the data subject (test person, interviewee)
§ There is a strong incentive to demonstrate commitment to data protection since there is a tendency to collect more PII.
§ Commitment to data protection is also motivated by the awareness of an increase in
  - the amount of data being collected and
  - the ability to process data, which results in
  - greater risks of the occurrence of mishaps and
  - new and more dangers of misuse (e.g. deanonymization)
Data protection is a challenge for the research community as
§ A limitation of the use of PII to the original purpose is at odds with the vision of data driven science.
§ Researchers are faced with new demands to make their data available, e.g.
  - open science
  - interdisciplinary cooperation
  - reproducible science
  - commodification of science
§ New scenarios for proper use but also misuse result in an increased burden to maintain adequate data protection standards.
§ Core data protection principles like data minimization, strict limitation of use, informed consent are at odds with the high hopes related to big data.
Repercussions for 3rd parties
§ The collection and analysis of PII can have repercussions beyond the group of persons whose data are collected.
§ These implications for secondary groups can occur as a result of various circumstances, e.g.
  - Genetic data: contain information about relatives
  - Security data: contact persons may be associated with security risk/criminal offences
  - Profile data: profiles derived from data relating to certain individuals may be associated with other persons considered as belonging to a similar "profile group"
Informed consent
§ The practical meaning of informed consent is strongly dependent on the amount of comprehension deemed necessary to enable an individual to give that informed consent.
§ Actual consent has to be considered rather vague if the consenting person has only a superficial understanding of the implications of his decision.
§ Statements concerning intended use of PII are typically very complex, often quite long and incomprehensible for the great majority of persons who agree with them.
§ Thus, there are clear limitations to the possibility to realize informational self-determination via this tool.
Data protection in an international setting
Motivation for EU data protection regulation
§ Great variations in protection levels were possible because of the broad scope left to member states by EU Directive from 1995
§ This led to "forum-shopping" by big companies = choosing of jurisdiction with lowest data protection requirements
§ Resulting in Google, Facebook … transferring their European operations to Ireland
§ A data protection regulation was to create a more level playing field.
Timeline: Harmonization of data protection
1980  OECD Data Protection Principles
1995  Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EC) (repealed by 2016/679/EU)
1998  Negotiations on Safe Harbor Privacy Principles are started
2000  Safe Harbor Decision - European Community declares International Safe Harbor Privacy Principles are compliant with the EU Data Protection Directive (Decision 2000/520)
2015  Judgment of the European Court of Justice declaring invalid the EU Commission's Safe Harbor Decision (Case C-362/14)
2016  Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016/679/EU)
      May 2016: Regulation took effect
      Transition period: Member states will adapt their data protection laws
      May 2018: End of transition period – regulation comes into force
2016  February: Completion of negotiations on EU-U.S. Privacy Shield
      July: Adequacy Decision by EU Commission concerning EU-U.S. Privacy Shield
General Data Protection Regulation: Key features (1)
§ Stronger EU-wide harmonization – but a lot of scope for member states
§ Increased fines (§ 43, Art. 83)
  - for individuals up to EUR 300,000
  - for companies up to EUR 20,000,000 or 4% of annual turnover
§ Obligation to demonstrate adequate protection
  - This responsibility is with the principal investigator of a research project or the head of a research institution
  - In certain cases a data protection officer needs to be appointed
§ The position of the data protection officers has been strengthened.
  - This includes e.g. involving data protection officers already at early planning stages of bigger research projects
General Data Protection Regulation: Key features (2)
§ Transparency demands for data controllers have been increased
  - This includes the obligation to communicate clearly and in a language easily comprehensible.
  - By the same token, information rights of persons whose PII are collected have been strengthened
  - In order to be able to fulfil the information obligations more monitoring and reporting may be necessary
  - In fact the information obligations may prove to be the highest data protection hurdle in cases in which the PII are anonymized, as the persons whose data are used have a right to know how exactly their data were used. This will be dependent on how the new data protection regulation will be transformed into national law of the Member States
§ Expansion of the area of application
  - The General Data Protection Regulation also applies to PII processed outside the EU if this is done on behalf or under responsibility of a company with a legal branch in an EU member state.
General Data Protection Regulation: Key features (3)
§ A data protection impact assessment is obligatory in certain cases (Art. 35)
§ The options for building up large collections of PII are limited by the instruction that personal data may not be made available "to an indefinite number of natural persons" (Art. 25(2))
§ The use of human genetic data poses a challenge as these can in principle not be pseudonymized or anonymized. At the same time, many research questions in the field of genetics (e.g. personalized medicine) can only be tackled by the analysis of aggregations of great masses of these data. Even if aggregation of these data is made possible based on appropriate consents, the challenge remains to guarantee adequate security levels and rights management.
General Data Protection Regulation: Research privileges (1)
§ Informed consent
  - Lower standard for research purposes [recital 26]
§ Use for research purposes of personal data which was not collected for this purpose, including data in public registers
  - Member states may allow this. If doing so, research purposes need to be one of the privileged uses. [recital 50, 159, 162; Art. 5(1)(b)]
§ Permission to process especially sensitive personal data which in general may not be processed
  - the prohibition may be lifted for research purposes [recital 52 & 53]
§ Information obligations in respect to the data subject and other reporting obligations can be lowered for research purposes [recital 62, 156; Art. 14(5)(b)]
General Data Protection Regulation: Research privileges (2)
§ Limitations concerning the duration of data retention
  - These limitations can be extended or lifted for research purposes [Art. 5(1)(e)]
§ Right of data subjects to have data corrected or erased
  - The corresponding obligation for the data controller can be lowered for research purposes [recital 65; Art. 17(3)(d)]
§ (International) data transfer
  - Transfers for research purposes can be privileged [recital 113]
Rule of law: Scope for "practical solutions"
§ Compliance with data protection law is a challenge on the national level and even more so on the international level.
§ Harmonization of the respective statutory law is a long term project that often does not help to solve current problems.
§ Forging agreements between states establishing processes that ease observation of the law is therefore a commendable approach.
§ When rating the US Safe Harbor Privacy Principles as adequate, the European Commission did not adequately consider EU law including the Charter of Fundamental Rights of the European Union.
§ Now the EU-U.S. Privacy Shield is to be the new and better practical solution.
§ There is general agreement that the Privacy Shield is a major improvement.
§ The European data protection community will surely try to have Privacy Shield tested by the European Court of Justice as soon as possible.
Thank you very much for your attention