Data protection and research in the European Union: a major step forward, with a step back

The perspective and role of the medical oncologist in cancer prevention: A position paper by the European Society for Medical Oncology

The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals’ privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

How healthcare is being administered is nowadays one of the distinctive traits expressing the progress of a given society. The steadfast implementation of e-health services has become an indispensable tool in order to bring the provision of healthcare to the next level. Notwithstanding e-health’s actual and promising applications, e-health hinges on highly sensitive information on patients’ personal lives and even intimacy, which, in Member States of the European Union (EU), must comply with the pertinent personal data protection legislation. In effect, health data have been classified as a special category of personal data by Directive 95/46/EC, the Data Protection Directive (DPD). The DPD subjects the processing of personal health data to a specific, stronger protection compared to less sensitive personal data in the form of a prohibition, which can only be excepted when the data subjects grant their explicit consent to the processing or if such consent is overridden by a superior interest provided by the law. Aware of the major changes brought about by technological progresses in this field, the EU initiated in January 2012 a revision of the DPD. Eventually, Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) were published in May 2016, to be applicable as of spring 2018. Regulation 2016/679 displays an even greater carefulness with the safeguard of health data than the DPD. Yet, it is unclear whether this legal reform is up to the challenge of current technological developments, particularly, as so-called big data technologies advance. Notwithstanding the impulse that the EU is placing on e-health and cross-border cooperation, e-health systems are developing primarily at the domestic level. In this article, we will seek to review and compare different e-health platforms now operating under the public health system of a EU member state, Portugal, with a specific focus on how the legal protection of personal data is being configured for each of them. Given the growing importance of big data in the field of health, we extend our comparative endeavour to this emerging phenomenon.

The process of legislative settlement of issues related to the protection of personal data began in the European Union (EU) with the entry into force of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data and on the free movement of such data (Directive). After adoption the Charter of Fundamental Rights of the European Union (2000), which Article 8 defined the protection of personal data as a human right, establishment of the sufficient principles in the Lisbon Treaty (2009), there were amended two key EU acts: the Treaty on EU and the Treaty establishing the European Community. As a result, everyone in the EU was guaranteed the right to protect their personal data. In 2016 the EU adopted Regulation 2016/679/EC of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Regulation), which radically updated the methods of collecting and processing personal data, and not only in the EU. As a result, to comply with its requirements, both EU-based companies and those operating in the EU or working with consumers from the EU market were forced to update their privacy/personal data policies. In turn, in Ukraine, significant progress in the development of legal regulation of personal data protection occurred later. As of 2010, public relations regarding collection, storage, use and dissemination of information about a person were regulated by more than two dozen uncoordinated laws and secondary legislation. To specify and define the mechanisms for implementing the provisions of Article 32, Constitution of Ukraine, which proclaimed the right of a person to non–interference in its personal life and established a ban on the collection, storage, use and dissemination of confidential information about a person without its consent, the Verkhovna Rada of Ukraine in 2010 adopted the law of Ukraine “On Personal Data Protection”. Having played a vital role in the legislative codification of the rules for processing personal data, the law, like the Directive, failed to respond to technological changes and the processes caused by this in society, despite numerous amendments made by MPs. Since the Association Agreement between EU and Ukraine came into power, there is noticeable arising necessity to harmonize the Ukrainian legislative framework with EU, as though contexts of adoption of the Regulation and the Law are different, so are the ways of resolving personal protection issues in Ukraine and the EU. Therefore, it is necessary to establish the new legislative amendments, the degree of compliance of personal data protection standards in Ukraine with the relevant standards in the EU. In this paper, as an outcome of estimations of relevant international research, further analytical and comparative analyses, there are some proposals to future institutional features of such modernization, affecting such issues as: clarification regarding material effects in order to limit legal regulation and avoid excessive legal burden on individuals, as well as in some cases on state authorities; providing new definitions of concepts that are not yet available in domestic regulation; establishment of fundamental guidelines for the processing of personal data in accordance with international standards; fostering more sustainable standards for the processing of sensitive personal data; in-depth structuring the issue of processing personal data for a different purpose than the one for which they were collected; regulating the implementation of the rights of personal data subjects, in particular, the right to information, the right to access, the right to correct personal data, the right to be forgotten, the right to personal data mobility, the right to restrict the processing of personal data, the right to protection from automated decision-making, the right of the data subject to protection of their rights and compensation for damage; clarifications regarding the definitions of the duties and responsibilities of the personal data controllers and operator; sustainable regulations concerning the issue of cross-border transfer of personal data.

This paper undertakes to decompose the notion of “Data Protection Impact Assessment” pursuant to the definition and the requirements set forth in Article 35 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR” or the “Regulation”). The paper defines the exact circumstances under which the conduct of a Privacy Impact Assessment is mandatory and highlights the key points for a proper implementation from a procedural perspective. Throughout all the aforementioned steps, additional deliberation will be provided in order to distill the terms and conditions mentioned in the Regulation, Article 29 Data Protection Working Party (hereinafter “WP29”) and European Data Protection Board (hereinafter “EDPB” or the “Board”) guidelines and opinions. In order to achieve an efficient comprehension of the current document a good knowledge on the fundamental notions of privacy and security is required.

The General Data Protection Regulation (full name: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive) entered into force on May 25 2018, but was approved on April 27 2016. The General Data Protection Regulation (GDPR) aims to ensure the coherence of natural persons’ protection within the European Union (EU), comprising very important innovative rules that will be applied across the EU and will directly affect every Member State. The GDPR considers a ‘special category of personal data’, which includes data regarding health, since this is sensitive data and is therefore subject to special conditions regarding treatment and access by third parties. This premise provides the focus of this research work, where the applicability of the GDPR in health clinics in Portugal is analysed. Such analysis is based on a study by [1], who presents the results of a survey regarding the GDPR applicability in health clinics six months before its enforcement. This work aims to present the evolution of the regulation applicability six months after its enforcement. The results are discussed in light of the data collected from a survey and possible future works are identified.

Artificial intelligence applied to medicine: There is an “elephant in the room”

Rozporządzenie Parlamentu Europejskiego i Rady Unii Europejskiej nr 2016/679 z dnia 27 kwietnia 2016 r. w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i w sprawie swobodnego przepływu takich danych (w skrócie RODO), ma znacznie większą siłę oddziaływania na Kościoły i inne związki wyznaniowe niż wcześniej obowiązująca dyrektywa 95/46/WE Parlamentu Europejskiego i Rady z dnia 24 października 1995 r. w sprawie ochrony osób w związku z przetwarzaniem danych osobowych oraz swobodnego przepływu takich danych. Zgodnie z art. 91 ust. 1 RODO Kościoły i inne związki wyznaniowe, które w momencie wejścia w życie rozporządzenia – tj. 24 maja 2016 r. – stosowały szczegółowe zasady ochrony osób fizycznych w związku z przetwarzaniem danych, mogą je nadal stosować, jeśli zostały one dostosowane do RODO. Porównanie polskiej wersji art. 91 RODO z jego angielskim odpowiednikiem budzi jednak poważne wątpliwości. Zamiast przymiotnika „kompleksowy”, który wydaje się być dokładniejszym tłumaczeniem słowa „comprehensive” występującego w angielskiej wersji tekstu, użyto określenia „szczegółowy”. W konsekwencji, w obowiązującym prawie państw Unii Europejskiej, dwie różne kategorie pojęciowe są używane w tym samym kontekście w zależności od języka: „szczegółowe zasady” oraz „kompleksowe zasady”. W tej sytuacji jednolite stosowanie prawa jest znacząco utrudnione. W niniejszym opracowaniu zostały poddane analizie zasady ochrony danych osobowych przewidziane w porządku prawnym Kościoła Ewangelicko-Augsburskiego w RP. Stanowią one przykład zasad, jakie Kościoły i inne związki wyznaniowe stosowały przed wejściem w życie RODO. Uzasadnieniem wyboru KE-A jako przykładowego jest fakt, że należy on do największych Kościołów i innych związków wyznaniowych w Polsce, a ponadto stosunek państwa do niego – jak i czternastu innych –został określony odrębną ustawą.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became effective on 25 May 2018. With the regulatory form the legislator raised the regulation of the right to the protection of personal data within the European Union to a higher level. The legislative act has a fundamental impact on the legal systems of the member states showing various differences from each other. Further, it can be stated as a general experience that the right to the protection of personal data and the nature of such right are less known either to those affected or to the data controllers. The new legislative act and the penalties with increased amounts [Article 84 of the GDPR] demand the elaboration of a study understandable for laics, too. Finally, as a result of the General Data Protection Regulation, the institution system ensuring the protection of personal data has fundamentally changed, so, therefore, it is also necessary to examine the authorities of the member states and the Union, as well. The study primarily approaches the occurring problems from the practice side. Accordingly, the examination conducted by the Commission nationale de l’informatique et des libertes (CNIL) against Google is described, as the first significant penalty imposed based on the General Data Protection Regulation. The first part of the study is intended to present the right to the general protection of personal data. The historical part addresses in details the major elements of the historical development of data protection and the development of its contents, with particular regard to the appearance of the right to information self-determination based on the so-called “census-judgement” of 1983 of the BVerfG (Federal Constitutional Court of Germany). Finally, this part touches upon the theories defined in connection with the historical generations of the right to the protection of personal data. After the historical part the study addresses the peculiarities of the right to the protection of personal data, paying particular attention to separation from the neighbouring legal areas. The second part is intended to present the prevalence of the right to information self-determination according to the GDPR. It is the institution system protecting personal data that has undergone the most significant change. The Work Group under Article 29 has been replaced by the Data Protection Agency set up based on the GDPR. Setting up the Agency, enlarging its scope of authority and its stronger independence from the executive powers of the Union can, by all means, be evaluated positively. As regards the security of personal data, the practice, major directives and opinions of the Work Group under Article 29 have been examined. It is a significant step forward that the GDPR has made the sphere of special personal data more specific, promoting by this the increase of the extent of protection. It is important that, as a general rule, the Regulation forbids controlling special personal data. The definition of the concept of personal data is an essential condition for understanding the regulation. In addition to the principles of controlling personal data, the legal fundaments of data control have particular significance, with special regard to the consent and the data control necessary for performing the contract. In my view, the consent is a legal fundament of auxiliary nature for data control, which is also supported by the opinions of the Work Group, too. Granting the consent and the individual excluding circumstances occurring in connection with this, were examined on a case-by-case basis. In my opinion, the automated decision making process and the regulation of profile creation are one of the most cardinal issues of the GDPR. The way in which profiles are created, their use and the permissibility of such use are discussed in details. In my view, the regulation of the GDPR is deficient as regards the automated decision making process and the profile creation. The decision making necessary for performing the contract is not separated sharply enough, and it is not necessary for this. In my opinion, in respect of this latter sphere of cases the GDPR is not strict enough and may easily serve as a basis for misuse on the part of data controllers. In my view, granting the consent should be made stricter in respect of creating profiles and the introduction of the (contradictable) legal presumption of refusal would also be desirous.

Rapid technological developments and globalization have created new challenges in terms of the protection of Personal Data, requiring a solid and more coherent protection framework in the European Union (EU), and it was, without a doubt, one of the great novelties of the Regulation (EU) 2016/679 that came into force on May 25, 2018 (RGPD). This Regulation has introduced important changes on the protection of individuals in relation to the processing of personal data, imposing new obligations on citizens, companies and other private and public organizations. However, on the day it came into force, organizations were faced with four different types of maturity in their management systems: (1) Organizations that were not in compliance with the Regulation; (2) Organizations that initiated the compliance process; (3) Organizations in compliance with the Regulation; and (4) Organizations that, in addition to being in compliance, will be able to demonstrate it through the presentation of evidence and the practices implemented. On August 8, 2019, Law No. 58/2019 was published, which ensures the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679), regarding the protection of natural persons with regard to concerns the processing of personal data and the free movement of such data, where the National Data Protection Commission (CNPD) is designated as the national supervisory authority for the purposes of the GDPR. This new framework for the protection of personal data, the RGPD, forces a rethinking of the business model and requires organizations to adapt it to this new reality.KeywordsCanvasGeneral data protection regulation (GDPR)Personal data protection and privacy

BackgroundRapid technological advancements are reshaping the conduct of clinical research. Electronic informed consent (eIC) is one of these novel advancements, allowing to interactively convey research-related information to participants and obtain their consent. The COVID-19 pandemic highlighted the importance of establishing a digital, long-distance relationship between research participants and researchers. However, the regulatory landscape in the European Union (EU) is diverse, posing a legal challenge to implement eIC in clinical research. Therefore, this study takes the necessary steps forward by providing an overview of the current regulatory framework in the EU, relevant to eIC.MethodsWe reviewed and analyzed the key EU regulations, such as the EU General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR). We investigated the legality of eIC in several EU Member States, Switzerland, and the United Kingdom. To this end, we contacted the medicines agencies of various countries to clarify the national requirements related to the implementation and use of eIC in clinical research. Our research was complemented by comparing the legal acceptance of eIC between the EU and the United States.ResultsIn the EU, a distinction must be made between eIC for participation in clinical research and eIC for processing the participants’ personal data, complying respectively with requirements laid down by the CTR and the GDPR. On a national level, countries were classified into three groups: (1) countries accepting and regulating the use of eIC, (2) countries accepting the use of eIC without explicitly regulating it, and (3) countries not accepting the use of eIC. As a result, the regulation of eIC through laws and guidelines shows a large variety among EU Member States, while in the United States, it is harmonized through the Code of Federal Regulations.ConclusionVarious requirements must be considered when implementing eIC in clinical research. Nevertheless, requirements across the EU Member States may differ significantly, whereas, in the United States, efforts have already been made to achieve a harmonized approach.

One of the central concepts of the General Data Protection Regulation (GDPR) is the “data subject”. This notion in relation to the establishment of rights and obligations for controllers and processors becomes a common denominator in the implementation of this Regulation at the level of all Member States of the European Union. The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) was adopted, in order to protect the privacy of data subject, whether a parent, an young person or a child. However, starting with the title we can identify two different actions: to assure the protection of personal data and the free movement of this data within and outside the Union borders. In this context we must take the following into account: the reality of conceptual gaps in interpretation of this document; old or non-existent infrastructure; legislative bottlenecks and the risks involved in the protection of children’s data. Are parents, young people or children properly informed about their rights and the risks to which they are exposed in an era of digitalization? Can online school ensure the protection of children? Does the current infrastructure allow the optimal implementation of the General Data Protection Regulation? My research, in this context, has the aim of identifying gaps between information, infrastructure and the application of the GDPR, using the content analysis method and the questionnaire as a qualitative method of research. The expected results of this research are awareness by state institutions about the risks to which children are exposed in an era of digitalization and the awareness of the controllers about the obligation to ensure the protection of children’s data in the processing process.

Entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/ EC (General Data Protection Regulation) significantly changed the legal situation of information security administrators. The new institution is a data protection officer. The provisions of the regulation not only changed the name but also the requirements for the person who will perform it in the organization. The main task of the DPO is to provide expert support to the controller and the processor and to monitor compliance with the provisions on personal data protection in cooperation with the supervisory authorities. The importance of the DPO’s function has been strongly emphasized in recital 97 of the preamble to the GDPR. This means that the data protection officer is the person responsible for acting in accordance with the data processing regulations. The independence of DPO is guarantee by its correct placement in the structure of the controller’s organization. As regards the employment of a DPO, the legislator left employers a large dose of freedom. Acquiring specialists dealing in the personal data protection in the company is possible by selecting several options. We can deal with the employment of a stationary specialist or an external consultant. Due to the very wide competence of the DPO, the legislator also provided for the possibility of commissioning the inspector’s tasks to a group of people or a department or an external company.

The General Data Protection Regulation (hereinafter the GDPR) and the Danish Data Protection Act (hereinafter the DDPA) has been effective since 25 May 2018 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), see: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=ENG. The Danish Data Projection Act is available in English at https://www.datatilsynet.dk/media/6894/danish-data-protection-act.pdf.). However, the interpretation of the regulation still raises questions in Denmark. Thus, in this article, predictions of future case law are mainly based on the work of the Danish Ministry of Justice on adapting Danish law to the GDPR. This work resulted, among others, in a white paper encompassing more than 1000 pages, published on 24 May 2017 (White paper no. 1565, GDPR – and the legal framework of Danish legislation, available at: http://justitsministeriet.dk/nyt-og-presse/pressemeddelelser/2017/nye-regler-styrker-beskyttelsen-af-persondata-i-europa.). In Denmark, case law traditionally stays close to the evaluations and considerations set forth in such white papers and other preparatory works. The predictions must therefore be considered to be founded on a realistic and sound basis.It should be noted that, in accordance with the systematics of the GDPR, the right to be forgotten is in the following regarded as a right related to information which is correct, and otherwise handled legally. In connection to this distinction, reference is made to chapter II of the GDPR on the rights of the data subjects, section 3. This states that article 16 regulates the correction of inaccurate personal data, while article 17 establishes a right to erase correct personal data—and in the header’s brackets, reference is made to the “right to be forgotten”.

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) shall concern all those who process personal data of natural persons with regard to their professional, commercial and statutory activities. It was addressed to many industries, and as it is well known each industry is different, running an online store cannot be compared with the provision of health care or treatment. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation. The code of conduct is to provide the minimum requirements related to the protection of personal data in health care facilities that must be met in order to demonstrate compliance with the GDPR. The purpose of the code is, inter alia, the collection of the personal data, fulfilling the obligation to inform and the use of technical means to prevent personal data breach. Almost four years have passed since the application of the GDPR regulations and no code of conduct has been adopted for application, including the health protection. The GDPR applied without proper interpretation would make it impossible to conduct medical treatment which involve sensitive data processing. In the current legal situation is a patient provided with adequate protection?