Data Protection, Scientific Research, and the Role of Information

Abstract

This paper aims to critically assess the information duties set out in the General Data Protection Regulation (GDPR) and national adaptations when the purpose of processing is research. Due to the peculiarities of the legal regime applicable to the context information about the processing plays a crucial role for data subjects. However, the analysis points out that the information obligations, or mandated disclosures, introduced in the GDPR are not entirely satisfying and present some flaws. In addition, the GDPR information duties risk suffering from the same shortcomings usually addressed in the literature about mandated disclosures. The paper argues that the principle of transparency, developed as a “user-centric” concept, can support the adoption of solutions that embed behavioural insights to support the rationale of the information provision better. This article is structured as follows. A preliminary issue to untangle is the definition of scientific research under the GDPR: what kinds of activities fall under this notion? What are the differences from neighbouring concepts, such as statistical purposes? (Section 2). Once the boundaries of the concept of are clarified the applicable legal regime will be reconstructed. As will be shown in Section 3 the GDPR establishes a framework particularly favourable for purposes. Such processing can benefit from some exceptions to data protection principles and derogations to data subjects' rights. However, this special regime comes with a set of obligations. Data controllers, in particular, have to set up appropriate measures and safeguards to protect the rights and freedoms of individuals. How these safeguards look is not an entirely clear matter in either the GDPR or national adaptations. Section 4 will complete the analysis of the legal regime by investigating the lawful basis that can legitimise processing for purposes. As the analysis will show, on the one hand data subjects’ consent is not always necessary for processing. On the other hand, can open the door to secondary uses and indefinite retention of personal data originally collected for other purposes. Therefore, information duties established at Articles 13 and 14 GDPR remain a fundamental tool for data subjects to exert some form of control over their data. However, mandated disclosures are a policy instrument that has been highly criticised in the literature. In particular, they are unable to preserve the autonomy of the data subject for several reasons: people are decision-averse, data subjects suffer from a certain degree of illiteracy and innumeracy, readers are unable to cope with the overload and accumulation problem, and cognitive biases and heuristics interfere - often in unpredictable ways – in the decision-making process of individuals. In Section 5 such criticisms will be addressed and contextualised within the framework of the GDPR. In particular, identification of potential shortcomings will be used to pave the way for possible interventions to effectively and dynamically inform data subjects. Such solutions, coupled with the controller’s accountability duties, can help shape the abstract principle of transparency in practice and promote the data subject’s informationelle Selbstbestimmung.