The European Parliament proposal for the new EU General Data Protection Regulation may severely restrict European epidemiological research.

Abstract

In January 2012, the European Commission presented the draft of a new General Data Protection Regulation (GDPR) to the European Parliament and the Council of the European Union. The GDPR is planned to replace the 1995 Directive 95/46/EC, which constitutes the present European legal framework for processing of personal data. Hence, this new binding Regulation will lay the legal foundation for future European epidemiology based on personal data, including register-based research. The intentions behind the new GDPR are commendable: [1] to protect the fundamental rights and freedoms of individuals, in particular their right to protection of personal data, in a society where commercial enterprises and authorities have rapidly increasing capabilities to collect, store and combine personal information; and [2] to facilitate free movement of personal data within the European Union through a uniform legislation in all member states. The Commission’s proposal is being reviewed and amended independently by the Council of the European Union and the European Parliament. In the Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) was assigned the task of formulating the Parliament’s amendments. The first draft by the chairman of the Committee, Jan Philipp Albrecht, was criticized for insufficient consideration to the needs of epidemiological research. The proposed text threatened to restrict currently existing possibilities to produce scientific evidence based on European data analysis and, in turn, to impede efforts to improve public health and welfare in the union and elsewhere. In October 2013, after a long period of negotiations surrounded by intense lobbying efforts, the LIBE Committee voted on its final amendments to the Commission’s proposal [1]. Alas, although some improvements were noted, the overall outcome was largely disappointing from an epidemiological perspective. The main points are summarized in the following. The first Articles with specific relevance for scientific research are concerned with general principles (Article 5) and lawfulness (Article 6) of personal data processing. Article 5b lays down that personal data shall be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes (“purpose limitation”). This corresponds to an identical principle in the current 95/46/EC Directive. However, in Directive 95/46/EC there was an exemption for research, namely that further processing of data for historical, statistical or scientific purposes is not to be considered as incompatible with the original purpose as long as Member States provide appropriate safeguards. This exemption was omitted in LIBE’s amendments, dramatically reducing the scope for data sharing between research groups and severely restraining the use of retrospective (historic) cohort study designs. Such studies utilize old data collections with exposure information that was collected for other purposes than the current scientific research. Thus, hundreds of thousands person-years of follow-up may have accumulated already at the start of the retrospective cohort study, making it possible to immediately test important public health hypotheses that would otherwise take decades to address. A typical example is the study of long-term health effects of Swedish snus (snuff) in an already existing cohort of construction workers [2]. If taken literally, the omission of the exemption threatens to eliminate the possibility to use administrative registers for epidemiological research altogether.