Data protection in the European Union 2

Published on August 31, 2015   29 min
0:05
FEMALE SPEAKER: With regards to the processing of data, Article 9 has the general provision about the ban on processing of sensitive data however it also, like the directive, provides for several exceptions. And consent is one of these exceptions like in the directive. It is possible to process sensitive data if it's necessary for health purposes, and subject to conditions and safeguards referred to in Article 81, which means safeguards of confidentiality and security of data. And finally importantly for this talk, processing is necessary for scientific research purposes, subject to the conditions and safeguards referred to in Article 83. This is very interesting. I will focus on that, let me just shortly summarize the consent provisions.
1:02
The process of genetic data for example, and personal data, health data, is allowed with consent. However this consent has to be explicit, and it is the controller who will bear the burden of proof for data subject consent. So it's not for the individual, the data subject, to prove that they have given their consent, this is for the controller to do that. If there are some competing or cumulative purposes for processing, the purpose requiring consent requirement must be clearly distinguished, which might pose several problems for research which trickles down from other research which is a continuation from other research projects. And also the consent, which is important, shall not provide a legal basis for the processing, where there is significant imbalance between the position of data subject and controller. Which means if the controller has the power over the data subject to ask for the data, and this data subject has really no choice but to keep the data in order to obtain let's say health care or some treatment, consent given by the data subject might be questioned. However, again, ambiguous provisions don't really say much about the situations in which this would be so. I guess we have to say that this would have to be decided by courts on a case by case basis or by data protection authorities in each country.
2:39
Let's talk about the exceptions to the ban to process sensitive data for public interests. Article 83 is the most important provision from the perspective of medical research and scientific research. This has been widely discussed by the research community, so far by EU institutions and by member states. Therefore, like the whole regulation, it has been amended at different stages of the legislative process. I've mentioned that this process has taken several years. It has been a lengthy process and a complex process, in which many EU institutions and many lobby groups have been involved. Therefore there have been some changes to the original proposal by the Commission. Let's focus on article 83 and the text adopted first by the Commission. The Commission, in its original proposal of the regulation said that there is a general ban to the processing of sensitive data however there are some exceptions to that. It is possible to process data even without data subjects consent. And one of these purposes which we have to allow to happen, is the processing for scientific research. It is possible, according to the Commission, this processing could happen where if, only if, these purposes cannot be otherwise fulfilled by the processing of data, which does not permit or not any longer permit the identification of the data subject. The data subject could not be identified if the data are to be processed. The data enabling the attribution of the information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this matter. The key, the code, has been completely separate from the data. And also the Commission wanted to have the power to adopt delegated acts, for the purposes of further specifying the criteria and requirements for the processing of personal data for the purposes of scientific research, which would give the Commission quite extensive prerogatives in this matter.
Hide

Data protection in the European Union 2

Embed in course/own notes