The right to privacy has usually been considered as the most prominent fundamental right to protect in data-intensive (Big Data) health research. Within the European Union (
Over the last decade, technical possibilities for collecting, re-using and linking data related to individuals have increased tremendously. Moreover, data sharing for health research purposes is increasingly being presented as an ethical and scientific imperative.1 The effectiveness of certain traditional approaches that govern the use of data in health research is, however, decreasing in the era of Big Data. It has been indicated that a strict ‘consent or anonymise approach’ neither sufficiently allows for progress in data-intensive health research, nor adequately protects individual rights and interests.2 In addition, the large-scale re-use of data is difficult to reconcile with certain data protection principles, such as purpose limitation and data minimisation.3 The current debate is about what form laws and information governance — consisting of organisational and technical measures — should take to allow for progress in data-intensive health research while effectively protecting fundamental rights and other morally relevant interests.
This debate usually revolves around the right to respect for private life (hereafter: the right to privacy) as the key fundamental right to protect. Within the
It largely remains unclear what this shift from the right to privacy to the right to data protection in the
2 A Right to Data Protection in the Charter of Fundamental Rights of the
This way of framing data protection norms in the Charter, the jurisprudence of the
Furthermore, it should be taken into consideration that the Charter, in itself, is different from traditional human rights instruments, such as the
3 How Data Protection Differs from Privacy
At first glance, it seems like the right to data protection has dethroned the right to privacy as the key fundamental right to protect, according to Article 1(2) of the
3.1 Individual Rights Decoupled from Privacy
Firstly, both the scope and the substance of the individual rights guaranteed by the right to data protection differ from those based on the right to privacy. It is the mere processing of personal data that allows data subjects to invoke their rights based on the right to data protection. The definitions of ‘personal data’ and ‘processing’ are broad. According to Article 4 sub 1 and 2 of the
In addition to the difference in scope, the substantive protection offered by the right to privacy and the right to data protection also differs. This is illustrated by the confirmation of the ECtHR that the right to privacy does not guarantee a general right of access by the data subject to his own personal data.21 This is in contrast to the right to data protection, which explicitly guarantees such a right of access in the abstract, irrespective of whether there is an interference with the right to privacy. Some, however, argue that the ECtHR is currently moving towards the introduction of a more general right of access, based on the right to privacy.22 This growing willingness of the ECtHR to recognise more general rights, based on the right to privacy, makes it increasingly difficult to discern a distinction between the substantive protection offered by both rights. Differences between the substantive protection offered by the right to data protection and the right to privacy do nevertheless remain.23 These differences may be related to the dissimilar background of the right to data protection, which is also designed to protect non-privacy related interests.
3.2 A More Positive Approach
A second difference is that the right to data protection has been designed as a largely positive obligation of the
Today, positive obligations related to data-processing activities of private sector entities are nevertheless also inferred from the right to privacy. The ECtHR confirmed that states may be required to adopt measures designed to secure respect for the right to privacy, “even in the sphere of the relations of individuals between themselves”.26 These positive obligations based on the right to privacy do, however, suffer from a number of limitations. One of these limitations is that the concrete positive obligations stemming from the right to privacy are always linked to particular circumstances. This is because what constitutes these positive obligations is predominantly determined by the ECtHR on a case-by-case basis. These cases do not provide a basis for the more general positive obligations as guaranteed by the right to data protection.27
The right to data protection therefore complements the positive obligations inferred from the right to privacy with explicit positive obligations that are of a more abstract nature. Consequently, the somewhat blurred distinction between privacy as an essentially negative obligation and data protection as a largely positive obligation is still relevant.
3.3 A More Comprehensive and Systematic Approach
A third difference is that the right to data protection rests on a more comprehensive and systematic approach, one beyond individual rights. Article 8 of the Charter guarantees a comprehensive system of data protection norms and explicitly confirms that the principles of fair and lawful processing, purpose specification and limitation, and the requirement of independent supervision are key elements of this system. In addition, data security — consisting of technical and organisational measures to prevent the accidental loss, alteration or unlawful destruction of the data — was referred to by the
The extent to which the right to privacy could embrace similar data protection requirements, however, remains a complicated matter, since the recognition of data protection norms based on the right to privacy is on a case-by-case basis. Although data security is, for instance, not regarded as an essential element of the right to privacy,30 a lack of security measures could result in a violation of the right to privacy, especially when it concerns sensitive health information.31 Nevertheless, the right to privacy is not considered to be of a nature to include independent supervision, data security or data quality requirements as its core elements. In other words, the right to privacy does not guarantee a comprehensive system of data protection norms similar to that guaranteed by Article 8 of the Charter.
4 Relevance to Data-intensive Health Research
In the coming years, the
4.1 The Impact of Individual Rights
The individual rights rooted in Article 8 of the Charter could have a significant impact on data-intensive health research. Even though the right to data protection guarantees a system of data protection beyond individual rights, the individual rights of data subjects are still an essential element of this system. This may be why the allowed derogations from some of the individual rights in the
A negative impact of these individual rights on data-intensive health research may nevertheless be reduced by taking them into account throughout the process of engineering information systems and shaping information governance. Those responsible for Big Data infrastructures and projects know beforehand which rights data subjects could invoke. This is due to the decoupling of the scope of individual rights of data subjects from an interference with the right to privacy, which results in more legal certainty. Implementing technical and organisational measures to ensure that data subjects can invoke their rights and that data-protection principles are implemented is not a mere opportunity for data controllers. It is also a legal obligation laid down in Article 25 of the
4.2 Safeguards beyond Individual Rights and Consent
The more positive and comprehensive approach required by the right to data protection is of great importance to allow progress in data-intensive health research in a responsible way. The key strength of the system of data protection is that it does not merely rely on strengthening individual rights or consent requirements to protect and balance relevant rights and interests.
After all, individuals are often no longer able to make meaningful decisions about the use of their personal data, as a consequence of the rapidly increasing scale and complexity of data-intensive health research.32 Although efforts are made to enhance the exercise of individual control in health research by the use of online portals and engaging individuals as active participants,33 it must be recognised that individuals can only selectively choose to be engaged. ‘Broad consent’ models, as referred to in Recital 33 of the
By way of contrast, the effectiveness of data protection law in regulating data-intensive health research has also been criticised. Some scholars have argued that the term personal data is poorly defined and have raised questions about what data or communications should be protected by law.40 Others have suggested that the limits of the law should be recognised and the strengths of soft law options such as ethical guidance or professional codes should be more appreciated.41 In their view, data protection law should provide for sufficiently open norms to allow for soft law instruments, such as the international governance frameworks that are currently being developed.42 The
Nonetheless, Article 89(1) of the
Although the rights to privacy and data protection are closely related, they should not be considered as identical. The right to data protection adds a crucial layer of protection beyond essentially negative obligations, individual rights based on the right to privacy, and consent requirements. It aims to complement the right to privacy by positively guaranteeing a more comprehensive and harmonised system of data protection norms, which are relatively easy to enforce and comply with.
Within the context of data-intensive health research, such a comprehensive system of data protection should be considered to serve two functions in particular. Firstly, the aim is to provide effective overarching safeguards that secure the rights and interests of individuals, irrespective of whether the personal data processing is grounded on consent or any other legal basis. After all, merely adhering to the principle of lawfulness is never sufficient to respect the right to data protection. Secondly, such a system of data protection arranges for specific safeguards when it is necessary and proportional to derogate from consent requirements or certain individual rights. These specific safeguards are also essential to allow for the re-use of personal data in data-intensive health research, without taking heed of the principle of purpose limitation. The overarching safeguards should, amongst other things, include requirements of accountability subject to independent oversight, transparency towards data subjects and the public, measures ensuring that data subjects can invoke their rights, and data security. The issue of which specific safeguards should be provided for by law with regard to data-intensive health research remains unclear and deserves further study. After all, these specific safeguards should compensate for the loss of individual control as a result of the exceptions from individual rights and consent requirements for health research purposes.
At the same time, the limits of data protection law should be recognised. Relying on the distinction between personal and non-personal data to protect privacy and other relevant rights and interests might prove to be inadequate. In addition, inflexible or static data protection laws could hamper the development of suitable information governance frameworks on the national or international scale, in which the myriad of ethical, legal, social and professional norms need to be reconciled.
B.M. Knoppers, J.R. Harris, I. Budin-Ljøsne and E.S. Dove, ‘A human rights approach to an international code of conduct for genomic and clinical data sharing’, Human Genetics 133(7) (2014) 895-903.
M. Mostert, A.L. Bredenoord, M.C.I.H. Biesaart and J.J.M. van Delden, ‘Big Data in medical research and EU data protection law: challenges to the consent or anonymise approach’, European Journal of Human Genetics 24(7) (2016) 956-960; Nuffield Council on Bioethics, ‘The collection, linking and use of data in biomedical research and health care: ethical issues’, February 2015, online at http://nuffieldbioethics.org/project/biological-health-data/, retrieved 20 January 2017.
B. Custers and H. Uršič, ‘Big data and data reuse: a taxonomy of data reuse for balancing big data benefits and personal data protection’, International Data Privacy Law 6(1) (2016) 4-15.
G.G. Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Dordrecht: Springer, 2014) doi:10.1007/978-3-319-05023-2.
M. Tzanou, ‘Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right’, International Data Privacy Law 3(2) (2013) 88-99; O. Lynskey, ‘Deconstructing data protection: the ‘Added-value’ of a right to data protection in the EU legal order’, International and Comparative Law Quarterly 63(3) (2014) 569-597.
Fuster, supra note 4.
P. Hustinx, ‘EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation’, September 2014, online at https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf, retrieved 20 January 2017; J. Kokott and C. Sobotta, ‘The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR’, International Data Privacy Law 3(4) (2013) 222-228.
Fuster, supra note 4.
ECtHR, Khelili v. Switzerland, App no. 16188/07 (18 October 2011).
S. Douglas-Scott, ‘The European Union and Human Rights after the Treaty of Lisbon’, Human Rights Law Review 11(4) (2011) 645-682.
Convention Praesidium, ‘Explanations Relating to the Charter of Fundamental Rights of the European Union, Brussels’, 11 October 2000, CHARTE 4473/00, CONVENT 49.
Kokott and Sobotta, supra note 7; R. Gellert and S. Gutwirth, ‘The legal construction of privacy and data protection’, Computer Law & Security Review 29(5) (2013) 522-530.
Lynskey, supra note 5.
See, among others: Kokott and Sobotta, supra note 7; Fuster, supra note 4; Hustinx, supra note 7; R. Gellert and S. Gutwirth, ‘The legal construction of privacy and data protection’, Computer Law & Security Review 29(5) (2013) 522-530; P. de Hert and S. Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxembourg: Constitutionalism in Action’, in: S. Gutwirth et al. (eds.), Reinventing Data Protection? (New York: Springer, 2009) pp. 3-43.
Additionally, see recital 26 of the
See, among others: Hustinx, supra note 7, p. 5; De Hert and Gutwirth, supra note 15, pp. 9-10.
Kokott and Sobotta, supra note 7; Lynskey, supra note 5.
ECtHR, Gaskin v. United Kingdom, App no. 10454/83 (7 July 1989).
Lynskey, supra note 5.
Hustinx, supra note 7; Lynskey, ibid.
B. van der Sloot, ‘Privacy as human flourishing: Could a shift towards virtue ethics strengthen privacy protection in the age of Big Data?’, Journal of Intellectual Property, Information Technology and Electronic Commerce Law 5(3) (2014) 230-244.
ECtHR, Hämäläinen v. Finland, App no. 37359/09 (16 July 2014).
ECtHR, X and Y v. the Netherlands, App no. 8978/80 (26 March 1985).
Hustinx, supra note 7.
P. de Hert and S. Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxembourg: Constitutionalism in Action’, in: Gutwirth et al. (eds.), supra note 15, pp. 9-10.
De Hert and Gutwirth, supra note 29.
See: I. v. Finland, App no. 20511/03 (17 July 2008).
Mostert, supra note 2.
J. Kaye et al., ‘Dynamic consent: a patient interface for twenty-first century research networks’, European Journal of Human Genetics 23 (2015) 141-146.
See: supra notes 2 and 3; C.T. Di Iorio, F. Carinci and J. Oderkirk, ‘Health research and systems’ governance are at risk: should the right to data protection override health?’, Journal of Medical Ethics 40(7) (2014) 488-492.
For an overview of these derogations see: The Wellcome Trust, ‘Analysis: Research and the General Data Protection Regulation’, July 2016, online at https://wellcome.ac.uk/sites/default/files/new-data-protection-regulation-key-clauses-wellcome-jul16.pdf, retrieved 20 January 2017.
See: Article 89(1) of the
See: recital 157 of the
The Wellcome Trust, ‘Implementing the General Data Protection Regulation [2016/679] to maintain a competitive environment for research in Europe’, September 2016, online at http://www.scienceeurope.org/wp-content/uploads/2016/10/EU-GDPR-implementation-Sep-2016.pdf, retrieved 20 January 2017.
E.S. Dove, B. Thompson and B.M. Knoppers, ‘A step forward for data protection and biomedical research’, The Lancet 387(10026) (2016) 1374-1375.
O. O’Neill, ‘Can Data Protection Secure Personal Privacy?’, in: T.S. Kaan, C.W. Ho (eds.), Genetic Privacy (London: Imperial College Press, 2013) pp. 25-40.
G.T. Laurie and N. Sethi, ‘Delivering proportionate governance in the era of eHealth: Making linkage and privacy work together’, Medical Law International 13(2-3) (2013) 168-204.
B.M. Knoppers, ‘Framework for responsible sharing of genomic and health-related data’, The Hugo Journal 8 (2014) 3.