
To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices?

Published online by Cambridge University Press: 01 January 2021

Abstract

In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to “citizen scientist”-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data for research purposes, including by these non-traditional researchers.

Type: Symposium Articles
Copyright © American Society of Law, Medicine and Ethics 2020

