Processing of personal data for research purposes

Part 1 – advantages and consequences

Private entities in the life sciences industry commonly process both sensitive and non-sensitive personal data within research and development for research purposes. Such research could be related to the development of new pharmaceuticals or medical devices, for example.

This two-article series will focus on some key legal aspects for life sciences companies when processing personal data for research purposes. In Part 1, we will discuss the term “research” from a legal perspective and explain what advantages a company may have, as well as what consequences there may be when processing personal data for research purposes. In Part 2, we will discuss processing of personal data in clinical trials. 

Scientific research under the GDPR
Processing of personal data for “scientific research purposes” under the General Data Protection Regulation (“GDPR”) involves a number of advantages for a data controller compared to what applies to other processing activities. However, the GDPR does not provide a definition of the term “scientific research”.

The GDPR provides a few examples of what could be considered scientific research, including that it shall be interpreted “in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”. It is also stated that scientific research purposes should include studies conducted in the public interest in the area of public health.

Furthermore, the GDPR refers to the Treaty on the Functioning of the European Union. The referenced article promotes the European Union’s objective of “strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely, and encouraging it to become more competitive, including in its industry”.

Even though it is stated in the GDPR that the term scientific research shall be interpreted broadly, the European Data Protection Board (“EDPB”) (former WP29), in its Guidelines on consent under Regulation 2016/679, stresses that the wording in the GDPR may not be stretched beyond its common meaning. The EDPB further considers the term scientific research to mean “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”.

In our opinion, after discussing the above with professionals working in research and development, the EDPB’s statement still does not give clear guidance, as this could include a wide range of research and development projects.

Research as defined in the Swedish Ethical Review Act
The Swedish Act concerning Ethical Review of Research Involving Humans (Sw. Lag [2003:460] om etikprövning av forskning som avser människor) (the “Ethical Review Act”) is inter alia applicable when research involves sensitive personal data (e.g. personal data about an individual’s health condition), personal data regarding criminal offences and/or is carried out according to a method that aims to influence the research person physically or mentally.

The term “research” is defined in Section 2 of the Ethical Review Act as the following:

“Research: Scientifically experimental or theoretical work intended to result in new knowledge and development outcomes on a scientific basis, excluding work that is performed within the framework of higher education on the basic or advanced level.”

The above definition is further explained in the government bill of the Ethical Review Act.  It states that by emphasizing a scientific approach when acquiring new knowledge as well as in development work, research is distinguished from other activities that may be similar in nature, such as work to secure quality, follow-up on performances or journalistic work. The bill also explains that the term “scientific” refers to a knowledge methodology, where knowledge is systemized and structured, through use of development theory and methodological tools.

Several decisions from the Swedish Ethical Review Authority (Sw. Etikprövningsmyndigheten) (former Central Ethical Review Board) emphasize that a high level of scientific approach is required in order to consider work to be research. Furthermore, it has inter alia been taken into account in the decisions whether the research will be conducted by researcher(s) and/or if the results of the research will be made available to the public, e.g. by publishing the results in scientific journals.

The interplay between research in the Ethical Review Act and scientific research in the GDPR
There is no direct relationship between the definition of “research” in the Ethical Review Act and the use of “scientific research” in the GDPR.  Since the Ethical Review Act is a national legislation, it does not influence the meaning of the terminology used in the GDPR. Until further guidance on the interpretation of scientific research under the GDPR is available, research as defined in the Ethical Review Act may however – at least from a Swedish perspective and in relation to the Swedish Data Protection Authority – provide guidance on what can be considered scientific research in the GDPR.

In our opinion, it is not possible to conclude that the definition of “research” under the Ethical Review Act is applicable with regard to how the term scientific research shall be interpreted in the GDPR. It could however be argued that if the Ethical Review Act applies, research involving processing of personal data performed by a company should also fall within the scope of scientific research under the GDPR. However, since scientific research in the GDPR shall be interpreted in a broad manner including e.g. technological development, this implies that the scope of the term scientific research is broader compared to research as defined in the Ethical Review Act (see picture below).

Scientific research

In light of the above, it could be advantageous for companies that conduct research to fall within the scope of “scientific research” under the GDPR, but outside of the scope of “research” under the Ethical Review Act. This could be the case e.g. for medical device companies when processing personal data within their research and development, without being subject to the Ethical Review Act.

The advantages under the GDPR inter alia include opportunities for a data controller to derogate from certain obligations as listed in the following table.

Advantages

Consequences
When a company processes personal data for scientific research purposes under the GDPR, there is a risk that the processing will be subject to the Ethical Review Act. If a company’s planned research falls within the scope of the Ethical Review Act, the company will have to seek approval from the Swedish Ethical Review Authority (Sw. Etikprövningsmyndigheten) in relation to each research project. The fee for submitting an application is at present either SEK 5,000 or SEK 16,000 depending on the number of research organisations involved.  After an application for approval has been filed, a decision will normally be reached by the Swedish Ethical Review Authority within 60 days. Awaiting approval could of course delay a research project, and consequently the release of a product and/or service onto the market.

To determine if a company may be subject to any of the above stated advantages and/or consequences, it is necessary that the company makes its own  assessment of its processing of personal data, on what legal basis the processing may be based as well as whether or not the Ethical Review Act applies. As mentioned in the beginning of this article, Part 2 of this article series will focus on what legal basis a company may base its processing of personal data when performing clinical trials.