Scientific research and privacy: European limits are sufficient. Why is Italy trying to go further?

28/05/2018

The European Regulation that became applicable on May 25 radically transforms the processing of data and represents, in all likelihood, the most advanced regulatory structure at international level. Its ambitious goal is to combine data protection on one side with economic and technological development, on the other side. So why do Italian patients need to be protected more than other patients, as the draft decree implementing the EU Regulation in Italy seems to want to do?

On 25 April the European Commission presented a series of new proposals to facilitate the use of data within the EU. The stated objective is to support the data economy (according to the projects of COM 2017-9 of 10 January 2017, "Building a data economy"), which is necessary for market growth, job creation (in particular in SMEs and start-ups) and technology development.

On the same day, the Commission issued a new Communication relating to digital health projects: the COM (2018) 233 final on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society.

The three key points are the ability of citizens to share their data across national borders; the use of data to promote research, prevention and personalized medicine; and the development of digital tools for citizen empowerment and people-centered healthcare.

All measures are based on full and proper implementation of the new EU Reg. 2016/679 (so-called GDPR or General Data Protection Regulation) which will become fully effective on May 25th. Now, these Community objectives might be hindered in Italy due to legislative choices that seem to result from the draft decree implementing the GDPR, which is yet to become final.

In particular, many doubts arise in relation to the choices concerning the use of data in the field of research. There is no doubt that the GDPR, while maintaining a high level of data security, seems to want to encourage the use of data in this area.

In fact:

- Article 5 letter b) states - without distinguishing between personal and sensitive data - that processing for research purposes is compatible with the initial purpose for which the data were collected (so-called secondary use), on the sole condition that the requirements of art. 89 paragraph 1 are applied;

- Article 9 letter j) provides for the possibility to process such data without the consent of the data subject, on condition that art. 89 is complied with;

- Article 89 establishes that processing for scientific or historical research purposes is subject to appropriate safeguards for the rights and freedoms of the data subject. These safeguards ensure that technical and organizational measures have been set up, in particular to ensure compliance with the principle of data minimization. Such measures may include pseudonymisation.

In short, in accordance with the new EU Reg. 2016/679 the controller that processes data (and sensitive data as well) for scientific research purposes:

  1. must ensure adequate safeguards for the data subjects’ rights and freedoms are set in place,

  2. these guarantees imply that technical and organizational measures have been implemented,

  3. among the measures, compliance with the principle of data minimization is particularly important,

  4. such measures may include pseudonymisation,

  5. where possible it is necessary to proceed to the full anonymisation of the data,

  6. the consent of the data subject is not required. 

The Italian draft decree is, however, stricter. In addition to the requirement to inform the data subject (Article 71), a general obligation to obtain the interested party’s consent is expressly provided for (Article 73). In medical research, the requirement of consent may be eliminated in only two cases:

  1. when the research is carried out on the basis of national or community laws or regulations. However, in this case, an Impact Assessment pursuant to Article 35 GDPR must be carried out;

  2. when it is not possible to provide information to the data subject and when obtaining consent would imply a disproportionate effort. In this case, however, the data controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, the research program must receive the favorable opinion of the competent ethical committee at the territorial level, as well as the authorization by the Data Protection Authority. At the very least, the research must be submitted for prior consultation to the Data Protection Authority in accordance with Article 36 of the GDPR.

Furthermore, Article 77 of the draft decree - referring to Article 110a of the Privacy Code introduced by the recent law 167/2017 - regulates the re-use of data (a provision that is not regulated by the GDPR). It establishes that where it is not possible to inform data subjects and obtain consent, it will be possible to re-use the data with prior authorization by the Privacy Guarantor, who will define appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, in accordance with Article 89 of the GDPR. It must be noted, however, that genetic data may not be re-used.

There is no doubt that the complex framework summarized above and contained in the draft decree is based on Article 9 paragraph 4 of the GDPR, which legitimises Member States to introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.

So the national legislature, if it considers it appropriate, can set a stricter limit than the GDPR with regard to the processing of data for research purposes.

But the real question is the following: is it really necessary to introduce a framework that is so complex and limiting? The GDPR radically transforms the processing of data and represents, in all likelihood, the most advanced regulatory structure at international level. The ambitious goal is to combine data protection on one side, with economic and technological development, on the other.

Recital 4 of the GDPR well represents this new approach by stating that: "The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality."

So the intention is not only to protect data, but to find a balance between protection and use of data for social purposes, where research undoubtedly plays a major role.

So are we really sure that the framework set by the GDPR is not sufficient to protect data, leaving more space for Italian research? This question takes into account the other Member States as well: in fact, even though we still do not know how all of them adjusted to the GDPR, it seems possible that they merely incorporated the GDPR without introducing other limitations on this point. 

At this point a question arises: are we really sure that Italian patients should be protected "more" than other European patients? Are we also sure that research in Italy will not be excessively hindered because of this limiting provision?