Humanities and social science research contribute enormously to collective public knowledge and discussion. Such activity will almost invariably involve the processing of personal information and will, therefore, trigger the application of EU data protection law including the forthcoming General Data Protection Regulation (GDPR). This presentation argues that the GDPR’s default provisions – especially as regards the presumption of consent for sensitive data, data subject notification rules and strict discipline provisions – pose an acute threat to such activity. Moreover, whilst the research derogations (Art. 89) ameliorate a few of the issues, they are principally designed for work based on a highly structured, predetermined and largely fiduciary model such as is common in bio-medicine. As recognised by a wide variety of research organizations during debate on the GDPR (including the Wellcome Trust and UK Economic and Social Research Council), given that social/humanities scholarship is intrinsically linked to public knowledge and discussion, it should in fact benefit not just from these research derogations but also from the more permissive (but not absolute) derogations for free speech. The GDPR now recognises this by granting free speech protection for “academic expression” alongside that of journalism, literature and art (Art. 85 (2)). (N.B. These slides are based on a talk given at the University of Hong Kong “Positioning Privacy and Transparency in Data-intensive Research and Data-driven Regulation” on 8 November 2016.)
2. Outline of Talk
1. Overview of EU General Data Protection Regulation
2. GDPR Derogations for Research
3. Problems raised by its approach
4. Academic/Free Expression & General Derogations
5. Conclusions
3. EU General Data Protection Regulation (A. 1)
By default, GDPR regulates the “processing” of “personal information” with a view to:
• Protecting fundamental rights and freedoms &
• Ensuring free flow within safeguarded space.
4. EU GDPR: Default Substance
Personal Data Processing
DP Principles
• Fair, lawful, transparent
• Purpose quality & limits
• Information quality & limits
• Integrity & confidentiality
Legitimation
• Legitimating Criteria
Transparency & Control
• Proactive Direct
• Proactive Indirect
• Subject Access
• Control rights – RtbF, objection
Sensitive Data
• Criminal Data
• Other:
  • Political,
  • Religious,
  • Trade union
Discipline
• Security
• Record-keeping
• Data Export
• Joint Controller agreements
• Processor agreements
Supervision
• Courts
• DP Authorities
Subject to Applicable Derogations and Exceptions
5. GDPR Research Derogations: Scope (cf. A. 89)
Personal Data Processing
DP Principles
• Fair, lawful, transparent
• Purpose quality & limits
• Information quality & limits incl. time
• Integrity & confidentiality
Legitimation
• Legitimating Criteria
Transparency & Control
• Proactive Direct
• Proactive Indirect
• Subject Access
• Control Rights
  • RtbF
  • Objection
Sensitive Data
• Criminal Data
• Other:
  • Political,
  • Religious,
  • Trade union
Discipline
• Security
• Record-keeping
• Data Export
• Joint Controller agreements
• Processor agreements
Supervision
• Courts
• DP Authorities
6. GDPR Research Derogations: Conditions
Article 89 (General Conditions)
Focus especially on “data minimisation”
“Whenever these purposes can be fulfilled by further processing which does not permit or not any longer permit the identification of data subjects these purposes shall be fulfilled in this manner.”
Article 8 (2) (j) (Sensitive Data):
“suitable and specific measures to safeguard the fundamental rights and interests of the data subject.”
Article 89 (other optional derogations):
Application of provision must “render impossible or seriously impair” research purpose; derogation must be “necessary”
7. Ways SSH Challenge GDPR Research Prism
Personal data use:
• Ubiquitous
• Decentred & Individual
• May be messy
• May be specifically focused
• Generally not fiduciary
• May need non-transparent methods
8. Normative Reason why Free Expression Engaged
Social science & humanities (SSH) scholarship is orientated to making public information and ideas.
SSH ethic of rigour, culmination, precision, reflexivity etc. means publication should be “high value”.
Restricting SSH more than journalistic “infotainment” turns human right to free speech on its head.
“The quality of that knowledge depends crucially on free competition between the information providers. If what has traditionally been the most disinterested source of information, the universities, becomes systematically handicapped in that competition, then all citizens lose out.” (Dingwall, 2008)
9. Efforts to Protect SSH as Free Expression
UK Economic & Social Research Council Response (2013)
Wellcome Trust et al. Academic Research Perspective (2015)
N.B. I actively assisted in both these initiatives.
“A historian or social investigator working in an academic context should not be treated less favourably by the law than a historian or social investigator writing in a non-academic context … It is therefore essential that the work of academic social science researchers be brought within the ambit of Article 80 [now Article 85].”
“Freedom of expression … It is important that arts and humanities research should benefit from derogations because research in areas such as politics and history is unlikely to be compatible with the research model set out in Article 83 [now Article 89] and may not be permitted otherwise.”
10. GDPR Freedom of Expression (A. 85)
1. Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information ….
2. For the processing of personal data carried out for journalistic purposes or the purpose of academic, artistic or literary expression, Member States shall provide for exemptions or derogations … if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
3. Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 ….
• N.B. free expression clause (A. 85 (2)) is not an absolute exemption from DP but rather seeks to establish a necessary balance between equally fundamental rights.
11. GDPR General Derogations (A. 9 (g), 10 & 23):
Personal Data Processing
DP Principles
• Fair, lawful, transparent
• Purpose quality
• Information quality & limits
• Integrity & confidentiality
Legitimation
• Legitimating Criteria
Transparency & Control
• Proactive Direct
• Proactive Indirect
• Subject Access
• Control Rights
Sensitive Data
• Criminal Data
• Other:
  • Political,
  • Religious,
  • Trade union
Discipline
• Security
• Record-keeping
• Data Export
• Joint Controller agreements
• Processor agreements
Supervision
• Courts
• DP Authorities
12. Conclusions
1. Default provisions of GDPR at profound odds with nature of social science & humanities research.
2. Research derogations also don’t really fit this work.
3. The protection of “academic expression” as part of free expression offers a way forward.
4. Should certain activity in social science fall outside this then general derogations should be deployed alongside those specific to research (although won’t solve all issues).