I. Research under US Data Protection Laws

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA), lays down rules for the protection of health information, specifically addressing the use and disclosure of such information for research purposes.Footnote ⁴⁷ It lays down only a very general framework for the protection of patients’ personal data, however, deferring to State laws for the definition of more specific standards. This creates a mosaic of privacy regulations disparately addressing privacy concerns and creating a substantial regulatory hurdle to data sharing among relevant stakeholders.Footnote ⁴⁸

HIPAA defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”Footnote ⁴⁹ It provides that health information can be processed for research purposes without the data subject’s authorization only when there is a documented waiver approved by an Institutional Review Board (IRB) or Privacy BoardFootnote ⁵⁰ of the covered entity making the disclosure, the receiving entity, or an independent board.Footnote ⁵¹

Under HIPAA, in the absence of the institutional waiver, the processing of data for research purposes requires data subjects’ authorization.Footnote ⁵² In this case, HIPAA encourages the adoption of “data use agreements” on the processing of certain kinds of health information, which although not fully de-identified has been subject to the removal of certain direct identifiers.Footnote ⁵³ Ultimately, HIPAA establishes a data subjects’ right to receive an accounting for personal information that has been disclosed by covered entities for research purposes over the last six years.Footnote ⁵⁴ This obliges the same covered entities to accurately document disclosures for research purposes in a way not dissimilar to what requires the accountability principle under the GDPR but in a more burdensome way because it is operated in a less structured environment to gather evidence and keep track of the various data flows.

Additional restrictions to the processing of personal data for research purposes, specifically regarding personal data regarding children, are provided by the U.S. Children’s Online Privacy Protection Act (COPPA), which establishes the requirement of consent from the parents of the interested children limited to the collection and use of children’s personal information for research purposes, but excludes the possibility of consent for the disclosure to third parties of such information for the same purposes.Footnote ⁵⁵

The recently enacted California Consumer Privacy Act,Footnote ⁵⁶ although only binding at the State level, is important for its intended natural leading role across the country and globally. The CCPA narrowly defines and circumscribes the notion of research only to public-interest oriented research activities, that is “scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health ….”Footnote ⁵⁷ The Act further states that “personal information that may have been collected from a consumer in the course of a consumer’s interaction with a business’s service or device for other purposes” can be processed for research purposes, provided certain conditions are met. These conditions include the required compatibility of the research purposes with the business purposes for which the information was collected, the implementation of technical safeguards obstructing the reidentification of consumers, and the pseudonymization or deidentification of such information are envisaged.Footnote ⁵⁸

The CCPA excludes from the scope of research-oriented processing those activities serving commercial purposes,Footnote ⁵⁹ defined as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes”Footnote ⁶⁰ in order “to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.”Footnote ⁶¹ The California data protection law thus provides an objective-based definition of commercial-oriented research, which is based on the nature of the satisfied interest, rather than on the nature of the involved research entities. This objective interpretation of the notion of research under the CCPA helps clarify why the Act still considers as research those activities that are conducted in the realm of the “business purpose,” defined as the use of personal information “for certain operational purposes or other notified purposes” including “undertaking internal research for technological development and demonstration.”Footnote ⁶² In this way the CCPA still allows for non-commercial oriented research conducted by businesses.

When it comes to the processing of personal data for research purposes, the CCPA allows for a derogation to data subjects’ right to have their personal information deleted.Footnote ⁶³ The same regulation nonetheless envisages additional obligations onto controllers when it comes to the “sale” of personal information for research purposes.Footnote ⁶⁴

Against the backdrop of this brief overview of U.S. data protection provisions about research, it emerges that HIPAA does not appear to take into consideration the distinction between different types of research, such as for profit and public interest-oriented research. A different approach in this perspective has been conversely adopted by the California Consumer Privacy Act, which cuts off from the notion of research those processing activities that directly target a commercial interest. As has been observed in the literature,Footnote ⁶⁵ however, by including in the business purpose research activities for internal “development and demonstration,” the Act opens up to substantial ambiguities regarding what is to be considered research conducted for “business purposes,” and research which serves a purely commercial and economic interest and cannot, according to the cited provisions, be included within the CCPA’s notion of research and corresponding data protection rules. Although more privacy preserving, this regulatory option may block potentially innovative research projects, as the ones involving private players and thus commercial research.

Overall, although the analyzed regulations provide some allowances to processing activities for research purposes, as it occurs with the derogation to data subjects’ right to deletion provided by the CCPA, they nonetheless establish significant burdens onto controllers engaging in research endeavors, such as the need to have a waiver approved by an institutional board under HIPAA or the requirement of technical safeguards and the enactment of pseudonymization techniques under the CCPA. These considerations suggest that while being subject to an alternative set of data protection rules, processing activities conducted for research purposes do not enjoy a much more favorable data protection regime under US data protection laws especially when compared to the differential regimes emerging in the GDPR.

II. Research under EU Laws and the General Data Protection Regulation

Research objectives through data re-usability have been very recently given primary importance within the European Commission’s Strategy for data, which in the aim of creating and consolidating a single market for data, stresses the need to enhance the re-usability of public data also by businessesFootnote ⁶⁶ and of private data by public institutions, for either public interest related research purposes and commercially-oriented innovation purposes.Footnote ⁶⁷ In particular, the Strategy acknowledges the relevance of the use of private data for the public good, thus also for public-interest related purposes.Footnote ⁶⁸

It thus appears that at European policy level, a new principle of free movement of research data is emerging, encompassing 1) public data employed for public interest-related research purposes, 2) public data employed for commercial-related research purposes, 3) private data employed for public-interest related research purposes, and ultimately, 4) private data employed for commercial-related research and innovation purposes.

This principle is differently substantiated at the European regulatory level. For example, in the Recommendation on access to and preservation of scientific research and in the Open Data Directive research and scientific innovation objectives are directly promoted through the establishment of facilitated accessibility regimes regarding public data. The notion of research as shaped by these two frameworks resides on the paradigms of open science and open access.Footnote ⁶⁹ It is restricted to publicly-funded research,Footnote ⁷⁰ and is primarily linked to public interest purposes. Nonetheless, under both frameworks the re-usability of research data is envisaged also for research carried out for commercial purposes.Footnote ⁷¹ As we shall see, this policy baseline is fully coherent with the differential regimes provided for by the GDPR which the Open Data Directive expressly declares to abide to under Article 1(4).

Similarly focusing on publicly funded research, also in the Copyright Directive, recital 12 excludes from the notion of “research organizations” and thus from the correspondent research-enabling regime “organizations upon which commercial undertakings have a decisive influence allowing such undertakings to exercise control because of structural situations, such as through their quality of shareholder or member, which could result in preferential access to the results of the research.”Footnote ⁷² Based on such subjective definition, however, contrary to the Recommendation or the Open Data Directive, the Copyright Directive appears to implicitly draw a distinction between not-for-profit and public interest-oriented research entities, on the one hand, and organizations operating for commercial purposes on the other.

The Copyright Directive example illustrates that the categorizations and definitions of research at European level are far from being settled or harmonized as well.Footnote ⁷³ However, in this context, European data protection law takes a distinctive position.Footnote ⁷⁴ Research has a particularly important role within the General Data Protection Regulation, which overtly aims to facilitate research carried out over personal data.Footnote ⁷⁵

At a general level, recital 159 GDPR suggests that scientific research “should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research.”Footnote ⁷⁶ Under the interpretation suggested by the cited recital, scientific research for the purposes of European data protection law encompasses research activities conducted by both public and private stakeholders, or more generally funded by public or private resources.Footnote ⁷⁷ This multifaceted definition of scientific research has recently been welcomed by the German Data Ethics Commission, which includes both publicly and privately funded research, as well as commercially-oriented research such as product development and enhancement, in its definition of “research.”Footnote ⁷⁸

A wide notion of research, similar to the one provided by the GDPR, encompassing both privately and publicly funded investigations has also been adopted by the recently issued proposal for a Data Governance Act, which stated that “scientific research, including for example technological development and demonstration, fundamental research, applied research and privately-funded research, should be considered as well purposes of general interest.”Footnote ⁷⁹

In this perspective, the GDPR leads an approach different from the one taken by the described US data protection regulations, which have equally provided research-enabling data protection regimes.

The GDPR welcomes a more inclusive notion of research and the scope of applicability of the correspondent data protection regime is thus of broader reach. To this end, the German Data Ethics Commission has underlined the opportunity to exploit to the maximum the research privileges existing under European data protection law, as well as the need to consider research as a “particularly valuable good” when compared with other competing interests.Footnote ⁸⁰

I. The Data Subject-Oriented Regimes: Consent under Article 9(2)(a) and 9(2)(e) GDPR

Just as the prohibition of processing under Article 9(1) GDPR, the first category of data protection regimes for the processing of special categories of data under Article 9(2) GDPR is to be directly contextualized in the individual fundamental rights’ dimension of the General Data Protection Regulation. It comprises legitimate bases for processing, which are directly based upon the protection of data subjects’ fundamental rights as the right to informational self-determination through consent.

Article 9(2)(a) and 9(2)(e) GDPR respectively allow the processing of special categories of data, provided data subject’s consent is given and in case the data are made “manifestly public” by the data subject. In both cases the data subject is given the autonomy of choice over the processing of their sensitive personal data, thus directly exercising their right to informational self-determination.

Under Article 9(2)(a) GDPR, the given consentFootnote ⁹⁵ needs to be explicit and must relate to one or more specified purposes in accordance with the principle of purpose limitation.Footnote ⁹⁶ As newly required by the GDPR, consent must be “freely given” in a contractual relationship where there is no “significant imbalance” between the data subject and the controller.Footnote ⁹⁷ The performance of the contract must not be “conditional on consent to the processing of personal data that is not necessary for the performance of a contract.”Footnote ⁹⁸

Through the reference to explicit consent needed for the processing of data concerning health, the Regulation reaffirms the role of data subject’s consent as a fundamental condition for the processing of sensitive data, as variously established in international declarations and guidelines regarding medical research.Footnote ⁹⁹ Explicit consent was considered as the default regime for the processing of health data in the context of scientific researchFootnote ¹⁰⁰ and is additionally required for the processing of personal data in case of automated individual decision making, such as profiling.Footnote ¹⁰¹ Yet, in several medical research contexts it is not advised to use consent as a legal basis for personal data processing.Footnote ¹⁰²

Already under the Data Protection Directive, the Article 29 Data Protection Working Party has specified that explicit consent must be given through an “express statement,” such as a written statement signed by the data subject “in order to remove all possible doubt and potential lack of evidence in the future.”Footnote ¹⁰³

As widely stressed by scholars, in the traditional data protection law architecture, consent is the fundamental means of control over the course of data processing activities.Footnote ¹⁰⁴ It is strictly related to the individual values of autonomy and dignity,Footnote ¹⁰⁵ which are structural elements of the individual fundamental right to data protection. It is thus a means for data subject’s self-determination and self-empowerment. To these purposes, consent is associated with the reaction means newly provided by the General Data Protection strengthening data subjects’ control over personal data.Footnote ¹⁰⁶

Note, however, that the notion and limits of consent under the GDPR are more stringent. Pursuant to Article 7 GDPR, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”Footnote ¹⁰⁷ Any violation of these requirements or more generally of the GDPR makes consent not “binding” and not valid. Moreover, consent should be withdrawable as easily as it was to give it.

The suitability of the legal basis of consent has been much debated both at general level and with specific regards to health research. From the first standpoint, the adequacy of using consent as a legal basis for data processing in the digital age has been widely questioned both in the literature and in policymaking processes. Consent’s “pathologies” have been brought into the spotlight, especially in terms of unwitting consent, coerced consent, and incapacitated consent.Footnote ¹⁰⁸ The shortcomings of consent models permeating the digital consumer landscape appear to sharpen what has been traditionally known as the “privacy paradox,” given by the existing gap between what privacy—and consent—is theoretically meant for and what consumers actually do in practice.Footnote ¹⁰⁹ As increasingly demonstrated also at empirical level, the understanding of the privacy policies is often quite weak, if not completely null.Footnote ¹¹⁰ As a result, consent has become a “free pass” for big businesses’ data gathering practices.Footnote ¹¹¹ With respect to possible remedies to these failures, there have been discussions about how to render privacy policies more effective.Footnote ¹¹² Accordingly, new personalization and visualization schemes are being proposed by DPAs.Footnote ¹¹³

These general considerations also apply in the context of data-driven health research, which increasingly relies on the sharing, aggregation and repurposing of data processing activities.Footnote ¹¹⁴ Nonetheless, the specificities of digital health research raise some additional, sector-specific concerns. For example, although voluntary participation in research might not be considered a contract in many jurisdictions, in those countries that acknowledge the possibility of a fee for participation or even a form of incentive might cast doubts on the freedom of consent, especially in case of economic or other vulnerabilities. Moreover, data-intensive health research has widely expanded the borders of research projects, which have become ever more interconnected and open-ended,Footnote ¹¹⁵ and is thus becoming structurally unsuitable with respect to the consent paradigm, designed for specific and “closed” research projects.Footnote ¹¹⁶

As a result, alternative forms of informed consent, of more open and dynamic nature are considered more appropriate for the governance of the uncertainty and unpredictability of data-driven health research.Footnote ¹¹⁷ This opportunity has been concretely acknowledged within the General Data Protection Regulation, which under recital 33 GDPR admits consent given for “certain areas of scientific research”Footnote ¹¹⁸ under the condition that these areas of research respect the “recognized ethical standards for scientific research.”Footnote ¹¹⁹ It is worth noting from the outset that these broad terms could unveil a Pandora’s box notion of “research.” It can remain questionable if recital 33 GDPR, having no binding force, is able to justify a reading of Article 9(2)a GDPR, which requires “explicit” consent for specific purposes, compatible with forms of wide-ranging consent, open to further use. This is likely to be the case, at least if the architecture used follows the parameters of recital 33 GDPR: broad consensus limited to specific areas of scientific research and accompanied by “recognized ethical standards for scientific research.”Footnote ¹²⁰

The possibility of a broad consensus for research purposes has been confirmed and further developed in the proposed Data Governance Act, in the form of a new notion of “data altruism,” relating to “consent by data subjects to process personal data pertaining to them … without seeking a reward, for purposes of general interest, such as scientific research purposes ….”Footnote ¹²¹

Nevertheless, with respect to consent as a legal basis, there are still problems, mainly related to its revocability, which raise significant uncertainties in the research practice.Footnote ¹²²

In this respect, Article 29 Data Protection Working PartyFootnote ¹²³ has clarified that research purposes as well as relevant research areas need to be “well-described,” nonetheless admitting the possibility that they are not “fully specified.”Footnote ¹²⁴ The legitimacy of consent for broad research purposes implies a partial derogation of the principle of purpose limitation. Nonetheless, in case of a lack of a specified purpose, the same Working Party mitigates this derogation, by advising data controllers to implement additional safeguards as the provision of a comprehensive research plan before the commencement of the project, as well as the implementation of adequate transparency measures enabling data subjects also to withdraw consent.Footnote ¹²⁵

In addition to this, the GDPR directly sets a derogation to the purpose limitation principle with respect to further processing for research purposes of personal data initially collected through consent. In this respect, the default compatibility rule under Article 6(4) GDPR and Article 5(1)(b) GDPR suggests that the processing of personal data for secondary purposes “in the public interest, scientific or historical research purposes or statistical purposes shall in accordance with Article 89(1), not be considered incompatible with the initial purposes”Footnote ¹²⁶ and thus it is considered lawful under Article 6(4) GDPR, even if such further processing is not based upon the data subject’s consent.Footnote ¹²⁷

The joint consideration of the possibility of a broad consent for the initial processing of health data for research purposes under Article 9(2)(a) GDPR, as interpreted in light of recital 33 GDPR and the recalled Working Party’s guidelines on consent, as well as the mentioned default presumption of compatibility regarding secondary processing for research purposes, show how a very weak impulse by the data subject through a broad consent could apparently legitimize potentially infinite cycles of processing activities for various, different research purposes. In this respect, it is important to observe that the derogation of the purpose limitation rule for research would enable not only the sharing of sensitive health data among different businesses, but also the re-use of data by different research teams within broader corporate teams. For example, this is the case within big tech companies where there are often no separate research departments. Nonetheless, since the derogation to the purpose limitation principle is limited to research, the data should not be further used within a same corporate team for purely commercial, non-research-driven purposes. Here, the principle of segregation of personal data processing,Footnote ¹²⁸ similar to what is clearly set out in the Data Governance Act for data sharing entities,Footnote ¹²⁹ would be paramount in guaranteeing a clear respect of the purpose limitation principle. However, the borders between research-based and commercial-based data processing activities conducted within a same corporate unit could be quite difficult to draw, even if their corresponding personal data processing are correctly mapped in the records. In this specific case, when data is used for commercial purposes by a corporate unit, no default compatibility rule can apply and the relevant data should be processed in accordance with a full application of the purpose limitation principle demanding that datasets are processed in consistency with the “specified, explicit and legitimate” purposes for which the data has been originally collected. Accordingly, a proper respect of this principle requires to use the data only for the specific project for which they have been collected and not for other projects/purposes.

Yet, there is an inherent tension between recital 33 GDPR, not binding by definition, and the mentioned Working Paper 29 guidelines under the regime of the Data Protection Directive on the one hand and the recalled notion of consent under the GDPR –that need to be specific pursuant to Article 7 GDPR.

A way forward putting at ease those tension might emerge from the systemic interpretation we envisage. For instance, blanket consent might be more welcome if and when it is related to public interest research or in favor of public good institutions. Furthermore, blanket consent might be “more” acceptable when the same data processing is assisted by another suitable legal basis.

In any event, it is possible to sustain the general stricter scrutiny for the validity of consent in the research domain needs to be read in connection with recital 33 GDPR and that the formula clearly uses the language of the protection of the fundamental right to data protection but actually opens the way to both 1) blanket consent, as long as it unfolds “with recognized ethical standards for scientific research”, and 2) to select specific research projects’ objective aim of consent, or entities-subjective criteria, as assumed in the Tiziana case by the DPA and confirmed by the proposed Data Governance Act.

Under these premises, the legal basis of the explicit consent is to be aligned to the legitimate basis under Article 9(2)(e) GDPR, regarding the processing of sensitive data that are “manifestly made public by the data subject”, since it equally implies the release of personal data based on the data subject’s will. However, it is particularly problematic, since it could be applied to all the data that is “made public” online, in social networks or in specific online communities, without the need of a consent, be it of specific or of broad nature, or the enactment of safeguards offering the outer limits of the perimeter of a lawful data processing of sensitive data. This basis could thus potentially legitimate free flows of sensitive data as a result of their publicity. Nonetheless, the applicability of general data subjects’ rights under Chapter III GDPR still assures the preservation of a certain degree of individual control over such data flows and the ability to challenge the requirement of being “manifestly made public.”

In line with the guidance provided by referral 33 GDPR, personal data can be “manifestly made public” by selecting, for instance, kinds of project or data controllers creating a very simple avenue for data subjects’ contribution to research. In a sense, data subjects are enabled to directly express their consent to a given and known data controller or to express their will towards unidentified data controllers with the ability of setting the terms of this implied consent by publication. Note that, by managing their autonomy along the lines of Article 9(2)(e) GDPR, data subjects simplify data controllers’ compliance without burdening them with further latches even when data subjects select projects or data controllers they want to contribute to.

II. The Public Interest-Oriented Regime under Article 9(2)(i) and Article (9(2)(g)

Shifting from data subject-based regimes to controller-based legal bases for the processing of health data, the GDPR allows for many exceptions to the general prohibition of processing special categories of data, as health data.

For our purposes, however, we are interested in the notion of public interest directly concretized by Article 9(2)(i) GDPR referring to the purposes of “protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.”Footnote ¹³⁰ The link between public interest and the protection of the right to health as enshrined in some Member States’ constitutions has been assessed by the Article 29 Data Protection Working Party,Footnote ¹³¹ which has underlined how every processing activity that is functional to the protection “against serious cross-border threats to health” or the safeguard “of high standards of quality and safety of health care” are to be considered of public interest-oriented nature. In the absence of further indications, it has however left controllers to set the boundaries of what is necessary to safeguard “high standards of quality and safety of health care.”

The public health interest exception offered by Article 9(2)(i) GDPR clearly encompasses, among others, post market studies, observational studies, and pharmacovigilance activities. Note, however, that these processing activities must be grounded in “Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”Footnote ¹³² The public interest clause is employed in many ways at both normative and policy level and is mostly defined on a case-by-case basis. In the absence of a determination by national legislators, the guidelines of data protection authorities are to be taken into consideration.Footnote ¹³³ Here, what is relevant is that the GDPR qualifies in terms of public interest the research—post-market, observational studies, pharmacovigilance—ensuring “high standards of quality and safety of health care and of medicinal products or medical devices.” In this way it appears to legitimize personal data processing for public interests that at the same time serve also private interests. Post market studies and product monitoring, although fulfilling legal duties, clearly serve legitimate and business interests of data controllers generating data that under the GDPR regime can more easily be further processed for secondary research using the presumptions of “non-incompatibility in Article 5(1)(b) GDPR, the compatibility test in Article 6(4) GDPR, and the general research regime in Article 89 GDPR.

Within the system of the General Data Protection Regulation, the public interest aim embedded in the legal basis under Article 9(2)(i) GDPR regarding sensitive data is to be aligned to the one generally envisaged under Article 6(1)(e) GDPR, regarding processing activities that are “necessary for the performance of a task carried out in the public interest.”Footnote ¹³⁴ The notion of “the task carried out in the public interest” has been interpreted by the U.K. Data Protection Authority in accordance with an objective criterion based on the nature of the purpose of the processing and not on the nature of the controller,Footnote ¹³⁵ clarifying that any organization either private or public can rely on this basis.Footnote ¹³⁶ This approach appears consistent with the one also upheld by the European Data Protection Board, which has specified that the processing of personal data for the purposes of clinical trials’ procedures is to be considered as a task carried out in the public interest, when “the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by national law.”Footnote ¹³⁷

As the Article 29 Data Protection Working Party had already outlined under the Data Protection Directive, the public interest clause is an expression of the flexibilities within data protection law, enabling to strike the appropriate balance between the protection of data subjects’ rights and other collective interests.Footnote ¹³⁸ It is worthwhile noticing that article 9(2)(i) GDPR does not expressly mention the need to “respect the essence of the right to data protection,” as does, for instance, article 9(2)(g) GDPR. This because article 9(2)(j) GDPR assumes that the general framework for “medicinal products or medical devices” already “provides for suitable and specific measures to safeguard the rights and freedoms of the data subject” and thus already respects such an essence. Otherwise, the provision and the recalled rules would be in violation of the Treaties and subject to be struck down by the European Court of Justice (ECJ).

Overall, the notion of “the essence of the right to data protection” is recalled for instance also under Article 23(1) GDPR, allowing for Union or Member State laws’ restrictions to the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34. Under EU law the elements constituting the essence of the fundamental rights to personal data protection are basically listed under Article 8(2) of the EU Charter of Fundamental Rights According to this provision the principles of purpose specification, fairness in processing on a legitimate basis laid down by law along with the right of access to one’s own personal data and the right together with the control by an independent authority. Along these lines, the ECJ has concluded that legislation not providing for any possibility of pursuing legal remedies to access, rectify or erase their personal data “does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.”Footnote ¹³⁹

The fact that Article 9(2)(i) GDPR does not recall the requirement to respect “the essence of the right to data protection” allows, with the mentioned caveats, higher pressure on the right to personal data protection when public health or “quality and safety of health care and of medicinal products or medical devices” are at stake. This is well reflected by Article 23 GDPR, which explicitly allows EU or Member States laws to restrict the applicability of—and thus set derogations to—Articles 12–22 GDPR or Article 5 GDPR, establishing fundamental data protection principles such as, amongst others, the principle of data minimization and accuracy, when the processing serves “important objectives of general public interest of the Union or of a Member State,” as public health.Footnote ¹⁴⁰ Also Article 17(3)(c) GDPR, which directly refers to Article 9(2)(i) GDPR, admits derogation to data subjects’ right to erasure when the derogation is needed for “reasons of public interest in the area of public health.” Moreover, as will be better shown below other derogations under Article 14(5)(b) and Article 89(2) GDPR can be allowed for with respect to processing activities under Article 9(2)(i) GDPR.

However, as the GDPR clarifies, the balance between the competing interests of data subjects and data controllers always has to respect the “essence” of the right to data protection in accordance with the proportionality principleFootnote ¹⁴¹ and through the enactment of suitable and specific measures to safeguard data subjects’ fundamental rights and interests.Footnote ¹⁴²

The importance of anchoring personal data processing activities carried out for public interest purposes to the parameters of proportionality and necessity has been underlined also by the ECJ,Footnote ¹⁴³ which has affirmed that “the protection of the fundamental right to respect for private life at the European Union level requires that derogations from the protection of personal data and its limitations be carried out within the limits of what is strictly necessary.”Footnote ¹⁴⁴ This means, firstly, that if another legal basis more respectful of the data subjects’ rights and interests, such as consent, can be relied upon by the controller for the achievement of the same purpose, then this must be chosen.Footnote ¹⁴⁵ Yet, these clarifications were suggested under the previous data protection regime when the exception envisaged by Article 9(2)(i) GDPR did not exist. Secondly, exactly the principles of proportionality and necessity assure that the data subjects’ rights as set by Chapter III GDPR are not undermined or somehow restricted in case of processing for public interest reasons. This means that the data subjects shall maintain control of such processing activities through their information rights and their corresponding reaction tools.

A further limit for the respect of the essence of the right to data protection is directly given by the principle of purpose limitation, which harshly cuts out from the realm of public interest-oriented processing activities those that serve different purposes, as commercial purposes. This is directly acknowledged by recital 54 GDPR, stating that the processing of personal data concerning health for public interest purposes shall not result in the same data being processed for other purposes by third parties, as employers or insurances and banking companies.Footnote ¹⁴⁶ However, here the principle of purpose limitation finds a special discipline for research under Article 5(1)(b) GDPR, the presumption of compatibility if Article 89 GDPR is applied, and Article 6(4) GDPR, a test for further use.

In short, the GDPR offers a different and more data-controller-oriented regime for the research aims mentioned under Article 9(2)(i) GDPR moving along the spectrum by authorizing data processing without consent and opening to further research uses, provided appropriate safeguards are offered. These are instances in which both public and private research aims are pursued and in which clearly research is mostly run by private—and for-profit entities.

The scaling of possibilities in our spectrum of data protection regimes for research finds another instance—reflecting the proportionality principle described above—in Article 9(2)(g). Contrary to Article 9(2)(i) which is specific for “public interest in the area of public health,” Article 9(2)(g) is of general relevance and requires—in addition to the requirements provided by Article 9(2)(g)—that the public interest is “substantial” and that the legislation defining it along with the needed safeguards respects “the essence of the right to data protection.”

III. The Research-Based Regime under Article 9(2)(j) GDPR

The third category of data protection regimes progressively offering a more liberal legal framework regards processing activities over special categories of data conducted for research purposes. Research is indeed an autonomous legal ground for the processing of special categories of data, as health data, under Article 9(2)(j) GDPR, which states the legitimacy of the processing when this is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” if:

1. a) In accordance with Article 89(1);

2. b) is based in Union or Member State law, which will thus have to define the activities that fall under the scope of research as a legitimate basis for the processing of special categories of data;

3. c) it is proportionate to the aim pursued, consistently with the proportionality under art. 5(1)(b);

4. d) it respects the essence of the right to data protection;

5. e) it is subject to suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. ^{Footnote 147}

As can be derived, the legitimate basis under Article 9(2)(j) GDPR is shaped similarly with respect to the public interest-oriented ground for processing under Article 9(2)(g) GDPR. The major difference between the two legitimate bases is given by the explicit link of the former to Article 89(1) GDPR. Conversely, it is interesting to notice that both the considered provisions, unlike what occurs under Article 9(2)(i) GDPR, make reference to the respect of the essence of the fundamental rights to data protection. This is not surprising since the legitimate bases respectively regarding research under Article 9(2)(j) GDPR and the public interest 9(2)(g) GDPR are of very general scope and do not precisely list the sectors, respectively for research and the public interest, to which these legitimate bases apply, to the contrary of the provision under Article 9(2)(i) GDPR that makes a specific list of the cases relevant for “the public interest in the area of public health.”

This regime requires the safeguards enacted by the controller to assure the respect of the principle of data minimization. The principle as generally expressed under Article 5(1)(b) GDPR is certainly applicable also to the processing for public interest purposes and to consent as a legitimizing basis for processing. Nonetheless, the explicit reference to the principle under Article 89(1) GDPR—recalled by Article 9(2)(j) GDPR—suggests that in case of processing activities for research purposes grounded in the legitimate basis of research there must be a strengthened compliance with data minimization goals: To the larger maneuvering room for data controllers corresponds a smaller ability to contractually derogate exactly because data subjects have reduced avenues to monitor the actual enforcement of the data minimization principle. The legislator sets it as a driving principle to data controllers, calling to its strict adherence exactly because appropriate safeguards are established by data controllers themselves policed only by the principle of accountability but not, eventually, by the exercise of data subjects’ rights.

Indeed, this stricter interpretation of the safeguards under Article 9(2)(j) GDPR with respect to the ones justified under Article 9(2)(g) GDPR is to be better understood considering the possibility to derogate to data protection principles and rights available to controllers undertaking research activities. This softening in the data protection system requires tighter data protection measures from the controllers’ side to comply with the “essence of the right to data protection” recalled by Article 9(2)(j) GDPR. The switching of the power of setting the stage for data processing from data subjects—consent and manifestly public data—to data controllers—for research purposes without consent—signaled by the constraints to data subjects’ rights revolves around more defined boundaries to set up appropriate safeguards, and above all the respect of the data minimization principle. When the general data protection principles as the one of purpose and storage limitation under Articles 5(1)(b) and 5(1)(e) GDPR and other data subjects’ rights are derogated, then the protection of the “essence of the right to data protection” needs to be achieved by other means, and cannot suffer a compression also of the data minimization principle around which revolves the indications of Article 89 GDPR in term of safeguards.

Under these premises, the next sections will analyze the special data protection research regime as normatively shaped by the Regulation, identifying the derogations it sets in case of research activities for research purposes and providing some first interpretative guidance regarding the required safeguards on how GDPR opens the personal data flow.

IV. The EU Data Protection Rules for Research: The Derogations

On a general level, it can be outlined that the rules applicable to processing activities encourage on the one hand the processing of personal data for research purposes through significant derogations to ordinary data protection principles and rights. These derogations are nonetheless paired with the requirement of enacting appropriate measures to safeguard data subjects’ fundamental rights and freedoms under Article 89(1) GDPR. The framework resulting from the combined reading of these provisions offers the parameters for the research exemption applicable whenever the processing over personal data is carried out for research purposes, irrespective of the legitimate basis on which the processing relies.

The derogations in case of processing for research purposes involve, first, important data protection law principles, as the principle of storage limitation under Article 5(1)(e) GDPR and the principle of purpose limitation under the above-recalled default compatibility rule under Article 6(4) and Article 5(1)(b) GDPR offering a presumption of compatibility. The mentioned provisions in turn derogate to the principle of data minimization established under Article 5(1)(c) GDPR. The default compatibility rule proves to be particularly difficult in the interplay of different legitimate bases and of data protection regimes for research, as will be assessed below.

Also, data subjects’ rights as the right to be forgotten under Article 17(3)(c) and (d) GDPR can be derogated in case the enactment of the right impairs the achievement of the research objectives. Specific attention is to be given also to the possible derogation under Article 14(5)(b) GDPR to data subjects’ right to be informed when the processed data is collected from third party sources and not directly from the data subjects, in case the “provision of such information proves impossible or would involve a disproportionate effort.”Footnote ¹⁴⁸ This last derogation is quite far-reaching since it allows controllers processing health data for research purposes to diminish the information they have to disclose to the data subjects in the privacy notice.

The two derogations to the right to erasure, under Article 17 (3)(c) and (d) GDPR, and the right to be informed, under Article 14(5)(b) GDPR, appear to be structurally incompatible with the legitimate basis of consent. In this respect indeed, the data subject has established a direct relationship with the data controller through its consent. The eventual withdrawal of consent would automatically block the processing activities of the data subject’s personal information, with a de facto erasure of the relevant data from the controllers’ databases, in consistency with the principle of storage limitation under Article 5(1)(e) GDPR. The provision indeed requires data controllers to store data as long as it is “necessary for the purposes for which the personal data are processed.” In case of consent withdrawal this necessity to store the data would be radically voided, this leading to an automatic data erasure. Similarly, with respect to the data subject’s right to receive information under Article 14 GDPR, the fact that the subject has given its consent first presupposes the release by the controller of the information needed to shape an informed consent. In second stance, the existence of a consent from the data subject itself eases the provision of information to the data subject by the data controller, thus excluding a situation in which the data controller faces an impossibility or a “disproportionate effort” to provide the relevant information, as required under Article 14(5)(b) GDPR.

On the contrary, the concerned derogations are highly relevant when the processing is based on the other legitimate bases not only under Article 9(2)(j), but also under Article 9(2)(i) GDPR, which is expressly recalled under Article 17(3)(c) GDPR. In this case, indeed the derogations directly facilitate the achievement of the particular objectives of the processing in the context of public health interventions and of research enquiries. Accordingly, the derogations can be relied on by data controllers also in case of secondary processing of datasets that were originally processed on the basis of the data subjects’ consent and that are then grounded in the pursuing of a public health or pure research goals.

When the data are directly collected from the data subject, the controller still needs to comply with information duties under Article 13 GDPR, unless, as described by recital 62 GDPR, “the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.”

In addition to the derogations directly established by the Regulation, under Article 89(2) GDPR Member States can issue further derogations from data subjects’ right to access under Article 15 GDPR; right to rectification under Article 16 GDPR; right to restriction of processing under Article 18 GDPR; and ultimately the right to object under Article 21 GDPR. These derogations can be provided only when the full enforcement of data subjects’ rights “are likely to render impossible or seriously impair the achievement of the objectives of that processing” and these derogations are necessary for the fulfilment of the purpose.Footnote ¹⁴⁹ Additional derogations by national laws to data subjects’ rights under Articles 12–22 GDPR are permitted by the recalled provision under Article 23(1)(e) GDPR when the processing targets public health objectives.

These national-based derogations under Articles 89(2) and 23(1)(e) GDPR should be applicable only when the processing for research purposes is based on the legitimate grounds under Article 9(2)(i)–(j) GDPR, and not when these are based on consent under Article 9(2)(a) GDPR (Table 1): consent and the controller-data subject relationship directly activated by consent should indeed pose data controllers in the ease of protecting the mentioned data subjects’ rights. Conversely, the specificities of processing operations for reasons of public interest in the area of public health, Article 9(2)(i) GDPR, or for research purposes, Article 9(2)(j) GDPR, may well justify the establishment of the mentioned derogations by national laws, in light of the excessive burden data controllers could face for satisfying data subjects’ requests in these particular processing circumstances.

Just as in the recalled GDPR-based derogations, however, national legislations need to assure that appropriate conditions and safeguards for the processing are enacted and respected. The effective restraints to processing activities regarding sensitive data will largely depend on how burdensome the derogations and correspondent safeguards defined at national level will be.Footnote ¹⁵⁰

In light of these derogations to the mentioned principles and rights, the data protection regimes for research purposes under Articles 9(2)(i)–(j) GDPR appear to undercut data subjects’ control prerogatives over their sensitive data and, with that, to shift the control over the data processed for research purposes onto data controllers. As can be seen from Table 2 below, the derogations to data subjects’ rights under Chapter III are always possible for processing activities conducted for public health purposes. This suggests the controller-oriented nature of these data protection regimes, to be placed at the opposite edge in a descriptive spectrum with respect to the data subject-oriented regime for research under Article 9(2)(a) GDPR and its subjective control rationales.

Table 1. Data Protection Regimes for Research under Article 9(2) GDPR

Table 2. The Data Protection Derogations for Research under the GDPR

In light of the recalled derogations, the research-based data protection regimes under Articles 9(2)(i)–(j) GDPR, mitigate ordinary data controllers’ regulatory burdens so as to enhance the free-flow of sensitive data for research and innovation objectives. However, this de-regulatory stance over the processing for research purposes regards only ordinary data protection requirements and should be compensated by the requirement to establish safeguards that are appropriate to the protection of data subjects’ fundamental rights and freedoms as required under Articles 89(1) GDPR. It is thus time to delve more in these safeguards.

V. The Data Protection Rules for Research: The Safeguards

While medical research is being fueled by the exchange of scientific information and the resulting cooperation among different stakeholders of both the private and the public sector, the development of adequate data protection enhancing techniques is essential for creating the needed trust for data integration and aggregation practices. This is directly acknowledged by both Article 89(1) GDPR, requiring the enactment of “appropriate safeguards” in the form of “technical and organizational measures” and Article 9(2)(j) GDPR requiring the performance of “suitable and specific measures” for safeguarding data subjects’ fundamental rights and freedoms.

The mentioned requirements of “suitable and specific” measures or “appropriate safeguards” reflect the legislator’s intention to set onto data controllers the choice to decide on a case-by-case basis—and thus considering the research projects’ peculiarities—which are the safeguards that best protect data subjects’ rights without impairing the objectives of the processing activities. This is why the Regulation does not list the safeguards that need to be enacted in the context of research activities, but rather takes a dynamic approach so as to maximize their effectiveness in the highly varied data-driven research environment. Article 89(1) GDPR asks data controllers to identify and properly implement the safeguards for the protection of data subjects’ and patients’ fundamental rights.

In accordance with the layered research data regimes, a fundamental criterion for assessing the appropriateness and suitability of the safeguards to be enacted by the controller is related to the invasiveness of the derogations mentioned in the previous paragraph: This means that the more a controller leverages on the derogations the Regulation or Member States laws allow, the tighter the safeguards to be enacted should be.

Accordingly, from an opposite perspective, the enactment of these safeguards should be read as a direct precondition for the enjoyment of the derogations outlined above. As a result, the research-based regime concretely applicable to processing activities variously carried out for research purposes is the result of a double fine-tuning process, in accordance with which the more derogations the controller avails himself, the stricter the safeguards that she will enact should be. Such interpretation is directly suggested by the guidance offered by Article 89 GDPR, which, firstly stresses that “technical and organizational measures” shall ensure “in particular … the principle of data minimization.” It does not rule out the other principles not already limited by Article 5 GDPR, but it clearly indicates that data minimization is not negotiable for the reasons we stressed before. Secondly, it sets a cryptic obligation and indication to use “further processing which does not permit or no longer permits the identification of data subjects …”—anonymous data—if the purposes of processing can be fulfilled with these data. This is in line with Article 2 GDPR and referral 26 GDPR as well as with Article 6(4) GDPR at least as a safeguard for further processing. Note, however, that such a notion can be fine-tuned for the interest of the data controller as well by pairing the choice of selecting processing modalities which do not require identification. Under Article 11 GDPR, indeed, if the controller is able to demonstrate that it is not in a position to identify the data subject, and upon informing the data subject, if possible, Articles 15–20 GDPR shall not apply—except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification. For example, separating permanently a pseudonymized dataset from the dataset of the corresponding identifiers can easily fulfil this anonymity safeguard discharging the data controller by several burdens. Thirdly, in the alternative, it suggests implementing pseudonymization techniques, stating that the employment of such technique is encouraged “as long as (the research purposes) can be fulfilled in this manner.” Additionally, it imposes a principle of segregation of data processing since derogations are strictly connected to research purposes and cannot spillover other data processing purposes.Footnote ¹⁵¹ Finally, it links all the “appropriate safeguards … for the rights and freedoms of the data subject” to the overall architecture of the regulation: “in accordance with this Regulation.” This statement at the beginning of Article 89 is not without consequences because in line with the principle of accountability with greater technical discretion for the data controllers comes greater responsibilities and the burden to prove that the selected technical and organizational measures are appropriate. De facto, Article 89 GDPR offers both instructions and rules setting a roadmap for data controllers.

In light of this clarification, further relevant “technical and organizational measures” can be derived from the general provisions of the General Data Protection Regulation, as the ones regarding data protection impact assessments under Article 35 GDPR. For the purposes of such assessments, the potential derogations to data subjects’ rights even when they satisfy the strict requirements of Article 89(2) GDPR, which states “in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes,” clearly flag a potential high risk for rights and freedoms due to their limitation. Thus, the preliminary analysis whether a data processing requires a DPIA pursuant to Article 35 GDPR might be more demanding and should certainly take into account the derogations and safeguards. Yet, this is routine under the GDPR framework and does not add further burdens.

Another relevant safeguard could be related to the employment of data protection certification mechanisms as seals or marks, if developed by Member States, the supervisory authorities, the Board, and the Commission in accordance with Article 42 GDPR. As the same provision underlines, these seals and marks would be relevant for showing controllers’ compliance in processing operations with technical standards and thus with GDPR. Similarly, data protection measures by design and by default under Article 25 GDPR would structurally internalize and assure compliance to data protection lawFootnote ¹⁵² and require taking in proper consideration the peculiarities of the research purposes and derogations.

With specific reference to health-related data, Article 9(4) para GDPR allows Member States to establish “further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.” This means that national laws can establish specific safeguards required for the protection of data subjects’ interests in the context of health research projects. Once again, delegating national legislators does not help a uniform regulatory landscape and opens to a sort of rush to the bottom among Member States as in the fragmented American system. Nevertheless, the bottom line remains the GDPR itself ensuring appropriate safeguards and limiting the risk of a race to the bottom.

Overall, the mentioned system of safeguards for the processing of data for research purposes is directly aimed at conforming the goals of research data flows to the protection of data subjects’ rights and freedoms, as potentially impaired by the loss of control over the processed information resulting from the derogations to some of data subjects’ rights. Yet, once a systemic reading of the GDPR is in place, the mechanisms designed do not reveal to be burdensome for data controllers wile facilitating the free flow of data.

VI. The Interaction Between Differential Data Protection Regimes

As the above analysis has shown, processing activities for research purposes can be based on different lawful bases under the GDPR and are subject, irrespective of the chosen lawful basis, to the outlined research exception shaped by the mentioned derogations and the additional obligations to enact relevant safeguards borne by controllers.

Against this backdrop, a first question arises related to the interaction between the exceptional data protection regime regarding processing operations carried out for research purposes, based on any of the above-outlined legitimate bases, and the “ordinary” data protection regime applicable to processing activities conducted for non-research related but purely commercial purposes, as profiling operations and decisions regarding data subjects. Suggestions regarding the borderlines between the two different regulatory regimes can be drawn from recital 162 GDPR, which states the prohibition of processing data collected for statistical purposes “in support of measures or decisions regarding any particular natural person.”Footnote ¹⁵³

The stated prohibition, as read in consistency with the principle of segregation described above under Article 89(1) GDPR, can be extensively applied in case processing activities for research purposes result into further, “secondary” commercial-oriented processing, deriving from the “practical” economic employment of the statistical models designed and constructed in the context of research projects.Footnote ¹⁵⁴ In other words, general models developed for research or statistical purposes should not be used for singling out individuals. Thus, the derogatory data protection regime for research would not apply. The example given by recital 162 GDPR regarding statistical data thus beautifully illustrates the idea of segregation of research results from their non-research use. In this respect, the key factor is keeping the research promises of “statistical confidentiality” as a counterpart to processing personal data necessary “for the production of statistical results.” After all, it just echoes the basics of processing data for statistical purposes. As recital 162 GDPR illustrates, further research uses would be allowed while further non-research-oriented ones—that are those used “in support of measures or decisions regarding any particular natural person”—would not, unless consent is given.

In addition, the recalled principles enshrined in both Article 89(1) GDPR and recital 162 GDPR can provide precious guidance in order to set further boundaries among different research activities.

As the Italian cases involving Tiziana Life Sciences illustrate, processing activities of health data can be extremely complex and be related to different types of research, in terms of different research entities potentially taking part to established research projects, and of the possibilities of secondary uses of employed health datasets to radically different research projects in terms of scope and aim. Although both the administrative and the judicial decisions have been given under the Italian data protection legal framework preceding the European reform, both the decisions are interesting for the purposes of the interpretation of the subsequent framework under the General Data Protection Regulation.

More precisely, the mentioned cases well highlight the uncertainties on the applicability of the research exception regime in case of processing activities carried out for research purposes by a third-party recipient of a research-valuable dataset. These uncertainties relate directly to:

1. 1) The applicability of the presumption of compatibility pursuant to Article 5(1) (b) or the need to assess compatibility according to Article 6(4) and eventually acquire a new consent with the related information duties as it occurs in the case of mergers codified under Article 14 GDPR;

2. 2) The applicability of the more favorable provision under Article 9(2)(j) GDPR. As has been recalled, following the default compatibility rule set out under Articles 6(4) and 5(1)(b) GDPR, if the secondary processing is conducted for research purposes, controllers do not have to seek anew consent from data subjects but would still need to provide information pursuant to Article 14 GDPR, as long as the provision of such information does not prove impossible or requires a “disproportionate effort.”Footnote ¹⁵⁵

3. 3) The possibility to withdraw consent since under Article 7(2) GDPR it is always possible. The question thus arises regarding whether after withdrawal of consent by data subjects the legal basis on research is still eligible. The second decision by the Italian data protection authority seems to suggest a negative answer to this question. Conversely, the European Data Protection Board’s Opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation, has stated that “the withdrawal of consent does not affect the processing operations that are based on other lawful grounds.”Footnote ¹⁵⁶ The European Commission, on its side, has suggested that the compatibility analysis for secondary uses of data is never allowed when the original legal basis is consent.Footnote ¹⁵⁷

The choice to apply one or the other data protection regime, will largely depend on the definition of the scope of the specific research purpose. Thus, it will depend on whether the mentioned compatibility rule applies also to a different third-party organization, carrying out private and for-profit oriented research activities—as the one carried out by a company as Tiziana—in the form of different research projects that are not strictly related to the research projects for which the health data were originally collected.Footnote ¹⁵⁸

According to the broad interpretation of research under recital 159 GDPR, the decision of the Tribunal of Cagliari would be more adherent to the newly established, controller-friendly, research-based data protection framework,Footnote ¹⁵⁹ as based either on specific, sectoral blanket consents, as the ones described above, or on Articles 9(2)(i) or 9(2)(j) GDPR as legitimate bases alternative to the one of consent. In this perspective, both decisions by the Italian Data Protection Authority suggest the practical opportunity to handle different types of research differently.

The EDPB itself has underlined that in the data protection regime for research “the rules contain a special regime affording a degree of flexibility for genuine research projects that operate within an ethical framework and aim to grow society’s collective knowledge and wellbeing”Footnote ¹⁶⁰ and alludes to the difficulty “to distinguish research with generalizable benefits for society from that which primarily serves private interests.” A borderline difficult to trace. In the Tiziana cases genetic research could clearly benefit mankind but the fact that for-profit research could be performed by processing personal data that were collected explicitly for non-profit research purposes, casted and casts doubts on whether the presumption of compatibility would stand the test of Article 5(2)(b), Article 6(4), and Article 7.

To address these persisting interpretative doubts, the next paragraph will propose a framework that differentiates data protection regimes within the research-based regime as shaped in the black letters of the General Data Protection Regulation. This framework is primarily based on the distinction between for profit and public interest-based research.

As the last section will demonstrate, there is direct correspondence between loss of control and free flow of personal information objectives only in this last case. Conversely, when private or public data are processed for commercial-oriented research purposes, the loss of subjective control over processed data needs to be compensated with safeguards for the protection of data subjects’ fundamental rights and freedoms, which come to restrain research data flows.

I. From Public Interest Research to For Profit-Oriented Research

The exploitation of private or public data pools by businesses for profit-oriented research, as the one conducted by Tiziana Life Science Corporation in the aforementioned ruling, may pose higher risks for the protection of data subjects’ rights and freedoms, including to any form of moral objection and overture to specific kinds or goals for the research itself, including data philanthropy. In the Tiziana case, many citizens consensually volunteered to pursuing data-philanthropy aims that might lead the transfer for further use to fail the test under Article 6(4) GDPR. Such assessment is to be primarily conducted in accordance with a risk-based evaluation required by the same Regulation under the data protection impact assessment. Accordingly, the principles of proportionality and necessity—first of all—would require processing activities conducted for for-profit research purposes to rely on the legitimate basis that is more respectful of data subjects’ interests and rights, that is consent. Consent and the related possibility of its withdrawal structurally assures a higher degree of control, also if it is related only to certain research areas as suggested by recital 33 GDPR. In addition to this, taking into account the safeguards for the essence of the fundamental right to data protection, consent allows for a negotiation around the willful conferment of personal data. The effectiveness of such control is mitigated by the presumption of compatibility under Article 6(4) and 5(1)(b) GDPR, enabling further processing for research purposes. Exactly in the view of the necessity of data subjects’ stronger control prerogatives, the same mentioned principles advocate a strict interpretation of such compatibility rules, to restrict the further flows of research data to the realm of data subjects’ self-informational determinations, and to what is proportionate for the prevention of greater risks to the same data subjects. In other words, changing the contextFootnote ¹⁷⁵ from merely altruistic goals to also for-profit ones might lead to failing the compatibility test.

Note, however, that it is not a clear-cut solution. Indeed, if genetic data under the Tiziana cases were made “manifestly made public by the data subject” without limitations, the further use would be clearly permissible. Similarly, if the informed consent had a scope compatible with the further use or a sufficiently large–although specific as required by the GDPR–blanket consent was acquired.

In the same vein of setting parameters for the research “privileges,” also, the derogation to the principle of storage limitation under Article 5(1)(e) GDPR should be restricted to the storage that is strictly necessary to the performance of the specific research project and not be stretched for other purposes. According to a similar perspective, the possibility to derogate to the information duty under Article 14(5)(b) GDPR should also be restrained by applying a higher standard of impossibility or “disproportionate effort” of providing information by the controller. What is disproportionate for public interest research might not be for profitable interests.

Conversely, research for profit can also benefit from the derogations if appropriate safeguards are provided, for instance, selecting “processing which does not require identification.Footnote ¹⁷⁶ Equally, the derogations to ordinary data protection rights could be circumscribed to the sole derogations directly allowed by the Regulation and not be aggravated by Member States laws.

This interpretative possibility is to be directly drawn from Article 89(4) GDPR establishing a principle of segregation: privileges only apply to research purposes and do not extend to other purposes. A striking example can be offered by research for marketing and the use of the research outputs for marketing. While personal data processing for scientific studies on marketing would enjoy the research privileges, the use of the same data for purely marketing purposes would not in consistency with the principle of segregation as illustrated also by recital 162 GDPR stressing that the results of statistical purposes processing operations should not be used “in support of measures or decisions regarding any particular natural person.”

It remains unclear if the same proportionality and necessity principles guide a more severe interpretation of when, in the case of commercial-oriented research, the actioning of data subjects’ rights would “render impossible or seriously impair the achievement” of set research objectives, as required by Article 89(2) GDPR.

On the side of the safeguards required under Article 89(1) GDPR, the same principles of proportionality, fairness and segregation suggest the enactment of higher context-sensitive safeguards for preventing research processing activities to result into the processing of health data for pure, non research-based, commercial purposes. Such processing is indeed prohibited under Article 9(1) GDPR, unless the data subject gives explicit and specific consent for these purposes as required under Article 9(2)(a) GDPR. This suggests a higher threshold of “appropriateness” of the safeguards to be employed under Article 89 GDPR with respect to private or public health data pools employed for commercial-oriented research. More precisely, the safeguards should be appropriate whenever these prevent uses of data that would not be acceptable for the data subjects. A higher appropriateness threshold regarding the safeguards to be enacted would thus feed confidence and trust in privately conducted health research, otherwise impaired by the weakening of individual control over treated health data.

In terms of the requirements under Article 89(1) GDPR, this requires a close scrutiny of the:

1. 1) adherence to the principle of data minimization;

2. 2) requirement to use anonymized data for the purposes of the research activities; or if this is not possible to use pseudonymization techniques;

3. 3) respect to the principle of data segregation;

4. 4) principle of accountability as generally supporting the whole system of data protection safeguards.

A more precise identification of relevant safeguards can be defined in consideration of the possible harms stemming from a processing operation. In case of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, these harms are to be identified by the controllers’ data protection impact assessment under Article 35 GDPR. Harms stemming from the processing of private data pools can be related to the data subjects’ moral suffering related to the disclosure of sensitive health conditions, stigmatizations, and the generation of stereotypes regarding certain groups in the health sector and beyond. Moreover, the processing of data for the purposes of for-profit research easily results into purely commercial activities, as monitoring and marketing by third parties, also potentially triggering profiling activities, which are formally prohibited under Article 22 GDPR. Processing activities of sensitive data conducted for research purposes may thus engender heavy intrusions in data subjects’ personal lives, to be accurately addressed through the establishment of adherent safeguards.

II. Keeping Public Interest Research on the Go

A different standard of data protection emerges for public interest-oriented research. Both private and public research organizations can potentially be involved in public interest-oriented research activities. Examples of public interest-oriented research areas can be found in Article 9(2)(i) GDPR, listing the protection against serious cross-borders threats to health, the accomplishment of high standards of quality and safety of health care and of medicinal products or medical devices. Additional suggestions with respect to public interest-related sectors can be found in recital 54 GDPR, further referring to “morbidity and disability,” “the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.” Research related to these sectors is thus certainly to be considered of public interest-oriented nature, disregarding the public or private nature of its funding. Here a simple example can be research related to post-market surveillance where private, for-profit, and public interest walk hand in hand.

Note however, that national implementations of the GDPR have offered a more stringent test. For instance, the UK Data Protection Act 2018 establishes that the processing will only meet the requirement under the research exception for a basis in UK law if the processing not only is conducted for research purposes and is carried out in accordance with Article 89(1) GDPR, that is the enactment of adequate safeguards, but is also conducted in the public interest.Footnote ¹⁷⁷ This public interest requirement applies to any research processing of health data reliant upon the research exception, whether carried out by private or public bodies. The public interest is envisaged under UK law whenever there is a trade-off between the individual interests in data protection and the benefits of research, which justifies the fact that the data subjects who are individually affected have a reason to accept those interferences. This is exactly the case of research in the interest of the data subject, mentioned by recital 159 GDPR.

Conversely, in the absence of such a trade-off, personal interferences are not acceptable if not grafted in an express consent of the data subject, exceptionally allowing an interference in their personal sphere. As anticipated, following this same logic, recital 162 GDPR regarding the processing of personal data for statistical purposes suggests that the results of these processing operations should not be used “in support of measures or decisions regarding any particular natural person.”

Against this backdrop, the acceptability of the processing of sensitive data is to be defined on the basis of a proportionate balance between the reasons for protection of data subjects’ fundamental rights and other fundamental rights, such as the right to health, promoted by research activities over health data.

This acceptability criterion could justify research activities in a legitimate basis that is more controller-oriented as the one under Article 9(2)(j) GDPR. This appears exactly to be acknowledged by Article 110 of the Italian data protection law, which states that processing activities for research purposes do not require data subjects’ consent if the research activities that are carried out are defined on the basis of Union or national laws as required under Article 9(2)(j) GDPR, or in case the retrieval of consent would make the achievement of research objectives impossible or otherwise impair them seriously. The Italian provision thus well reflects how with respect to processing for research purposes, the principles of necessity and proportionality allow a detachment from individual control rights.

In the same perspective, exactly the public interest nature of research activities could justify the possibility to interpret the default compatibility rule under Articles 5(1)(b) and 6(4) GDPR in a broader manner when it comes to the further processing of data for public interest-oriented research purposes; and the storage of employed data for longer periods taking advantage of the flexibilities under Article 5(1)(e) GDPR.

Likewise, acceptability of research activities from the data subjects’ perspective could sustain the derogation to information duties under Article 14(5)(b) GDPR even when safeguards would not trigger the application of Article 11 GDPR. Such derogation would be directly motivated upon the impossibility or “disproportionate effort” for the data controller to provide to data subjects relevant information, while accommodating individual and collective fundamental rights, as it occurs in the case of public health emergencies.

Based on the same reasoning, compliance with the other data subjects’ rights under Chapter III GDPR would be more likely to “render impossible or seriously impair the achievement” of public interest research objectives, thus justifying derogations under Member State laws as allowed under Article 89(2) GDPR.

With respect to this type of research, control rationales may be less stringent in accordance with a risk-based evaluation as the one conducted through the data protection impact assessment. Conversely, free flow of research data goals may gain priority, with the recalled limit provided under recital 162 GDPR. This may justify lower burdens for data controllers with respect to the safeguards under Article 89 GDPR, which would need to be modulated in consistency with the public-oriented nature of the enacted research activities. This means that in case of public interest-oriented purposes of the research, as the development of a vaccine, the safeguards could be restrained to the minimum normative requirements, to what is necessary to fuel data subjects’ confidence that the data is used only in a manner that is acceptable for the community.

As a regular test, the public oriented nature of the research indicates that the driving public interest benefits of a given data processing clearly outweigh the risks to the fundamental right to data protection and does not crashes its essence while for-profit reasons do not weigh in. In this perspective, public interest-targeted research should surely imply controllers’ observance of the general data protection principles recalled by Article 89(1) GDPR, expressly referring to “safeguards in accordance with this Regulation.” As occurs for commercial-based research, the principle of accountability is central also for public interest-oriented research to ensure the essence of personal data protection is not hindered. Processing activities for public interest research purposes should thus also comply with the minimum standard set by Article 89(1) GDPR, particularly regarding the principle of data minimization and the enactment of data pseudonymization techniques.

III. Mixing Interests in Private-Public Research

With respect to mixed private-public health datasets employed for research purposes, the data protection research regime should be calibrated based on the influence that commercial undertakings have within established research partnerships or organizations. The degree of influence of these entities indeed determines the risk of commercial “capture” of research results, especially when for-profit interests weigh in.

The involvement of for-profit organizations and thus their influence in the governance of research projects and results can be derived from specific parameters. In this respect, the Copyright Directive mentions some parameters that can be relevant also for the purposes of data protection. In particular, recital 12 of the Directive refers the influence by commercial-oriented organizations in research activities to “structural situations” as a qualified shareholder control or the presence of specific members of for-profit organizations in the management of research projects. These structural situations may engender a direct control by these organizations over research infrastructures and thus over initiated research patterns. As the recital suggests, these structural situations may in turn favor a preferential access to the results of the research by for profit organizations. Note also that such preferential access would be dealt with in separate agreements.

In the event a “decisive influence” of for-profit organizations over the established research partnership or organization exists, safeguards should be as strict as in the case of a fully for-profit conducted research. Conversely, in case the control of the research endeavors over mixed private-public datasets primarily resides onto the public entity, the identified mentioned data protection flexibilities could be exploited to the maximum.

However, under the GDPR, it is not who funds the research that matters, but its scope. The reason why this is so and why it is a better solution can be clarified by an example. Using the dichotomy under the Copyright Directive could prove to be difficult with respect to private-public partnerships established for grounds of public health protection, as is occurring in the fight against the Coronavirus pandemic. For instance, in the collaboration between private and public actors, as in the “Innovative Medicines Initiative,” based on a public-private partnership between the European Commission and the pharmaceutical industry,Footnote ¹⁷⁸ it might trigger the enactment of higher data protection safeguards and lower derogations from the ordinary regime, merely because of the presence of commercial-oriented stakeholders. Nonetheless, purposes of public health protection, and the need of immediate research actions, could conversely suggest a relaxation of data protection checkpoints. In the specific cases where mixed health data pools are employed for research purposes in the public interest in the area of public health, such as for the protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, the higher level of restrictions on the processing of special categories of personal data can be relaxed, in accordance with what is required for the processing for public interest purposes under Article 9(2)(j) GDPR, disregarding the public or private nature of the subjects involved.Footnote ¹⁷⁹