
The EU General Data Protection Regulation Is Affecting—Maybe—Your Work

1 July 2018
ASA Privacy and Confidentiality Committee

    The European Union’s (EU) recently adopted General Data Protection Regulation (GDPR) marks a major transition in data privacy protections in the European Union. And it may affect approaches to data access and confidentiality protections more broadly, including in US research and other statistical activities.

    After four years of preparation and debate, the GDPR was approved and adopted by the EU Parliament in April 2016 and went into effect May 25, 2018. Many detailed daily practices remain to be worked out, including extraterritorial enforcement, but one thing is certain: The GDPR means more bureaucracy for all involved.

    The GDPR replaces the Data Protection Directive. (A regulation—as is the GDPR—is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal all EU countries must achieve. However, it is up to the individual countries to decide how.) Unlike the current EU privacy directive, an EU regulation does not require any enabling legislation by member nations. It is designed to harmonize data privacy laws across Europe, protect and empower all EU residents’ data privacy, and reshape the way organizations across the region approach data privacy. The regulation applies to EU members and nation states that are not EU members but are members of the EU economic area.

    In this increasingly data-driven world, where privacy cannot be completely guaranteed, the GDPR seeks to protect EU residents’ privacy against breaches and misuses of “personal data.” Personal data is defined broadly as any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified—directly or indirectly—in particular by reference to an identifier such as a name; identification number; location data; online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

    Some personal data is categorized as special data, which is essentially sensitive personal data covering religious or philosophical beliefs, health, racial or ethnic origin, trade union membership, political beliefs, sex life or sexual orientation, genetic data, and biometric data (including photos when used for the purpose of uniquely identifying a natural person) of individuals. The collection and use of special data is subject to greater restrictions than other types of personal data.

    Pseudonymization is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. This is the central feature of data protection by design. The GDPR looks favorably upon data controllers that keep “additional information” separate. To explain further, direct identifiers (name, Social Security number, or contact information) should be kept in a separate file from indirect identifiers, which can reveal identities if combined with additional data points. Personal data that has been pseudonymized (e.g., key-coded or as described above) falls short of being anonymized and therefore can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonymized data to a particular individual.
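As an added illustration of the key-coding approach described above (example code, not from the committee or the GDPR text), the following splits each record into a research file holding only indirect identifiers plus a random subject code, and a separately held key file that maps codes back to direct identifiers. The column names and sample records are constructed assumptions.

```python
import secrets

# Assumed column names for direct identifiers (name, ID number, contact info).
DIRECT_IDENTIFIERS = ("name", "ssn", "email")

# Constructed sample records; no real persons.
RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "email": "alice@example.org",
     "zip": "02138", "birth_year": 1981, "condition": "asthma"},
    {"name": "Bob Example", "ssn": "000-00-0002", "email": "bob@example.org",
     "zip": "02139", "birth_year": 1975, "condition": "diabetes"},
]


def pseudonymize(records, direct=DIRECT_IDENTIFIERS):
    """Key-code records: return (research_file, key_file).

    research_file keeps indirect identifiers plus a random code.
    key_file maps code -> direct identifiers and is the "additional
    information" that must be stored separately with tighter access.
    """
    research, key_file = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # unguessable, not derived from the subject
        key_file[code] = {f: rec[f] for f in direct if f in rec}
        research.append({"code": code,
                         **{k: v for k, v in rec.items() if k not in direct}})
    return research, key_file


def reidentify(research_record, key_file):
    """Re-attribute a research record to its subject; needs the key file."""
    return {**key_file[research_record["code"]], **research_record}


def leaks_direct_identifier(research, direct=DIRECT_IDENTIFIERS):
    """Sanity check before release: no direct identifier column survived."""
    return any(f in rec for rec in research for f in direct)
```

Note that the research file still carries indirect identifiers (ZIP code, birth year, condition), so it is pseudonymized rather than anonymized and, as the paragraph above explains, may remain within the GDPR's scope.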

    The GDPR has important extraterritorial applications. It applies to personal information on EU residents even when they are outside the EU. It applies not only to personal data controllers and processors located in the EU, but also to those located outside the EU if their activities involve personal information on EU residents.

    Coverage is triggered if the activities relate to offering goods or services to EU residents, irrespective of whether payment is required (e.g., over the internet), and to monitoring behavior that takes place in the EU. When personal information on non-EU residents (e.g., US residents) is transferred to an EU data controller or processor, that data becomes subject to the GDPR (Article 3).

    Of course, a privacy breach is always a serious matter. Under the GDPR, it is now also costly. Organizations—processors and controllers—in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts).

    Main Topics

    Main topics in the GDPR include the following:

    • In the GDPR, conditions for consent have been strengthened. Requests for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
    • Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.”

    GDPR has increased data transparency and empowers data subjects. It gives data subjects the right to obtain from the data controller confirmation of whether personal data concerning them is being processed, and if so, where and for what purpose. The controller shall provide a copy of the personal data, free of charge.

    The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing or a data subject’s withdrawal of consent.

    Privacy by design is also included in the GDPR. Privacy by design calls for data protection to be built in from the outset of system design, rather than added afterward. More specifically, “The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects.” Article 23.

    GDPR and Research

    Research occupies a privileged position in the GDPR. By harmonizing privacy legislation across the EU member states and carving out exemptions for scientific, historical, statistical, and health research, the GDPR seeks to reconcile the often-competing values of privacy and innovation.

    The research regime set out in Article 89 expressly allows across the EU the following:

    • Broad consents for scientific research where consent cannot be secured for all specific purposes at the outset of data collection
    • Further use of personal data for scientific or statistical research as a secondary compatible purpose
    • The right of the data subject to object to processing of personal data (unless necessary in public interest)
    • Restriction of the right of a data subject to exercise their “right to erasure” if it is likely to significantly impair processing for scientific research purposes
    • Relaxation of the storage limitation principle granting the ability to store personal data for longer periods
    • Isolated transfers of personal data to third countries taking into account legitimate expectations of society for an increase in knowledge

    Additionally, information obligations in scientific research do not apply if they would involve a disproportionate effort. This assessment takes into account the number of data subjects and the age of the data, and appropriate safeguards must be adopted. Furthermore, there is “no right to be forgotten” if it is likely to significantly impair processing for scientific research purposes. Use of the Article 89 research regime is subject to the following conditions:

    • Appropriate safeguards to protect the rights and freedoms of the data subject
    • Adequate technical and security measures entrenching the principle of data minimization and using pseudonymized data as default
    • Compliance with recognized ethical safeguards

    The grounds that researchers can use to process personal data are the following:

    • Consent of the data subject/research participant for the research purpose(s).
    • Legitimate interests of the data controller (or a third party). In determining what these legitimate interests are, you need to ensure you balance the interests of the controller with any prejudice to the rights and freedoms or the interests of the data subject. In assessing whether the data controller has a legitimate interest, you need to take into account the reasonable expectations of the data subject. Public authorities cannot base processing on this ground.
    • Performance of a public interest task or exercise of official authority.

    GDPR and EU-US Privacy Shield

    Under both the GDPR and the earlier directive, the EU doesn’t allow the transfer of data on EU residents outside the EU unless the country is deemed to have adequate data privacy laws. Unfortunately, the EU has deemed that the United States does not currently have adequate data privacy laws, but organizations can navigate this by adhering to the EU-US Privacy Shield.

    The EU-US Privacy Shield is a program in which participating US companies are considered to have adequate data protection and can therefore facilitate the transfer of EU data. The EU-US Privacy Shield’s predecessor, the Safe Harbour Framework, was overhauled because the EU did not consider this agreement strict enough on data protection for their citizens. The GDPR protects the data of all EU residents, regardless of whether they currently live in the EU.

    Being certified under the EU-US Privacy Shield can give your company a jump-start on fulfilling the GDPR’s standards and provide legal clarity and direction on the EU’s data protection laws, but it will not guarantee total GDPR compliance. It is also important to note that the EU-US Privacy Shield will be revisited every year and could change, so it is important to have an assigned employee/person to stay current with all the updates.

    Helpful Resources

    General Data Protection Regulation (GDPR) Guidance Note for the Research Sector: Appropriate Use of Different Legal Bases Under the GDPR.

    What You Need to Know About the EU-US Privacy Shield and the GDPR.

    ICO (2018) Guide to the General Data Protection Regulation (GDPR). Information Commissioner’s Office.

    ICO (2017) Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. Information Commissioner’s Office.

    Insights Association (2017) GDPR: FAQs on the EU General Data Protection Regulation.

    Maldoff, G. (2016) Top 10 Operational Impacts of the GDPR: Part 8 – Pseudonymization. The Privacy Advisor.
