On 10 September 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published proposed reforms to the UK’s data protection regime – currently embodied in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 – in a 146-page document entitled, Data: A new direction. In it, the Government opines that “data is now one of the most important resources in the world” and that with the exit of the UK from the European Union, the country is in a position to “have the freedom to create a bold new data regime: one that unleashes data’s power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection”.
The consultation document makes a big deal about creating a more “pro-growth and pro-innovation data regime”, characterising the current regime as “unnecessarily complex or vague, and […] continu[ing] to cause persistent uncertainty over three years after its introduction”. The word “innovation” appears 62 times in the document and the word “innovate” appears 17 times, meaning more than once every two pages. The message is clear: what is driving this proposed reform is a desire to promote growth and innovation, primarily with a view to boosting British business.
In this blog post, I take issue with the discourse of “innovation” as an unalloyed good (lest we forget Cambridge Analytica), and the positioning of the current data protection regime as a block on innovation and a source of disproportionate and burdensome regulation. Specifically, I focus my analysis on the portion of the DCMS consultation document that speaks to scientific research (section 1.2 in Chapter 1 of the document). As I argue below, Data: A new direction proposes a radical overhaul of the existing data protection regime that risks creating uncertainty and confusion in the research community, rather than alleviating such concerns. Moreover, the proposed reforms do insufficient justice to the adequacy agreement the UK has agreed with the European Commission since June 2021 to enable ongoing flows of personal data between the two blocs. More particularly, the proposal generates increased risk to the fundamental rights of data subjects (including as research participants and patients). This means that far from promoting (responsible) innovation, were the UK Government’s data protection proposals to go ahead, innovation in research is more likely to be thwarted in the absence of sustained public trust in responsible use of personal data and adequate safeguards in place.
Let me focus on three specific proposals in the consultation document that bring these concerns into stark relief.
‘Consolidate and bring together’
First, the Government is proposing “to consolidate and bring together” the research-specific provisions across the UK GDPR and Data Protection Act 2018, as it views the existing provisions as too fragmented and confusing. Ostensibly, consolidation will allow researchers to navigate the relevant law more easily. However, there is no evidence presented in the consultation document that the research community is, in fact, finding difficulty in working through the existing provisions and structure of the data protection regime. Indeed, my own experience in working with research funders, international research consortia, and funded projects is that the challenge is not in making sense of the provisions because they are “dispersed across the existing legislation”; rather, problems arise with those bodies that exercise access decisions over data sharing (see below). This suggests a problem of overly-strict interpretation, not legislative structure. The data protection legislation, comprising primarily the two statutes Data Protection Act 2018 and UK GDPR, is drafted in a way that promotes logical coherence and structure, largely moving from principles (e.g. Article 5 UK GDPR) and general rules to specific rules within specific sectors, including scientific research. Before any restructuring takes place, careful consideration must be given to the effects, including incidental, this would have on data protection legislation as a whole, given the careful attention that has been given to drafting both primary pieces of legislation in a coherent manner. Moreover, details are lacking in the consultation as to what “consolidation and bringing together” would entail for the research-specific provisions as currently drafted (e.g. Article 89 UK GDPR), and it is unclear if the Government considers “consolidation” as distinct from “bringing together” (e.g. removal of provisions, combining of provisions), and if so, what this means for the current provisions in the law.
Finally, no amount of restructuring of the legal architecture will address problems of interpretation of the laws themselves.
A new lawful ground for scientific research
Second, the Government proposes to create a new, separate lawful ground for scientific research that would support researchers to select the best lawful ground for processing personal data. Interestingly, the European Commission’s original proposed text for the GDPR in January 2012 included a provision at draft Article 6(2) that stated, “[p]rocessing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83 [now Article 89].” This proposal did not survive the trilogue negotiations, and ultimately, what remains in data protection legislation is the scientific research exemption for processing special category data under Article 9(2)(j). It continues to remain unclear today that any expected benefit from introducing a new lawful ground under Article 6 would outweigh the drawbacks this would create for both researchers and data subjects, including concern about maintaining the adequacy agreement with the EU/EEA, which is crucial in turn for maintaining the UK’s reputation as a world leader in research (given our beneficial ties with European collaborators on many research projects across different fields of research). And this is not only a question of reputation. There are serious potential logistical issues that arise for international research (which is particularly prominent in the biomedical sector): to what extent, if at all, will a new UK data protection regime sufficiently align with the European one insofar as scientific research is concerned? How will researchers and data custodians be able to assess the scale of (mis)alignment? The greater the degree of regulatory divergence that emerges, the greater the likelihood of adding yet more layers of bureaucracy, with the research community having to juggle two regimes – whereas at least at the moment we know the regimes align. 
This can hardly be said to promote an environment where innovation in the scientific research sector can flourish.
There is uncertainty how this new lawful ground would interact with the existing special category processing exemption for scientific research under Article 9(2)(j), and there is uncertainty how this would interact with existing lawful grounds that are commonly used for scientific research, specifically Article 6(1)(e) for public bodies and Article 6(1)(f) for commercial organisations. It is worth recalling that consent is not commonly relied upon for scientific research, and moreover, is explicitly not encouraged by bodies such as the Health Research Authority as the appropriate lawful ground for scientific research.
Lastly, it is also unclear what (new) suitable safeguards would be in place, in addition to those already present in Article 89(1), to enable this new lawful ground to have resonance. It is worth noting that this proposal for a new lawful ground is particularly of concern given that “scientific research” is understood to have a broad meaning that encompasses commercial/privately funded organisations, not to mention research conducted by “citizen scientists” (i.e. those undertaking research activities in their home and who may not have institutional affiliation and proper bona fides to conduct scientific research). Now, a new lawful ground to process personal data for scientific research would in principle be available to such organisations. Yet, we know from extensive empirical research conducted in the UK (by groups such as Understanding Patient Data) that the public is considerably more sceptical of research involving their personal data when the entity is a commercial organisation. A new, separate lawful ground for scientific research, if drafted broadly and without robust safeguards in place, could lead to misuse and severe undermining of public trust. Indeed, even a well-meaning aim to enable more data processing for scientific research, and despite the existence of appropriate safeguards, could create the risk of undermining trust-building exercises with the public and eroding researchers’ social licence to operate, i.e. to process personal data in the absence of data subjects’ consent yet still with data subject and public support. Any new regime would require mechanisms to monitor and manage such a risk. Thus, ironically, and as noted above, the bureaucracy surrounding research might increase as a result.
No more information obligation to data subjects for further processing for research purposes
As a third example of concern regarding the proposed reforms in the area of scientific research, the Government proposes to disapply the current requirement in UK GDPR Article 13 for data controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing. More specifically, the Government proposes to replicate the Article 14(5)(b) exemption in Article 13. Briefly put, Article 14(5)(b) provides an exemption for controllers who process data collected indirectly from data subjects from providing information to the data subjects where there would be disproportionate effort to do so. The Government states this proposal to carry over the exemption into Article 13 would take effect only where that further processing is for a research purpose and where it would require a “disproportionate effort” for controllers to provide further information. As for rationale, the Government states that this existing information provision requirement under Article 13 “can be a barrier for research organisations. The effort and resource required to fulfil the requirement to contact data subjects may in some cases lead to research being unviable.” No evidence is cited that this information provision obligation has been a serious impediment for the research community.
More significantly, there is concern that the Government is conflating a duty to provide information to data subjects with a duty to contact data subjects. UK GDPR Article 12(1) stipulates quite clearly that “The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means” (emphasis added).
To my knowledge, this information provision obligation does not mean, as is suggested in the consultation document, that controllers have a requirement “to contact data subjects”; rather, they have an obligation to provide information in a concise, transparent, intelligible, and easily accessible form, and that may be accomplished by electronic means such as provision on a website. This is a sine qua non for fulfilling the transparency principle under Article 5. This information provided to data subjects is usually contained in a notice, statement, or policy. The Article 29 Data Protection Working Party has made it clear that, under Article 13, a controller must be proactive in providing the information to a data subject, meaning that “the data subject must not have to take active steps to seek the information covered . . . or find it amongst other information, such as terms and conditions of use of a website or app” (2018). This, however, is not to be conflated with a duty to contact each individual data subject.
In consequence, the obligation is to provide information rather than an obligation to contact data subjects directly. Understood thus, it is difficult to view this obligation as one that requires such a significant amount of time and resource that it would “lead to research being unviable”. Indeed, there is concern that replicating the terms of Article 14(5)(b) in Article 13 would significantly risk undermining data subject rights and undermine public trust in research, especially since Article 13 covers situations in which personal data are collected directly from data subjects. And again, there is no evidence provided in the consultation document, nor have I come across any indications of evidence in my own research, that the research community is facing difficulties complying with this information provision obligation under Article 13. Finally, as the consultation itself notes, removing this obligation creates risk that data processing would no longer remain “fair”, as per the principle in Article 5(1).
Data: a step in the wrong direction for research
There are many other areas of concern in this 146-page document, including other proposed reforms to the research provisions that the Government believes will help promote innovation. Alas, these three specific proposals alone should give us reason to pause and reflect on the risks associated with radically overhauling the data protection regime just a few years after the GDPR has gone into effect. This is particularly so because of the very real risks that it specifically creates for data subjects. For years, the UK has been a world leader in research and innovation within an existing European and internationally orientated data protection regime. This is, in my view, precisely because of the robust yet proportionate and pragmatic regulatory frameworks built around both research activities (be they clinical trials, human embryo research, social science research, and so on) and the processing of personal data. In the realm of data protection, an appropriate balance is struck between the free flow of data across the UK and internationally and the ability for researchers to process personal data, as against the importance of protecting and promoting the fundamental rights of data subjects, including respect for their private lives and their right to data protection. Overhauling the data protection regime will disrupt this careful balance to the likely strong detriment of both the research community and research participants/patients alike. The UK will be the worse for it. If the UK Government wishes to improve the regulatory environment for researchers, it would do better to start with clarifying and rationalising information governance processes within public bodies (including NHS Digital), which is the source of some criticism within the research community. 
Phrased another way, it is not law that’s the concern (be it data protection law or the common law duty of confidentiality, the latter of which necessarily differs across the UK); instead, it’s the interpretation of law, often in overly strict ways, that leads to problems. The solution is not to overhaul law, but rather to enable bodies – through guidance, recommendations, best practices, training and so on – to have the confidence to interpret the law in a way that continues to maintain harmonised alignment with the EU data protection regime and that therefore continues to strike an appropriate balance between promoting research and responsible innovation and maintaining high standards of data protection.
Edward Dove is Lecturer in Health Law and Regulation at Edinburgh Law School and Deputy Director of the Mason Institute.