The European Union General Data Protection Regulation
What is the European Union General Data Protection Regulation (EU GDPR)?
The General Data Protection Regulation (GDPR) is a European privacy law in effect as of May 25, 2018. GDPR protects the personal data of individuals located in the European Economic Area (EEA), which includes the European Union, the United Kingdom, Iceland, Liechtenstein and Norway. When organizations, including UC, offer goods or services to people in the EEA or monitor the behavior of individuals in the EEA, any Processing of Personal Data must meet the requirements of GDPR. This includes UC’s research activities that involve the collection or analysis of Personal Data from individuals living in the EEA.
When does the EU GDPR apply to human subjects research activities?
Under GDPR, Personal Data refers to any information that can identify, or be used to identify individuals located in the EEA, otherwise known as a Data Subject. The law affords Data Subjects certain rights relating to the Processing of their Personal Data. Processing broadly refers to any use of Personal Data, and includes accessing, storing, combining and even deleting Personal Data. Further, Data Subjects have even greater rights under GDPR with respect to how more sensitive data, such as racial, ethnic, or health-related data, is processed.
Among other requirements, GDPR requires that Data Subjects, including research subjects, be informed about the Processing of their Personal Data. This obligation to inform can be met by providing the proper information in a notice of privacy made available to Data Subjects. Other uses of Personal Data in the research context, specifically the use of more sensitive data, the transfer of Personal Data to the United States, as well as the use of Personal Data to make decisions or predictions that could significantly affect a Data Subject (such as using Personal Data to enroll a Data Subject in a treatment arm of a study), require consent from the Data Subject.
What is Personal Data?
Personal Data is defined as “any information that relates to an identified or identifiable natural person.” Different pieces of information, which, when collected or used together can lead to the identification of a particular person, constitute Personal Data. The following types of Personal Data are some examples of Personal Data:
- A name and surname
- A home address
- An e-mail address of an individual
- An identification card number
- An Internet Protocol (IP) address
- A cookie ID
- Phone identifiers
- Demographic, behavioral or health-related information that could identify a person
Personal Data is more broadly defined than the types of data protected by any one U.S. federal or state privacy law, such as under the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA).
Coded data, referred to as Pseudonymized Data, is also subject to GDPR. Pseudonymized Data is Personal Data that can no longer be attributed to a specific Data Subject without the use of additional information such as a code key, provided that such additional information is kept separately and is subject to security measures to ensure that the Personal Data used in the research cannot be attributed to an identified or identifiable individual. Though Pseudonymized Data is still subject to GDPR, pseudonymization is an appropriate was to safeguard Personal Data. In fact, GDPR requires that Personal Data be pseudonymized if the purpose of the research can be accomplished by using Pseudonymized Data.
Data about individuals is not subject to GDPR only when it is anonymized. Anonymization is a high standard under GDPR: all direct and indirect identifiers of an individual must be removed, and the researcher must implement safeguards that ensure that the data can never be re-identified. For data to be truly anonymized under GDPR, the anonymization must be irreversible.
When GDPR Applies: Notice and Consent Requirements
GDPR requires that where Personal Data of a Data Subject in the EEA is collected, used, or accessed for research purposes, the researcher must provide the Data Subject specific information in a notice of privacy and, and under certain circumstances, must also obtain the explicit consent of the Data Subject for certain processing activities. (See Guidance on GDPR Notice and Consent.)
- GDPR Definitions
- Informed Consent and Privacy Notice [Chapter 3, Articles 12-14]
- Secondary Research [see also W29 Guidelines]
- Data Transfers [see also Chapter 4 Article 26, and standard international contractual clauses]
- Breach of Personal Data [Chapter 4 Articles 33-34]
- Fines for Infringement of this Regulation [Chapter 8 Article 83]