Seebohm-15-09-15_GDPR_WMA_KORR

.
The Reform of
European Data Protection Law
– Why does it matter to the discussion? –
RA Annabel Seebohm, LL.M.
Legal Advisor, World Medical Association
The WMA Copenhagen meeting On Health Databases and Biobanks
Copenhagen, 15 September 2015
Outline
• European Commission Proposal
• Stakeholder
• European Parliament
• Council
• Conclusions
• Outlook
European Commission Proposal
Objectives
• Harmonize the current patchy data protection laws in
Member States by a single European regulation
• Adapt data protection law to the needs of the
21st century
• Privacy by design
European Commission Proposal
Process
• European Commission proposal January 2012
• European Parliament amendments March 2014
• Council amendments June 2015
• Trilogue negotiations June – December 2015
European Commission Proposal
Aspects
• Principles: Data minimisation and purpose limitation
• Consent: Processing of personal data is lawful only if
based on consent, contract, compliance with a legal
obligation or a claim.
• Safeguards: Processing of sensitive data including
data concerning health is prohibited unless:
– explicit consent is given or
– sector specific exemptions apply allowing processing
which is necessary e. g. for healthcare and research
without explicit consent provided national laws and
specific safeguards/guarantees are in place.
Stakeholder
Stakeholder
Stakeholder
Stakeholder
Stakeholder
Stakeholder
European Parliament
European Parliament
European Parliament
European Parliament
European Parliament
European Parliament
Article 81
Processing of personal data concerning health
In accordance with the rules set out in this Regulation, in particular with point (h) of Article 9(2), processing of personal data concerning health must
be on the basis of Union law or Member State law which shall provide for suitable, consistent, and specific measures to safeguard the data subject’s
interests and fundamental rights, to the extent that these are necessary and proportionate […]
European Parliament Final
1a. When the purposes referred to in points (a) to (c) of paragraph 1 can be achieved
without the use of personal data, such data shall not be used for those purposes,
unless based on the consent of the data subject or Member State law.
1b. Where the data subject’s consent is required for the processing of medical data
exclusively for public health purposes of scientific research, the consent may be
given for one or more specific and similar researches. However, the data subject
may withdraw the consent at any time.
1c. For the purpose of consenting to the participation in scientific research activities
in clinical trials, the relevant provisions of Directive 2001/20/EC shall apply.
2. Processing of personal data concerning health which is necessary for historical,
statistical or scientific research purposes shall be permitted only with the consent
of the data subject, and shall be subject to the conditions and safeguards referred
to in Article 83.
2a. Member States law may provide for exceptions to the requirement of consent for
research, as referred to in paragraph 2, with regard to research that serves a high
public interests, if that research cannot possibly be carried out otherwise. The data
in question shall be anonymised, or if that is not possible for the research
purposes, pseudonymised under the highest technical standards, and all necessary
measures shall be taken to prevent unwarranted re-identification of the data […]
Council
Article 83
Derogations applying to processing of personal data for archiving
purposes in the public interest or for scientific, statistical and
historical purposes
[…]
2. The appropriate safeguards referred to in paragraphs 1 and 1a
shall be laid down in Union or Member State law and be such to
ensure that technological and/or organisational protection
measures pursuant to this Regulation are applied to the personal
data […], to minimise the processing of personal data in
pursuance of the proportionality and necessity principles, such as
pseudonymising the data, unless those measures prevent
achieving the purpose of the processing and such purpose cannot
be otherwise fulfilled within reasonable means.
Council
Article 5
Principles relating to personal data processing
1. Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to
the data subject;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes;
further processing of personal data for archiving purposes in the
public interest or scientific, statistical or historical purposes shall
in accordance with Article 83 not be considered incompatible with
the initial purposes;
Conclusions
• Notwithstanding lingering questions as to the principle
of purpose limitation (and the reuse of data plus
consent needed), the Commission and Council
approaches reaffirm the status quo in scientific
research in that it‘s „Member States business“.
• A harmonised European approach towards scientific
research including the use of health data bases and
biobanks appears desirable.
• To achieve a harmonised European approach by law –
as of today – appears unrealistic. Also, data protection
law may not be the right place to resolve ethical
questions pending in medical research.
• Are codes of conduct a possible alternative?
Outlook
Article 38
Codes of conduct
[…]
1a. Associations and other bodies representing categories of
controllers or processors may prepare codes of conduct, or amend
or extend such codes, for the purpose of specifying the application
of provisions of this Regulation, such as:
(a) fair and transparent data processing;
(aa) the legitimate interests pursued by controllers in specific contexts;