OTHER LEGITIMATE GROUNDS FOR HEALTH RESEARCH

Research related to vaccine development, or objectives aimed at containing COVID-19 that focus on social benefits, may be able to rely on “public interest” under Article 6(1)(e) as a lawful basis for processing personal data. EDPB guidance identifies public interest as one of the most suitable lawful grounds for scientific research related to the coronavirus.[1] Whether public interest is available depends on the domestic law of the member state concerned, since Article 6(3) requires the basis for such processing to be laid down in Union or Member State law.[2] Medical law may provide safeguards that allow researchers to process personal data for health research related to the coronavirus. Private organisations such as testing companies, pharmaceutical companies and university research teams may not be able to rely on public interest as a lawful ground for processing genetic data, and may therefore need to seek an alternative.

“Legitimate interests” under Article 6(1)(f) could be one such alternative. Unlike the other lawful grounds in Article 6, legitimate interests are not tied to a specific purpose.[3] This flexibility leaves room for the controller to process personal data as long as there are reasonable grounds for doing so.[4] A controller can rely on legitimate interests except where those interests are overridden by “the interests or fundamental rights and freedoms of the data subject”. It is the controller’s responsibility to identify its own legitimate interests and to determine whether pursuing them would be detrimental to the interests of the individual. In taking on that responsibility, the controller must still satisfy the principles of “lawfulness, fairness, and transparency”.[5]

Article 6(1)(f) gives rise to a three-part test for legitimate interests.[6] Controllers must show that: (1) they have a legitimate interest in collecting and processing the personal data for research (the purpose test), (2) the processing is necessary for that purpose (the necessity test), and (3) their interest is not overridden by the interests, rights and freedoms of the individual (the balancing test).[7]

For the first step, controllers must identify a precise desired outcome at the time of processing.[8] Generic reasons are not sufficient,[9] and data subjects can use a “data subject access request” to find out how their data are being processed[10] and can object if they consider the claimed legitimate interests unreasonable.[11] The burden of proof therefore lies with the controller, who must show valid and justifiable reasons.[12] The second step is not absolute: it asks whether processing the data for the specific health research purpose is “proportionate and adequate”, and whether the same purpose could reasonably be achieved in a less intrusive way.[13] The third step is a balancing exercise that prevents the interests of the controller from overriding the rights, interests and freedoms of the individual. There is room for interpretation here, as the GDPR does not define the scope of “rights, interests, and freedoms”; Recital 75 simply lists the risks that processing may pose to an individual, including “physical, material or non-material damage”.[14]

Reasonable expectations play an important role. Article 6(1)(f) sets out a balancing test in which the interests of data subjects take priority over those of the controller. First, controllers are required to be transparent: data subjects must be clearly informed how their data are used.[15] Data subjects also retain the right to object to processing based on legitimate interests at any time.[16] Second, the balancing test is objective, and takes into consideration what a reasonable person would expect when their data are collected and processed for research purposes.

The relationship between the individual and the controller is a core factor in assessing reasonable expectations. Recital 47 states that, when relying on legitimate interests, the “reasonable expectations of data subjects based on their relationship with the controller… such as the client relationship” must be considered.[17] However, a reasonable expectation does not by itself settle the balance: legitimate interests cannot be used as a lever to override the interests, rights and freedoms of the data subject merely because such an expectation exists.[18]

Generally speaking, legitimate interests are available only to the private sector, since the final sentence of Article 6(1) excludes processing carried out by public authorities in the performance of their tasks. Although Recital 157 does not specify whether health research conducted by a private entity can rely on legitimate interests, it highlights the social benefits of scientific and health research, stating that “researchers can obtain new knowledge of great value with regard to widespread medical conditions” and for “improving the quality of life”.[19]

Article 6 sets out other lawful grounds relevant to health care and treatment, but these do not map neatly onto health research. Article 6(1)(c) concerns the legal obligations of the controller[20] and allows public health authorities to use personal data to report positive diagnoses and to monitor who came into close contact with patients.[21] Article 6(1)(d) allows the controller to process personal data where necessary to protect the vital interests of an individual, such as in life-critical situations.[22] This raises the question of whether health research engages any individual vital interest at all, since health research aims to improve the general health of society rather than to protect a particular individual.[23] On that reading, Article 6(1)(d) is not a valid ground for processing data in health research. It may nonetheless be arguable where personal data are used in vaccine trials or to trace the source of positive diagnoses, since such research aims to contain the spread of the virus and reduce the chance of infection, and so bears on the vital interests of the subjects.[24]

Nevertheless, WP29 has stated clearly that the vital interests ground in Article 6(1)(d) does not extend to large-scale data processing, even where it is used to mitigate a public health crisis.[25] Furthermore, the EDPB does not consider vital interests a lawful basis for processing personal data to track and monitor the behaviour of data subjects.[26]

Recital 50 addresses the further processing of personal data for scientific research on a compatible basis. Where “the processing is compatible with the purposes for which the personal data were initially collected”, no legal basis separate from the one that allowed the initial collection is required.[27] Recital 50 thus also covers the “retrospective use” of health data.[28] As such, researchers could potentially rely on the original lawful ground when processing data for a different objective from the one for which the data were collected. For example, public authorities could first process data for virus testing and then re-use the data for health research: the initial purpose is virus testing, and the secondary purpose is health research.

Under Recital 50, researchers may therefore be able to process data collected for another purpose in secondary research for vaccine development, relying on the original lawful basis, provided the research is “compatible with the original purposes”.[29] Article 5(1)(b) provides that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”.[30] As long as the scientific research serves the public interest and the appropriate safeguards under Article 89(1) are adopted, it is likely to be treated as compatible with the initial purposes.

The EDPS points out that Article 5(1)(b) contains no specific permission for a new controller to process the data subsequently for health research purposes.[31] The question remains whether the further processing is “incompatible with the initial purpose”, and the word “compatible” is vague. As a result, subsequent controllers may take unfair advantage of the unclear meaning of “compatible” to process the data.[32] The EDPB did not express a view on the collection and processing of data for scientific research in its recent guidelines. Given the broad scope of compatibility, a new controller may be tempted to use Article 5(1)(b) and Recital 50 as a Trojan horse to further process health data for research related to COVID-19, which would undermine the purpose-limitation principle of the GDPR. Data subjects should nevertheless be informed under Article 13(3) that their data will be used for secondary research.[33] It is worth noting that this information obligation may be lifted where providing the information would involve a “disproportionate effort”, which Recital 62 indicates may in particular be the case for scientific research.[34]

Genetic data fall within the special categories of personal data under Article 9 of the GDPR. Article 9(1) prohibits the processing of genetic data and health data unless one of the conditions in Article 9(2) is met. It is therefore not sufficient for researchers processing genetic data for health research to identify an Article 6 lawful ground, as discussed above; they must also satisfy a separate Article 9(2) condition for collecting and processing health data for research.[35]

Explicit consent is one option for processing health data. Article 9(2)(a) requires “explicit consent to the processing of those personal data for one or more specified purposes”. Explicit consent is also the standard the GDPR uses elsewhere: for automated individual decision-making under Article 22(2)(c)[36] and for international transfers in the absence of an adequacy decision under Article 49(1)(a), where the data subject must first be informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.[37] The EDPS suggests that explicit consent should be given by a statement in which the participant clearly expresses consent to the scientific research.[38] In practice, however, there are difficulties in interpreting what “specified” purposes require. Broad consent under Recital 33 is an option, but the WP29 consent guidelines state that in this context a “stricter interpretation and high degree of scrutiny is required”.[39] The EDPS also affirms that health research should comply with “sector-related methodological and ethical standards”.[40] This restrictive approach may impose additional burdens on a controller, who may then wish to seek an alternative basis for processing genetic data for health research.

The controller may instead consider relying on public interest in the area of public health under Article 9(2)(i), or on scientific research under Article 9(2)(j), for processing genetic data in health research related to COVID-19. Article 9(2)(i) makes processing lawful where it is necessary for reasons of “public interest in the area of public health, such as protecting against serious cross-border threats to health”.[41] Health research aimed at containing the global pandemic, preventing the spread of infection and exploring COVID-19 treatments fits this description. The processing must, however, rest on Union or Member State law that provides suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.[42]

Another option is scientific research under Article 9(2)(j), which has a wider scope and does not depend on any link to COVID-19. Controllers wishing to rely on this basis must show that the processing is “necessary for … scientific … research purposes in accordance with Article 89(1)” and comply with the safeguards in that Article.[43] The processing must also be based on Union or Member State law that is “proportionate to the aim pursued”, respects “the essence of the right to data protection” and provides “suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.[44]

Recital 52 adds that such derogations for health research are permitted where “provided for by Union or Member State law and subject to suitable safeguards”.[45] However, the wording “suitable and specific measures to safeguard” in Article 9(2)(j) is broad; it might refer to pseudonymisation and to proportionality tests that minimise the risks of processing and transferring genetic data.[46] Although the GDPR does not define these words, Article 89(2) allows Union or Member State law to derogate from the rights of access[47], rectification[48], restriction of processing[49] and objection[50] where those rights would otherwise seriously impair the research purposes.[51] Recital 156 elaborates on the conditions under which Member States may provide such specifications and derogations when sensitive data are processed for health research.[52]

Article 89(1) sets out the safeguards for processing data for research, but they are rather vague and leave Member States to define their own.[53] Pseudonymisation is named in Article 89(1) as one such safeguard, to be applied where the research purpose can still be fulfilled in that manner. If controllers obtain approval from a body such as a research ethics committee[54], they may be able to use identifiable data for health research without the prior consent of the data subject.[55] In that case the committee weighs the overall social benefit against the risk to the individual. Allowing identifiable data in this way stops pseudonymisation from constraining COVID-19 research and makes it possible to identify the source of infection,[56] but it may also open Pandora’s box for the future processing of genetic data. Professional secrecy rules under domestic legislation might then be the final line of defence.[57]

Article 9(4) allows Member States to maintain or introduce further conditions, including limitations, on the processing of genetic data, biometric data or data concerning health, so each state may pass its own rules on genetic data for health research. The resulting divergence between countries has created an obstacle to cross-border health research for developing a COVID-19 vaccine. Two proposals have been made for easing the sharing of genetic data. First, countries should establish controlled access, in which researchers processing identifiable data for health research are monitored and their access is controlled.[58] Second, data security measures such as encryption can be strengthened.[59] However, the EDPB has not provided clear guidance on the processing of genetic data across Member States during the pandemic.[60] It is to be hoped that clear, harmonised safeguards for health research will be established under the GDPR.

[1] European Data Protection Board “Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (2019) art. 70.1.b. at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_en.pdf> [accessed 21 October 2020].

[2] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.3.

[3] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[4] Ibid.

[5] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[6] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[7] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[8] Ibid.

[9] Ibid.

[10] Luke Irwin “The GDPR: How to respond to data subject access requests” (2020) at <https://www.itgovernance.eu/blog/en/the-gdpr-how-to-respond-to-data-subject-access-requests> [accessed 22 October 2020].

[11] Luke Irwin “The GDPR: Legitimate interest – what is it and when does it apply?” (2020) at <https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply> [accessed 22 October 2020].

[12] Luke Irwin “The GDPR: How to respond to data subject access requests” (2020) at <https://www.itgovernance.eu/blog/en/the-gdpr-how-to-respond-to-data-subject-access-requests> [accessed 22 October 2020].

[13] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[14] GDPR of 2018, Recital 75.

[15] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[16] Ibid.

[17] GDPR of 2018, Recital 47.

[18] ICO “What is the ‘legitimate interests’ basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/> [accessed 22 October 2020].

[19] GDPR of 2018, Recital 157.

[20] GDPR of 2018, Article 6(1)(c).

[21] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.3.

[22] GDPR of 2018, Article 6(1)(d).

[23] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.3.

[24] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.3.

[25] Article 29 Data Protection Working Party “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (2014) at <https://ec.europa.eu/justice/article-29/press-material/public-consultation/notion-legitimate-interests/files/20141126_overview_relating_to_consultation_on_opinion_legitimate_interest_.pdf> [accessed 23 October 2020].

[26] European Data Protection Board “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf> [accessed 23 October 2020].

[27] GDPR of 2018, Recital 50.

[28] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p153.

[29] Ibid.

[30] GDPR of 2018, Article 5(1)(b).

[31] European Data Protection Supervisor “A Preliminary Opinion on data protection and scientific research” (2020) at <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf> [accessed 23 October 2020].

[32] Dove ES “The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era” J Law Med Ethics (2019) 46(4): 1013-1030 (10.1177/1073110518822003).

[33] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p153.

[34] GDPR of 2018, Recital 62.

[35] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.4.

[36] GDPR of 2018, Article 22(2)(c).

[37] GDPR of 2018, Article 49(1)(a).

[38] European Data Protection Supervisor “A Preliminary Opinion on data protection and scientific research” (2020) at p.19 <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf>.

[39] Article 29 Data Protection Working Party “Guidelines on consent under Regulation 2016/679” (2018) [accessed 24 October 2020]. It states that ‘when special categories of data are processed on the basis of explicit consent, applying the flexible approach of Recital 33 will be subject to stricter interpretation and requires a high degree of scrutiny’. See also Victoria Chico “The impact of the General Data Protection Regulation on health research” (2018) British Medical Bulletin, Volume 128, Issue 1, December 2018, Pages 109–118 at <https://academic.oup.com/bmb/article/128/1/109/5184942>.

[40] European Data Protection Supervisor “A Preliminary Opinion on data protection and scientific research” (2020) at p.12 <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf>. The EDPS sets out three criteria for scientific research falling under the special data protection regime: (1) ‘personal data are processed’, (2) ‘relevant sectoral standards of methodology and ethics apply, including the notion of informed consent, accountability and oversight’ and (3) ‘the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests’. See also Speech by Giovanni Buttarelli (12 April 2018), op. cit., p.2, and the opinion of AG Mancini in Case 234/83 Gesamthochschule Duisburg v Hauptzollamt München-Mitte [1985]: ‘scientific activities must be interpreted as including activities carried on by a public or private establishment engaged in education or research for the purpose of furthering the acquisition, development, exposition or dissemination of scientific knowledge’.

[41] GDPR of 2018, Article 9(2)(i).

[42] European Data Protection Board, ‘Guidelines – Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak’, [2020] at p8.

[43] GDPR of 2018, Article 9(2)(j).

[44] Ibid.

[45] GDPR of 2018, Recital 52. See also Gabe Maldoff “How GDPR changes the rules for research” (2016) at <https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/>.

[46] Georgieva L and Docksey C. “Processing of special categories of personal data” In: Kuner C, Bygrave LA, Docksey C, The EU General Data Protection Regulation (GDPR): A Commentary, New York, Oxford University Press (2020). See also Article 29 Data Protection Working Party “Advice paper on special categories of data (“sensitive data”)” (2011) at <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf> [accessed 25 October 2020].

[47] GDPR of 2018, Article 15.

[48] GDPR of 2018, Article 16.

[49] GDPR of 2018, Article 18.

[50] GDPR of 2018, Article 21.

[51] GDPR of 2018, Article 89(2).

[52] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p153.

[53] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p154.

[54] Ethics committees assess the potential risk that the research may pose to the data subject, weighing the overall social benefit against the cost to the individual.

[55] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p154.

[56] McCall B “European Parliament supports data protection reforms” (2014) Lancet 383:1115. See also Di Iorio C, Carinci F and Oderkirk J “Health research and systems’ governance are at risk: should the right to data protection override health?” J Med Ethics (2014) 40:488-92.

[57] Regina Becker, Adrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigating the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.4.

[58] Shabani M, Knoppers BM and Borry P “From the principles of genomic data sharing to the practices of data access committees” EMBO Mol Med. (2015) 7:507-9. See also Ohm P. “Broken promises of privacy: responding to the surprising failure of anonymization” UCLA Law Rev. (2010) 57:1701. Ohm is of the view that “Researchers should be allowed to release full, unscrubbed databases to verifiably trusted third parties, subject to new controls on use, and new penalties for abuse”.

[59] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ European Journal of Human Genetics (2018) 26:149-156 at p154.

[60] European Data Protection Board “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf> [accessed 25 October 2020].