
The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era

Published online by Cambridge University Press:  01 January 2021

Type: Columns: Currents in Contemporary Bioethics

Copyright © American Society of Law, Medicine and Ethics 2018


References

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [hereinafter GDPR].
Decision of the EEA Joint Committee No 154/2018 of July 6, 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement [2018/1022]. Membership of the EEA has grown to 31 states as of 2018: the 28 EU member states (which still includes the United Kingdom at the time of writing), as well as three of the four member states of the European Free Trade Association (EFTA): Iceland, Liechtenstein, and Norway. The other EFTA member, Switzerland, has not joined the EEA, but has a series of bilateral agreements with the EU that allows it also to participate in the internal market. Switzerland is currently revising its Federal Act on Data Protection to accord with the GDPR and maintain its “adequacy” status under Art. 45 of the GDPR.
Dove, E.S. and Phillips, M., “Privacy Law, Data Sharing Policies, and Medical Data: A Comparative Perspective,” in Gkoulalas-Divanis, A. and Loukides, G., eds., Medical Data Privacy Handbook (Cham: Springer, 2015). See also Information Commissioner's Office (ICO), Big Data, Artificial Intelligence, Machine Learning and Data Protection (2017), available at <https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-mland-data-protection.pdf> (last visited November 19, 2018); House of Lords Select Committee on Artificial Intelligence, AI in the UK: Ready, Willing and Able? (2018), available at <https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf> (last visited November 19, 2018).
Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [hereinafter Data Protection Directive].
In theory, the GDPR has direct effect in Member States and its default rules are always in place in the absence of national legislation. For an up-to-date list of EU Member State GDPR implementation laws and drafts, see IAPP, “EU Member State GDPR Implementation Laws and Drafts,” available at <https://iapp.org/resources/article/eu-member-state-gdpr-implementation-laws-and-drafts/> (last visited November 19, 2018). See also M. Fazlioglu, “What the GDPR Requires of and Leaves to the Member States,” available at <https://iapp.org/media/pdf/resource_center/GDPR-Derogations-Whitepaper-FINAL.pdf> (last visited November 19, 2018).
Under Article 2(d) of the GDPR, processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, is subject not to the GDPR, but rather to a separate EU law: Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (otherwise known in shorthand as the Law Enforcement Directive).
GDPR, Art. 2(c).
California Consumer Privacy Act of 2018, A.B. 375. See generally L. de la Torre, “GDPR matchup: The California Consumer Privacy Act 2018,” IAPP Privacy Tracker, July 31, 2018, available at <https://iapp.org/news/a/gdprmatchup-california-consumer-privacy-act/> (last visited November 19, 2018).
HIPAA Privacy Rule (“Standards for Privacy of Individually Identifiable Health Information: Final Rule”), 45 CFR Part 160 and Subparts A and E of Part 164.
Tzanou, M., “Data Protection as a Fundamental Right Next to Privacy?” International Data Privacy Law 3, no. 2 (2013): 88-99, at 89.
Poullet, Y., “Is the General Data Protection Regulation the Solution?” Computer Law & Security Review 34, no. 4 (2018): 773-778, at 778.
OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980, revised 2013), available at <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> (last visited November 19, 2018).
Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108 (1981), available at <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108> (last visited November 19, 2018). In 2018, the Council of Europe adopted an amending Protocol which updates Convention 108. As with Convention 108, the amending Protocol is open to any country in the world to sign. See Council of Europe, Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (2018), available at <https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf> (last visited November 19, 2018).
For a more complete history, see Bygrave, L.A., Data Privacy Law: An International Perspective (Oxford: Oxford University Press, 2014), at 54-56.
Data Protection Directive, supra note 5, Recitals 3, 5, 7 (promoting data flow across the EU) and Recitals 2, 3, 10, 11 (emphasizing the importance of protecting data subjects’ rights).
GDPR, Recital 9.
Charter of Fundamental Rights of the European Union (2000/C 364/01), Art. 8(1) (“Everyone has the right to the protection of personal data concerning him or her.”)
GDPR, Recital 9. See also Poullet, Y., “EU Data Protection Policy. The Directive 95/46/EC: Ten Years After,” Computer Law & Security Review 22, no. 3 (2006): 206-217, at 206.
Townend, D., “The Politeness of Data Protection: Exploring a Legal Instrument to Regulate Medical Research Using Genetic Information and Bio-banking” (PhD thesis, Maastricht University, 2012), at 48.
Id. See also Beyleveld, D. et al., eds., Implementation of the Data Protection Directive in Relation to Medical Research in Europe (Aldershot: Ashgate, 2004).
See e.g. Albrecht, J.P., “How the GDPR Will Change the World,” European Data Protection Law Review 2, no. 3 (2016): 287-289.
GDPR, Art. 5.
GDPR, Art. 30(1).
GDPR, Art. 5.
GDPR, Art. 25.
GDPR, Art. 35.
GDPR, Art. 30.
GDPR, Art. 83(5).
GDPR, Art. 83(4).
GDPR, Art. 7(2).
GDPR, Art. 6(1)(a).
GDPR, Art. 7(3).
GDPR, Art. 7(4).
GDPR, Art. 15.
GDPR, Art. 17.
GDPR, Art. 20.
GDPR, Art. 21.
GDPR, Art. 22.
GDPR, Art. 3(1).
GDPR, Art. 3(2).
GDPR, Art. 27. Importantly, this obligation does not apply to data processing which is 1) occasional, 2) does not include, on a large scale, processing of special categories of data (e.g. health-related data and genetic data), and 3) is unlikely to result in a risk to the rights and freedoms of data subjects, taking into account the nature, context, scope, and purposes of the processing. The obligation also does not apply to data processing performed by a public authority or body.
GDPR, Art. 3(3).
SACHRP, supra note 3.
GDPR, Art. 4(1).
Patrick Breyer v. Bundesrepublik Deutschland, Case C-582/14 (October 19, 2016). This case involved the predecessor 1995 Data Protection Directive, but the ratio endures.
S. and Marper v. United Kingdom [2008] ECHR 1581, Application nos. 30562/04 and 30566/04.
See Mourby, M. et al., “Are ‘Pseudonymised’ Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK,” Computer Law & Security Review 34, no. 2 (2018): 222-233. Mourby and colleagues argue convincingly that pseudonymized data can produce anonymous data for third parties, provided that pseudonymization is irreversible and re-identification is impossible as far as third parties are concerned.
45 CFR § 164.514(b).
In 2014, the Article 29 Data Protection Working Party issued an Opinion that highlighted various anonymization techniques and assessed their merits. This Opinion still has resonance under the GDPR. See Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (WP216) (2014).
These six legal bases are: (1) consent from the data subject; (2) necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) necessary for compliance with a legal obligation to which the controller is subject; (4) necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GDPR, Art. 9(2)(a)-(j). Some Member States based in the civil law tradition (e.g. Germany), however, adopt the Roman law principle that when there is a general condition and a specific condition, the specific condition replaces the general. Thus, in this case, they take the position that Article 9 is lex specialis, i.e. a specific (special) condition about the legal basis for processing that replaces the general Article 6 requirements. They see this as important in preventing the circumvention of the high barriers introduced by Article 9 — especially compared to Art. 6(1)(b) and Art. 6(1)(f) — which has no equivalent in Article 9. Other Member States, including those based on common law tradition (i.e. the UK) do not take this position and adopt the one mentioned in the main text of this article. See generally, F. Molnár-Gábor, “Germany: A Fair Balance between Scientific Freedom and Data Subjects’ Rights?” Human Genetics (forthcoming).
Dove, E.S., “Collection and Protection of Genomic Data,” in Gibbon, S. et al., Routledge Handbook of Genomics, Health and Society (New York: Routledge, 2018), at 163-164.
SACHRP, supra note 3.
Declaration of Helsinki (2013), para. 32.
GDPR, Art. 22(2)(c). An exception to this obligation is either where the automated decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; or is authorized by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.
These exceptions to the general rule prohibiting transfer of Europeans’ personal data to third countries are an adequacy decision pursuant to GDPR, Art. 45(3) and “appropriate safeguards” pursuant to Art. 46.
GDPR, Art. 49(1)(a).
Article 29 Working Party, Guidelines on consent under Regulation 2016/679 (WP259 rev.01) (2016), at 18-19.
Id., at 28.
The European Data Protection Board has replaced the Article 29 Working Party as the independent European body that contributes to the consistent application of data protection rules throughout the European Union, and that promotes cooperation between the EU's data protection authorities. See European Data Protection Board, available at <https://edpb.europa.eu/edpb_en> (last visited November 19, 2018).
GDPR, Art. 6(1)(f). See also Taylor, M.J. et al., “When Can the Child Speak for Herself? The Limits of Parental Consent in Data Protection Law for Health Research,” Medical Law Review 26, no. 3 (2018): 369-391.
GDPR, Recital 47.
GDPR, Art. 6(1)(e). The Explanatory Notes to the UK's Data Protection Act 2018, for example, state that “a [public] university undertaking processing of personal data necessary for medical research purposes in the public interest should be able to rely on [GDPR] Article 6(1)(e) [i.e. performance of a task carried out in the public interest].” See Explanatory Notes, Data Protection Act 2018, at para. 85, available at <http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpgaen_20180012_en.pdf> (last visited November 19, 2018).
GDPR, Recital 41 and Art. 6(3).
For previous discussion of a draft version of the GDPR as well as the final version, and its implications for scientific research, see Dove, E.S., Townend, D., Knoppers, B.M., “Data Protection and Consent to Biomedical Research: A Step Forward?” Lancet 384, no. 9946 (2014): 855; E.S. Dove, B. Thompson, and B.M. Knoppers, “A Step Forward for Data Protection and Biomedical Research,” Lancet 387, no. 10026 (2016): 1374-1375.
GDPR, Recital 159 (emphasis added).
Health Research Authority, “Safeguards,” available at <https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-detailed-guidance/safeguards/> (last visited November 19, 2018).
GDPR, Art. 9(2)(h).
GDPR, Art. 9(2)(i).
GDPR, Art. 9(2)(j).
GDPR, Recital 61. See also Health Research Authority, “GDPR Guidance,” available at <https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/> (last visited November 19, 2018).
GDPR, Arts. 15, 16, 18, 21.
GDPR, Art. 21(6).
GDPR, Recital 50 and Art. 5(1)(b).
GDPR, Art. 45(1). See also Stoddart, J., Chan, B., and Joly, Y., “The European Union's Adequacy Approach to Privacy and International Data Sharing in Health Research,” Journal of Law, Medicine & Ethics 44, no. 1 (2016): 143-155.
Privacy Shield Framework, available at <https://www.privacyshield.gov/welcome> (last visited November 19, 2018).
Privacy Shield Framework, “FAQs,” available at <https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1> (last visited November 19, 2018).
GDPR, Arts. 46(2) and (3), 47.
GDPR, Art. 49(1)(a).
GDPR, Art. 49(3).
GDPR, Art. 49(1)(d).
GDPR, Recital 111.
GDPR, Recital 112.
GDPR, Recital 113.
See also Health Research Authority, “GDPR Guidance,” supra note 77.
See GDPR Arts. 6, 8, 9, 22, 89. In the non-scientific research context, Member State derogations are also allowed in GDPR Arts. 10, 23, 36, 37, 38, 49, 58, 83, 87, 88, and 90. See generally Fazlioglu, supra note 6.
For a theoretically-based argument as to why guidance is important, see Laurie, G. et al., “Charting Regulatory Stewardship in Health Research: Making the Invisible Visible?” Cambridge Quarterly of Healthcare Ethics 27, no. 2 (2018): 333-347.
See BBMRI-ERIC, available at <http://www.bbmri-eric.eu/> (last visited November 19, 2018).
See Code of Conduct for Health Research, available at <http://code-of-conduct-for-health-research.eu/> (last visited November 19, 2018).
GDPR, Art. 46(2)(e).
On this point, see also Dove, E.S., “Biobanks, Data Sharing, and the Drive for a Global Privacy Governance Framework,” Journal of Law, Medicine & Ethics 43, no. 4 (2015): 675-689.