Health Data in Data-driven Research: Processing under the GDPR’s Scientific Research Exemption
(2024) JURM02 20241Department of Law
Faculty of Law
- Abstract
- The digitalization of the healthcare sector has resulted in an increasing source of health data, enabling the implementation of artificial intelligence (AI) in healthcare. There is great optimism that AI will have a significant impact on all areas of healthcare. The processing of health data is generally prohibited by the General Data Protection Regulation (GDPR). However, article 9(2)(j) GDPR provides for an exemption when the processing is carried out for sci-entific research purposes. The scientific research regime in the GDPR further includes exceptions from principles and obligations and allows for derogations from several data subjects’ rights. The scope of the scientific research exemption is not entirely clear, as the GDPR does not... (More)
- The digitalization of the healthcare sector has resulted in an increasing source of health data, enabling the implementation of artificial intelligence (AI) in healthcare. There is great optimism that AI will have a significant impact on all areas of healthcare. The processing of health data is generally prohibited by the General Data Protection Regulation (GDPR). However, article 9(2)(j) GDPR provides for an exemption when the processing is carried out for sci-entific research purposes. The scientific research regime in the GDPR further includes exceptions from principles and obligations and allows for derogations from several data subjects’ rights. The scope of the scientific research exemption is not entirely clear, as the GDPR does not contain a binding definition of “scientific research purposes” and as rules may vary by Member State.
The thesis examines the legal impact of the GDPR in relation to Swedish companies engaging in data-driven research, by asking to what extent Swedish companies can claim the scientific research exemption in Article 9(2)(j) GDPR when processing health data. In Swedish law, ethical review pursuant to the Swedish Ethical Review Act is required to process health data under the scientific research exemption. Therefore, the relationship between “scientific research purposes” in the GDPR and “research” as defined in the Ethical Review Act is examined. The thesis concludes that neither the GDPR nor the Ethical Review Act preclude private entities or activities that are undertaken with a commercial interest. As the definition of research in the Ethical Review Act focuses on the acquirement of new knowledge and the theoretical and/or practical value of research, the thesis argues that the definition sets forth a higher threshold of what constitutes research than the GDPR. Companies that are primarily driven by commercial interests might have difficulties clarifying the scientific value of their activities. A disadvantage is that the definition of research in the Ethical Review Act and its territorial scope do not align with that of the GDPR, creating a fragmented legal framework within the EU.
Secondly, the thesis asks how the scientific research regime and its implementation in Swedish law balance the interests of data subjects against the interests of controllers, and how this balance might affect data-driven research. It concludes that the scientific research regime appears at first sight to shift the balance of interests significantly in favor of the controller. However, it is often required that the provisions' application would render impossible or seriously impair the achievement of scientific research, thereby narrowing the scope of the framework. The thesis highlights Sweden’s passive stance in terms of legislation, for example by refraining from introducing the possibility to derogate from certain rights of the data subject. While this may adversely affect the flexibility of companies engaging in data-driven research, the biggest challenge is to overcome the conflict between the GDPR and research involving substantial amounts of personal data. (Less) - Abstract (Swedish)
- Digitaliseringen av hälso- och sjukvårdssektorn har resulterat i en ständigt
växande tillgång till hälsodata, vilket möjliggör implementeringen av artificiell intelligens (AI) inom hälsosektorn. Det finns en stor tilltro till att AI
kommer att ha en betydande inverkan på alla delar av hälso- och sjukvården.
Behandlingen av hälsodata är i allmänhet förbjuden enligt EU:s dataskyddsförordning (GDPR). Artikel 9.2 j GDPR föreskriver dock ett undantag när
behandlingen utförs för vetenskapliga forskningsändamål. Bestämmelserna
om vetenskaplig forskning i GDPR medger vidare undantag från principer
och skyldigheter samt tillåter undantag från vissa av den registrerades rättigheter. Omfattningen av undantaget för vetenskaplig forskning är... (More) - Digitaliseringen av hälso- och sjukvårdssektorn har resulterat i en ständigt
växande tillgång till hälsodata, vilket möjliggör implementeringen av artificiell intelligens (AI) inom hälsosektorn. Det finns en stor tilltro till att AI
kommer att ha en betydande inverkan på alla delar av hälso- och sjukvården.
Behandlingen av hälsodata är i allmänhet förbjuden enligt EU:s dataskyddsförordning (GDPR). Artikel 9.2 j GDPR föreskriver dock ett undantag när
behandlingen utförs för vetenskapliga forskningsändamål. Bestämmelserna
om vetenskaplig forskning i GDPR medger vidare undantag från principer
och skyldigheter samt tillåter undantag från vissa av den registrerades rättigheter. Omfattningen av undantaget för vetenskaplig forskning är däremot inte
klarlagt, eftersom GDPR saknar en bindande definition av ”vetenskapliga
forskningsändamål” och eftersom reglerna kan variera mellan medlemsstaterna.
Uppsatsen undersöker GDPRs rättsliga inverkan på företag som bedriver dataintensiv forskningsverksamhet, genom att utreda i vilken utsträckning
svenska företag kan åberopa undantaget för vetenskaplig forskning i artikel
9.2 j GDPR vid behandling av hälsodata. Enligt svensk rätt föreskrivs etikprövning enligt etikprövningslagen som ett krav för att behandla hälsodata
med stöd av undantaget. Förhållandet mellan ”vetenskapliga forskningsändamål” i GDPR och definitionen av ”forskning” i etikprövningslagen utreds
därför. Uppsatsen drar slutsatsen att varken GDPR eller etikprövningslagen
utesluter privata aktörer eller kommersiella intressen. Eftersom definitionen
av forskning i etikprövningslagen fokuserar på inhämtandet av ny kunskap
och forskningens teoretiska och/eller praktiska värde, anses den uppställa
högre krav för vad som utgör forskning än GDPR. Företag som primärt drivs
av kommersiella intressen kan ha svårt att tydliggöra det vetenskapliga värdet
i sin verksamhet. En nackdel är att definitionen av forskning i etikprövningslagen och dess territoriella tillämpningsområde inte överensstämmer med
GDPRs, vilket skapar ett fragmenterat regelverk inom EU.
Uppsatsen undersöker vidare hur GDPRs regelverk kring vetenskaplig forskning och implementeringen av detta i svensk rätt balanserar den registrerades
intressen mot den personuppgiftsansvariges, samt hur denna avvägning kan
påverka dataintensiv forskningsverksamhet. Uppsatsen drar slutsatsen att bestämmelserna vid första anblick tydligt är till förmån för den personuppgiftsansvarige. Det krävs dock ofta att tillämpningen av bestämmelserna skulle
göra det omöjligt eller mycket svårare att uppfylla de särskilda ändamålen,
vilket begränsar tillämpningsområdet. Uppsatsen belyser att Sverige har agerat passivt i lagstiftningshänseende, till exempel genom att avstå från att införa möjligheten att föreskriva undantag från vissa av den registrerades rättigheter. Även om detta kan ha en negativ inverkan på flexibiliteten för företag som bedriver dataintensiv forskning är den största utmaningen att hantera
den konflikt som finns mellan GDPR och dataintensiv forskningsverksamhet. (Less)
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/9152390
- author
- Bockasten, Anna LU
- supervisor
- organization
- course
- JURM02 20241
- year
- 2024
- type
- H3 - Professional qualifications (4 Years - )
- subject
- keywords
- EU-law
- language
- English
- id
- 9152390
- date added to LUP
- 2024-06-11 11:37:38
- date last changed
- 2024-06-11 11:37:38
@misc{9152390,
abstract = {{The digitalization of the healthcare sector has resulted in an increasing source of health data, enabling the implementation of artificial intelligence (AI) in healthcare. There is great optimism that AI will have a significant impact on all areas of healthcare. The processing of health data is generally prohibited by the General Data Protection Regulation (GDPR). However, article 9(2)(j) GDPR provides for an exemption when the processing is carried out for sci-entific research purposes. The scientific research regime in the GDPR further includes exceptions from principles and obligations and allows for derogations from several data subjects’ rights. The scope of the scientific research exemption is not entirely clear, as the GDPR does not contain a binding definition of “scientific research purposes” and as rules may vary by Member State.
The thesis examines the legal impact of the GDPR in relation to Swedish companies engaging in data-driven research, by asking to what extent Swedish companies can claim the scientific research exemption in Article 9(2)(j) GDPR when processing health data. In Swedish law, ethical review pursuant to the Swedish Ethical Review Act is required to process health data under the scientific research exemption. Therefore, the relationship between “scientific research purposes” in the GDPR and “research” as defined in the Ethical Review Act is examined. The thesis concludes that neither the GDPR nor the Ethical Review Act preclude private entities or activities that are undertaken with a commercial interest. As the definition of research in the Ethical Review Act focuses on the acquirement of new knowledge and the theoretical and/or practical value of research, the thesis argues that the definition sets forth a higher threshold of what constitutes research than the GDPR. Companies that are primarily driven by commercial interests might have difficulties clarifying the scientific value of their activities. A disadvantage is that the definition of research in the Ethical Review Act and its territorial scope do not align with that of the GDPR, creating a fragmented legal framework within the EU.
Secondly, the thesis asks how the scientific research regime and its implementation in Swedish law balance the interests of data subjects against the interests of controllers, and how this balance might affect data-driven research. It concludes that the scientific research regime appears at first sight to shift the balance of interests significantly in favor of the controller. However, it is often required that the provisions' application would render impossible or seriously impair the achievement of scientific research, thereby narrowing the scope of the framework. The thesis highlights Sweden’s passive stance in terms of legislation, for example by refraining from introducing the possibility to derogate from certain rights of the data subject. While this may adversely affect the flexibility of companies engaging in data-driven research, the biggest challenge is to overcome the conflict between the GDPR and research involving substantial amounts of personal data.}},
author = {{Bockasten, Anna}},
language = {{eng}},
note = {{Student Paper}},
title = {{Health Data in Data-driven Research: Processing under the GDPR’s Scientific Research Exemption}},
year = {{2024}},
}