Juristica International

1. Introduction

There is ongoing discussion about what constitutes 'scientific research' in the meaning of the General Data Protection Regulation *1 (GDPR), Article 9 (2)(j). *2 The question is crucial because the associated scientific research regime enables extensive limitations to data subjects' rights to privacy and self‑determination. If the activity falls within the scope of scientific research in the meaning applied by the GDPR, the researcher may escape from the need to obtain data subjects' consent and also be exempted from following some basic principles set forth in the GDPR – e.g., those for storage limitations and transparency. *3 In addition, the European Union (EU) or national law may allow derogations from data subjects' rights, among them the data subject's right to access one's data. *4 This makes the scientific research regime attractive not only to academic researchers but also to commercial entities conducting profit-oriented research. Concern has been expressed that commercial research might not contribute to the common good to an extent sufficient for justifying such a flexible scientific research regime. *5

Some authors have suggested that to avoid stretching the scientific research regime to an overly wide scope, regulators should specify public interest as a prerequisite for conducting scientific research with health data without the data subject's consent. *6 'Public interest' is an undetermined legal term and an ambiguous concept. *7 There are various theories of public interest in the context of scientific research involving health data. *8 For example, it has been explained as 'improving a better understanding of underlying mechanisms leading to ill-health or to better options for prevention or treatment' *9 but also as 'substantial expected advancement of the health-related interests of members of a group whose interests are, or should be, of particular concern to the society in question'. *10

Some Member States have explicitly stated in their national laws that scientific research conducted with health data in the absence of the data subject's consent must be in the public interest, while others have not. *11 This is possible in that the GDPR does not – at least explicitly – require that the scientific research be in the public interest yet does allow Member States to choose their policies. *12

The article analyses based on the examples of Estonia and Finland whether national law should require the existence of public interest behind any processing of health data in scientific research without the data subject's consent. This discussion shows that, whether public interest is explicitly required by the legislation or not, in Estonia the requirement exists at least to some extent in connection with mandatory ethics review and in Finland in the data permit procedure. The article also shows that in the future, under the proposed European Health Data Space Regulation *13 (EHDS), Member States may retain the public interest standard through the ethics review requirement in their national law.

The analysis below begins by examining the GDPR, on which the national laws of Estonia and Finland rely (in Section 2), then delves into the national regulations of Estonia and Finland (in Sections 3 and 4, respectively), before reflection on the change that the EHDS holds potential to bring (in Section 5).

2. The GDPR’s public interest requirement

In one option, the processing of health data for scientific research is possible on the basis of the GDPR’s Article 6 (1)(f) (processing is necessary for the purposes of legitimate interests) in combination with Article 9 (2) j) (processing is necessary for scientific research). The data subject's consent is not required unless the EU or the Member State's national law requires it. In addition, as the paper’s introduction points out, the GDPR does not require the scientific research in question to be in the public interest. *14 However, Member States may set a public interest requirement in their national laws, according to Article 9 (2)(j) and 9 (4).

Even though the GDPR does not explicitly impose the condition of the relevant scientific research with health data being in the public interest, one should look at whether the concept of scientific research itself entails the requirement of public interest. While the GDPR does not define scientific research, Recital 159 states that the term should be interpreted in a broad manner that encompasses technological development and demonstration, applied research, and privately funded research. This does not hint at a requirement of public interest. On the other hand, Recital 157 stresses registry-based research's importance for obtaining new knowledge about medical conditions that hold great value and that can aid in improving the quality of life for a number of people. According to Recital 53, scientific research with health data should be based on EU or Member State law, which has to meet an objective of public interest. Relying on these recitals, one might argue that what is deemed processing of health data for scientific research must be in the public interest. However, even though the GDPR recitals refer to some extent to public-interest-linked requirements, they are contradictory and do not have binding legal force. *15 The body of the GDPR meanwhile does not set any requirement of public interest in connection with scientific research, even though it could have done so in a manner analogous to its addressing of archiving purposes, which explicitly need to be in the public interest according to its Article 9 (2)(j).

The EU institutions have made efforts to clarify the concept of scientific research and its relationship with the public interest. The European Data Protection Board (EDPB) has stated that scientific research in the context of the GDPR means a research project set up in accordance with the relevant sector-related methodology and ethics standards, in conformity with good practice. *16 The European Data Protection Supervisor (EDPS) has stated, similarly to GDPR recitals 53 and 157, that 'flexibility is afforded on the assumption that research occurring within a framework of ethical oversight serves, in principle, the public interest' and that 'the role of research is understood to provide knowledge that can, in turn, improve the quality of life for a number of people and improve the efficiency of social services'. *17

Nonetheless, the opinions of the EU institutions are considered soft-law instruments, the legal force of which is not clear, *18 and authors of legal literature have interpreted the notion of scientific research in several ways. Ducato has understood scientific research in the GDPR’s context as any activity aimed at generating new knowledge and advancing the state of the art in a given field. *19 Verhenneman is of the view that, even though legal uncertainty remains, scientific research does not necessarily have to serve the public interest, while it still must have value to society. *20 Slokenberga has been critical of the EDPS's opinion, arguing that it does not adequately consider the complex reality in which scientific research takes place and commercialisation as a means to drive scientific advances forward. *21

Therefore, as long as there are no clarifications from the EU legislator or case law of the Court of Justice of the European Union (CJEU), the definition of scientific research remains a grey area. *22 Bentzen has stated that, by not defining scientific research, the GDPR may extend the privilege it affords to an unintentionally broad range of actors and activities and, unless the term ‘scientific research’ is clarified, it cannot function as a safeguard against misuse. *23

Considering the ambiguity of the concept of scientific research and its relationship with the public interest as articulated in the GDPR, one finds that among the roles of a Member State is to set the standard for ‘public interest’ in the national law. The following sections illustratively describe how this has been done in Estonia, through mandatory ethics review, and in Finland, via a data permit procedure wherein the criteria for scientific research are assessed. However, as the concept of scientific research should be interpreted autonomously and uniformly throughout the EU, *24 setting the public interest standard through the national interpretation of scientific research alone is not a solid foundation, in that the future case law of the CJEU may influence national practices.

3. Estonia’s requirement for a public interest

3.1. The public interest requirement in Estonian legislation

The processing of health data for scientific research is regulated by Section 6 of the Estonian Data Protection Act *25 (EDPA), which is the national law in the meaning of the GDPR’s Article 9 (2)(j), Article 9 (4), and Article 6 (1)(e). Even though the explanatory memorandum accompanying the EDPA refers to the last of these three only, it is clear that the EDPA also regulates the processing of health data in the meaning of GDPR Article 9 (2)(j) and makes use of the discretion left to Member States on the basis of the GDPR’s Article 9 (4). This interpretation is supported by the explanatory memorandum's references to GDPR Article 89 and Recital 159, which regulate or explain the processing of personal data for scientific research. *26 Processing of health data for scientific research is possible also on grounds of the GDPR’s Article 9 (2)(j) in combination with Article 6 (1)(f), which is unlike the combined application of GDPR Article 9 (2)(j) and GDPR Article 6 (1)(e) in that it does not require the existence of a public interest. *27

According to the EDPA’s Section 6 (1), health data may be processed without the consent of the data subject for scientific research in a pseudonymised form or a form that provides an equivalent level of protection. Under the same act’s Section 6 (3)(2), processing of the data in a form that enables identification of the data subject requires overriding public interest. This requirement for an overriding public interest applies also to the processing of pseudonymised data, according to the Data Protection Inspectorate of Estonia. *28 An alternative interpretation in the legal literature is that the requirements of Section 6 (3)(2), including the one related to an overriding public interest, apply to the processing of directly identifiable personal data only, excluding pseudonymised data. *29

The latter interpretation is in line with the systematic interpretation of the EDPA’s Section 6 (2 and 3), from which one can conclude that, in the context of that act’s Section 6, the concept of data 'enabling identification of the data subject' does not cover pseudonymised data. *30 Furthermore, had Section 6 (3) been meant to extend as far as pseudonymised data, there would have been no need to stress that it applies to data in 'a form which enables identification of the data subject’, given the EDPA's coverage of personal data only and not anonymised data. Therefore, it is not clear what kind of data processing must serve an overriding public interest: processing of directly identifiable data only or also pseudonymised data. It seems that the law requires only the processing of directly identifiable data to be in an overriding public interest, rather than pseudonymised data, the latter being much more commonly used in scientific research.

3.2. The role of ethics committees in assessing public interest

The EDPA’s Section 6 (4) foresees a need for an ethics-committee review in cases of scientific research based on health data. This includes assessing whether there is an overriding public interest in processing health data in a 'form enabling identification of the data subject', however ambiguous the nature of the latter form might be.

Estonia has three widely known active ethics committees in the arena of scientific research that makes secondary use of health data. These are the Estonian Committee on Bioethics and Human Research and two regional committees. *31 From relying on official communication with the author, it may be concluded that the ethics committees assess the public interest in scientific research or at least its contribution to the common good regardless of the form in which the health data are processed. *32 At the same time, the ethics committees admit that there is no uniform definition of public interest, and the aims behind each application and the potential results of the proposed efforts need to be assessed on a case-by-case basis. *33 Among the examples of research in the public interest cited by one of the regional ethics committees is research that enables the enhancement of health policies or more effective treatment, better availability of treatment, or more effective organising of screening. *34 In contrast, a research project is not in the public interest when the sole object of the activity is to make a profit, with no medically or scientifically new and important knowledge being developed. *35

The example of the Estonian Committee on Bioethics and Human Research shows that the ethics review itself includes assessment of public interest in the scientific research context. This is so irrespective of whether there is a requirement of public interest set by law. The tasks of the ethics committee include finding a balance between the protection of fundamental rights and the purposefulness of the research. *36 No approval will be granted when the research may take pursuing the common good in an irrational direction or when the research does not have scientific value. *37 Furthermore, the ethics committee relies on the ethics rules that are set for the relevant field(s). *38 For scientific research involving the secondary use of health data, the WMA Taipei Declaration *39 is of relevance. One reads under the declaration’s point 5 that ‘[h]ealth research represents a common good that is in the interest of individual patients, as well as the population and the society'. The explication continues with point 8’s statement: 'Research and other Health Databases and Biobanks related activities should contribute to the benefit of society, in particular public health objectives.' The tasks and ethics principles described mean that the ethics committee assesses the public interest regardless of whether the law explicitly requires the processing of health data for scientific research to be in the public interest.

However, the ethics review may function as a tool for assessing public interest only when the following conditions are met: 1) review is mandatory, 2) all ethics committees follow similar standards, and 3) the committees have sufficient human and financial resources for carrying out the assessment.

Even though, under the EDPA’s Section 6 (4), an ethics review is always mandatory in Estonia for health data processing in scientific research that lacks a data subject's consent, the explanatory memorandum on the EDPA gives an impression that no ethics committee approval is required in cases of data held in pseudonymised form. *40 However, this interpretation is in line with neither the wording of the law nor the understanding of the Estonian Data Protection Inspectorate *41 and, therefore, should not be relied upon. Although the country has no case law specifying when an ethics review is required, divergence from the wording of the law to the detriment of the data subject in the manner suggested by the explanatory memorandum accompanying the EDPA would not be justified.

Problematically, in Estonia, a researcher may escape the requirement to serve a public interest by applying to an ethics committee that follows looser standards. This is possible because the law does not specifically regulate which ethics committee the researcher intending to process health data has to turn to, except in cases of data requested from the national health information system or the Estonian Biobank. Neither does the law regulate the ethics committees' standards or activities, though there are some exceptions. *42 Therefore, there should be a framework in place that ensures similar standards for assessing public interest.

A further crucial factor is that ethics committees might not be able to analyse and assess the applications, including the meeting of public interest requirements, in much detail when lacking suitable human and financial resources. A heavy workload and insufficient financial resources have also been recognised as an issue in Estonia. *43

3.3. Preliminary conclusions from the Estonian setting

The Estonian example shows that assessment of the public interest in scientific research with health data can, in principle, be achieved via mandatory ethics review. This is true notwithstanding whether the law sets a public interest requirement for conducting scientific research with health data. However, this article does not offer any conclusions whether and, if so, to what extent the ethics committees’ practice actually encompasses assessing public interest, since in-depth analyses of the committees' decisions are beyond the scope of this paper.

4. The public interest requirement in the case of Finland

4.1. The public interest requirement in Finnish legislation

In Finland, the secondary use of health data for scientific research is regulated by the Act on the Secondary Use of Social and Health Data *44 (the Secondary Use Act) and the Finnish Data Protection Act *45 (the FDPA). According to the Secondary Use Act, the researcher needs a data permit before processing health data for scientific research. *46 When the data needed are controlled by several public data controllers, the private sector, or Kanta Services *47 , the application for this permit must be submitted to Findata *48 , the national data permit authority for the social and health-care sector. In other cases, the application must be submitted to the public body controlling the health data directly. *49 The discussion here focuses on Findata, the most obviously pertinent entity in the situations at issue.

For Finland, the FDPA’s Section 6 repeats the principle stated in the GDPR according to which the ban on processing special categories of data does not apply to scientific research (see §6, point 7). Even though at first sight the Finnish law may give the impression that scientific research needs to be in the public interest, as FDPA Section 4 point 3 refers to GDPR Article 6 (1)(e), which in turn refers to 'tasks carried out in the public interest', *50 this is not the case. Neither the Secondary Use Act nor the FDPA requires that scientific research be in the public interest. Conducting scientific research is also allowed directly on the basis of legitimate interests; this restriction does not require the processing activity to be in the public interest. *51

As noted above with regard to Estonia, a public interest requirement may be derived from mandatory ethics review. However, Finland has no mandatory ethics-review terms similar to Estonia’s. *52 Guidelines, not laws, suggest applying for an ethics review in particular cases wherein the risks arising from use of health registries’ data are greater. *53 Findata’s data permit procedure does not judge whether the research project should be submitted for an ethics committee’s approval. *54 Therefore, researchers may gain access to health data without ethics approval. In these circumstances, an ethics-review mechanism cannot function as an effective measure for assessing the public interest in the research.

4.2. Interpretation of scientific research in Finnish practice

Despite the lack of public interest or ethics-review requirements in its law, Finland has set a standard for public interest – through the interpretation of 'scientific research' applied in national practice. The criteria that must be met before one obtains access to health data for scientific research purposes have been established in Finnish case law. Dating from 2013, these dictate:

1) an appropriate research plan,

2) sufficient scientific qualifications of the project staff,

3) fulfilling the requirements of autonomy and openness, and

4) the main goals for the study being scientific. *55

In the case giving rise to this interpretation, a research company was refused access to health data associated with asthma-related products in the prescription register of the Social Insurance Institution (Kela). The intended research project was funded by a pharmaceutical company, which, problematically, also had the right to comment on the results of the research before publication. In the view of Kela, the entity in the position to decide on granting access to the data, it would not have been possible for such a project to obtain research results that are appropriate in a scientific sense. Kela received the impression that the proposed research was an effort to promote the co-operating pharmaceutical company's sales by publishing a study report that paints a positive picture of that company's products.

The research company's appeal was not successful in court. The court concluded that the possibility of the pharmaceutical company influencing the content of the publications presenting the research had not been ruled out. The court also found that it could not be concluded with sufficient certainty that the main goals of the research were scientific. *56

Therefore, under the notion of 'scientific research', it was not deemed permissible to conduct a study that possibly aimed to promote the commercial interests of one company. Instead, an independent and objective contribution to general scientific knowledge would have been required before access to health data for scientific research could be granted. It can be argued that this condition is a requirement of public interest in the scientific research context.

The above-mentioned case law remains relevant today for both Findata, which considers the scientific research criteria in the course of its data permit procedure, and the data protection authority. *57 This is true notwithstanding opinions that the GDPR might expand the scope of the Finnish national interpretation of scientific research. *58

Finally, it is noteworthy that in Finland innovation and development activities, which often serve commercial interests, are distinguished from 'scientific research', with the former being defined as 'the application and use of technical and business information and existing other information together with personal data when the goal is to develop new or significantly improved products, processes or services'. *59 For the latter activities, Findata will prepare the relevant datasets and the applicant may obtain access to aggregate-level data only, not to personal data. *60

4.3. Preliminary conclusions from the Finnish setting

The Finnish example shows that the notion of ‘scientific research’ may be substantiated on a national level in a way that incorporates public-interest-related requirements such as the criterion of contributing autonomously and objectively to general scientific knowledge. Accordingly, even though the law does not require ‘scientific research’ to be in the public interest, the public interest is still assessed to some extent in the data permit procedure, wherein the criteria related to scientific research are assessed. Detailed analysis of Findata data permit decisions extends beyond the scope of this article, so no conclusions are drawn here as to the extent to which Findata practice has continued to assess the criteria for ‘scientific research’.

5. The public interest requirement in the European Health Data Space Regulation proposal

5.1. The new framework and the public interest requirement in the EHDS proposal

The proposed EHDS *61 may change the scope of ‘scientific research’ and its relationship with the public interest as well as general rules for secondary use of electronic health data. EHDS is meant not to replace the GDPR but to complement it. *62 Under the instrument as proposed, holders of health data are required to grant access to the health data held to a national central data-access body that coordinates the secondary data use and decides on granting data permits to applicants. *63 The mechanism resembles the Finnish national Findata system, which was taken as an example in the work to develop the proposal. *64

An important change is suggested via Article 34 (1) of the proposal, which extends the list of purposes for which health data may be processed without the data subject's consent *65 through the inclusion of activities described thus:

(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(h) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.

In the proposed EHDS, ‘scientific research related to health or care sectors’ is listed separately from these activities. *66 The EHDS proposal does not foresee mandatory ethics review for the intended processing activities or assessment of the qualifications of a data permit applicant’s staff. *67 Interestingly, the EHDS proposal assumes that all of the secondary-use activities under it rely on GDPR Article 9 (2)(h)–(j), without specifying which activity is linked with what legal basis. *68 Under the GDPR, these activities may be carried out without the data subject's consent principally under the scientific research exemption (per Article 9 (2)(j)) or for reasons of public interest in the field of public health (per Article 9 (2)(i)). Relying on the EHDS proposal, the data user conducting these activities need not demonstrate the legal basis under GDPR Article 9 (2) any longer, but the existence of the legal basis is assumed. *69 Therefore, under the proposed EHDS, the activities would neither have to meet the criteria set for ‘scientific research’ nor have to be explicitly in the public interest. That situation would be contrary to the general logic of the GDPR according to which a concrete legal basis stemming from Article 9 (2) is always needed for the processing of health data.

Another possible interpretation addressing the legal basis issue would be that what qualifies as scientific research under the GDPR would become, for example, an innovation and development activity under the EHDS. *70 However, the proposal does not confirm that interpretation; hence, it creates legal uncertainty. Also, in the case described, the extent to which the relevant innovation and development activity should meet the criteria for scientific research remains unclear, because scientific research has been listed separately from innovation and development activities for the EHDS as proposed. *71 For clarity and full compliance with the GDPR, the proposal should be amended.

According to Recital 41 of the EHDS proposal, access to data for secondary use should contribute to the general interest of society, yet the standard the proposal sets for 'the general interest of society' remains unclear. Similarly to the GDPR, the proposal does not define scientific research or impose a public interest requirement connected with conducting it. As for the new processing activities listed in Article 34 (1)(f–h), the proposal sets requirements such as ‘contributing to public health or social security’ or ‘ensuring high levels of quality and safety of health care’, criteria that are very general. It would probably not be difficult for any applicant to demonstrate an intention to meet them. As the EDPS and EDPB have suggested, the EHDS proposal should circumscribe when there is a sufficient connection with public health or social security, to achieve a balance adequately taking into account the objectives pursued by the proposal and the protection of personal data. *72 Article 35 of the proposal, which prohibits data processing carried out for the development of products or services that may harm individuals and societies at large, clarifies only the extreme cases wherein the required standard is not met. Therefore, the proposal does not foresee a clear public or general interest standard for the processing of health data.

5.2. Member States' discretion in the proposed EHDS system

According to the GDPR’s Article 9 (4), Member States may foresee further rules on processing health data, including a public interest requirement for processing health data in scientific research. Under the EHDS proposal, it is questionable whether this will be possible in cases covered by the EHDS. According to the explanatory memorandum on the proposal, the regulation is intended ‘to prevent the fragmentation that resulted from inconsistent use of the relevant clauses in the GDPR (e.g. Article 9 (4))’. *73 In Article 63 of the proposal, it is explicitly stated with regard to the context of international access and transfer of health data that Member States may set further conditions in accordance with GDPR Article 9 (4). A similar provision is not present elsewhere. Therefore, the discretion left to Member States is a matter of some doubt.

Nevertheless, there may be a route for setting a public interest requirement through ethics-review requirements expressed in national laws. According to Article 45 (4) of the proposal, the data permit applicant shall provide 'information on the assessment of ethical aspects of the processing, where applicable and in line with national law'. According to Recital 46, the ethics evaluation should be based on its own merits.

It must be stressed that at the national level ethics approval may typically be required for scientific research only and not for other activities covered by the proposal. *74 In those conditions, for example, those development and innovation activities that are not considered scientific research do not go through an ethics review. It bears reiterating that under the proposed scheme they also need not meet scientific research criteria or clear standards of public or general interest. In consequence, the data subject's health data might easily get processed without there being fair justification. For setting an appropriate standard for accessing health data, one option is to extend the national law's ethics-review requirements to encompass all activities listed in Article 34 (1)(f–h) of the proposal. In the review mandated, a standard of public or general interest can be employed, with the assessment of compliance being conducted accordingly.

6. Conclusion

Analysis shows that, as the GDPR does not assure that the 'scientific research' regime applies in only cases wherein the scientific research is in the public interest, it is up to the Member States to set the relevant public interest standard in their national laws.

The experiences of Estonia and Finland have demonstrated that it is possible to set a public interest standard also without the national legislation explicitly requiring existence of a public interest. The Estonian example illustrates how public interest may be assessed in mandatory ethics review. The Finnish example, in turn, attests that assessing fulfilment of the criteria for 'scientific research' in a national data permit procedure entails evaluating the existence of a public interest to some extent. Therefore, to protect data subjects' right to privacy and self-determination, it is not always necessary to set a requirement of public interest explicitly in legislation. However, with regard to the Finnish case, it must be borne in mind that relying merely on the national interpretation of 'scientific research' which is the autonomous concept of EU law is risky, since future case law of the CJEU might change the way in which Member States have to interpret the notion.

In the future, the proposed EHDS may reduce the discretion of Member States to choose their policies on public interest standards. However, Member States may still retain the public interest standard through an ethics-review requirement imposed by their national law. This should extend equally to scientific research and the other activities listed in Article 34 (1)(f–h) of the proposal, to avoid unintended limitations to the data subject's right to privacy and self-determination.