The GDPR is not about privacy. The word ‘privacy’ occurs only once in the GDPR, in reference to a European Parliament Directive on privacy supplementary to the GDPR. But what is the purpose of the GDPR?


The official title of the General Data Protection Regulation (GDPR) reads as follows:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Therefore, the two purposes of the GDPR are:

  • Encouraging the free movement of data, including personal data
  • The protection of these personal data.

The GDPR indicates, in a technology-neutral manner (hence the general, open data standards nature of the GDPR), that certain rights and obligations apply to the processing of personal data, and for this it defines specific roles and corresponding responsibilities. The GDPR specifies how these rights can be exercised, how this is monitored, and what kind of sanctions are in place. An often-heard statement about the GDPR is, “you’re not allowed to do anything with personal data any more”. However, it is actually the opposite: by properly applying the principles laid down in the GDPR, a lot can be done – after all, the entire purpose of the GDPR is to ensure the free flow of personal data!


The researcher and the GDPR

Let us take a look at this from the perspective of a researcher. The example below describes the steps to be taken mentally by every researcher when going from being GDPR compliant to embracing privacy as second nature.



Rights and obligations in the GDPR

The image below effectively summarises the GDPR. Here the rights of a research participant are contrasted with the obligations of the researcher, in terms of the responsible handling of personal data and appropriate protection for this.

[Image: Rights and obligations]

As mentioned earlier, the GDPR is a law based on principles. It is always about assessing whether the two purposes of the GDPR are fulfilled:

1. Encouraging the free movement of personal data
2. Protecting these personal data as well as possible

This assessment and the resulting measures vary depending on the research project. It involves making a reasonable assessment of the risks with respect to the research participants, weighing up these risks, and determining appropriate, proportional measures to mitigate them, for example by not collecting more personal data than is necessary for the research purpose. To ensure this, researchers may ask themselves questions such as:

  • What sensitive and other kinds of data would I need to collect from the research participants?
  • What would be the consequences if a third party were to gain unauthorised access to these data?
  • What kind of harm could someone cause with these personal data?
  • What would it mean for the data subjects if their personal data were to fall into the wrong hands?

It is easy to think of many examples where there would be very serious consequences if unauthorised persons were to gain access to certain personal data, such as research projects where interviews with paedophiles, war criminals, or coup plotters in a dictatorship are part of the research data. But, in practice, most research projects do not involve this kind of sensitive information, so accordingly the measures to be taken may also be more limited.

Finally, research participants may also be harmed by stigmatisation and disclosure of the group. This could happen, for example, if the publication of the results of an observational study of fathers from village X, which examines the quality of interaction between the fathers and their minor children, discloses that there were many important areas for improvement in this interaction for a majority of these fathers.

The GDPR - not an absolute right

Please note: the right to privacy is not an absolute right. Recital 4 in the GDPR articulates this as follows:

The processing of personal data should be designed to serve mankind.

The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Hence, while privacy is a fundamental human right, other rights may outweigh it in certain contexts, for example, in the case of a pandemic such as the Covid-19 crisis. In these situations, public health interests may prevail over the fundamental right to privacy, for example, when a government mandates a particular tracking app for coronavirus infections. In doing so, the government infringes upon the right to privacy but in the service of what is, at the time, a greater priority: public health.

In this example, the GDPR can serve as a guide to designing the tracking app to be as privacy-friendly as possible, by building privacy into the design of the app. The goal here would be to arrive at a positive-sum situation, where privacy is respected in the app while improving public health. And perhaps, from a privacy standpoint, it will turn out that a digital app is not the best solution for registering people but that it is safer for our personal data to simply note down our name and phone number on a piece of paper every time we visit a restaurant or other venue.

So although the GDPR is an important law, it is not the most important law in every context. There are situations where other interests outweigh our privacy, as the GDPR itself explicitly states in Recital 4.