The Human Brain Project (HBP) is a data-driven project, based on comprehensive use of Information and Communication Technologies (ICTs) and cloud technology for strategic research and theoretical studies. The General Data Protection Regulation (GDPR) regulates the processing and free movement of personal data by data controllers and processors and is directly applicable in all European Union (EU) member states.
For research organisations such as the HBP, the GDPR aims to create a supportive framework to facilitate exchange and processing of data using safeguards to ensure that personal information can be used appropriately while protecting personal rights to privacy and enhancing public trust.
To some extent, scientific research has a privileged position under the GDPR, subject to appropriate measures being in place to protect the rights of data subjects and ensure data minimisation. In view of this, scientific data within the HBP is subject to the general default provisions of the GDPR, and some of these duties are more onerous than under previous data privacy laws. With fines of up to €20 million, or 4% of an organisation’s global turnover, it is imperative that the new and enhanced duties imposed by the GDPR are recognised and complied with by the HBP as a beacon for good practice and as a model of ethical and legal compliance.
One of the main issues that the HBP is faced with is international flow of personal data to and from countries outside the EU. It is important that the HBP is aware of the implications of international data transfers, in particular, how data received from third countries should be handled in compliance with the GDPR, while still preserving data value.
In order to balance the competing interests between data utility and data minimisation, the GDPR lays down some conditions for data processors and controllers to comply with for onward transfer of personal data to a third country and vice versa. International data transfers must be subject to restrictions under the GDPR to ensure that protection travels with the data.
Adequate levels of protection
Firstly, transfer of personal data to third countries outside the EU will not be permitted unless those countries ensure adequate levels of protection. In view of this, the European Commission, through an Implementing Act, provides a list of third countries deemed to have an adequate level of protection, either through domestic legislation or international commitments for ensuring and enforcing compliance with the data protection rules. In assessing the adequacy of protection, the European Commission will consider a range of adequacy criteria, such as the rule of law and implementation of data protection rules; the existence of independent supervisory bodies in the third country with the responsibility of ensuring adequate data protection compliance; and the international commitments of the third country in relation to personal data protection.
Appropriate safeguards for personal data
However, given the relatively low number of countries on the list that qualify as having ‘adequate’ levels of protection, it is incumbent on data controllers and processors within the HBP to deploy further measures for international data transfers that provide appropriate safeguards for personal data. In view of this, personal data may also be transferred to a non-EU country if the third country has implemented appropriate safeguards.
One of these is Standard Contractual Clauses, or model clauses. These are the most frequently used legitimisation mechanisms to validate international transfers of personal data to non-EU countries. They involve contracts and obligations pre-approved by the European Commission, applicable to the import and export of personal data in line with EU standards.
Another significant provision in relation to international data transfers in the GDPR is Binding Corporate Rules (BCR). This is a global set of rules developed on European privacy standards adopted on a voluntary basis by global companies. Due to the global nature of multinational companies, personal data is constantly shared beyond jurisdictions and national borders. The BCR is therefore considered as a flexible, bespoke solution to data exports within the corporate group which avoids the impracticalities of multiple standard contractual clauses among subsidiaries.
In the absence of an adequate level of protection or appropriate safeguards, the GDPR further sets out derogations for specific situations in which the transfer of personal data outside the EU will be allowed. One of these is where the data subject has given explicit consent to the proposed transfer after being informed of the possible risks related to the transfer due to the absence of adequacy standards or appropriate safeguards. Another instance is non-repetitive transfers involving a limited number of data subjects that are necessary for pursuing legitimate interests. In this situation, it is important that the controller takes into account the overriding rights and freedoms of the data subjects, while also carrying out relevant risk assessments to provide the necessary safeguards for the protection of personal data.
Finally, overcoming limitations on international data transfers in any Future and Emerging Technologies (FET) project can be quite challenging, especially in terms of legal compliance. For the HBP, identifying and implementing the right measures to safeguard an adequate level of protection in every case of personal data transfer can be very onerous. However, with the growing advent of technology, globalisation and cyber security, it is unlikely that a softer approach will be adopted by the EU. The onus, therefore, lies on the HBP to ensure adequate compliance by developing a working data protection compliance mechanism that aligns with the adequacy criteria developed by the European Commission, and also to undertake a legal commitment to abide by it through Standard Contractual Clauses or Binding Corporate Rules.
This blog post is based on the talk given at the session ‘Keeping research compliant: The General Data Protection Regulation (GDPR), ethics support, and the HBP’ at Human Brain Project Summit in Maastricht (The Netherlands), 16-18 October 2018.
Dr Simisola Akintoye is VC 2020 Lecturer in Law at De Montfort University (Leicester, UK). She researches in the fields of corporate governance (with particular interest in fraud regulation), corporate social responsibility (focusing on emerging and developed economies) and Information Technology law (with special interest in data protection and ethical responsibility). She is part of the Ethics Support team of the Human Brain Project.