The amount of data in existence that can be used for research is increasing in an exponential fashion. Similarly, the ability of individuals (both technically and legally) to collect, assemble and deliver their data for research purposes is also increasing. These developments have boosted movements and attitudes that have often been termed as 'citizen science'. This movement relates broadly to the idea that individuals can play an active role in collecting personal data and providing it for scientific research. In doing so it is argued they are able to boost the chances that certain types of research may occur. Central to the concept of citizen science is the idea that data should be portable, i. e. that individuals should be able to transfer their data from various sources to research institutions.
This article looks at the phenomenon from a legal perspective, focusing on the role data portability as a legal right has to play in boosting this movement. In particular, it will focus on the right of data portability as described in the EU’s recent General Data Protection Regulation (the GDPR). In doing so it will look at how the GDPR facilitates the right of data portability throughout the European Union, and potentially to jurisdictions beyond its borders. The ability of individuals to use this right to have their personal data transferred from existing data controllers to research institutions may allow initiatives associated with concepts of citizen science to prosper. As this article discusses however, there are a number of aspects concerning the formulation of this right within the GDPR that may serve to lessen its impact.
Section 2 of this article discusses the concept of citizen science and why it has been growing in prominence in recent times. Section 3 discusses the importance of data portability to citizen science. Section 4 will look at how the GDPR introduces a right of data portability and how it thus offers potential for individuals interested in participating in citizen science based initiatives. It also looks at how the GDPR leaves areas of data processing that will not be subject to the right of data portability and the likely effects this may have on citizen science. Section 5 analyses what the limited application of the right to data portability to limited legal bases for the processing of personal data is likely to mean. Section 6 discusses the likely territorial application of the right to data portability and its implications for citizen science initiatives to operate on an international level.
2 Citizen science as a growing phenomenon
Citizen science is not a new phenomenon but it is certainly a growing trend that is allowing important changes in the way scientific research is occurring (Devictor, Whittaker, and Beltrame 2010). Prominent examples of citizen science go back hundreds of years, including for example a prominent experiment in 1830s Britain that involved hundreds of members of the public to monitor 650 different coastal locations (Madison 2014). Whilst there are numerous other examples in the intervening period of the use of large groups of private individuals to coordinate and execute the collection of data for experimental purposes, the phenomenon of citizen science has been greatly boosted in recent times. This is due to developments in both the digitization of personal data and the ability to coordinate and share such data that have come with the development of the online web and social media (Newman et al. 2012). This is primarily for two reasons. First, the digitisation of personal data allows individuals to record and organise their data in ways that were not previously possible. This includes the capture of new forms of data (through the Internet of Things (IOT) and devices such as ‘wearables’) and the ability to store and organise it more efficiently e. g. using mobile phones, powerful personal computers and online storage. Second, online connectivity, including through social media platforms, allows data subjects to contact each other and researchers. This allows the formation of groups who have the desire to promote scientific research in certain areas through the collection, organisation and sharing of personal data concerning a particular issue. These developments have allowed individuals to come together and pool potentially interesting data in ways that were not previously possible. Individuals may for example be able to learn through social media that there are others that share health issues that require further research.
Using wearables and access to electronic health records individuals for instance can in theory pool large longitudinal data sets that are potentially interesting to researchers (Purcel and Rommelfanger 2017).
Such endeavours are seen as being conducive to research in potentially different ways with visions of what actually constitutes citizen science that vary in breadth and scope (Silvertown 2009). A narrower view sees an important role for groups of engaged individuals to be able to respond to open calls by researchers to come forward with data on a particular issue. In such a vision researchers remain both the inspiration and architects of the research programme that is to be carried out. They may conceive of the need for it and design the experiment in question, appealing to individuals to come forward with useful data that they have collected in order to allow the experiment in question to be carried out. In such a scenario the data subject can be thought of as a benevolent form of ‘free labour’ that makes itself available to a research project in order to further its aims.
A broader and perhaps more ambitious conception of citizen science sees the citizen as the true master of the research in question (i. e. in place of the research institution). In such a vision, it is the citizen (i. e. the data subjects themselves) who through networking and discussion see the need for research to be conducted in a certain area.1 It is their ability to collect, store and collate the data that they see as being useful that provides them with the power to induce certain forms of research (Evans 2017). In being able to create such pools of data they are able to attract researchers who may find the research opportunity it presents to be attractive. The ability to collect, store, collate and transmit such data to interested researchers represents a source of power for citizen scientists, potentially allowing them to collectively bargain with competing research institutions and ensure that the type of research they want occurs.2 This latter interpretation of citizen science sees the individual lay person acting more out of self-interest (rather than a sense of civic virtue) and through the power that comes of grouping with other similarly minded individuals, deciding what research is to take place (in place of the professional scientist and the institution he or she is attached to).
Of course, these points exist on a spectrum at either end of potential manifestations of citizen science. There are many manifestations that are possible between the two and many that may share elements of both. Individuals may for example become citizen scientists both out of self-interest and as a result of a sense of civic duty (Morris and Aguilera 2012). Similarly it may well be difficult in reality to draw a clear line in discerning whether research is proposed and conducted because of the availability of data through active citizen science or whether such citizen scientists are mobilised in response to institutional calls for research data. Whatever the particular manifestation, there are a number of criteria that must be met in order for citizen science to occur. These include the ability to record data, the ability to store it, the ability to access it, and that it is portable (i. e. that it can be transferred to a research institution). The importance of transferability or portability is discussed below.
3 The importance of data portability to citizen science
(i) The need for both ‘interoperability’ and ‘transferability’
All of the requirements described above (i. e. the ability to record and observe) are without doubt indispensable for citizen science to occur. Even if they are fulfilled however the ability to transfer (or share) data (i. e. that it is portable) is a sine qua non for citizen science to occur. Even if individuals are able to record and store their data, practicing citizen science will not be possible in situations where individuals and groups of individuals are not able to transfer useful personal data to interested researchers. The same goes if data subjects are simply provided with access to their personal data by a data controller (imagine for example the provider of a mHealth service). Access alone to personal data (a well established right in data protection law)3 may mean little if it does not equate to a possibility to transfer data to researchers for further analysis (Hunter 2016). Rights of access to one’s personal data as is traditionally found in data protection laws may not be sufficient to fully facilitate citizen science. This is because to ensure portability two important elements are required, elements that may not be present in traditional rights to access data. The most important aspects of these elements are described below.
A requirement of interoperability – A right to access for instance may not provide a right to receive personal data in a form that is ‘interoperable’ with the processing systems of another potential controller, including those of a potential research institution. This was for example the situation with the right to access in the EU Data Protection Directive (95/46/EC). Providing data in a form that is ‘intelligible’ to the data subject does not entail providing data in a form that is functionally readable by other controllers. ‘Intelligible’ would rather seem to refer to the ability of humans to be able to comprehend the data that is provided (and does not refer to interoperability with other processing systems) (Article 29 Working Party Guidelines, p. 14). Intelligible can thus best be thought of as a duty to provide data, even if complex, in some manner that will allow human data subjects to comprehend it in terms of what can be deduced from it. In the modern information society, where data sets may be enormous and complex, this may in reality translate into a duty to effectively summarise the data in ‘human readable format’ so that the data subject can understand it. Providing data in its raw form would be unlikely to meet a duty to provide intelligible data, largely because it would be meaningless to the data subject (largely because such data would be stored in a way that is machine readable). In this regard the right to access found in GDPR Article 14(3) certainly goes further than the Directive 95/46/EC does, stating:
The controller shall provide a copy of the personal data undergoing processing. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Whilst a requirement of providing personal data in “a commonly used electronic form” goes far further in providing requirements in terms of interoperability (see further discussion in Section 4), it still provides arguably little in terms of direct transferability (discussed below).
A duty to facilitate a data transfer – A Right to Access does not provide any right to have data transferred to a third party, including a research institution. Transferability is important because it places the responsibility of data transfer with the data controller and not the data subject. This is important for a number of reasons.
Perhaps most importantly the data controller is likely to have a higher level of technical ability and experience than the data subject. It may have numerous personnel and other organizational strengths (in comparison with an individual data subject). It may also importantly possess a key advantage in terms of economies of scale. This is because a single service provider, especially if it is a large one with a key position in the market, may receive many requests from individuals who wish that their data is transferred to a particular research institution. In such a context it will likely be a far more simple affair for one or a few data controllers to contact and liaise with a particular research institution (than it would be for thousands of data subjects). In such a manner discerning the necessary technical and organizational arrangements that must be made in order to facilitate transfer is likely to be far more efficient. An alternative scenario whereby research institutions had to liaise individually with every data subject on technical adjustments that would have to be made in order to facilitate transfer would in reality entail many more technical discussions between research institutions and individual research subjects. Furthermore, such discussions would likely be much more difficult given that individual research subjects would not be likely to possess the same technical knowledge or abilities. The ability of data subjects to comply with the technical requirements for transfer posed by the research institution is likely to be much less than it would be for a large data controller. Alternatively, whilst research institutions might in certain circumstances be willing to take on all the responsibility themselves for making data compatible for their research ends, the ability to do so would be severely reduced where all data is provided by research subjects on a completely individual basis.
In such instances data may vary in format or even the method in which it is delivered (e. g. by online file transfer, by DVD or by email). Taking on such variability would represent a costly affair that could well hamper research. The ability therefore to deal with one or a few data controllers who would transfer numerous data sets would be advantageous and encourage research institutions to engage with citizen science initiatives.
4 The GDPR and its right to data portability
In what may be seen as an advance for the concept of citizen science the GDPR includes a new right to data portability. Article 20 states:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
There are two things that are immediately apparent and of potential relevance to this paper. The first is that there is a right to receive data in a ‘machine readable format’ (also found with the GDPR’s strengthened ‘right of access’ (Article 14(3))). This appears to supplement the GDPR’s right to access (discussed above) and link it firmly with a right to data portability. This is important from the perspective of interoperability of the data in question and thus increasing the chances that it can be used for the purposes of scientific research. The second is that it bestows the right upon a data subject of asking for direct transfer to another controller. As Section 3 discusses this requirement is important from the perspective of citizen science given that for a number of reasons, it may often be the original data controller and not the data subject who is best placed to execute the transfer of data. Article 20 can therefore be thought of as an improvement of the situation vis-à-vis the needs of citizen scientists. As the following pages of this paper will discuss, this will facilitate citizen science activities in a number of areas and should therefore be welcomed. At the same time there are however a number of important elements that will likely serve to limit the ability of individuals and researchers to use this article to further citizen science. The most important are summarized in the sections below.
4.1 Limits to the concept of ‘machine readable’
Whilst the concept of ‘machine readability’ might sound promising it is important not to read it in too expansive a manner. In particular, a duty upon data controllers to produce machine readable data does not entail an obligation to make such data compatible for all purposes that might be desired. As the Article 29 Working Party points out (p. 13) “portability aims to produce interoperable systems not compatible systems”. The latter (i. e. compatibility) would entail an obligation upon the data controller to ensure that the data provided was directly compatible with the intended purposes and processing systems of the proposed new controller (to whom the data was to be passed). Although such a vision would make things easier for both the data subject and the new controller (who would receive data that would be directly ready for use) this would represent a heavy (if not impossible) burden on the original controller.4 This is because all of the burden in terms of ensuring compatibility would fall almost entirely upon that original controller. This would entail ensuring that the data that was being transferred was completely compatible (i. e. ready to use) with whatever processing systems were being used by the new controller. Given that there could be numerous different formats and systems used by a new controller this would effectively mean a duty to modify and tailor data to the needs of any data controller that a data subject demanded transfer to. Such a duty would likely act as a deterrent to data processing in general given that data controllers would have to ensure that they had the capacity (in terms of both personnel and technical expertise) to make such modifications if they were demanded.
It is for such reasons that a duty of ‘compatibility’ of transferred data is not realistic. It also explains why the Article 29 working party emphasized that Article 20 of the GDPR amounted to a duty of ‘interoperability’ (this duty is reflected in GDPR recital 68). This represents a lower threshold and consequently poses less of a burden on the original data controller. Such a duty represents a shared burden where not only the original data controller but also the new one (a research institution in this context) would have to make efforts so as to ensure compatibility. This is because interoperability is normally taken as referring to a duty to use one of a number of commonly available formats. As the Article 29 Working Party guidelines state (p. 15):
As such, data portability implies an additional layer of data processing by data controllers, in order to extract data from the platform and filter out personal data outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional data processing will be considered as an accessory to the main data processing, since it is not performed to achieve a new purpose defined by the data controller.
Although such formats may not be directly compatible with the processing systems of a new controller they should be in such a form that the new controller will be able to work upon them and make them compatible. Interoperability thus entails work for both the original controller, who must ensure that the data meets such a format and for the new controller who will have to further process the data into a new form that is compatible with its desired purposes. Such a duty can not thus be considered as representing a maximum facilitation of citizen science though it may however be a more realistic requirement. This is because Article 20 will still entail a large amount of work on behalf of a research institution in order to make data compatible. Given that this will require resources that research institutions do not always have, it may arguably in some instances discourage their willingness to engage in projects that involve citizen science and article 20 requests for data portability.
4.2 A right of transferability only applies to personal data provided by Data Subjects
Another important caveat that should be placed on the right of data portability as described by the GDPR is that it applies only to personal data as provided by the data subject. This can be split into two separate requirements i. e. (i) that the data be personal in nature and (ii) that it be provided by the data subject.
Requirement (i) may appear self evident given that the GDPR in general only applies to personal data. It would therefore be bizarre to expect that a right of data portability as described in the GDPR could be applied to data that was not of a personal nature. Despite being self evident this limitation nonetheless has some important implications. It means for example that any data that has been anonymized does not fall under such a right. Recital 26 of the GDPR confirms that it does not apply to anonymous data. This includes for example data that although now anonymous may have been derived using what was previously personal data (that may have been subsequently deleted). Even though such data may have been derived from their personal data, a data subject will have no right to demand that such data be transferred to another controller for purposes of scientific research.
Requirement (ii) applies to data that may even be personal in nature. It places a limit on the types of personal data that are subject to the right under Article 20 to the data that the data subject has himself provided. This importantly excludes all other forms of secondary personal data that has been derived from further processing. This will include for example the results of various forms of analysis that have been performed on the original data that had been provided by the data subject. Such a limitation exists inter alia to protect the commercial secrets and strategies of commercial data processors who may have developed innovative forms of data analysis (Lagos 2013). This exception however is likely to limit the application of the right to data portability in a number of areas that could be of interest from the perspective of citizen science. Imagine for instance the analysis of lifestyle data or the data that had been provided by data subjects through wearable or other IoT devices. Such analysis could have enormous research potential. Indeed, it may be such analysis (and not simply the storage of the data) that represents the unique selling point of many data monitoring or storage services (Lupton 2016; Purcel and Rommelfanger 2017; Swan 2013). Imagine a commercial organization for example that offers fitness enthusiasts the ability to (through wearable devices) monitor and upload their data to a cloud service and have various forms of analysis provided to them concerning their performance and ways in which they may be able to improve. Such analysis may provide data subjects with knowledge and useful perspectives that might not be apparent from the data alone. Such data may for similar reasons also be appealing from the perspective of citizen science.
The analyses performed on such primary data may furthermore be highly innovative in nature and not easily repeatable by other parties (for this reason it may often be considered a commercial secret), including by researchers and research institutions. An assumption therefore that research institutions may be able to perform such an analysis may be misplaced (particularly for example when one compares the relative resources and technical expertise of certain multinational data controllers (e. g. Google, Amazon etc.) and those possessed by individual research institutions). Even if it were possible, it might entail the use of resources that may not in reality be at the disposition of a particular research institution. As a result of this the lack of applicability of article 20 of the GDPR to such data means that data subjects will not be able to use it to invoke the transfer of various forms of data that could be particularly valuable for scientific research.
It should be noted that this issue does not only apply to commercial service providers in the area of fitness/lifestyle data but also controllers in a number of other important areas (Bellazzi and Zupan 2008; Murdoch and Detsky 2013). This could include the providers of various medical or healthcare services that involve the analysis of personal data. Imagine for instance healthcare institutions that performed various analytic techniques to draw conclusions on the health status of individuals. This could be through an analysis of their medical records or data taken from various monitoring devices. Once again, although such data could in theory be useful for scientific research it will not be covered by the right to data portability. The same would also apply to other data that could be useful for research purposes including relating to social media (Morris and Aguilera 2012). Such data is the subject of constant and complex analysis for commercial reasons such as improving targeted advertising. Such analysis may involve the discovery of correlations and relationships that would be of immense interest inter alia to those interested in scientific research given the potential links with areas ranging from medicine to sociology to economics. Such data will not however be covered by article 20 GDPR.
5 The importance of the grounds for the processing of the data in question
(i) Grounds for processing to which article 20 GDPR is applicable
Article 20 is also limited given that it only applies to data that is processed on the basis of two (of the many) grounds that are described in the GDPR. These cover data that is processed after obtaining the “express consent” of the data subject or alternatively that the processing was “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.5 These grounds will cover some but by no means all of the potential types of personal data that might be thought to be of use to citizen scientists. The first may for example cover the types of relationship described above where individuals agree through formalized processes of consent to provide their data so as to have it stored and/or further processed. This could include for instance lifestyle monitoring services or certain forms of processing related to healthcare (where consent is the basis for processing - see discussion in (ii) below). It may also interestingly include data that had previously been provided to researchers or scientific institutions precisely for the purpose of research (again where consent was the legal basis for processing - see discussion in (ii) below). Imagine for instance where a data subject had consented to provide his or her medical, socioeconomic or other data to a research project in the past. Given that such data may conceivably be of interest to other subsequent research projects at other institutions it is possible that data subjects might want to make use of their rights under article 20 to transfer their data in order to facilitate research. The reuse of research data is indeed something that has been encouraged more and more in recent years (with the term ‘recycling’ often being used in a metaphor that seemingly sees not using ‘old data’ as being wasteful) (Dyer 2007; Kaye 2012; Murdoch and Detsky 2013).
Such reuse of old research data could be seen as being compatible with many of the aims of citizen science.
With regard to the second ground discussed above one can imagine various contracts that may have been concluded with various organizations to provide services or deliver physical products. Imagine for instance streaming services for movies or music, online stores such as Amazon etc. Whilst such information may appear banal viewed from the perspective of a single individual, on a larger scale (i. e. where such data is available for many individuals) it may provide extremely useful research material, allowing important information relating to socioeconomic factors or even health status. Article 20 thus provides the option of transferability for such data.
(ii) Grounds for processing that are not covered by article 20
The two grounds discussed above, though important, represent only two of many potential grounds for processing described within the GDPR. This essentially means that many types of processing that are permitted under the GDPR will not be covered by the right to data portability. Whilst a full consideration of the relevance of all such types of data processing to citizen science is beyond the scope of this paper6 some potentially striking examples (given their obvious relevance to research) are immediately obvious and are discussed below.
Processing is necessary for the purposes of preventive or occupational medicine – Whilst the processing of health data is possible on the basis of explicit consent, this is not the only, or perhaps the most important grounds for the processing of such data within the healthcare sector (Mantovani and Quinn 2013; Quinn et al. 2013). This is because there exists another legal basis that permits the processing of health data for processes of occupational medicine. This ground currently exists in Article 9(2) of the GDPR. The equivalent provision within Directive 95/46/EC (which has seemingly been widened within the GDPR) was traditionally used to process medical data within the bounds of an ongoing treatment relationship with an officially recognised medical professional who was subject to rules on confidentiality.7 Such a ground has been traditionally used to process patient data in ways that were required as a result of continued treatment within a particular practice or institution. It is such an exception that allows a patient’s data to be further processed without having to continuously re-obtain consent, something which would be extremely laborious in large institutions. The practical value of such a grounds for processing is that medical professionals and institutions do not have to continuously ask patients for consent to process their data each time they have a new consultation or undergo a new procedure. The availability of this pragmatic and frequently used ground for processing means that an enormous quantity (if not most) of personal medical data is processed in such manner. Given that article 20 does not apply to processing performed using such grounds this means that large quantities of health data may not be subject to requests for transfer to a third party.
This may be unfortunate for citizen science enthusiasts given the potential for research use of such data (Tene and Polonetsky 2013; Jensen, Jensen, and Brunak 2012). Patient health records for example may go back years and contain data on health, lifestyle and socioeconomic factors that are extremely useful for research (Jensen, Jensen, and Brunak 2012; Murdoch and Detsky 2013). The fact that article 20 does not apply to such data does not mean of course that it can not be used for research. There is nothing to stop researchers requesting the data in question from healthcare providers and indeed from such providers providing the data (if they so wish). They can not however be compelled to transfer such data, either by the data subject or the research institution. Likewise patients will still enjoy a right of access to their medical data and will be able to receive a copy and then transfer it themselves to researchers or a research institution. This however is subject to the many practical difficulties discussed in Section 3 and must be considered to be an inferior option (in terms of facilitating citizen science at least).
Processing is necessary for archiving purposes in the public interest, scientific or historical research – Data used in and produced by scientific research may often be suitable for use in subsequent research. To a certain extent it could be argued that there is a role for citizen science in facilitating such reuse. This could occur for example where groups of research subjects are able to demand that their research data be passed to further institutions for further research. As discussed above, where the processing of such data was based upon consent this may be possible. As with the processing of data for medical purposes however, whilst consent is an important grounds for processing of personal data by researchers or research institutions, it is by no means the only one. This is because Article 9(2) of the GDPR also provides that ‘Scientific Research’ is itself a valid ground for the processing of personal data. There are therefore two grounds that exist in the GDPR for those wishing to conduct scientific research. The former (i. e. consent) may often be seen as appealing from an ethical perspective (indeed it may often be demanded by ethics bodies based at research institutions). It does entail however a number of disadvantages (Quinn 2017). These notably include the administrative complexity of organizing (the creation, dissemination and storage) consent forms, the potential difficulty in tracing all data recipients, instances where data subjects may not possess the capacity to give consent (e. g. the young or those with a lack of cognitive capacity). Given these issues consent may often not be feasible and in suitable circumstances (where important conditions are met) researchers may process personal data without the consent of those involved (i. e. under the scientific research exception provided by Article 9(2)(j)).
Where this is the case researchers may, if a number of conditions are met, process personal data for scientific research without consent (Quinn 2017). This legal basis for processing is often useful in large research projects that depend upon the use of extremely large data sets (e. g. potentially harvested from electronic health records) and where obtaining consent would not be feasible. Unfortunately for citizen scientist enthusiasts the data used in such research will not be subject to the right of transferability. This is of particular consequence given that research projects using this grounds for processing are likely to be large in nature and therefore represent an extremely rich source of data.
6 Transfer outside of the EU
The world of modern research is truly global. The availability of online connectivity and the ability to share information means that individuals may want, and be able, to share their data with research institutions that are not located close by in physical terms. Such potential for worldwide collaboration increases the chances that individuals or groups of individuals may be able to find a research institution that could perform useful research on their data (Bonney et al. 2014). Conversely, where individuals are restricted to small geographic areas or alternatively certain legal jurisdictions, the chances of such a ‘fit’ between potential research subjects and institution are reduced.
The good news (for advocates of citizen science) is that one of the raisons d’être of the GDPR is actually to facilitate the sharing of data over a wider area. It has for instance, as one of its main aims, the facilitation of the sharing of data throughout the EU. Indeed, as the GDPR itself states, it “seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.” As a result EU Data Protection legislation, including the GDPR (see recital 3), aims to create a situation where it is possible to move data around the European Union as if it was a single legal jurisdiction. Moving data, inter alia for the purposes of citizen science from one part of the EU to another should therefore pose few problems (where of course data protection requirements have been met).8
The price of such a liberty to move personal data around Europe however is the ability to transfer data outside of the EU. This is because, as the GDPR points out, the ability to allow free movement of personal data across the EU can be permitted because of the existence of the same standards of data protection throughout the Union. This allows data subjects to be sure that if their data is transferred from one part of the Union to another a similar standard of protection will apply. This balance however does not hold for potential transfers outside the EU. There the regulatory situation vis-à-vis data protection may be different, if not inferior. This makes it difficult for European data subjects to have confidence that their data will be handled in a similar manner, or even have an idea of how such data may be handled. It is for this reason that the GDPR (and its predecessor Directive 95/46/EC) imposes important restrictions on the transfer of data outside of Europe.
In principle personal data can not be transferred out of the EU unless one of a number of conditions is met. These include for example an adequacy decision on the part of the EU Commission. This can occur where the Commission agrees that a “third country, a territory or one or more specified sectors within that third country … ensures an adequate level of protection” (GDPR Article 45(1)). Such a decision may occur where the Commission, after considering a number of factors described in the GDPR, has decided that an adequate level of protection will be provided concerning the use of personal data (GDPR Article 45(2)). This includes the level of the rule of law in the jurisdiction concerned (also taking into account any data protection legislation), the existence of data protection supervisory bodies, and any international agreements that may exist with the state in which the jurisdiction in question is based.
These conditions are not however essential for the transfer of personal data to or between researchers based outside the European Union. This is because the GDPR allows the transfer of personal data outside the European Union in the event that informed consent of the data subject has been secured (Article 49(1)(a)). This is seemingly a good fit with the right to demand a transfer of one’s data under the GDPR. This is because article 20 self-evidently appears to imply the need for the data subject to proactively make a request for such a transfer. In the event that such a request concerned a transfer outside of Europe it would seemingly be important (where a Commission adequacy decision does not exist), in order to be in compliance with Article 49 of the GDPR, to provide the requisite information so that the data subject could legitimately provide explicit consent to a transfer of his or her data outside the EU. This would likely include information concerning the fact that no adequacy decision existed, what the implications of such an absence are in layman’s terms and the situation concerning data protection in both the jurisdiction the data will be transferred to and the specific context the data will be processed in. This requirement to provide sufficient information for informed consent will require the data controller (i. e. who is to transfer the data) to investigate whether the Commission had made an adequacy finding concerning the jurisdiction in question and if not to research and take into account both the laws applicable to the new data controller and its own particular organizational situation. This is because in order to provide the type of information that is required to provide truly informed consent it will be necessary for the data controller (i. e. who is to conduct the transfer) to become aware of such information and then to convey it to the data subject so that it can be understood. 
In this regard a request for a transfer to a data controller outside of Europe would differ importantly from that within Europe. This is because unlike the case with the latter, in the former the data controller (who is to transfer the data) must make enquiries about the ability of the potential new data controller to fulfill data protection obligations and explain the results of such enquiries to the data subject that made the request.
There is doubt however about whether data controllers would in reality have to honour such a request for a data transfer outside of Europe. The author of this paper would submit that there is some ambiguity in the GDPR about whether a data subject has the right to compel a data controller to transfer outside of Europe. This uncertainty arises for two main reasons. First, article 20 itself does not explicitly refer to such a situation. Second, the articles of the GDPR that relate to data transfers outside the European Union also do not refer to the right of transferability described in Article 20. Given this, it seems likely that some data controllers may seek to deny the applicability of article 20 to situations where a request for transfer outside Europe is made and no adequacy decision has been made by the Commission. The author would submit that this may be seen as reasonable given that data controllers would be required to investigate the legal situation in the new jurisdiction and the organizational context of the new controller (including its abilities to provide for data protection requirements). Such requirements are not part of article 20 in its normal context (i. e. transfers within the EU) and thus make its applicability in extra EU transfers questionable as they represent a burden that does not appear to be envisaged in article 20 itself. Case law may ultimately be needed to settle this question.9
At present we live in a time where there are grave concerns over the privacy of our data in the social media age. Whilst such concerns are well merited it is important to remember that concerns surrounding the use of our personal data are not only related to privacy. More specifically whilst there are occasions where we may wish to prevent large and powerful data controllers from doing certain things with our data (i. e. negative obligations), there are other occasions where we may want to compel them to do something (i. e. positive obligations). This article looks at one such instance, the ability of data subjects to compel data controllers to transfer their data to another controller, in this case for purposes of ‘citizen science’.
In addition to technological and cultural developments, the developing legal landscape will play a major role in deciding what is and what is not possible in terms of citizen science.10 One of the most important of these developments is the notion of ‘a right of data portability’ in the GDPR. This right will allow data subjects to ask data controllers to transfer their personal data to a new data controller. Such a right is important to citizen science for a number of reasons. First, individuals often do not collect and assemble potentially useful data alone. Rather they often do so with the aid of third parties, for example the use of online storage platforms that allow data to be accessed and manipulated in useful ways. Where individuals want to make such data available for research there may thus often be a need to have data transferred from one controller to another (e. g. a research institution). Second, the ability to transfer the data directly between data controller and research institution may be appealing because individual data subjects may not have the technical knowledge or correct infrastructure to receive and transport it themselves. Such a right opens up the possibility of using economies of scale to boost data transfers related to citizen science. This may occur where data controllers and research organizations are able to coordinate and arrange transfers – for instance where, in the case of one large data controller, many data subjects have come forward and asked that their data be transferred to a particular research institution. The possibility to arrange such transfers on a coordinated basis would reduce investments in terms of time and cost for both data controllers and research institutions and thus make many forms of potential research more feasible. Third, a right to data portability as found in the GDPR goes beyond a right to access which has long existed under Directive 95/46/EC.
This is because unlike a right to access, which only provides for the provision of data to the data subject in ‘an intelligible form’, the right to data transferability allows for the data in question to be provided to the new controller in a form that is ‘interoperable’. This is important because depending solely on a ‘right of access’ would not only involve intermediate transfer through the data subject (and all the technical and organizational problems this may bring), but would also not include a requirement of ‘interoperability’ with the potential processing systems that might be used by a research institution. Such a requirement means that the data should be provided directly to the research institution in a way that would allow them to use it for their desired method of processing.
As this paper discussed however, there are important limits to the right of transferability at least as recognized in the GDPR. Four issues were outlined in this paper that will, to various extents, limit the extent to which this right can be used to further concrete instances of citizen science. First, an important limitation is that the right of portability only applies to personal data that was provided by the data subject themselves. This rules out its application to data that was derived by further processing of that data. This will have the effect of ruling out the applicability of the right of portability to important datasets that will contain potentially valuable information for researchers. This includes analysis of self-monitoring data (e. g. from fitness or dietary platforms), various forms of analysis carried out for commercial purposes (e. g. advertising targeting) and for the purposes of healthcare.
A second factor is the concept of ‘interoperability’ itself. As the Article 29 working party clearly stated, interoperability does not equate to compatibility. Whilst the latter would entail providing data in a ready to use format, the former requires only the provision of data in a manner that would allow it to be rendered useable. Such a concept accepts the likelihood that a new data controller will have to further process such data in order to render it useful for its purposes. It is therefore likely that research institutions will have to conduct work on the data being transferred in order to render it compatible. This could serve as a disincentive where the resources of potential research institutions may be limited.
A third important factor is that the right of transferability is limited to instances where the data held was being processed on the legal grounds that i) informed consent was provided by the data subject in question or ii) in order to fulfil a legally binding contract. Whilst such legal grounds will cover a large range of contexts that could be of importance to citizen science it will not cover many others. This may include for example, large amounts of data that is held in the electronic health records of medical institutions. Such data is often processed under another legal basis i. e. for the ‘purposes of preventive or occupational medicine’. Likewise, the right of transferability will not apply to data that is being processed for purposes of ‘scientific research’ (i. e. without relying on consent as a legal basis). This means that individuals will in many cases not be able to demand researchers who have been using their data to subsequently transfer it to another research institution. These limitations on the right of transferability will dilute its potency and its potential usefulness to desired instances of citizen science inter alia ruling out its application to important sources of potential research data.
In addition to these explicit limitations of the right to transferability (as described in the GDPR) a fourth factor arises through a number of ambiguities that give rise to uncertainties surrounding its potential territorial application. Whilst the GDPR seemingly confirms that a right of transferability will apply in instances where transfer is sought anywhere within the EU, it is not certain as to whether it applies to requests made for the transfer of data to controllers based outside of Europe. This is because whilst certain conditionality must exist to allow external transfer (e. g. the existence of an EU Commission Adequacy Decision or the existence of binding corporate rules on the use of data) such conditionality can be dispensed with where the transfer in question is associated with the provision of explicit consent on the part of the data subject. Given that such consent can be obtained by the data controller when a portability request is made, one might reason that this exception could also be made to apply to Article 20 requests outside the Union. Doubts as to such an assumption may however be fuelled by the fact that such an exercise would entail potentially significant efforts on the part of the existing data controller, including the need to ascertain the status of the proposed new data controller and the jurisdiction in which it is based. Given that such efforts are not consistent with the light investigational duties that are invoked within article 20 of the GDPR itself (i. e. on transfers within the EU), its applicability to transfers outside the EU is at the very least debatable.
Bellazzi, R., and B. Zupan. 2008. “Predictive Data Mining in Clinical Medicine: Current Issues and Guidelines.” International Journal of Medical Informatics 77: 81–97.
Bonney, R., J. Shirk, T. Phillips, A. Wiggins, H. Ballard, A. Miller-Rushing, and K. Parish. 2014. “What Next for Citizen Science?.” Science 343 (6178): 1436–37.
Bonney, Rick, Caren B. Cooper, Janis Dickinson, Steve Kelling, Tina Phillips, Kenneth V. Rosenberg, and Jennifer Shirk. 2009. “Citizen Science: A Developing Tool for Expanding Science Knowledge and Scientific Literacy.” BioScience 59(11): 977–84. doi: 10.1525/bio.2009.59.11.9.
Devictor, Vincent, Robert J. Whittaker, and Coralie Beltrame. 2010. “Beyond Scarcity: Citizen Science Programmes as Useful Tools for Conservation Biogeography.” Diversity and Distributions 16(3): 354–62.
Dyer, C. 2007. “Stringent Constraints on Use of Patients’ Data are Harming Research.” British Medical Journal 335: 1114–15.
Evans, Barbara J. 2017. “Barbarians at the Gate - Consumer Driven Health Data Commons and the Transformation of Citizen Science.” American Journal of Law & Medicine 42(4): 651–85.
Hoffman, S. 2015. “Citizen Science - the Law and the Ethics of Public Access to Medical Big Data.” Berkeley Technology Law Journal 30 (3).
Hunter, P. 2016. “The Big Health Data Sale: As the Trade of Personal Health and Medical Data Expands, It Becomes Necessary to Improve Legal Frameworks for Protecting Patient Anonymity, Handling Consent and Ensuring the Quality of Data.” EMBO Rep 17(8): 1103–05. doi: 10.15252/embr.201642917.
Jensen, P., L. Jensen, and S. Brunak. 2012. “Mining Electronic Health Records: Towards Better Research Applications and Clinical Care.” Nature Reviews Genetics 13: 395–405.
Kaye, J. 2012. “The Tension between Data Sharing and the Protection of Privacy in Genomics Research.” Annual Review of Genomics and Human Genetics 13: 415–31.
Kelling, S., D. Fink, F. A. La Sorte, A. Johnston, N. E. Bruns, and W. M. Hochachka. 2015. “Taking a ‘Big Data’ Approach to Data Quality in a Citizen Science Project.” Ambio 44(Suppl 4): 601–11.
Lagos, L. 2013. “Why the Right to Data Portability Likely Reduces Consumer Welfare- Antitrust and Privacy Critique.” Maryland Law Review 72 (2): 341–380.
Lupton, D. 2016. The Quantified Self. Cambridge: John Wiley & Sons.
Madison, M. 2014. “Commons at the Intersection of Peer Production, Citizen Science, and Big Data: Galaxy Zoo.” In Governing Knowledge Commons, edited by B. Frischmann, M. Madison and K. Strandburg. Oxford: Oxford University Press.
Mantovani, E., and P. Quinn. 2013. “mHealth and Data Protection – The Letter and the Spirit of Consent Legal Requirements.” International Review of Law, Computers & Technology.
Morris, M. E., and A. Aguilera. 2012. “Mobile, Social, and Wearable Computing and the Evolution of Psychological Practice.” Prof Psychol Res Pr 43(6): 622–626.
Murdoch, T., and A. Detsky. 2013. “The Inevitable Application of Big Data to Health Care.” Journal of the American Medical Association 309 (13): 1351–1352.
Newman, Greg, Andrea Wiggins, Alycia Crall, Eric Graham, Sarah Newman, and Kevin Crowston. 2012. “The Future of Citizen Science: Emerging Technologies and Shifting Paradigms.” Frontiers in Ecology and the Environment 10(6): 298–304.
Purcel, R., and K. Rommelfanger. 2017. “Biometric Tracking from Professional Athletes to Consumers.” The American Journal of Bioethics 17 (1): 72–74.
Quinn, P. 2017. “The Anonymisation of Research Data — A Pyric Victory for Privacy that Should Not Be Pushed Too Hard by the EU Data Protection Framework?.” European Journal of Health Law 24.
Quinn, P., A. Habbig, E. Mantovani, and P. De Hert. 2013. “The Data Protection and Medical Device Frameworks? Obstacles to the Deployment of mHealth across Europe?.” European Journal of Health Law 20 (2): 185–204.
Swan, M. 2013. “The Quantified Self: Fundamental Disruption in Big Data Science and Biological Discovery.” Big Data 1(2): 85–99.
Tene, O., and J. Polonetsky. 2013. “Big Data for All- Privacy and User Control in the Age of Analytics.” Northwestern Journal of Technology and Intellectual Property 11 (5): 239–74.
For further discussion on this see an article published on the online site ‘The Conversation’ entitled “Expanding citizen science models to enhance open innovation” available at: https://theconversation.com/expanding-citizen-science-models-to-enhance-open-innovation-61554.
That data subjects might want access to their data is something that has been long recognised in data protection. The original European Data Protection Directive (95/46/EC) recognised (in recital 41) a right of data subjects to access their data, stating: “Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions…”
As the Article 29 Working Party guidelines state (p. 13): Given the wide range of potential data types that could be processed by a data controller, the GDPR does not impose specific recommendations on the format of the personal data to be provided. The most appropriate format will differ across sectors and adequate formats may already exist, but should always be chosen to achieve the purpose of being interpretable. Formats that are subject to costly licensing constraints would not be considered an adequate approach.
In terms of “consent”, there are in reality two legal grounds given that there are two types of consent foreseen in the GDPR. The first is the “unambiguous informed consent” described in Article 6(1) that applies to the use of personal data in general. The second is explicit consent for the use of special forms of data (e. g. health data) described in Article 9(2).
Numerous grounds for the processing of sensitive and non-sensitive data are described in articles 6 and 9 of the GDPR.
Article 29 Data Protection Working Party. 2007. Working Document on the Processing of Personal Data Relating to Health in Electronic Health Records (EHR), 00323/07/EN WP 131.
It should however be recognized that Member States are, according to Article 9(4) of the GDPR, able to maintain their own respective laws that create additional requirements for sensitive data. This means that there may for example be extra requirements on inter alia the transfer of health data. Such requirements may vary on a state by state basis according to Member State Law.
See Article 29 Working Party Opinion on Data Portability, p. 6.