COVID-19 Research: Navigating the European General Data Protection Regulation

Researchers must collaborate globally in order to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires 1) a legal basis for the processing, 2) an additional justification for the processing of sensitive data and 3) a basis for any transfer outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if these measures are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to determination by individual Member States, who have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork displaying insufficient clarity and impeding joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws, which consider the related practical challenges and support collaborative global research in the public interest.

Keywords: COVID-19; GDPR; health research; pandemic; data privacy; data protection; regulation

Suggested Citation: Suggested Citation

Becker, Regina and Thorogood, Adrian and Ordish, Johan and Beauvais, Michael J.S., COVID-19 Research: Navigating the European General Data Protection Regulation (May 5, 2020). Available at SSRN: https://ssrn.com/abstract=3593579 or http://dx.doi.org/10.2139/ssrn.3593579