The objective of this article is to present an overview of the data protection aspect in the SHAPES project and, more generally, to provide an understanding of the complex nature of the requirements that an actor planning to process personal data must consider.
The SHAPES project aims to support healthy living for older individuals by bringing a wide range of service providers together and forming easy-to-access services for different situations in life. Piloting the services and receiving feedback are essential for the project to be successful. Many of the services provided come very close to the end-users. They are all in some way connected to digital devices and may involve, for example, a speech-based assistant, activity tracking or monitoring of specific health-related parameters. For the services to be usable, it is mostly necessary to know the age, weight, height and some other basic information of the participant. In other words, personal data is processed in SHAPES pilots, and the processing of personal data in the EU is governed by the General Data Protection Regulation (2016/679, GDPR).
The SHAPES research project contains 7 different pilot themes (PT), ranging from smart living environment for healthy ageing at home (PT1) to cross-border health data exchange (PT7). Each pilot theme is divided into two or more Use Cases that are connected to that specific pilot theme. For example, PT1 contains 3 Use Cases:
- UC1: Wellbeing monitoring and assessment
- UC2: Social connection
- UC3: Competent usage of digital technologies.
Each Use Case is piloted in different pilot sites, where one is the pilot lead and the others are replicating sites.
The GDPR assigns a large set of legal obligations to an actor planning to process personal data. In some situations, though, there remains a possibility for the Member State legislators to regulate the details. Hence, in a pan-European project such as SHAPES, the actors involved in processing are required to pay special attention to national data protection rules as well.
How are the responsibilities determined?
The two most crucial data protection roles in the SHAPES project are those of controller and processor. These roles need to be understood well before starting any kind of processing of personal data, as the legislation assigns different obligations depending on which role is assumed.
Data controllers are entities who decide the purposes and means of a processing operation. According to Article 24 GDPR, it is the controller who needs to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection laws. In SHAPES, the pilot sites make those decisions and therefore are considered to be the controllers.
A processor is a natural or legal person that processes personal data on behalf of a controller. In SHAPES, the technical partners are mostly the processors, as they focus on providing the technical solutions required for the services of SHAPES. Following the distinction made by the EDPB (European Data Protection Board 2020b, p. 15), the processors can only decide on the “non-essential means” of the processing, such as the choice of hardware used or other practical aspects of implementation. The controller makes decisions on the essential means, such as what data shall be processed and who shall have access to the data.
What makes the processing lawful?
Article 6(1) GDPR states that processing shall be lawful only if one of the lawful bases listed under it applies. Although there are other possible legal bases for conducting research, consent can be seen as the most appropriate in the context of SHAPES pilots, as the data is collected directly from the data subjects, who are the end-users. When consent is used, it is rather simple for the data subject to exercise the data subject’s rights, such as the right to be forgotten, at any point of the processing. Explicit consent is also an appropriate basis for processing the special categories of personal data referred to in Article 9.
The elements of a valid consent are provided in Article 4(11). The Article states that consent by the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the data subject.
It has to be noted that the ethical consent for participating in the research and the consent for processing personal data are two different things. This means, for example, that if a data subject for some reason wants to stop participating in the research project, the data subject can still allow SHAPES researchers to process the personal data collected so far. As one of the requirements for a valid consent is that it is freely given, it is important that the data subject does not suffer any detriment if the consent is withdrawn.
Even when a data subject consents to the processing of personal data, many responsibilities remain with the controller: consent does not mean that anything goes. The consent must be given for a specific purpose, and the controller may not exceed its limits without obtaining additional consent for the new purposes. Still, according to the EDPB, the consent may cover different operations, as long as these operations serve the same purpose (European Data Protection Board 2020a, p. 14). Also, although not meant for circumventing the requirement of specificity, Recital 33 GDPR states that data subjects should be allowed to give their consent to certain areas of scientific research, as it is often not possible to fully identify the purpose of processing at the time of data collection. Therefore, in some pilot sites, consent will be asked for conducting research for a limited duration even after the research project ends, as this can still be seen as serving the original goals of SHAPES.
Assessing how the processing affects the data subjects
Article 35 describes the obligation to conduct a data protection impact assessment (DPIA). Generally, a DPIA is required when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. However, the European data protection authorities have emphasised that the controllers’ general obligation to implement measures to appropriately manage risks for the rights and freedoms of the data subject remains even when the criteria for “high risks” are not met (Article 29 Data Protection Working Party 2017, p. 6). Therefore, it has been agreed that every SHAPES pilot conducts a DPIA. It is decided within the Use Cases whether there will be a single DPIA that applies to all the pilot sites or whether the pilot lead and the replicating sites will make their own documents.
There are three main documents used in the DPIAs:
- General DPIA document, which describes, for instance, how the data protection principles (for example, lawfulness, fairness and transparency) are implemented in the pilot in question.
- Descriptions spreadsheet document, where the general information on the partners involved, their contact information, the categories of personal data and the purposes for them are listed in a simple and accessible form.
- Finally, there is the risk assessment document, where the partners involved are required to identify the risks, their root causes and possible consequences, along with their probability and impact. The pilots need to plan and implement the mitigation actions in accordance with the risk severity.
The pilot sites are instructed to keep their documents up to date as the project goes on in case any changes to the plans emerge.
Performing a DPIA serves multiple purposes. By carefully making a DPIA, the controller plans and maps the details of a processing operation. This includes identifying all the other actors in the chain of processing. A set of crucial legal obligations will be planned for before the processing takes place, which enhances the protection of the data subjects but also fortifies the legal position of the controller itself: a controller can demonstrate compliance with data protection rules with a DPIA.
It can be seen that, besides all the other possible legal rules applying to the activity in question, following the data protection legislation alone requires a great deal of attention. Identifying the roles in a processing operation can sometimes be complicated and, as stated, the roles determine the responsibilities. Different legal bases are determined mainly by the purposes of the processing and assign different obligations to the data controllers. In some cases, the obligation to conduct a DPIA can be subject to interpretation as well.
Failing to comply with the data protection rules does not go without consequences, as every EU Member State has its own data protection authority that can be contacted by anyone suspecting that an actor is processing personal data against the rules. The authorities can also carry out investigations on their own initiative. If an infringement is detected, a temporary or definitive limitation on processing can be imposed, or ultimately, an administrative fine. The more complex the processing operation, the more expertise it requires to comply with the rules. Hence, many actors planning to process personal data are practically forced to seek legal assistance.
- Article 29 Data Protection Working Party 2017. Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.
- European Data Protection Board 2020a. Guidelines 05/2020 on Consent.
- European Data Protection Board 2020b. Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.