The General Data Protection Regulation 2016/679 (GDPR), effective from 2018, established a series of principles and rules aimed at facilitating the circulation of data for research purposes.
In order to allow data to be used for research purposes, Article 9(2)(j) of the GDPR permits the processing of special data, including health-related data, if necessary for archiving purposes in the public interest or scientific research. The permissions should be in accordance with Article 89(1), based on EU or national law, proportionate to the aim pursued, respect the essence of the right to data protection, and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
Article 9(4) of the GDPR stipulates: “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”.
With Legislative Decree No. 110 of 2018, and in line with the aforementioned Article 9, Italy harmonised the GDPR to the domestic legal system, incorporating further limitations — stringent rules with regard to medical and biomedical research — and amending the previous Article 110 of the Privacy Code.
Article 110 of the Privacy Code required consent as the legal basis for processing data for research purposes. Should this not be possible, the last sub-paragraph of Article 110(1) stipulated that a number of requirements had to be met. The competent ethics committee had to provide a positive assessment. Appropriate measures had to be adopted to protect the rights, freedoms and legitimate interests of the data subjects. An impact assessment had to be prepared. There had to be prior consultation with the Garante (the Italian data protection authority), which would analyse, in concrete terms, the compliance of the intended data processing.
These provisions led to heavy resource burdens on our research centres and significant delays in research activities compared to other European research partners, delays that we cannot afford, especially given the impact of artificial intelligence.

The above-mentioned last sub-paragraph of Article 110(1) of the Code was, in fact, a closing provision. It allowed the processing of personal data that should have been subject to the consent of the data subjects, where that consent was not obtainable, to be carried out anyway when the objectives behind processing that data could not be achieved in any other way (for example, through the use of anonymous data or by involving data subjects who are contactable).
For a long time, that article served as the legal basis for processing special data in the context of medical, biomedical and epidemiological research in relation to studies not carried out on the basis of specific legislation and in cases where it would not be possible to obtain consent from the data subjects.
It is important to highlight that in the field of medical research, a significant portion of the activity is dedicated to retrospective observational (or non-interventional) studies. These studies are conducted by analysing events that have already occurred (observations pertaining to the past). They include, for example, most epidemiological studies, and so Article 110 has had a significant impact on this activity.
For this type of research, when the processing is necessary for conducting studies using data (possibly derived from biological samples) collected previously for healthcare (or, where derived from biological samples, for health protection), the research necessarily involves secondary use of the data collected. And that means having to apply the provisions that pertain to the processing of personal data carried out for scientific research purposes (provisions with requirements relating to the processing of special categories of data in accordance with Article 21(1) of Legislative Decree no. 101 of 10 August 2018, and Legislative Decree no. 146 of 5 June 2019).
Therefore, such a project must document that there are very particular or exceptional reasons why informing the interested parties would be impossible or would involve disproportionate effort, or that there is a risk that the objectives of the research would otherwise be impossible to achieve or seriously jeopardised. Among the reasons that may be provided are ethical reasons and organisational impossibility. With reference to the latter, the provisions also regard the processing of data about those who, further to every reasonable effort made to contact them, are found to be deceased or non-contactable.
In recent years, the next procedural step has been the requirement to draft an impact assessment in accordance with Article 35 of the GDPR. This procedure is aimed at identifying, assessing and managing the risks associated with a specific type of processing and it involves prior consultation with the Garante (data protection authority).
This process proved to be very long and complex, and sometimes caused researchers, perceiving it as a heavy bureaucratic requirement, to abandon their objectives. Among the critical issues highlighted was the time required to obtain the opinion of the Garante (data protection authority) since, in most cases, additional investigations were necessary to address specific critical issues identified based on the documentation provided. This extended the period provided for in Article 36(2) of the GDPR from 8 weeks to 6/8 months or more.
It should also be noted that in order to verify the findings highlighted by the data protection authority, it was often necessary to modify the documentation pertaining to the study, including the protocol, which thus had to be resubmitted for the approval of the ethics committee, thus further extending the timeline.
In order to put an end to these delays, and with a view to promoting medical research (observational, translational, interventional, single- or multi-centre, non-profit, clinical trials), art. 44, paragraph 1 bis of Act no. 56 of 29 April 2003 intervened. Article 44 was effectively modified via the amendments of Decree-Law No. 19 of 2 March 2024 on the subject of further urgent provisions for the implementation of the National Recovery and Resilience Plan (PNRR) (24A02201) (Official Journal (General Series) No. 100 of 30-04-2024 – Ordinary Supplement No. 19).
Among the studies to be sent to the Garante (data protection authority) are some (such as online documents no. 9953841 and no. 9988614) that envisage, as a secondary purpose, that the data collected would subsequently be processed with algorithmic logic, using artificial intelligence tools and predictive logics based on machine learning systems.

In this regard, the Garante (data protection authority), first highlighting the provisions of Article 22 of the GDPR, should refer to the judgment of the Council of State (no. 8472 of 13 December 2019) which, based on analysis of supranational law, clarifies three principles that must be complied with in the examination and use of IT tools:
– the principle of knowability: everyone has the right to know about the existence of automated decision-making processes and to receive meaningful information about the logic used;
– the principle of non-exclusivity of algorithmic decision-making;
– the principle of algorithmic non-discrimination (under recital no. 71 of the GDPR). In fact, it is “necessary that the data controller implements appropriate technical and organisational measures in order to ensure, in particular, that the factors that lead to data inaccuracies are rectified and that the risk of errors is minimised in order to guarantee the security of personal data” (section III of Campania regional administrative court judgment no. 05119 of 11 November 2022).
Furthermore, the Garante (data protection authority) should refer to joint opinion no. 5/2001 of the European Data Protection Board and the European Data Protection Supervisor concerning the proposal for a regulation by the European Parliament and the European Council laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act of 21 April 2021). The joint opinion welcomes the risk-based approach on which the proposal is based, highlighting the centrality of the concept of human oversight to ensuring the right not to be subjected to a decision based solely on automated processing.

