Legal Barriers to Open Data Sharing
The recently published Study on legal barriers to open data sharing - Data Protection and PSI takes a closer look at legal barriers to data sharing within the context of the European Commission’s Open Research Data Pilot in Horizon 2020. The study investigates two legal issues for the implementation of the Pilot, i.e., data protection law and public sector information (PSI).
The study first describes the European legal framework, focusing on the Data Protection Directive (95/46/EC) and its implementation in selected EU Member States. The comparison of six Member States reveals that the directive has not been consistently implemented, but that the legal situation still differs across Europe. Additionally, the study also looks at future changes and policies, such as the General Data Protection Regulation (2016/679/EU(GDPR)). Special focus is placed on leading data protection principles.
Following, the focus shifts to the Open Research Data Pilot, in particular to the open use of research data in the Pilot and the impact of data protection rules on such use. The study refers to the Commission’s experiences with the Open Research Data Pilot and basic examples of repository use forms and emphasises that anonymisation of personal data is the best way comply with both the Pilot and data protection rules.
The second part of the study explores the question of how legislation on public sector information (PSI), in particular the 2003 PSI Directive (2003/98/EC) and its revision in 2013 (2013/37/EU), impacts access to and re-use of materials held by public libraries, including university and research libraries. The PSI Directive sees transparency of PSI as an instrument to drive the economic activity of the private sector. As such, the goal of the directive is to establish consistent re-use conditions for these materials, yet again the situation is far from harmonised. The findings show that since universities hold a unique position compared to other public institutions, they are excluded from the full scope of the PSI Directive. However, this enables (university) libraries to define their active role in today’s digital environment and encourages them to digitise and open up their collections in a consistent manner, promoting re-use at EU level.
The study finishes with concrete policy recommendations to improve the current legal situation in relation to research data. The core issues for Open Research Data and data protection, put into the perspective of the different levels of policy making, are: Requirements for anonymisation (and harmonisation), reduction of requirements for consent, extension of specific research privileges, and definition of research purposes. The main issue for public sector information is the inclusion of university libraries in the PSI Directive.
- Europe-wide standards for anonymisation are needed.
- Under the regime of the GDPR, the European Data Protection Board could issue guidelines concerning anonymisation.
- Furthermore, codes of conduct should be used, in particular, to differentiate between personal and anonymised data. For example, LIBER could issue codes of conduct. However, since codes of an association may only be binding for its members, data sharing should then be restricted to those who agreed to the codes of conduct.
- One could think about lowering the requirements for consent for specific research purposes so that the data subject would no longer have to be informed about all potential subsequent purposes of data processing
- However, this would require a modification of the GDPR.
(3) Extension of Specific Research Privileges
- Extending the currently limited and not all-encompassing research privileges and legal permissions provided by the GDPR is another option to enable a broader use of research data.
- But again, this would require a modification of the GDPR.
(4) Definition of Research Purposes
- To reduce the uncertainty of what is meant by “research purposes”, this term should be further specified.
- Under the regime of the GDPR, the European Data Protection Board may establish common criteria.
- Codes of conduct may also give guidance concerning the interpretation of “research purposes”.
(5) Changes to the Commission’s Open Data Research Policy
- In contrast to the current policy approach, narrowing the users having access to research data, including personal data, may reduce the risk of re-identification and make data sharing among a circle of researchers more legitimate.
- A repository or at least a register of available research data, containing information on which data are stored, where, for what (research) purposes, and on any other conditions that apply could be developed.
- From the data subject’s perspective it might be an option to implement a new form of consent to different uses of their data throughout their relationship with a data service provider.
(6) Open Research Data and PSI
- The next review of the PSI Directive should clarify the EU’s stance concerning university libraries.
- It should be carefully assessed how libraries interpret their role and how competition between different institutions may enhance free access to documents, including licensing guidelines.
- University libraries should disclose and clarify their relationship with universities they are affiliated with, including their general strategy towards making documents accessible. They should transparently describe to what extent their public task falls within the scope of the PSI Directive and how interested parties can request specific material for reuse.
- Machine-readable format, open format and formal open standards should be fostered in order to facilitate interoperability.
- Concerning charging fees for making documents available, it should be left to the institutions and to Member States to decide how to handle the commercial/non-commercial price differentiation, as long as the goals and reasons for different pricing are made transparent.