This is not a law Q&A, but if questions are asked about a law, then I think answers should refer to paragraphs of that law or to legal commentaries. We are scientists, so let's refer to facts!
As a matter of fact, the GDPR contains a lot of research exemptions. These exemptions are so numerous and permissive that even commercial entities like LinkedIn try to justify their use of non-pseudonymized user data for market research with them. But I digress.
I am unable to summarize the already compressed article linked above, so let me just quote its conclusion:
Conclusion
Although the GDPR creates heightened obligations for entities that process personal data, it also creates new exemptions for research as part of its mandate to facilitate a Digital Single Market across the EU. Specifically, the GDPR exempts research from the principles of storage limitation and purpose limitation so as to allow researchers to further process personal data beyond the purposes for which they were first collected. Research may furnish a legitimate basis for processing without a data subject’s consent. The Regulation also allows researchers to process sensitive data and, in limited circumstances, to transfer personal data to third countries that do not provide an adequate level of protection. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.
If you prefer slides, this deck is a nice introduction to the GDPR for researchers and research data managers, with research-specific regulations starting on slide 13.
Overall, I think that the GDPR will not hinder Open Science in the long run. Those who have handled data correctly in the past will not have to learn a lot of new things. Ultimately, the GDPR will make sure that research can and will be done openly and fairly because its transparency rules make backroom research unviable.