Will the trilogue on the EU Data Protection Regulation recognise the importance of health research

The discussion about the European regime for processing personal data is entering a new phase. After the European Commission had proposed a new General Data Protection Regulation (GDPR) in 2012, the European Parliament proposed a different version in May 2014. The proposal of the European Parliament of the GDPR restricts processing personal data by requiring informed consent, regardless of the purpose the data will be used for and regardless of whether or not privacy enhancing technologies are applied. Although there are a number of situations where the version of the European Parliament proposes alternatives, informed consent seems set to become the default. In this version of the GDPR, informed consent is not only required for directly identifiable data with names, addresses or other identifiers of people, such as IP addresses, but is deemed to be necessary for all data that is not anonymous. After all, the version of the Parliament distinguishes only two types of data: personal vs. anonymous. Many comments have argued how this version could seriously jeopardise (public) health research.1-3 Informed consent for the use of data in health research cannot be based on the dichotomy of personal vs. anonymous data. In spite of the use of privacy enhancing technologies, data in health research is highly likely to contain indirectly identifiable variables, simply because of its granularity. Moreover, data that may identify subjects is needed for research in children’s diseases (age classes in months) or effects of environmental exposure (location) …