The Public Interest Requirement in the Secondary Use of Health Data in Scientific Research: The Examples of Estonia and Finland

Abstract

The General Data Protection Regulation (GDPR) foresees a flexible data processing regime for conducting scientific research with health data. This regime also enables extensive limitations on data subjects' rights to privacy and self-determination. Concern has been expressed that the notion of 'scientific research' may encompass conducting also profit-oriented commercial research that might not justify such limitations to data subjects' rights. Some authors have suggested a restriction on benefiting from the flexible scientific research regime: public interest should be set as a prerequisite for any scientific research employing health data without the data subject's consent. While the GDPR does not explicitly require that scientific research be in the public interest, it allows Member States to choose their policies. In light of this, the article examines the examples of Estonia and Finland to analyse whether national law should require the processing of health data in scientific research in the absence of the data subject's consent to be in the public interest. The article demonstrates on the basis of the two countries’ examples that it is possible to set a public interest standard without explicitly requiring the existence of a public interest via national legislation. Considering the future, the article also shows that, under the proposed European Health Data Space regulation, Member States may retain the public interest standard through the ethics-review requirement in their national law.