Since the new Swedish law on research databases is delayed, there is a proposal to extend the current temporary law on certain registries for research about what heredity and environment mean for human health (until December 31, 2017).
The Swedish Data Protection Authority rejects extension, because major deficiencies noted previously have not been addressed and since the requirements for purpose identifications are not sufficiently specific and explicit.
Regarding specific and explicit purposes, the Authority gives special weight to a statement by the European so-called Article 29 Working Party, cited in the opinion:
- “The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specific purpose, and to allow that compliance with the law can be assessed and data protection safeguards be applied. For these reasons a purpose that is vague and general, such as for instance ‘improving user’s experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.”
This I regard as problematic in two ways.
First: In the cited statement the Article 29 Working Party equates the purpose “future research” with purposes like “improving the user experience” and “marketing purposes”. It is unclear if one can equate research purposes with such purposes, since researchers do not intend to return to the persons whose data are collected, to give them specifically profiled consequences. Personal data circulate in a categorically different way in research.
Secondly: The website of the Article 29 Working Party begins with a disclaimer. The group emphasizes that all material on the website solely reflects the group’s views, not the position of the European Commission. The group only has an advisory status and acts independently.
The group’s reasoning about research purposes can be questioned, and it seems to relinquish at least some of the authority that the Data Protection Authority ascribes to it in its opinion.