Report: OpenAIRE Legal Policy webinars

Data and copyright: what you need to know 

The first presenter, CREATe's Thomas Margoni, discussed how copyright and related rights to copyright classify and regulate data. His presentation concentrated on the aspect of data ownership, i.e., whether non-personal data can be owned and, if yes, by whom. Dr Margoni effectively subdivided the issue into three sub-categories: 

1. data as such (structured and unstructured data): data as such is commonly excluded from copyright protection. International and national copyright laws are clear that ideas, procedures, methods of operation, mathematical concepts and the like are not protected by copyright law. Only original expressions which constitute intellectual creations attract protection (see e.g. Arts. 2 WCT, 9(2) TRIPs, Art. 2 Berne and most legal traditions requiring originality); 
2. databases (a collection of systematically or methodically arranged and individually accessible data):  factual information and data as such commonly fall short of these requirements. Regarding databases, the EU SGDR (Sui Generis Database Right) protects original and non-original databases whose making required a substantial investment in obtaining, verifying or presenting (but not in creating) the data. In this case, protection is against acts of extraction and reuse of substantial amounts of data.
3. data contained in works of authorship (e.g. information contained in a scientific article): information contained in a work, is usually not protected as such. Nevertheless, often an authorisation (e.g. exception, licence, etc) is necessary due to the fact that in the digital environment most uses require the making of a copy (even if temporary, indirect or in part) which is often an infringement of the copyright in the underlying work. This explains the importance of exceptions and limitations such as the Text and Data Mining (TDM) exceptions contained in some national and, more recently, in Union law. However it also highlights a paradox: information that is not afforded protection due to its crucial importance for fundamental rights such as freedom of expression and scientific enquiry becomes de facto protected in the digital environment when it is contained in qualifying works. 

 Research data and the GDPR

In the following presentation, Dr Prodromos Tsiavos provided an overview of the relationship between research data and the General Data Protection Regulation (GDPR). After a brief review of GDPR objectives, namely the need to balance lawful personal data processing with the free flow of data within the Digital Single Market, Dr Tsiavos discussed the legal elements of personal data relevant for research. He focused primarily on the fundamental aspect of the correct identification of the proper legal basis to process data for research purposes.

In addition, Dr Tsiavos highlighted how the ethical framework also plays an essential role, because it sets forth additional rules for researchers that often complement and supersede legal requirements. Article 89 GDPR provides a definition of scientific research and under which circumstances it may form the basis for lawful processing of personal data. Dr Tsiavos also discussed the extent to which research could fall under the scope of public interest, where he emphasised the form of further processing and the need to ensure appropriate safeguards (e.g. data pseudonymization) are in place. Moreover, Dr Tsiavos examined how to process special categories of data – previously known as "sensitive data" – a category of particular importance in the post COVID19 era. Specifically, in relation to the legal basis, Dr Tsiavos provided an example to explain how public interest, contract and consent can be applied in scientific data processing. In this case, tracing the life cycle of personal data is vital, particularly in the form of a detailed data management plan, including data collection, data management and also data sharing.

Regarding data subject rights, Dr Tsiavos  stresses the following points:

• The data subject must be informed particularly where data aren't obtained from the data subject;
• The definition of data erasure and the way in which such a right may be exempt in the case of processing for purposes of scientific research; 
• Even when the data subject objects to such processing, researchers may reject these objections if the processing is necessary for reasons of public interest, but is rendered impossible for research purposes because of  the exercise of such right
• Additionally, national laws may provide further derogations from the GDPR for data processing necessary for scientific research. 

Data sharing and the GDPR: practical pointers 

Jacques Flores Dourojeanni (Research Data Management Consultant Utrecht University Library) was the third and last speaker. Following up on the previous presentation, Flores Dourojeanni explained how personal data may be lawfully collected in a research setting. He highlighted that, within universities, informed consent is commonly used as the legal basis for processing personal data since it fulfils both the legal and ethical obligations that researchers hold towards their participants.

Flores Dourojeanni elaborated further on the significance of the purpose limitation principle. He explained that the GDPR distinguishes between two types of data use: 

• Primary use relates to data collected directly for a specific research purpose whereas secondary use relates to the further processing of data that is already collected;
• Secondary use of data is important since it provides a means to compliantly re-use personal data for research purposes. The GDPR allows the secondary use of data for research purposes only if appropriate technical and organisational measures are applied to ensure that the privacy of the data subjects is adequately protected. These include but are not limited to pseudonymization, minimization, encryption and access control.

In the last part of the presentation, Flores Dourojeanni gave some practical advice on how to formulate informed consent forms to facilitate data sharing. He stressed the need to be granular about the personal data collected and transparent about the methods used to process the data. Moreover, he warned researchers to avoid making promises which would be very difficult or impossible to maintain, such as fully anonymizing the data or promising to destroy the data. True anonymization, per the GDPR, is quite difficult to achieve and often devalues the power of the data, whereas promising to destroy the data works against the original aim to share this data with other researchers.