Science and Privacy: Data Protection Laws and Their Impact on Research
While privacy laws differ in their scope, focus, and approach, they all involve restrictions on the collection, use, sharing, or retention of information about people. In general, privacy laws reflect a societal consensus that privacy violations can lead to a wide range of financial, reputational, dignitary, and other harms, and that excessive collection and harmful uses of personal information should therefore be constrained. These laws require organizations to comply with a number of obligations concerning personal information. In practice, these requirements can lead organizations to refrain from collecting certain data, only use data with the consent of the individual, or to delete data after a certain timeframe or at the request of the individual. Further, the global trend is toward both more and stricter privacy laws. At the same time, scientific research is increasingly using the tools of data analytics and machine learning. These tools rely on “big data” and the idea that powerful computers and sophisticated analytical tools can examine very large data sets to reveal new insights and discoveries. Scientists believe this data-driven approach to research will lead to stunning breakthroughs in medicine, education, and many other fields that can dramatically advance human knowledge and well-being. The tension between these two trends is clear. Most privacy laws acknowledge and address that tension. While privacy laws aim to restrict harmful data practices, they typically also are designed to allow for, or even encourage, uses of personal information that are beneficial and valuable to the individual or society. The inherent tension is often resolved by including reasonable exceptions in the laws to allow for necessary or beneficial data uses. But these exceptions are not complete exemptions from privacy obligations; even such beneficial uses of personal information typically remain subject to other protections in privacy laws such as an obligation to maintain the security of the data. Protecting individual privacy is an important part of any use of personal information for research purposes. Organizations that collect, retain, use, or share personal information to advance scientific research should always handle that information with care, protect it from inadvertent disclosure or misuse, and be transparent about the use and protection of that data. But if privacy laws do not take into account and make allowances for the beneficial uses of personal information for research, the advancement of science, the expansion of knowledge, and the realization of new discoveries can be seriously impaired. This article addresses how privacy laws can and should allow for scientific research while still providing meaningful protections for personal information. Part I discuses key principles found in many privacy laws and how each can potentially impact scientific research. Part II describes several prominent privacy laws across different jurisdictions and how each addresses research as a type of data use. Part III briefly discusses the distinction between academic or public-interest research and commercial research. Finally, Part IV provides specific recommendations to lawmakers and regulators on how privacy law should address and accommodate scientific research.