5.1 Introduction

Replacing the EU's previous Data Protection Directive (Directive 95/46/EC), enacted in October 1995, the new General Data Protection Regulation (EU) 2016/679 (GDPR) enforced on May 25, 2018, primarily aimed to provide individuals control over their personal data and at the same time to unify the regulation within the EU (EU 2016). The GDPR introduced new obligations and more significant sanctions when compared to the previous directive (EU 1995). The GDPR offers possible derogations (e.g. for Article 9) and may impose additional requirements when appointing a Data Protection Officer (DPO) (Article 37) or when conducting Data Protection Impact Assessments (DPIA) as per Article 35. In Croatia, to ensure full implementation of the General Data Protection Regulation, the Act on the Implementation of the General Data Protection Regulation (Official Gazette, No. 44/2018) was enacted on May 25, 2018. Unfortunately, derogations for scientific research purposes were not implemented on the national level in the Republic of Croatia, except for official Croatian statistical purposes (Article 33) (Parliament 2018b; Puljak et al. 2020).

This made the use of personal data for scientific research in Croatia even more challenging than in other EU countries that implemented the proposed derogations for scientific purposes (such as the Republic of Austria) (Parliament 2018a; DSB 2018). To explore the impact and implementation of the GDPR on science and research in the Republic of Croatia, a study was prepared in cooperation with the Croatian Personal Data Protection Agency (known as AZOP from its Croatian name, Agencija za zaštitu osobnih podataka), which is a member of the European Data Protection Board (EDPB). At first, we wanted to explore the scale of personal data protection issues associated with science and research in Croatia. We searched for all cases reported to AZOP by academic and research institutions across Croatia. Our findings showed that from January 2015 until the end of 2019, AZOP received only 37 requests about personal data protection related to the use of data for research purposes (Puljak et al. 2020). Taking into account the large number of research institutions in Croatia, and the explored time frame of five years, which covered the periods before and after the implementation of the GDPR, this number appears surprisingly low. By contrast, the number of general requests and non-research-related data breach reports received by AZOP was much higher than the number coming from academic and research institutions across the Republic of Croatia.

5.2 Implementation

The full implementation of the GDPR increased the number of citizens’ complaints, showing a positive impact of the GDPR on citizens’ awareness of personal data protection. However, we also detected that in many cases citizens misinterpreted their rights, as AZOP did not find valid grounds to initiate the official administrative procedures that would normally follow cases reported by citizens.

Nevertheless, the focus of our interest remained the implementation of the GDPR in scientific and academic institutions across Croatia. The question that sparked our interest was why so few requests for an opinion were addressed to AZOP by academic and research institutions. Is the state of personal data protection in the academic and research environment so good that no complaints came from that area? Do research institutions in Croatia have a perfect system for protecting personal data, so that no official intervention by AZOP was needed to follow up those rare reported requests related to the use of personal data for research purposes? In an environment where GDPR derogations for scientific purposes were not sufficiently implemented at the Croatian national level, and knowing that the complexity of research under the GDPR increased (Quinn 2021), that explanation appeared unlikely. We therefore assumed that a more plausible explanation was low awareness of the implications of the GDPR for research work conducted in academic and research institutions in Croatia. To resolve that puzzle, our next step was to explore whether the responsibilities of DPOs (EC 2021) were appropriately recognized in their institutions, what kind of support they could count on and from whom, what kinds of problems they face in their positions, and whether they have opportunities for professional advancement and continuous education in the field of data protection. Importantly, we also wanted to explore the relationship between DPOs and Research Ethics Committees in institutions where such committees had been established.

5.3 Background

Previous studies had emphasized the lack of formal training and the broad nature of the ethics discussions that may occur in the work of Research Ethics Committees (Sperling 2021), as well as inconsistencies between ethics committees’ reviews (Trace and Kolstoe 2017). Furthermore, other studies showed that the heterogeneity of opinions among ethics board members, especially when the protection of the institution's interests is in question, may lead to poor relations and mistrust between ethics committees and researchers (Guillemin et al. 2012).

However, Ethics Committees in academic institutions are seen as a crucial control mechanism for keeping research ethical. Considering the rapid development of new technologies and the exponential growth of personal data used for research purposes, the role of Ethics Boards and Committees appears more important than ever. Questions related to the use of personal data in scientific research are increasing, especially in the EU after the implementation of the GDPR. Since not all EU countries implemented the GDPR derogations for scientific purposes, issues related to personal data protection often exhaust the capacities of Ethics Boards and Committees. Personal data protection is one of the fields that may lead to "ethics overkill", a term for demanding unnecessary ethical requirements, even where compliance is not possible (Nature 2014). In a large grant application system such as Horizon 2020 (Kinderlerer 2016), the involvement of a large number of new expert evaluators is crucial to keep the evaluation procedure fair. Unfortunately, that may potentially lead to the opposite situation: an unfair implementation of the system. Due to inexperience, new experts may simply “tick the box” in situations where they are uncertain or not sufficiently knowledgeable about some ethics questions. In our recent retrospective study of more than 79,000 MSCA H2020 applications, we found that one of the most commonly identified ethics categories, both by applicants in their "ethics self-assessment" form and during the ethics review procedures performed by ethics experts, was the "protection of personal data" (De Waele et al. 2021).

For all issues related to personal data protection, since the introduction of the GDPR, ethics review boards may also rely on the newly mandated Data Protection Officer (DPO) (EDPS no date). Assuming that DPOs might face difficulties with the implementation of the GDPR in their institutions, we were very interested in investigating how DPOs function in their institutions, in detecting any hurdles or obstacles that may influence their work, and in exploring the previously mentioned relationship between Ethics Boards or Committees and DPOs.

Evidently, DPOs should continuously develop their skills and broaden their knowledge in the field of personal data protection in order to fulfill all the tasks and duties described in Article 39 of the GDPR. Still, the GDPR did not set any legal obligation for that, nor were such duties introduced as mandatory at the national level. Furthermore, Article 37, recital 5 of the GDPR states that "the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices" (EU 2016). With regard to science and research in Croatia, we identified two possible problems in the ethics review process associated with the use of personal data for research purposes. First, there is no specific legal obligation for institutional Ethics Committees to consult DPOs when granting approvals in matters related to personal data protection. Second, beyond the recommendation that DPOs should be knowledgeable in the field of data protection and should continuously develop their knowledge and skills in that area, there is no binding legal requirement for DPOs to keep developing those skills and that knowledge. At the time we conducted our survey of DPOs across the Republic of Croatia, we did not come across any publication that explored the quality of DPOs’ work output or their support to the institutions where they are appointed.

5.4 DPOs and Ethical Research

To explore the relationship between DPOs and Ethics Boards, and to explore the current position of DPOs in institutions across Croatia, together with AZOP we prepared a research study based on a cross-sectional online survey, which was completed by more than 700 DPOs across the Republic of Croatia (Mladinić et al. 2021).

First, our study showed that institutions in the Republic of Croatia did not make appropriate use of the time between the adoption of the GDPR in 2016 and its enforcement in May 2018. Namely, our findings showed that the median time DPOs had served at an institution was 18 months. Considering that this research was conducted between November 2020 and March 2021, our findings led us to the clear and disappointing conclusion that the majority of DPOs were appointed after the enforcement of the GDPR, only because of the formal legal obligation set by the GDPR. An even more disappointing finding was that most surveyed DPOs claimed that they had no or minimal previous knowledge of personal data protection. The unclear explanation of the "expert knowledge" required of a DPO (Article 37 of the GDPR) did not set any specific requirement for candidates for the position of DPO to demonstrate sufficient knowledge of personal data protection to fulfil all the duties and tasks the GDPR assigns to the DPO. Obviously, institutions used that vague GDPR definition to appoint the DPO according to their organizational needs and available staff, rather than according to an appropriate institutional data protection strategy. That vague and unclear wording of Article 37 of the GDPR, without clearly defined rules or potential penalties for appointing DPOs who lack appropriate background knowledge and skills, allowed institutions to appoint anyone as DPO, just to fulfil a legal obligation. We found that the majority (92%) of the DPOs surveyed in our study (Mladinić et al. 2021) were already employed by their institutions when they were appointed as DPO. Indeed, such an appointment strategy was the easiest solution for institutions.

To test DPOs’ basic knowledge of personal data protection we asked two basic questions: one to describe the difference between anonymization and pseudonymization, and a second to correctly select privacy policy items. Unfortunately, on the first question around forty percent of the answers were partially correct or completely wrong, while only twenty percent of the tested DPOs correctly selected all ten privacy policy items. Our findings are consistent with previously published claims that DPOs do not possess any in-depth knowledge of how to apply the GDPR (Sidlauskas 2019).

In our research (Mladinić et al. 2021), only a small number of DPOs indicated a research or educational institution as their employer. Even in that small sample, it was clear that they received just a few research-related questions, which was in line with previously published data (Puljak et al. 2020; Dinu 2018). Surprisingly, most DPOs (59% of those surveyed) did not receive a single request for an opinion or a single complaint regarding personal data processing from citizens or respondents. This contradicts results from the same study showing that DPOs strongly perceived a workload increase associated with the introduction of the GDPR. Namely, even though only 36% of the surveyed DPOs responded to questions about the changes induced by the GDPR, the most common answers concerned an increase in workload, tasks and administration. Our research did not explore the specifics of the stated increase in workload, but that feeling of additional workload may be associated with the fact that the majority of DPOs tested in our survey showed no basic knowledge of personal data protection and did not carry out the basic personal data protection processes they were supposed to conduct. We also found that most of the DPOs did not analyze the personal data processing activities in their organization, nor did they conduct or participate in a data protection impact assessment.

Considering that most DPOs nevertheless indicated that they could perform their work independently, it seems that most DPOs were not fully aware of their duties and responsibilities while serving as DPOs in their institutions.

5.5 DPOs and Ethics Committees

Furthermore, our study (Mladinić et al. 2021) showed that only around thirty percent of DPOs claimed to have an ethics committee in the institution where they worked. Of those who indicated having an ethics committee in their institution, only a few DPOs had received an official request from, or been contacted by, their institutional ethics committee, and the majority were not involved in that committee's work in any way. These results may indicate that, on the one hand, researchers rarely contact DPOs or Ethics Committees with questions related to data protection because they do not sufficiently recognize the ethical issues that may arise from inappropriate implementation of personal data protection. On the other hand, only a few DPOs were involved in institutional ethics committees, mainly as administrative support, and only a few were involved as committee members. One of the most worrying findings of our survey was that most of those DPOs did not know whether they were sufficiently competent to answer the potential questions of an ethics committee. Even though only 11% of those DPOs replied to our question about what might help them, their institutions or their Ethics Committees to increase their effectiveness and productivity in tasks related to personal data protection, their answers clearly pointed to the DPOs’ need for additional education.

5.6 Summary Conclusion

Our results point to the need for continuous education or continuous professional development (CPD) of DPOs and for a better definition of the "expert knowledge" required for a DPO appointment. Furthermore, our study indicates the pressing need for CPD of DPOs in personal data protection and possibly some standardization of DPO education, even though the GDPR does not prescribe the certification of DPOs.

Such standardized DPO education might be based on a voluntary certification procedure that includes standardized, professional education conducted by national data protection agencies. However, such voluntary certification would not make certification the end point of a DPO's education; on the contrary, a DPO must continue learning, since personal data protection issues keep evolving with the development and introduction of new and previously unknown technologies (Hirsch et al. 2019).

Even though we consider that we have solved one part of the puzzle of the relationship between DPOs and Ethics Committees, the second part of that riddle, with the emphasis on Ethics Committees’ perceptions and the potential problems they face in the area of personal data protection in their ethics assessment procedures, especially after the introduction of the GDPR, still remains to be answered by future research.

Finally, questions of how to reconcile the use of personal data for scientific research purposes with individuals’ rights over their personal data are reaching a critical point. Clear guidance from the EC structures dealing with personal data protection, or from national governmental structures in this area, is urgently needed. Recognizing the need to help relevant stakeholders and to further clarify the application of the GDPR to the processing of personal data for scientific research purposes, on April 30, 2021, the EDPB organized a special remote stakeholder event (EDPB 2021). All this points to the need for further improvement and updating of the current GDPR, especially in relation to the use of personal data for scientific purposes. Our work showed the need for further improvement of the GDPR, especially in relation to Article 37 (Designation of the data protection officer) and Article 89. Moreover, it seems that paragraph 2 of Article 89 (Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes), which leaves the potential use of derogations to Member State law, must be further encouraged and may require additional clarification.