19
Fri, Apr
46 New Articles

Could Hunger for (Personal) Data Bring Benefits to Society?

Could Hunger for (Personal) Data Bring Benefits to Society?

Serbia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

As the terms “hunger” and “benefits” in most cases exclude each other and expectations of all interested parties are high on both ends, we spent hours listening carefully
to what lecturers and panelists of our data protection conference were saying, to summarise ideas and solutions to a complex question from the headline.

Valuable solutions result from different approaches and expectations of different stakeholders – citizens, scientists, projects, digitalisation and technology leaders, regulators and commerce. Is Serbia, as a regional digitalisation leader, capable of aligning the hunger for (personal) data, dignity and well-being of its citizens? It is a difficult ‘exam’ to pass.

As it was the case throughout the past, hunger has always represented the primary condition for any kind of innovation. Some might call it by many different names such asthe birth of an idea, the desire for improvement, and the intention to contribute to the community, but in its essence, it is hunger.

Although in the literal and etymological sense, hunger and benefits are mutually exclusive terms, in the specific case, the global community has waited for this type of ‘’starvation’’ to appear as it is a conditio sine qua non when it comes to improving all those aspects that we had the opportunity to hear about at the conference.

The main idea of the policymakers is to collect, i.e. to transfer genetic and biomedical data from the state institutions carrying out genome sequencing and processing biomedical data and store them on an online platform managed by the Office for Technological Development and E-Government – forming genetic and biomedical repository with an aim:

• to connect collected data with patients’ health electronic records to be used by
HCPs;
• to (pseudo) anonymise personal data and to enable access to data, data sharing, and manipulation by researchers and commerce.

Biomedical data which are to be collected are: patient therapy and realised prescriptions data, patient laboratory analysis/report data, medical documentation related to the patient, and radiology reports. The following benefits are expected: development of precision medicine and better patient treatment, early diagnostics, improved registries of diseases, increase of NGS capacities, development of genetic data standards, integration of various electronic healthcare systems, increase of the number of clinical studies conducted in Serbia, etc.

Yet, the regulatory framework to implement the above stated objectives is still unknown
and vague.

Issues identified:

a. Legal ground for processing genetic and biomedical data

i. As an online platform will be used by participants in research to register and provide consents (both “medical” and for processing of personal data), the platform shall be structured in the manner that both consents shall be managed by participants and data subjects. The particular question is how to obtain both consents for new research (in case the concept of broad consent cannot be applied, i.e., the next purpose substantially differentiates from the previous one). Some lecturers and panellists from institutions carrying out research confirmed that they obtain new consent each time when the purpose of processing/research is different, i.e., contact participants to ask for consent. In cases where thousands of participants are involved, the option to implement the concept of dynamic consent, i.e., to provide participants/data subjects with a possibility to opt-out (in case of implementing “broad consent”). The results of the research (personal data) can be used for further research in line with Article 5 (1) (b) and Article 9 (2) (j) of GDPR – the same arguments can be applied to further processing of personal data for scientific and research purposes, resulting from conducted clinical trials. Article 9 (2) (j) of GDPR shall be transposed in the Serbian national framework as this provision requires form Member States to specify the scope of its applicability of this legal basis, i.e. when this legal basis can be applied;

ii. As per collection, storage and further processing of genetic and biomedical data transferred by state institutions, legal grounds such as legitimate interest or task carried out in the public interest (Article 6) and Article 9 (2) g)-j) may be considered. In case the processing is based on legitimate interest, controller(s) shall carry out a
legitimate interest test to evaluate whether such interest is overridden by the interests or fundamental rights and freedoms of the data subjects, which require protection of personal data (using the Commissioner model – available its website). In case the processing is performed in a task carried out in the public interest, conditions set out in Article 14 of the Serbian Data Protection Act must be met – this means that public interest shall be envisaged by the law including the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; processing operations and processing procedures, including measures to ensure lawful and fair processing. As per research purposes, the same arguments as in item i) shall be applied.

b. Data Protection Impact Assessment

Controllers shall carry out Data Protection Impact Assessment (DPIA) in case of:
i. processing on a large scale of special categories of data;
ii. use of new technologies or technological solutions for the processing of personal data with the possibility of use of personal data for analysis or prediction of the health of natural persons;
iii. processing of personal data by crossing, connecting or checking congruency from more sources.

The controller shall, prior to processing, carry out DPIA which shall contain:
a. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b. an assessment of the necessity and proportionality of the processing operations irelation to the purposes;
c. an assessment of the risks to the rights and freedoms of data subjects; and
d. the measures envisaged addressing the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Serbian Data Protection Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

According to the opinion of the Commissioner presented at the conference, the most common mistakes the controllers make when carrying out are the following:
i. not all AI systems pose risks for personal data and rights and freedoms of data subjects;
ii. capacities of the parties involved – controllers, joint controllers, processors in all phases of the processing activity including development, deployment, and use of AI systems. It would be of particular importance for controllers/s and/or processors to understand their roles in the course of implementation of the concept of policymakers;
iii. wrong legal ground for processing;
iv. “function creep” – undefined or poorly defined purpose of the processing;
v. lack of responsibilities for processing posing additional risks;
vi. insufficiently diverse trained data or inappropriate data for the intended purpose which may lead to discrimination of citizens.

The Commissioner should issue DPIA guidelines at the beginning of next year.

c. Anonymisation

In case of being used for developing algorithms or another kind of research either by researchers from state institutions or commerce, personal data must be anonymised. The question is which anonymisation technics to apply, who will perform anonymisation technics and which requirements these legal entities shall fulfil, and which competent body decides makes the decision whether applied anonymisation technics really make the personal data anonymised to prevent abuse of personal data.

On the other side, experts at the conference stressed that completely anonymised data may not meet the requirements of the intended research (“garbage in – garbage out”) and for this reason, controllers should apply one or more legal basis (above) when sharing personal data for the purpose of research and development of IA algorithms.

d. Pending regulatory framework

The Serbian Government formed Working Group with the task to draft Guidelines for Development, Application and Use of Trustworthy and Responsible Artificial Intelligence. The draft is recently finalised and could be found at the following link The Guidelines should serve as transitional solution – until enactment of the law governing IA. Experts at the conference mentioned that Law on Repository of Genetic and Biomedical Data shall be enacted next year.

By Ivan Milosevic, Partner, JPM Jankovic Popovic Mitic

JPM Partners at a Glance

We are a full service commercial law firm in Serbia, with over 30 years of successful practice in SEE region and true and lasting partnerships with our clients.

Our diverse teams of lawyers are focused on practice in specific legal areas, handling some of the most high-profile multijurisdictional matters in energy, project development, mining, foreign investments, corporate and commercial. We are highly sought-after for legal advice in creative industries, environmental law and white-collar crime, as well as intellectual property, international arbitration, labor and data protection

As an exclusive member of Lex Mundi – the world’s premiere network of leading independent law firms, we interconnect and reach globally. Regionally, we advise clients in Montenegro directly, through well established partnership with ‘JPM Montenegro Partner Vukmirovic Misic law firm’ and close working relationships with selected first-rate firms in the region. Working together with our domestic and international clients on their most significant transactions and around entry to Serbian market, allows us to operate as the perfect hub for SEE and other cross-border transactions.

Our clients operate in increasingly competitive landscape and we are identifying new methods of using legal technology, to help them increase efficiency, save time and streamline work processes - document management, billing and accounting. By adopting LUMINANCE AI platform for legal professionals, we use machine-learning for contract analyses across our practice groups, as well as eDiscovery revolutionary software to simplify operations in all forms of litigation.

With exclusive access to EQUISPHERE – Lex Mundi Innovative service model, our clients can design their own legal team by choosing the best lawyers in the relevant jurisdictions, sharing documentation and communicating with all teams at any time, from a single point of contact.

Consistently recognized as a top-tier law firm, both by clients and leading independent legal directories Chambers & Partners, Legal 500 and IFLR1000, we remain committed to delivering highest quality service to our clients and help them succeed in overcoming cross-border challenges. We remain committed to continuously share our knowledge by regularly publishing articles, giving lectures and organizing international conferences.

Firm's website: http://jpm.rs/