Examples of CoCs

• Relating to research & data protection

• Relating to ICTs and AI

• Relating to RRI

• Mentioned in the Draft Guideline

• CoC-related issues in the Critical Analysis

• Academic articles on:

  • CoCs and GDPR

  • CoCs and RRI

EU-level, under GDPR

None approved so far under Art. 40 of the GDPR

EU-level, under GDPR

One submitted:

Code of Conduct on Data Protection in Online Gambling.

(In Malta. Multi-year preparation process, and 18-24 months for approval.)

EU-level, under GDPR

Some being submitted for approval, formulated, conceptualized, etc.:

• EU Cloud Code of Conduct (SCOPE Europe)

• Code of Conduct on Health Research (BBMRI-ERIC)

• Code of Conduct on Language Research (CLARIN)

EU-level / EU-funded Guidance on Research

• RESPECT Code of Practice for Socio-Economic Research.

• Guidelines on Data Protection Issues Relating to European Socio-Economic Research.

• European Charter for Researchers.

• European Code of Conduct for Research Integrity.

• Global Code of Conduct for Research in Resource-Poor Settings.

EU-level / EU-funded Guidance on Research

• Code of Practice on Secondary Use of Medical Data in European Scientific Research Projects.

• Preliminary Opinion on Data Protection and Scientific Research, by the European Data Protection Supervisor.

• EFAMRO & ESOMAR’s Guidance Note for the Research Sector: Appropriate use of different legal bases under the GDPR.

• Guidelines for Responsible Research and Innovation.

• EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement.

EU-level / EU-funded Guidance on Research

The Responsible Innovation Compass project has catalogued 130 publicly funded RRI projects in Europe, including 19 focussed on the ethics component of RRI.

Globally, on AI and Ethics

• At least 84 sets of ethical guidelines on AI

  • 13 from EU member-states and

  • 6 from EU institutions

CoCs on Research and DP in EU member-states

None approved post-GDPR on research.*

Pre-2018 examples like Dutch "Code of Conduct for the Use of Personal Data in Scientific Research"

*Post-2018 examples exist, like Spain's "Code of Best Practices on Data Protection for Big Data Projects", but that's not focussed on research

Research on CoCs & Research

CoCs weren't successful under DPD.

But hope is GDPR has addressed concerns & incentives.

Research on CoCs & Research

Genomics, Language, Bio-banks, etc.

Benefits of CoCs include harmonization, increase legal certainty due to specificity.

Research on CoCs & Research

Pessimism:
(Koscik & Myska)
"It is difficult to find an institution that would have the mandate to speak for a research community" (ALLEA, EUA?)

Research on CoCs & Research

Pessimism:

"We presume that the adoption of a Europe-wide code of conduct for data protection in research is very unlikely."

Research on CoCs & Research

Pessimism:

"Each research discipline uses specific methods and many scientific disciplines do not need to process personal data at all."

Research on CoCs & Research

However:

"… likely that individual codes of conduct will be adopted for some narrow research fields and specific research-related activities such as biobanking, genomic research, social networks research, and sociological surveys."

Six issues:

(1) harmonization of data protection practices to enable cross-country research within the EU.

Only Art. 40 CoCs and EDPB guidance can address. Scholarly opinions can't. 

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

Six issues:

(2) question of when, under which legal bases, and under what circumstances, reuse of personal data for a secondary purpose of research is permissible.

Unlikely that non-Art. 40 CoC can address adequately.

Six issues:

(3) whether multiple legal bases can be used for processing the same personal data (either simultaneously, or sequentially)

Unlikely that non-Art. 40 CoC can address adequately.

Six issues:

(4) differentiating between a research subject’s consent for participation in research from consent for processing and use of their personal data

Art. 29 Working Party opinion exists, so that can be incorporated into a non-Art. 40 CoC.

Six issues:

(5) applicability of data protection laws to deceased persons

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

Six issues:

(6) lack of uniformity and clarity on national safeguards for research purposes under Article 89 of the GDPR.

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

Trade-off between width of applicability and depth of guidance.

Most CoCs & guidelines on research don't deal with data protection in depth, with some exceptions like EDPS's "Preliminary Opinion" and EFAMRO & ESOMAR’s "Guidance Note for the Research Sector".

No extant CoCs under Art. 40

Most CoC-related issues raised by Critical Analysis can't be addressed by non-Art. 40 CoCs

>130 EU-funded RRI projects exist

(including at least 19 on RRI & ethics, and many guidelines, good practice documents, frameworks, etc.)

>84 documents on AI and Ethics

(including at least 19 from the EU region)

CCRRI is "specifically aimed to produce a set of basic ethical standards and guidelines for researchers working in the ICT field".

But the PANELFIT project aims to "facilitate the implementation of this new regulation" (GDPR).

So we take it that CCRRI should focus on data protection within RRI.

CCRRI can't be a CoC under Article 40 of the GDPR

CCRRI can't address most of the CoC-related issues in the Critical Analysis

There are few CoCs on data protection in research, but the PANELFIT Guidelines on Data Protection Ethical and Legal Issues in ICT Research and Innovation will already provide extensive guidance on this issue.

Any CCRRI will need to be distinguished both from existing EC-funded CoCs on RRI, as well as the PANELFIT Guidelines themselves.

There's a trade-off between being applicable to all forms of research and providing specific guidance.