 Alright. Yeah, thanks a lot for the introduction. I can assure you that I'm also very happy to be back in Barcelona. It's been some time since I've been here. I don't tell you which year. I was last year some time ago and it's always great to be back to the sunshine coming from a country where it's still very cold and cloudy and sometimes rainy. I'm very happy to present the results of a legal study today, although I have to admit I didn't do most of the work, but most of the work was done by Niels Dietrich, who is also present here, but I'm happy to present the results of this study. As Pedro mentioned, we already conducted in the previous phase of the project a legal study on copyright and database protection. This part of the project now was related to privacy and data protection, so these are the main legal issues concerning dealing with research data. Things are changing very fast and we finished the last study on copyright last year. This year in January the European Commission introduced a proposal, or it's still a communication, on also new schemes of protection of non-personal data. So it's possible that within the course of this year there will be at least a big discussion on data producers right, even about data which are not personal data. So of course this will also have a big effect on the research field, although of course the Commission is also thinking of making exception for research field in this new scheme. But this is still a developing discussion, so we will see in the course of the year how things will turn out on this issue. But my issue today is data protection, and of course lawyers don't even or many, very often don't have a good reputation for different reasons. One reason is that you make nice projects and do a lot of nice things and then in the end turns out this is not possible and that is not possible because of legal restrictions. And I'm a bit in the same role today, talking about data protection is very difficult these days because we have in Europe very strict rules on data protection. The problem with these strict rules is that they are strict but it's very difficult to implement them. And that's the basic problem we have with data protection law. We have a nice theoretical building of data protection but when it comes to implementing it in practice it gets very difficult. So if you would exaggerate a bit you could say it's dead law more or less because it's very difficult to really implement data protection as it should be. But nevertheless we have to look at what the law is and what possibilities we have to cope with this problem. And the concept of our study was to look into data protection rules to the extent they put a framework on processing data within the research field, especially within the open research data pilot. And the second part of the study was related to the PSI rules, public sector information which is a different scheme. PSI is meant to provide access to data which is stored in public institutions. But I will focus today because of lack of time on the first part on the data protection rules. And the study was conducted from January 2015 to December 2016. And the idea was to analyze data protection barriers to sharing in the context specifically of the open research data pilot. The legal methodology is basically quite simple. We look at the legal framework and try to find out applying this legal framework to the subject at hand which is in this case the open research data pilot and find out which barriers exist and how we could alleviate these impediments to sharing of data in this context. So within Horizon 2020 the commission is running open research data pilot. As you might know, the pilot is aiming at improving and maximizing access and reuse of research data. And as we heard already in the morning, it will be becoming a steady institution, even a legal entity. So the idea of course is to really have a central institution for exchange and sharing of research data. The projects taking part in the pilot are obliged to first deposit the research data in a data repository and to take measures to enable third parties to access, mine, exploit, reproduce and disseminate the research data. This means basically it's a use about open access. If we look at data protection framework there are some rules in place already for a long time. The data protection discussion started in the 60s of the 20th century and a very basic foundation of data protection is the European Charter of Fundamental Rights which guarantees the protection of personal data. Article 8 of this Charter says everyone has the right to protection of personal data concerning him. In Europe we have this concept of personal data which is a bit different from the privacy concept we have in the US and other parts of the world. Privacy is more about protecting a personal sphere against intrusion whereas the European concept is more directed as having a right of self-determination on your personal data and by this way protecting your privacy. So this is the first problem already we have in data protection that we have different concepts in different parts of the world. And of course data flows are global so already there's some clash between different concepts of data protection if you look at it on a global perspective. We have a European directive from 1995 which harmonized data protection legislation in the member states. The effect of harmonization is always difficult to assess. For example we made a study a couple of years ago that even basic definitions in data protection vary from member state to member state so having a directive doesn't mean we have completely harmonized law but still we have some leeways for national legislators to make their own rules within this framework. We have now the situation that since May 2016 we have a general data protection regulation which will enter into force in 2018 which is next year. And the difference between a directive and regulation is that the regulation is enforced directly so it doesn't have to be implemented by the member states but takes force directly. And the idea of course of the commission behind this was to create a higher level of harmonization of data protection rules within Europe. But having a regulation doesn't mean that the national legislator doesn't have to do anything anymore but also the national legislator now can make implementing legislation to implement this regulation. And we can already see from the developments recently that the effect of this regulation may be the contrary which means that we will even have more dispersed situation within Europe. Why? Because of course the national legislators try to again find their own ways within the framework set by the regulation. We have been in Germany now in the process of making implementing legislation and the third draft is already out and is very heavily criticized even by data protection specialists for going too far in implementing national policies against the regulation. So it's far from sure that we will have more harmonization by this regulation as was the goal of the European legislator by implementing this regulation. Looking at data protection rules of course the first question is which is the scope of application. Basically data protection law applies to data which concern some kind of personal relationship or relation to a person. Talking about data of course the difference between data and information is that data is the state of information in storage and transport so basically we're talking about information and to identify if data protection laws apply we have to look does the information contain any information that can be related to a person. This is the first big problem already we have in data protection because there are different theories how far or how narrow we have to construe this personal relationship. Basically most of the information we have can somehow be related to a person for example that you are sitting here I see your face you're sitting here it's personal information that you as a person are sitting here or we had with Google we had a problem that Google was taking pictures of houses with the street and the number of the house is it personal information? It could be because of course people are living in the house and the street number in the house can be used to identify the person. So this is already disputed in data protection law how narrow or how broad does this personal relationship have to be construed. The definition would be any information relating to an identified or identifiable natural person the data subject and of course as I mentioned the key element is a possible identification of a person. Some examples I put here name address images voice recordings and of course we again distinguish in data protection law between personal information and sensitive information sensitive information is especially protected information about health about biological traits about sex and so on and sex life and so on are very sensitive and enjoy special protection in data protection law. Within coming to the pilot research data shall be made openly available and reusable and of course the question is what is research data? The commission defines research data information in particular facts or numbers collected to be examined and considered as a basis for reasoning discussion or calculation and examples of research data as you all know includes statistics, experiments, measurements, observations in field work, survey results, interview recordings and so on and you can imagine already from this definition which is very broad that many of the data concerned in the research field are personal data starting with data about health in the health sector which are even sensitive data but up to measurement or field work where researchers go out in the field and of course also the fact that somebody measures something in the field at a certain time in a certain location is personal data. It's also personal data that is where data protection laws apply. So the problem we have here as you can see is not only that it's that there are different legal theories on how to broad or how to narrow to construct this but also to find out in a specific case if there are personal data present or not. So you cannot make a general rule to say this is personal data that is personal data but you always have to look at the specific case to determine if personal data is present or not and this makes it a bit difficult to make a general statement about the application of data protection law even in the research field so we have to evaluate this on a case-by-case basis and especially close to data protection rules of course when in any way natural persons are involved either in doing the research or as an object of this research that we're talking about. I mentioned some fields here, medicine, biotechnology, social sciences where very often this research contains information that can be traced to individuals and hence qualify as personal data. So if we start from the outset that personal data are present then the next step is what does it mean for using the data, for exchanging the data and the basic rule of course is data protection law, data protection rules restricts the possibilities of processing personal data. For data protection we have the rule that processing is generally forbidden, prohibited and only permitted in specific cases. One case is that there's a statutory permission so the legislator says in these cases it is permitted to process the data for example in employment relationship or in any contract, contractual relationship we have to process data to implement the contract so in this case it's permitted. The second pillar is consent and consent means the data subject whose data are processed has to agree that the data processing takes place and this is talking about the internet or connected environments this is the main basis for permitting data processing to have consent. Of course there are certain preconditions to consent but they are very difficult to fulfill and I will try to explain why it's the case. Processing is very broad so in the citation from the General Data Protection Regulation which we enter into force next year any operation or set of operations which is performed upon personal data or sets of personal data. Collection, recording, organization, structuring, storing and so on dissemination, transmission and so on so it's a very broad concept to which data protection rules apply any operation and connection with personal data. Within the pilot the research data should be deposited in a research data repository and which means the data must be uploaded into an online research data archive and the third party shall be able to access and reuse this research data and of course all these steps are involving some kind of processing to which data protection laws would apply uploading as well as reuse of data and processing. The basic rule is as I mentioned that there has to be a permission and coming to this permission especially to the requirements as to consent to which I mentioned one of the main restrictions is the purpose limitation which means data have to be collected according to a specified legitimate purpose and they can only be processed within this purpose they have been collected for. The same is true for consent. If I consent to processing of my personal data it has to be within a specified purpose to which I consent. If I change the purpose later I need a new consent and this purpose limitation is one of the big restrictions we have in data protection and it's one of the biggest problems we have in the research field because of course you're collecting data and you don't know what you need the data for in 10 years or in 5 years and so the purpose may change very quickly and data protection law would tell us you need a new consent or a new permission if you change the purpose and that will be very difficult in practice of course to first to find out if the purpose has changed and then to get a new consent. So taking data protection rules strictly already faces the first big challenge with this purpose limitation and this is not changing with the new general data protection regulation which also has this principle of purpose limitation. Second principle applying here is data minimization. It's also the concept of data protection law to have as little processing as possible to reduce the risks to your information self-determination. It's also a concept from the 70s where you had mainframe computers and somebody was responsible for this mainframe computer and processing the data and today you have network environments but the principle of minimization doesn't work in this environment anymore. It's very difficult to implement it but still we have this as a basic principle of data protection law which means processing should be limited to the minimum amount necessary. And also means that personal data should only be processed if the purpose of the processing could not reasonably be fulfilled by other means. If you will look at the pilot from this perspective the pilot should enable third parties to access and reuse the data without any restriction and the data shall be available within the time limit and usable beyond the original purpose for which the data were collected and you can see already the conflict that comes out of this aim of the data pilot if you look at it at the background of these two principles I mentioned. So the basic result which is also the result of our study is basically what the data pilot is aiming at is clearly at odds with the basics of data protection law which means mostly purpose limitation and data minimization and the conclusion would be personal data cannot be made available on an open access basis as is required in the open research pilot. It's a bit shocking of course result also within the project and as a lawyer you always try to look at it okay what can we do about the situation how can we make it possible to achieve what we want to do and of course there are always ways lawyers always find ways as far as possible to make things possible so we can also look at some exceptions that may apply to the research field in data protection law for example in the general data protection regulation we have a specific exception for processing and storage of personal data for scientific purposes. The problem with this exception is that the intended use has to be bound on a specific purpose again of research and they have to be appropriate safeguards in particular to ensure respect for the principle of data minimization so the principles don't go away but they still stay even in this new regulation and again we have to align this even this exception for scientific purposes to a specific purpose which is the basic problem. There were some attempts in the legislative process to make a broader exception in the scientific field to make possible big data but in the end there was a compromise which again restricted the use of personal data even for big data applications. So if we look at the pilot of course the deposition of the research data and open access repository is not connected to a specific purpose of research and not even to research purposes at all again we have a situation that what the pilot is doing is at odds with data protection framework. Data are made available for any purposes scientific or not appropriate safeguards to ensure are not in place so open access use of personal data and thus participation of the pilot cannot be legitimized with the research exemptions so with the research exemptions that specifically are provided for in the data protection those we cannot really justify an open access principle for the repository. So we look at the second pillar maybe consent is working and consent as I mentioned in network environments is the basic instrument to enable data processing. Consent means that the data subject must be must give his consent under certain conditions must be freely given this must be specific informed and unambiguous. Again we have here specific which means also related to a certain purpose you have to know about this purpose before your consent and your consent has to be freely given which means you must have some kind of choice to give the consent. Specifically this freely given is the biggest problem today on the internet but because usually service provider says we advise you about what we're doing with your data but if you don't consent we don't provide you the service. Is this freely given consent or not? This is one of the big problems we have in a legal discussion also basically there are some areas for example employment relationship where we say this is not freely given consent because there's an imbalance between the parties but in a normal service internet service the legal doctrine is still that this is freely given consent although maybe I don't have an alternative and there's also some attempts to change this to put the focus more on consent and the alternatives I have. If I have some other service providers and still stick with this provider then consent is freely given but it's still not very clear where to draw the line in this case. So consent also has some requirements and as I mentioned already it also requires a clear and concise definition of the purpose and again we have the purpose which is the main problem also with the data pilot so also consent as a permission to data processing is related to a specific purpose of processing that has to be the basis for consent and has to be also informed. The data subject has to be informed about this. Looking at the research pilot again the purposes of the further use of the data and the recipients are unclear. Basically any uses not just specific ones should be possible in the future for the data deposit in the repository and also the data will be transferred to all third parties retrieving them and under these circumstances at least in our view it's also not possible to fulfill the requirements of specific and informed consent which means open access use of personal data and the participation in the pilot cannot be delegitimized by consent. So what other solutions do we have to dissolve this conflict we have here and of course the big exit for the problem seems to be anonymization. Anonymization means that the relation of the information to a person will be erased and this means we don't have personal data anymore this means data protection law don't apply anymore. So the result of anonymization could be that we fall out of the scope of data protection laws and then we can do with the data whatever we want. But now again the but as a lawyer I have to say but the problem with anonymization is how effective is it and if you talk to informatic people they will tell you it doesn't work it's not possible. You just need three features of information to align information to a person. So again there's a big uncertainty here in this anonymization. It seems to be the big way out of all the problems but if you look at closer it's not because then again the question is from a legal perspective do we acknowledge the current ways of anonymization as being sufficient to get us out of the data protection law or do we say it's so risky to anonymization it's not so efficient not to exclude any personal relationship for the future. So this is also a bit grey area still in data protection law isn't it possible later to re-identify the person again and then we're back into data protection law. So again of course this has to be evaluated on a case by case basis and certain factors have to be acknowledged in this evaluation for example what data is freely available in public registers what information is held by other institutions how can we combine this data at what costs and so on but again it's a big uncertainty as far as anonymization is concerned. So to sum up basically the pilot aims at making research data generated by projects freely available and reusable on an open access basis if such research data include personal data data protection rules are applicable the use of personal data within the pilot is at odds with leading data protection principles and the open access use of personal data cannot be legitimized by research exception or consent of the data subject data protection risk can be excluded by effective anonymization of the data but also this anonymization as I mentioned is not still clear if it's really the big way out of all the problems. Looking into the future we have to first take into account this regulation I mentioned already which takes force in May 2018 but this regulation will not change the basic principles I mentioned so this will still be in place in my view this regulation is already outdated before it comes into force because it doesn't take any account of the realities of network environment but it's still more or less based on the model of big mainframe computers where we have a data processor that has control over all the activities the second problem we have with this regulation is that it took a long time and a big effort to establish this regulation and if you talk to people from the commission they say we won't touch upon this topic for a very long time because this is politically hot topic so this means also that it will be very difficult to change data protection rules on a statutory level it has to be done in Brussels and Brussels doesn't want to touch upon it anymore so as the technical environment business models are changing all the time it is very difficult to adapt the law to this so what we could look at is to look at the level below the statutory level to look at self-regulation mechanisms to look at standard contract terms that could be ways to alleviate the problem a bit for example there is also the so-called article 29 group of data protection commissioners who do some kind of interpretation of the law which is very influential in practice and this could be soft ways to a bit shift things in favor of more freedom for research processing of data either through making a favorable interpretation of the law or through standard term contracts the other option we could look for is if we have this big problem with the purpose limitation one alternative would be not to make open access but to control who is putting which data on the repository to have some kind of control procedure inserted in between that could be a safe, legally safe way to get out of the problems the other option is to say ok we have a conflict we have to see how things work out in practice and if there would be any problems that's what the big internet companies are doing they just do things the way they want and then if some problems comes up they try to negotiate with authorities to find some national solutions and it's working quite fine for them of course there are big global companies which don't have to be afraid even of national legislatures because they're so big that they make their own laws I think open air is not as big yet to be so powerful to make their own rules so still there have to be ways to be found to get out of this concept this is conflict, sorry one idea would also be if you look at the future to alleviate a bit the requirements for consent to lower it for example allow for general consent for the data subject to all kind of research related purposes if this will hold in front of courts we have to see if it's still specific enough from the data protection perspective we could also look at extending research privileges to allow broader use of personal data at least for research purposes but again in the end this would have to be done by the legislator and I mentioned already the problems we have with legislation on this field especially on the European law level of course we can always make as scientists we can also make recommendations to the legislator and one recommendation coming from our project would also be to the legislator to create a bit more leeway for processing data in research context but I mentioned already the problems that are involved with this thank you for the intention so far and of course I'm happy to take any questions and participate in discussion we have time for only one question because we will have the panel discussion after these first two sessions but we can have time for one question thank you I try to make it short it's usually impossible but I'm Leigh Flaxen and I'm from the IT center of science in Finland I mostly work in the RDA context I have a couple of quick comments I think one of the major problems we are facing today is that we don't really know who knows the data if we think of the data the authorities the hospital is collecting is it our data or is it the hospital's data or is it somebody else's and that introduces quite a lot of problems and this goes to the my data for example which is a small effort but anyway the other thing is also that the politicians don't understand really that the anonymization of things it's not going to work because combining data and doing research massively search among different databases will reveal any way all the details that we see from the Google already they know much more of our diseases or whatever we are suffering from and so we are trying to protect something which Google already knows I completely agree with you we have your basic conflict that's not only working for the research field but in general the data protection laws are too strict to be working in practice and something has to be done about this there's of course a policy discussion but as I mentioned the rules are now fixed for many years at least in Europe the first question you mentioned is very interesting who owns the data and this is not a question of data protection law but it's a question of property law we have now a big discussion for two years should we establish some kind of ownership for data in general which will also include personal data and I mentioned this in the beginning this discussion will unfold during this year and will be very interesting to see what the commission gets out of it I would suggest that as far as it looks now I'm a bit involved in this also as far as it looks now we will not have a property right on data in general what we might get is something like access rights to data which means the situation now is that many data are held by private companies and in fact they are kept as property although it's not property in a legal sense they are kept under control of big companies, Google, Facebook and so on and the idea now is to create more freedom or more free flow of information and data by creating access rights for certain classes of data for example data or information which is necessary for big data applications so what you might get is a right of institutions to get access to certain kind of data held by big companies which is a very interesting concept and we will have big conflicts about this I'm sure about it because big players will defend themselves against on different levels but this is a very interesting discussion so this discussion who owns data is going on to my I have a very clear position on this it's not possible to own data because data is basically information in this stage of storage and transport if I protect data or if I create property right in data I create a property right in information and information is essential for all communication and for all life in society and you cannot create property rights in information that's my position but we will see how it turns out on a European level thank you do not forget your questions because we have the panel discussion so we have time let's move to the second presentation