Both the offering of personalised nutrition services and research into it raise significant questions under data protection laws in the EU. In May 2018, the General Data Protection Regulation (GDPR) went into effect. In addition, various national laws of EU countries have been amended to supplement the GDPR. Together, they create a mix of rules that is difficult to digest for companies and researchers. In this contribution we set out some of the main features of EU data protection law that affect personal nutrition efforts.
The GDPR applies to the collection, use and export of personal data, which is a very broad concept that may include data that does not directly reveal a person’s identity. It would obviously include name, address, and associated data (like dietary preferences and test results) of an individual utilising a personalised nutrition service. But the concept is much broader than that. For example, key-coded data—which is regularly used in scientific research—is often still considered to be personal data (pseudonymised data) subject to the GDPR. Only truly anonymous data—a high standard to achieve in the EU—is considered outside the scope of the GDPR.
Much of the personal data collected in personalised nutrition offerings or used for research qualifies as ‘special data’ under the GDPR because it relates to the health of individuals or consists of genetic information. The concept of health data is interpreted broadly and includes glucose levels, sample test results and even body mass index (BMI).
What this means for personalised nutrition
The GDPR generally prohibits the collection and use of such special data unless a justification can be found in the GDPR or national law. For personalised nutrition offerings based on health data, the only available justification is through user consent. This consent must be explicit, informed and precise. It cannot be tied to uses that are unrelated to (or incompatible with) the offering. As a result, consent to use an individual’s data for this type of service must be supplemented by separate consents for any unrelated uses—such as marketing or sharing the data with business partners. Individuals must be free to withdraw their consent at any time.
On the side of scientific research, the GDPR contains a number of broad and useful exceptions, among others with regard to consent. First, the GDPR accepts that consent for research can be broadly stated (so not particularly precise) because the objectives of scientific research can be difficult to predict and may change over time. The GDPR also contains even broader derogations in favour of scientific research that lift consent requirements altogether. Unfortunately, since the GDPR allows member states to maintain or create their own rules in relation to health and genetic data, these derogations do not always apply so broadly and remain subject to conditions and restrictions that may differ from one member state to the other.
Beyond the EU
For companies outside the EU, it is useful to know that borders do not necessarily stop the GDPR. This can occur in two ways. First, companies not established in the EU but targeting their services at EU residents are fully subject to the GDPR for the personal data they collect (regardless of the EU resident’s nationality). Such companies have to appoint a representative in one of the EU member states where they collect personal data. Second, if the relevant personal data was first collected in the EU (for example, by an affiliate or a business partner), these parties cannot transfer the data outside the EU without additional safeguards (unless the country of destination has been formally considered to offer ‘adequate’ protection by the EU, which is only the case for about a dozen countries so far). These safeguards occur most commonly in the form of dedicated transfer contracts and similar instruments, or in some cases (although less favoured by regulators), the individual’s consent.
Under a regulatory regime as complex as the GDPR, the sharing of (special) personal data is rarely straightforward. A number of options are nevertheless available. For example, parties could share only anonymous data; but, as indicated above, that is a high standard to meet, and data will often lose much of its usefulness if it is overly aggregated. Alternatively, the parties could rely on consent, but then the consent must be sufficiently clear and/or a new consent must be obtained for additional purposes, which is often difficult or undesirable. In new projects, parties can also present themselves as jointly responsible (joint controllers), which means each party can use the collected data even if their uses are not entirely similar, subject to the transparency requirement.