Challenges in Data Protection and Transfer: Navigating GDPR Compliance, Identifiability Assessment, and Data Minimization in the Context of Open Science.
- To assess whether the data is personal data, and thus whether the General Data Protection Regulation 2016/679 (GDPR) applies: Data identifiability must inter alia be assessed in light of data uniqueness, combination and specificity of variables, and the possibility of linkage with other datasets, combined with the planned total storage time, available resources and likely technological advances in this timeframe. The legal threshold for considering data anonymous/anonymized is very high, and the reidentification literature shows an increasing ability to identify individuals in research datasets. Data may have been deposited in research repositories at a time when it was anonymous, and it may now be considered identifiable and thus personal data.
- Personal data transfers outside the European Economic Area (EEA): Data transfer also includes the provision of remote data access. There are currently legal difficulties with transferring data to several countries, including some of the main research partner countries of EU researchers, such as the USA, where both transfer to federal institutions and the use of US cloud providers are problematic. Similar challenges apply to data transfers to international organizations, including the United Nations.
- The principle of data minimization – that personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed – is challenging to reconcile with Open Science.
This passage is part of D2.4: Report on Social and Legal Implications and Challenges Related to OS, written by Heidi Beate Bentzen, Teodora Konach, and Signe Mežinska.