Governance of academic research data under the GDPR—lessons from the UK

forms part of a proportionality test: the disclosure must involve the least interference with the right to respect for private and family life which is required for the achievement of the legitimate aim pursued. 62


Introduction
The General Data Protection Regulation (GDPR or 'the Regulation') 1 provides EU Member States with a new power to make exemptions for academic expression. The obvious question which arises, and which this article aims to address, is whether academics processing data for research therefore stand to have greater freedom under the GDPR?
We answer this question by using the UK as a case study. The UK has made generous use of what we will call the 'academic derogation' in Article 85 GDPR, and as such provides a useful example of what academic exemptions could look like at their fullest extent. While some cross reference is made to jurisdictions such as Malta, Ireland, and Austria which have passed similar national laws, the main focus of this article is on the GDPR and the UK exercise of its research-related derogations. This national example illustrates the intersection of data protection and human rights law which both gives rise to, and limits, academic freedom in data processing.
The second part of this article examines the academic derogation itself. We outline how the UK has exercised the Article 85 derogation to create academic exemptions, and consider how the GDPR's requirement that these exemptions be made only where 'necessary' to reconcile freedom of expression and information with the right to data protection is likely to limit their scope in practice. Third and fourth part examine other GDPR derogations which may impact upon academic research data: namely the research derogation in Article 89, and the potential for future derogation under Article 23.
The common thread running through our review of these GDPR derogations is the way in which the scope of any resulting exemptions is analysed. Scope, we suggest, encompasses not only the potential breadth of application (ie the number of scenarios in which an exemption could hypothetically be claimed) but also the threshold (the test an academic researcher would have to satisfy to successfully claim the exemption in practice).

Key Points
The General Data Protection Regulation (GDPR) includes a new power for Member States to pass exemptions for the purpose of 'academic expression'.
This may appear to provide greater freedom to researchers working under the new EU data protection regime.
Using the UK as a case study, however, it is evident that even a full exercise of the academic derogation is likely to be limited by the GDPR's requirement of necessity, and by privacy rights wherever they are engaged.
Ultimately, the GDPR provisions applicable to universities as public authorities are likely to have greater impact on academic data processing in public institutions; a shift which is not conducive to greater freedom in research data processing.
Taking the 'vertical' and 'horizontal' axes of scope into account, it is evident that the threshold of the exemptions is set high either by restrictions in the GDPR itself, or by the privacy rights which apply across the European Union.
Finally, the last section considers the delineation the GDPR makes between private and public sector organizations. As the UK explicitly designates universities as public authorities for the purposes of the GDPR, it provides a clear example of the way in which the 'bundle of obligations' 2 reserved for public authorities under the GDPR may impact upon academic processing. We focus in particular on the role of consent as a basis for processing in research, and the concern expressed in the GDPR as to whether such consent can be 'freely given' to a public authority. It is this concern for the freedom and autonomy of data subjects, as part of the public authority obligations in general, which we suggest constitutes the norm for academic research data processing under the GDPR. As such, it seems the Regulation will for the most part bring about more new scrutiny than new freedom for academic researchers.

The academic derogation
There are a number of reasons why the derogation in Article 85 GDPR may appear to create greater freedom for researchers. Most obviously, there is its provision of a new power for Member States to pass exemptions from the GDPR for the purposes of academic expression. The terms on which this power is provided, including reference to the right to freedom of expression 'and information' which the Regulation instructs Member States to reconcile with data protection, are an additional factor. Finally, the term 'academic expression' is inherently (and perhaps inevitably) open-ended, creating a broad range of potential application.
This section analyses these apparent sources of greater academic freedom, before considering the extent to which the threshold requirement of 'necessity' limits the likely scope of the freedom in practice. Beginning with the GDPR itself, Article 85 gives Member States the power to derogate from the Regulation, wherever such deviation is necessary to: reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
The potential for derogation from the GDPR for these purposes is significant, encompassing all Articles within nine out of the 11 chapters of the Regulation. 3 These chapters include Chapters II (principles), III (data subject rights), IV (obligations of data controller and processors) and V (transfer of data to third countries or international organizations), thus covering the key obligations to which a data controller would otherwise be subject. This is, however, broadly consistent with the previous provision for special purposes derogation within Directive 95/46 EC ('the Directive'). 4 For our present purposes, the most important innovation in Article 85 GDPR (as compared to its predecessor in the Directive) is the addition of 'academic' to the special purposes. Otherwise, the special purpose derogation is similar to the Directive in that it does not discriminate between journalistic, academic, artistic or literary purposes, however different these operations may be in practice. Member states are given free rein to derogate for any or all of these purposes, equally or not as the case may be.
In one sense, Article 85 GDPR appears more liberal than the equivalent provision it replaces in the Directive. The Directive required that the processing be 'solely' 5 for the special purposes, and the derogations to be: 'necessary to reconcile the right to privacy with the rules governing freedom of expression.' 6 The GDPR, on the other hand, requires reconciliation of: 'the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information.' The change may be subtle, but it suggests Member States are no longer obliged to take into account privacy rights as a whole, but rather the right to data protection as embodied in the GDPR itself, when passing national exemptions from the Regulation. As it has been argued that the right to data protection differs in nature and scope from the right to privacy, 7 this transition may appear significant. As we demonstrate in the next section, however, this does not mean the right to privacy no longer impacts upon data processing in an academic context; simply that considerations of privacy are not as prominent within by the GDPR itself. Additionally, the above-cited text of Article 85 GDPR requires Member States to consider the right to freedom of expression 'and information', potentially adding a further dimension, and greater weight, to the principles in favour of derogation. The new drafting is a fuller reflection of this right as articulated in Article 10 of the European Convention on Human Rights (ECHR), 8 the principles of which are effectively transposed into EU law via the Charter of Fundamental Rights ('the Charter') 9 in the intervening years between the Directive and the Regulation. It would be a natural consequence of this shift for a slightly different balance to be struck under the GDPR, even in spite of the importance the Regulation otherwise affords to the principles of data protection.
Given the new importance attributed to the right to impart information, it is less surprising that the inclusion of 'academic purposes' in Article 85 is another innovation of the Regulation. The addition of academic purposes followed years of discussions, dating back to 2012, with UK funding organizations supporting its inclusion for the benefit of academic research, 10 particularly research which would not be covered by the scientific research exemptions now set out in Article 89 GDPR. 11 The idea of placing journalism and academic social science research on a more equal footing within data protection law was also met with academic support. 12 Article 11 of the Charter, on which the derogations in Article 85 GDPR are based, 13 reads as follows: Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.
It seems novel that a public authority such as a university should require legal protection from interference from other public authorities in its free expression. It appears almost to posit two diametrically contrasting views of academic research: as a service to society carried out under the aegis of a public authority, and as free individual expression requiring protection from the State. This apparent contradiction in the way universities may be viewed under the GDPR may be an illusion, however. Whether these two models of academic research are likely to conflict in practice will depend upon the impact these exemptions will have on academic data governance. We will explore this potential impact with regard to breadth of application, as well as the threshold for application, of the UK academic exemptions.

Scope of the UK academic exemptions
The simplest measure of the breadth of the UK academic derogations is the number of GDPR provisions from which UK data controllers could claim an exemption for such purposes. From this perspective, the DPA 2018's exercise of the derogation offers an impressively comprehensive regime of exemptions. It comprises, inter alia: a defence to the crime of unlawfully obtaining personal data; 14 a defence to the crime of re-identifying de-identified data without the data controller's consent 15 (although this is technically not a derogation from the GDPR but rather from a national provision, recommended by UK's National Data Guardian for Health and Care as a protection for anonymized patient data used in health research); 16 a defence to the crime of processing data which has been illegally re-identified; 17 an additional ground for processing special categories of personal data in order to uncover dishonesty or mismanagement; 18 exemptions from all GDPR data subject rights (except the right not to be subject to significant decisions based solely on automated processing), and all the principles relating to the processing of data except for accountability and security. 19 To expand upon the final bullet point, while paragraph 26(9) of Schedule 2 DPA 2018 does not exercise the full extent of the academic derogation, the following table illustrates the extent to which key GDPR principles, rights, and obligations could be curtailed for academic purposes: It is evidently not fair to say that the UK has exercised the Article 85 derogation to the fullest possible extent, but the exemptions academics can claim would counter the majority of principles and data subject rights in the GDPR. All requirements to process data lawfully, including the need to have an appropriate lawful basis for processing, could be overruled. The transparency obligations, one of the cornerstones of the GDPR, could also be negated-along with the need to ensure accuracy and minimization of data. 20 Significant provisions which are not included in the permissible exemptions include those governing the general responsibilities of a data controller, 21 their relationship with a processor, 22 the need to keep records of processing, 23 cooperate with a supervisory authority, 24 and ensure adequate security of processing. 25  of processing is also protected by the preservation of Article 5(1)(f). Clearly, the free expression Article 85 GDPR protects is only deliberate expression and information through personal data; accidental revelation of personal information through inadequate security would not fall within this protected right. 26 This is an interpretation evidently shared by Malta 27 and Ireland, 28 who have also specifically excluded Article 5(1)(f) from their academic exemptions. Austria has preserved Article 5 in its entirety, 29 but allows more exemptions from data controller obligations. 30 The greatest concern which arises from a review of the UK exemptions, therefore, relates more to the potential absence of lawfulness, transparency, fairness, data minimization and the availability of data subject rights, than to the structure and organization of the controller's processing. Nonetheless, it will be interesting to see how much the continued effect of Article 35 (the duty to prepare a data protection impact assessment) which is not included within the exemptions, will limit the exercise of the other exemptions. Presumably, even when exemptions are claimed from the lawfulness principle, or from data subject rights, the controller will still have to conduct a data protection impact assessment where there is a high risk to individuals' rights and freedoms, and mitigate against these risks wherever possible. Other reasons why necessity and proportionality must be considered are discussed below under 'threshold', but the continued application of Article 35 strongly suggests that exercise of academic exemptions should be planned, and proportionate to the risks posed to data subjects. 31 This is consistent with the guidance provided by the UK Information Commissioner's Office (ICO) that use of all GDPR exemptions should be justified and documented. 32

'Academic material'
An additional measure of scope is the likely definition of 'academic material': the central concept on which the exemptions hang. Academic purposes are not defined in the GDPR or the DPA 2018, but 'academic material' intended for publication is a prerequisite to disable the GDPR provisions listed in the table above. 33 This, in turn, is never defined within the DPA 2018. The Charter refers to the need to respect 'academic freedom', but does not provide further detail. 34 In the context of the freedom of expression and information, on which the Article 85 derogation is based, 35 some gloss was provided by the Court of Justice of the European Union in the Erdogan case: In determining whether speech has an 'academic element', it is necessary to establish: a) whether the person making the speech can be considered an academic; b) whether that person's public comments of utterances fall within the sphere of his or her research; and c) whether that person's statements amount to conclusions or opinions based on his or her professional expertise and competence. These conditions being satisfied, an impugned statement must enjoy the utmost protection under Article 10. 36 None of these criteria are reflected in the text of the DPA 2018, which adopts an interpretation of the derogations which is 'actor neutral' (ie referring to special purposes and not to special actors). 37 It is possible that the ICO might take them into account when determining whether data are processed 'only' for academic purposes, 38 but the regulator's criteria has yet to be concretized, and as such it is difficult to speculate at this stage. This is not necessarily a deficiency in the DPA 2018, however. It would be difficult to be too prescriptive about the breadth of academic material, and what constitutes valid information, opinions or ideas. It would be almost paradoxical for parliament to attempt to safeguard freedom of expression, while at the same time attempting to impose its own definition of legitimate academic discourse.
While the breadth of 'academic material' is not necessarily a deficiency in the DPA 2018, it nonetheless creates scope for confusion or controversy between academics and their institution, particularly as regards the identity of the data controller of the exempted data. Even taking the Erdogan gloss into account, all that would be required for 'academic material' is an individual who could fairly be termed an academic, a connection between said individual's field of research and the information in question, and a conclusion or opinion based on their professional competence. This is too broad a principle for it to be clear whether the 'academic material' needs to be held or controlled by an academic institution. For example, in the well-publicised case of Aleksandr Kogan's use of Facebook data (the results of which allegedly came into the possession of Cambridge Analytica) the University of Cambridge was clear that no University resources or facilities, and none of the data collected for his academic research, were used for this work. 39 This was sufficient for the UK regulator to focus their investigation on Dr Kogan's private company, rather than his academic employer. 40 If a researcher in a similar position were to process data under DPA 2018, outside of their academic employment but using their professional competence to draw conclusions intended for publication, there is nothing in the foregoing analysis to suggest they would not be entitled to rely on academic exemptions, even relating to fundamental data protection principles such as that of lawfulness. The DPA 2018 thus contains a significant potential lacuna in respect of 'spin out' academic processing, although (as argued in the next subsection) the continuing application of privacy rights may be a saving grace for affected data subjects.
There is also nothing within the DPA 2018 to prevent an academic who processes data within the course of their employment from moving institution and taking their exempted data with them, as the purpose of the academic material could move with the researcher. The phrasing in the Erdogan judgment focuses on the academic expertise of an individual, and even the DPA 2018's 'with a view to publication' could refer to the intention of a particular individual to publish the results of their data processing. That said, nothing within data protection law is capable of bestowing intellectual property rights on an academic. Even if said individual were to leave a university, taking their professional competence and intention to publish with them, the DPA 2018 could not assist if the terms of their employment meant intellectual property rights in their research data remained with their university. An interesting situation might arise if the university could not replace this individual with someone with similar competence and intention to publish-in this instance the university might retain IP in the data, but lose the basis on which to rely on any academic exemptions under DPA 2018.
If the potential scope of the exemptions is broad, albeit perhaps justifiably, it is all the more important that an appropriate threshold is set to prevent abuse of academic freedom. This is considered in the next subsection.

Threshold for the academic exemptions
Starting with the test as set out in the DPA 2018 itself, the criteria a controller would have to satisfy under can be summarized as follows: Regardless of the flexibility in Article 85 GDPR, under UK law the personal data must be processed only for academic purposes, this being a point the ICO has power to determine; 41 Academic purposes constitute any processing with a view to the publication by a person of academic material which has not been previously published by the controller; 42 The controller must reasonably believe that the publication of this material would be in the public interest; 43 taking into account the importance of the public interest in the freedom of expression and information 44  (a) the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and (b) the controller reasonably believes that the publication of the material would be in the public interest.
This does not include any requirement that academic material be previously unpublished, or that processing should be 'only' with a view to such publication. At the same time, however, if a data subject were to make a claim under Article 82 GDPR (for compensation as a result of infringement of the Regulation), the ICO could make a determination within those proceedings that the personal data are not processed 'only' for the special purposes, or for the sake of previously unpublished material. 47 If the processing were only for the sake of previously unpublished academic material, such proceedings must be stayed, 48 but otherwise the controller could presumably be held liable for the processing. Furthermore, it seems from the face of the Act that 'with a view to' means that the processing must anticipate publication, meaning the exemption would no longer be available post-publication. This is less appropriate in an academic context as it might be within journalism, as academics may be required by journals to retain data post publication for validation purposes. They may even be obliged to share said data by public funders. Although the 'archiving in the public interest' exemptions might offer some assistance in this context, we shall demonstrate in Part III that these 'Article 89' exemptions are far more narrow than those afforded for academic processing. The academic exemption relied upon might therefore disappear post-publication. Therefore, it would be foolhardy for a university to rely on the text of Schedule 2 paragraph 26 alone, and the totality of the DPA 2018 must be taken into account. The threshold for the academic exemptions set by the DPA 2018 is thus complex in the sense that it must be read cumulatively across the Act. It is not necessarily more liberal than its counterparts: the Irish Data Protection Act 2018 does not appear to have a 'sole purpose' requirement, and explicitly states that the right to freedom of expression and information must be interpreted in a broad manner. 49 The Maltese Data Protection Act 2018 is interesting, however, in adding: Personal data processed for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt from compliance with the provisions of the Regulation specified in sub-article (2) where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with any of the provisions as specified in sub-article (2)would be incompatible with such processing purposes: Provided that when reconciling the right to the protection of personal data with the right to freedom of expression and information, the controller shall ensure that the processing is proportionate, necessary and justified for reasons of substantial public interest 50 (emphasis added).
This language appears to reflect the requirements for lawful interference with a fundamental right, as though the legislation anticipates the possibility that data processing under the special purposes exemptions would engage data subjects' privacy rights. While it cannot be assumed that processing personal data for academic research will always engage such rights, information of a private nature will be processed with sufficient regularity in the course of research (particularly social or biomedical scientific research) that this is an important factor to consider, which could significantly restrict the scope of the exemptions in practice.

Privacy rights
Although considerations of necessity and proportionality are not explicitly written into the test for the academic exemptions in the DPA 2018, there are reasons outside the Act itself why these principles should be read into their application in practice.
Firstly, even though the exemptions are the UK's reconciliation of the right to data protection with freedom of expression, the right to privacy 51 as expressed in Article 8 ECHR applies directly in the UK by virtue of the Human Rights Act 1998, which creates a cause of action distinct from data protection law. That is, even if no infringement of data protection regulation had taken place, a data subject could still theoretically bring a claim for breach of their rights under Article 8 ECHR (even if the two are in fact found to align closely in practice).
The Human Rights Act 1998 alone provides grounds to assert that university researchers should respect privacy rights. 52 These rights apply directly to universities 47  if they are public authorities for administrative law purposes. 53 Even if a university is taken to be a private organization, Article 8 ECHR applies indirectly, as it will be brought to bear on the interpretation of their private law duty of confidentiality. 54 Secondly, Article 8 ECHR will influence how the GDPR and supplementing national legislation are interpreted, including the academic exemptions under the DPA 2018. As long as the GDPR applies-and UK's legislation merely supplements its provisions-this framework should be interpreted in line with fundamental rights set out under the Charter, which largely mirror those of the ECHR. This was settled case law under the Directive, 55 and it would be difficult to argue that it should be otherwise under the GDPR given the prominence the Regulation gives to the Charter. The right to data protection as enshrined in the Charter is referred to in the first Recital of the GDPR, setting the tone of the rest of the Regulation. Recital 4 GDPR also adds: This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications.
It therefore seems in no way far-fetched to argue that the GDPR should be interpreted in line with the Charter, as a continuation of the principle established under the Directive. The UK Supreme Court has gone as far as to suggest that separate consideration of the right to data protection was not necessary as: In Volker und Marcus Schecke GbR and Hartmut Eifert v Land Hessen (Cases C-92/09 and C-93/09) [2010] ECR I-11063, the Court of Justice of the European Union (Grand Chamber) held (para 52) that the limitations which may lawfully be placed on the right to the protection of personal data correspond to those tolerated in relation to article 8 of the ECHR. 56 This equation has been followed in the lower courts, where it has been recently accepted that a claim under the Data Protection Act 1998 would add nothing to one under Article 8 ECHR. 57 As the right to privacy in Article 7 of the Charter is expressed in terms substantively identical to Article 8 ECHR, it is convenient to refer to both provisions collectively as 'privacy rights'. This is not to accept a characterization of all GDPR subject rights as equating to Article 8 ECHR rights. Despite the tendency of courts to often equate data protection and privacy rights in their analysis, 58 there are reasons for avoiding a conflation between the two. 59 The rights to access or rectification under Articles 15 and 16 GDPR, for instance, correspond to a notion of privacy-as-control that applies regardless of a potential 'interference with private life'. 60 Nonetheless, we shall be cautious before drawing too rigid a distinction between these different elements of data protection law. All data subject rights could be exempted from for academic purposes, unless such processing was to interfere disproportionately with private life, and thus the precise scope of an academic exemption vis a vis a data subject right, is largely contingent on the specific factual context. 61 For all of these reasons, it is clear that the academic exemptions must be construed in line with privacy rights wherever private information is used in research. The inevitable question is then how these rights limit the scope of the exemptions? The GDPR limits the academic derogation to that which is 'necessary' to reconcile the right to freedom of expression and information with data protection. It therefore follows that the exemptions should go no further than that which is 'necessary' for this reconciliation. As the UK Supreme Court explained in the above-cited case: The meaning of necessary was considered by this court in South Lanarkshire Council v Scottish Information Comr As was explained there at paras 25-27, it is an expression whose meaning depends on the context in which it falls to be applied. Where the disclosure of information constitutes an interference with rights protected by article 8 of the ECHR, as in the present context (as explained at paras 75-77 below), the requirement that disclosure is "necessary" 53 There is some authority to suggest universities may be 'public authorities' from an administrative law perspective in their educational capacities, but not in their private capacity as employers:  forms part of a proportionality test: the disclosure must involve the least interference with the right to respect for private and family life which is required for the achievement of the legitimate aim pursued. 62 Even where no 'disclosure' is involved, and data are merely processed for research, we suggest the principle is the same. If privacy rights are engaged by research data processing, this processing should not exceed that which is necessary for the ultimate academic publication. This appears to correlate best with the requirement in the DPA 2018 that there be incompatibility between the exempted data protection obligation and the academic purpose. In other words, wherever privacy rights are engaged, 'incompatibility' should be read as meaning: 'is it strictly necessary to deviate from the GDPR, or could the academic goal be achieved with a less intrusive (and more compliant) measure?' Therefore, although there is no explicit requirement within the DPA 2018 to weigh the perceived public interest in the ultimate publication of the material against the severity of the effects on the data subject's right to privacy, 63 these considerations must instead be prompted by reading the GDPR in line with privacy rights.
A hypothetical scenario outlining when Article 8 ECHR might impose additional considerations beyond these criteria is set out below, in an example which also illustrates the potentially complex relationship between the different types of exemption: Following the above analysis, it is suggested that the principle of proportionality should be read into the word 'incompatible' in practice, wherever private information is used. Closer analysis reveals a key distinction between the academic exemption and the additional consideration of privacy rights. Under the academic exemption, the researcher must only have a 'reasonable belief' of incompatibility. As a potential arbiter of any infraction, the ICO confirms: A group of scientific researchers is processing a large amount of sensitive research personal data for their project, the findings of which are believed to be in the public interest and are intended for publication. They did not obtain the data directly from the data subjects, but from another centre as part of a data sharing consortium. These researchers have not actively communicated all of the information listed in Article 14 GDPR directly to the individual data subjects, believing that to do so would require a disproportionate effort, and would render their research impossible as it would exhaust their budget.
They note that they could rely on Article 14. 5(b) of the GDPR, and not inform data subjects on the basis of the disproportionate effort involved, but that to do so they would need to have in place safeguards pursuant to Article 89 GDPR. They are concerned about the time and resources these safeguards might involve, and wonder whether this burden might mean the safeguards are 'incompatible' with their purposes (as required by the test in the DPA 2018)? Could they not simply rely on DPA 2018 Schedule 2, para 26(9)(b)(ii), which would exempt them from compliance with Article 14 altogether, and not put in place any safeguards? They could also use similar DPA 2018 exemptions to avoid compliance with other provisions which require Article 89 safeguards, such as the 'research' condition for processing special categories of data under Article 9.
Whether the safeguards Article 89 requires could truly be said to be 'incompatible' with the academic purposes, as opposed to purely 'inconvenient', 64 will depend on the circumstances of the case. However, case law from the European Court of Rights suggests that where large amounts of sensitive data are processed, safeguards protecting these data from abuse are all the more important for compliance with Article 8 ECHR. 65 As such, to avoid infringing privacy rights, a more robust interpretation of 'incompatible', as used in the DPA 2018, may be required.
As such, the researchers may be able to rely on the scientific research exemption, meaning they could rely on Article 14. 5(b) GDPR and only make information about their processing publicly available, rather than incurring the expense of contacting data subjects individually. However, to try to dispense with research data safeguards on the basis that they would be 'incompatible' with their purposes sets the bar for incompatibility too low to be compatible with privacy rights. Therefore, it is unlikely that the academic exemptions in DPA 2018 could be used to avoid putting in place Article 89 safeguards to protect private information.
62 Christian Institute (n 56) at para 56. 63 The ICO's guidance (n 40) suggests data controllers should consider the harm to data subjects when deciding whether the ultimate publication would be in the public interest. We endorse this guidance, but note that it is not a requirement of the DPA 2018 itself.
64 The Information Commissioner's Office has since released guidance confirming that incompatibility must be more than inconvenience: 'Guide to the General Data Protection Regulation/ Exemptions' (note 40) 65 MM v UK App no 24029/07 (ECtHR, 13 November 2012), at para 200.
The ICO does not have to agree with your view -but we must be satisfied that you had a reasonable belief. 66 Likewise, the courts would be likely to apply a 'reasonable range' test and afford some discretion for reasonable belief when considering an exercise of the special purposes exemptions. In the case of an alleged infringement of privacy, however, the court would make its own determination of proportionality, with no allowance for reasonable alternative views. As such, a greater degree of external accountability is established once privacy rights are taken into account, as the extent to which these rights can be impaired is ultimately for the courts to determine.
As a counterexample, the following scenario outlines a situation in which the academic exemptions could supplement the research exemptions, and broaden the flexibility for university researchers: In summary, therefore, while the academic exemptions could apply in a number of scenarios, genuine incompatibility of the GDPR with academic processing is not easy to make out, especially when considered in the context of the duty to respect privacy rights wherever they are engaged by research. The threshold of necessity within Article 85 GDPR is high, particularly when read in line with privacy rights. As such, the impact of the exemptions is likely to be limited in practice.
However, the academic derogation is not the only means by which the GDPR allows member states to pass exemptions for academic research. For scientific, historical and statistical research, the national exemptions enacted under Article 89 GDPR are of equal significance. While these exemptions are of more limited disciplinary scope, and are less radical in their interference with GDPR obligations, they may be more commonly (and less controversially) deployed within academic research. This will be explored in the next section.

The research derogation
The derogation in Article 89(2) GDPR is another respect in which national implementation of the Regulation can impact upon academic research data. Even where academic exemptions are not claimed, universities can still rely on modifications within the research exemptions.
There are a number of contexts in which the GDPR permits such adaption of its general obligations: for scientific or historical research, for statistical purposes, or for archiving in the public interest. Article 89(2) provides: 'Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to A study has obtained data directly from research participants, spending a significant amount of public money on this initial individual level engagement. The information originally provided to research participants was deemed sufficient under the applicable data protection law at the time of collection. However, now that the GDPR is in force, Recital 171 requires the study to bring their research personal data in line with the Regulation. This means imparting additional information to data subjects in order to satisfy the GDPR's enhanced transparency requirements, such as the legal basis on which their data are processed, and the availability of their GDPR rights. Where such information goes to the heart of how data subjects exercise their rights, European level advice is that it should be actively brought to the attention of each data subject, and not simply advertised on a website. 67 The study does not, however, have the resources to go back to the thousands of data subjects to make good this informational deficit, especially as the budget for the study has been all but exhausted.
The analysis of the personal data for the originally stated purpose has not yet completed, and nothing about the way the data are processed has changed. The researchers are satisfied there is no significant impact on the participants, as their personal data are used only in line with their original consent. But compliance with Article 13 to the extent of direct contact with each participant would exhaust the funding, and compromise the ability of the researchers to generate the findings for which the data were originally obtained. This would jeopardise the research for which participants had given up their time and information in the first place.
As the data are intended to generate findings for publication believed to be in the public interest, but a requirement to bring the data fully in line with Article 13 would mean the end of the project and the deletion of the data, in this extreme case the UK academic exemptions may be of some utility. 66  render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Article 89(1), in turn, refers to 'appropriate safeguards' for the rights and freedom of the data subject, further specifying: 'Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.' Article 89, and its requirement of safeguards for the rights and freedoms of data subjects, is thus the gateway to these research modifications of GDPR obligations. Compliance with Article 89 is one condition on which the general prohibition on processing special category data can be set aside for scientific or historical research; 68 and can enable less active compliance with the transparency obligations where data are obtained from a third party. 69 It can also lengthen permitted retention periods, 70 and in some circumstances can exempt data controllers from the application of data subject rights (see below). As successful compliance with Article 89, and its clear (if broad) requirement of 'appropriate safeguards', is necessary for these exemptions, we shall refer to them collectively as 'the research exemptions.' The Article 89 derogation is less fundamental in its scope than the academic derogation, as it does not affect the essential requirements of fair and lawful processing. It is not, for example, a substitute for a legal basis for processing. Nonetheless, it can alter a data controller's obligations in ways which are not insignificant. Article 89 GDPR has been criticized for its broad definition of 'scientific research', and for the vagueness of its key term: 'appropriate safeguards'. 71 It is evidently a derogation which, despite the potential for more regulation of research data publication in earlier drafts, 72 does not provide a detailed framework for research data protection, but rather flexibility for research and archiving, as long as sufficient safeguards are in place.
For our present purposes, the most pertinent aspect of Article 89 is the potential for member states to derogate from certain data subject rights for relevant research, 73 or for archiving in the public interest. 74 This has implications both for research itself and for research data archiving at national level. The UK has exercised these derogations in respect of all possible data subject rights in Schedule 2 DPA 2018. Once the exemptions for scientific and historical purposes from both the GDPR and the DPA 2018 have been applied, these rights are modified as follows:

Continued
The above table may appear complex-such is the intricacy of the interface between the two pieces of legislation-but the net result of setting them side by side is to illustrate that the UK has exercised the Article 89 derogation to the fullest possible extent. This suggests a desire to provide researchers, and research archivists, with the greatest possible degree of freedom which is, nonetheless, consistent with the GDPR. The UK is not unique in this regard: Ireland 87 and Malta 88 have also exercised the Article 89 derogation to the fullest possible extent.
At first glance, it may appear troubling that almost all GDPR data subject rights are derogated from under the UK's implementation of the research exemptions. Furthermore, the main criterion for compliance with Article 89-'appropriate safeguards-is nonprescriptive and open to national interpretation. The only specification the UK provides as to what constitutes an 'appropriate safeguard' for scientific research relates to processing for decisions with respect to the data subject, or which are likely to cause substantial damage or distress. 89 Otherwise, 'appropriate safeguards' are left to largely individual data controller discretion, albeit with some particular emphasis on data minimization. The UK has evidently taken a liberal approach in its implementation of the research exemptions; an approach which could impact upon almost all of the rights which would otherwise be available to research data subjects.
However, there is a note of reassurance which has some parallel with the academic exemptions. If the scope is correctly understood as encompassing both breadth and threshold, it can be seen that the threshold built into Article 89 GDPR is high: Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. (emphasis added) This contrasts with the Directive which only required 'appropriate safeguards' for research derogation, and not serious impairment. 90 The GDPR, however, requires safeguards and impossibility or serious impairment for the research derogation, setting a higher standard than existed in the Directive.
In conclusion, therefore, while the GDPR introduces broad derogations which may impact upon academic research, where Articles 85 and 89 are concerned their respective requirements of necessity and (at least) serious impairment limit their application in practice. They are evidently exceptions rather than the norm, unless it is accepted that it is the norm for data protection provisions to seriously impair research (which we do not). As the UK has not allowed any academic exemption from Article 35 (the duty to prepare data protection impact assessments), it is hoped that research data processing will be planned in such a way to promote data subject rights, and accommodate them without serious impairment to research.
On balance, this may appear to be a satisfactory reconciliation of data subject rights, privacy rights, the right to free expression and the importance of public These powers to add to the provisions of the DPA 2018 have been termed 'Henry VIII' powers-otherwise known as delegated legal powers under which subordinate legislation is enabled to amend primary legislation. 92 The inclusion of such powers in primary legislation has been increasingly employed by the UK government, not only to regulate administrative and technical procedures, but also matters of principle and policy. 93 For present purposes, the power in section 16(2) of the DPA is crucial: the power in Article 23(1) (GDPR) to make a legislative measure restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest (may be exercised by way of regulations made by the Secretary of State) While Henry VIII powers are not entirely a novelty of the DPA 2018, the previous power under the Data Protection Act 1998 was merely to exempt personal data from the subject information provisions where other UK enactments restricted or prevented such disclosure. 94 It was, in essence, a practical power to resolve any conflict between the data subject rights in the Data Protection Act 1998 and any other UK legislation, which still required the Secretary of State to consider the interests of the data subject, as well as rights and freedoms of other individuals.
The power bestowed by section 16(2) DPA 2018 is much broader, enabling the Secretary of State to restrict the scope of any rights or obligations under the GDPR, where such restriction is proportionate and necessary for 'objectives of general public interest'. Unlike its predecessor in the 1998 Act, there is no statutory requirement for the Secretary of State to consider the interests of data subjects. However, although broad, the Secretary's discretion is not untrammelled. Secondary legislation of the kind made under section 16(2) could be subject to judicial review both on traditional vires grounds 95 and on the ground of its conformity with fundamental rights. The Supreme Court majority clarified in its recent Public Law Project judgement that a 'restrictive' approach is to be preferred if there are doubts about the scope of the delegated power conferred upon the Secretary of State. 96 When fundamental rights are affected by a measure, UK courts employ the so-called 'anxious scrutiny' test, requiring the public authority to prove that 'the most compelling justification existed' for this infringement. 97 In sum, therefore, although it is not possible to quantify with any certainty the likelihood of the Article 23 derogation being used by the Secretary of State in such a way as impacts upon academic research data governance, this does not appear to be an immediate prospect.
The overarching lesson to be drawn from the UK's response to Articles 85, 89, and 23 GDPR is that the number of available derogations within the Regulation can mean that national implementations are not only complex, with overlapping regimes of restrictions, modifications, and exclusions, but also dynamic and potentially subject to change. Nevertheless, such changes, restrictions and modifications cannot take place in a vacuum. Even in the case of Article 23 where the GDPR does not set thresholds within the derogation itself-unlike the requirement of necessity in Article 85, or that of serious impairment in Article 89-they must still be exercised in accordance with case law wherever privacy rights are engaged. The resulting legislative picture is undeniably complex, and not necessarily static, but the impact upon academic research is limited by the need to respect privacy rights, even when this requirement is not explicitly recognized within the GDPR.

Public authority obligations
Finally, we shall now turn to a very different facet of the GDPR: its greater delineation between public and private sector organizations as compared with the Directive it replaces. A review of these two pieces of legislation indicates that the GDPR specifically mentions public authorities 44 times, dwarfing the five such references in the Directive. Included in these references are the requirement for authorities to process data on a national or EU legal basis wherever they exercise their functions, as opposed to relying on the more general latitude of 'legitimate interests'. 98 They must appoint, support and appropriately resource a Data Protection Officer to oversee the lawfulness of their processing, 99 as well as acting as a public-facing point of contact for transparency purposes. 100 All of these new obligations point towards a greater need for accountability in public authority processing, above and beyond the general enhanced requirements across the public and private sectors. We do not mean to simplify the GDPR's treatment of public authorities, and acknowledge that such institutions also enjoy specific protections, for example from litigation in another Member State or by way of potential national limits on administrative fines. 101 However, as our focus is on academic researchers, and how their relationship with data subjects is regulated under the GDPR, we shall focus on the provisions most pertinent to the question 'to what extent are academics able to process research data as they wish under the GDPR?', as opposed to those pertaining to the consequences of an alleged breach.
To this end, we focus in this final section on consent as a basis for processing data in academic research. The GDPR defines consent as: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 102 Recital 43 adds: consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is unlikely that consent was freely given in all the circumstances of that specific situation.
Following the DPA 2018's designation of universities as public authorities, this stipulation in Recital 43 has been taken seriously. Guidance issued by the Information Commissioner's Office 103 suggests that public interest may be the most appropriate ground for processing personal data for academic research. This recommendation has in turn been reflected in guidance issued to researchers by a number of UK universities. 104 While the requirement that consent be 'freely given' is not unique to public authorities, any universities classified as public authorities for the purposes of the GDPR (of which there will be many across Europe and beyond) are particularly encouraged to give thought to whether their 'balance' of power with the data subject means they can appropriately rely on this basis in practice. 105 This encouragement to public authorities cannot be dismissed as non-binding exhortation, as authoritative guidance has been issued by the Article 29 Working Party, and subsequently by UK regulators, to the effect that public authorities should avoid reliance on consent as a basis for processing in the performance of their tasks.
Whether it is truly impossible for consent to be freely given in the context of academic research requires careful consideration. Guidelines issued by Article 29 Working Party stress that it is essential that individuals who refuse consent must not be denied access to the public authority's core services. 106 For consent to be 'freely given' it is essential that individuals who refuse to consent are not denied access to the public authority's 'core services.' This risk of detriment is easily identifiable in the relationship between students and their institution, but is less obvious in the context of academic research. Naturally, the risk of detriment could vary depending on the nature of the research. An individual participating in a clinical trial in the hope of combatting life-threatening illness clearly has a much greater dependence on a 'core service' than an interviewee in a qualitative study who stands to gain no personal benefit from the research. 107 Admittedly, concerns about appropriate power balance are not the only reason why UK researchers have been steered away from consent as a basis for processing. The GDPR also requires granularity of consent, and it has been suggested that not every research project is sufficiently defined at the point when consent would be collected from participants to fulfil the enhanced requirements of the GDPR. 108 The requirement to delete data should consent be withdrawn could also prove problematic in cases where data are required to be retained post publication. Nevertheless, should researchers wish to process participant data on the basis of consent, their balance of power with the data subjects will be a very relevant consideration under the GDPR.
Clearly, the role of consent within academic research needs to be re-evaluated if it is not widely commended as a legal basis for processing personal data. Consent may still be required under the common law duty of confidentiality, even when it is not a GDPR basis for processing. This could help to highlight to researchers the purpose of obtaining consent from participants as a justification for using private information, as opposed to a bureaucratic exercise. Reconsideration of the role of consent could also take into account empirical studies of participant views as to why they value consent: as a means for securing their approval of research projects; 109 as a mechanism for respecting their autonomy; 110 or even simply as an act of courtesy during the research project. 111 Regardless of how great a role consent will continue to play in academic research, however, the above analysis illustrates the importance the new obligations placed upon public authorities by the GDPR in an academic context. As the threshold of the exemptions made under the relevant derogations is set high, particularly where private information is used, these obligations are therefore likely to be of greater import to academic research in practice than any new freedoms the GDPR may bring.

Conclusion
In sum, it appears that the GDPR derogations which could, hypothetically, provide for greater freedom in academic research data processing in fact set the bar high for their exercise by Member States. The Regulation only allows for derogation to the extent that it is 'necessary' for academic expression, or would cause impossibility or serious impairment to research. We have seen from the UK's example that these restrictions in the GDPR, combined with the impact of privacy rights wherever they may be engaged by research, significantly limit the scope of academic freedom in personal data processing.
The answer to the question posed at the beginning of this paper-'do academic researchers stand to have more freedom in their data processing under the GDPR?'-therefore appears to be 'no', at least as far as can be established from analysis of the UK's implementation of the Regulation. The derogations should rightly be seen as the exceptions which prove the rule of public authority obligations which apply to many universities within the territorial scope of the Regulation. Our secondary lesson is therefore that the innovations in the GDPR of more significance for academic research are the provisions specifically relating to public authorities. These shifts may be subtle in their impact, but the need for researchers to consider appropriate balances of power with data subjects cannot be ignored under the new Regulation.