Can We Still Archive? Privacy and Social Science Data Archiving After the GDPR

Abstract

This dissertation investigates the impact of new privacy regulations on scientific research data infrastructures. It focuses on the experiences of and outcomes at four European Union (EU) social science data archives—the Czech Social Science Data Archive, the Finnish Social Science Data Archive, Data Archiving and Networked Services, and GESIS — Leibniz Institute for the Social Sciences—during the period after 2016 as they attempted to become compliant with the EU’s new General Data Protection Regulation (GDPR), a revised EU-wide law that brought further restrictions to the use and reuse of personal data. However, as the GDPR and the subsequent national legislation sought to increase protections for an individual’s personal data, they did not significantly consider how the new requirements would affect the research community for whom personal data are vital to creating new knowledge. This research seeks to understand how the changes required to comply with the GDPR have affected the data archives’ abilities to operate. This study is a qualitative, multiple case comparative case study of four national social science data archives. It relies on semi-structured interviews with data archive staff, senior leadership, IT staff, legal advisors, and external stakeholders, document analysis, and data archive usage statistics. At the start of this dissertation, I developed a framework to better understand informational privacy in the contexts of data archives, where an individual’s direct control over their personal data is instead the purview of researchers and data archive staff. This framework conceived of informational privacy as resulting from three other conceptualizations of privacy: derived by regulating the flow of information, the minimization of harm, and a response to technological risks to privacy. My findings support a further revision of this proposed framework that, instead of modeling informational privacy itself, models the actions taken to promote and ensure informational privacy; actions that reflect the three aspects of privacy, with an overarching management component to coordinate these privacy protection efforts, and recognizing the internal and external factors that affect organizational responses. My findings indicate that there were three main factors that determined how the data archives responded to the GDPR: whether (if at all) they adopted a processor or controller role for their personal data, national data protection legislation considerations, and the role of a parent or supervisory organization. Another important finding is that the changes that the data archives did make focused on two of the three concepts of privacy in my model: regulating information flows and minimizing harm, as well as a fourth set of changes intended to manage these efforts. I also found that the GDPR did not have a significant, measurable impact on data archive operations such as archiving new data sets or disseminating data to data users. Instead, the biggest impact of the GDPR on the organizations can be found in the data archive staff mindsets: even though all four archives have long-standing traditions of data protection, the GDPR has reinforced the importance of data protection and data subject privacy in all aspects of their work. This research represents the first empirical study of the GDPR implementation at social science data archives, and provides guidance and lessons learned to research infrastructures in Europe and elsewhere who are adapting to new digital and data privacy legislation and need to balance data subject privacy and the goals of open science.