ArticlePDF Available

Is the GDPR and Its Right to Data Portability a Major Enabler of Citizen Science?

Authors:

Abstract

Citizen science is an emerging trend with an ever greater number of adherents. It involves the collection and contribution of large amounts of data by private individuals for scientific research. Often such data will concern the individuals themselves and will be collected through processes of self monitoring. This phenomenon has been greatly influenced by the Internet of Things (IoT) and the connectivity of a wide range monitoring devices through the internet. In collecting such data use will often be made of the services of various commercial organisations, for example that offer cloud storage services. The possibility of data portability is extremely important in citizen science as it allows individuals (or data subjects) to be able move their data from one source to another (i. e. to new areas of scientific research). This article explores the limits and possibilities that legal rights to data portability offer, in particular the new right as outlined by the European Union’s General Data Protection Regulation. In doing so this article will look at where this right (and how it operates in the international legal context) is able to facilitate the phenomenon of citizen science.
Is the GDPR and its Right to Data Portability a Major Enabler of Citizen
Science?
Paul Quinn
Abstract
Citizen science is an emerging trend with an ever greater number of adherents. It involves the
collection and contribution of large amounts of data by private individuals for scientific
research. Often such data will concern the individuals themselves and will be collected
through processes of self monitoring. This phenomenon has been greatly influenced by the
Internet of Things (IoT) and the connectivity of a wide range monitoring devices through the
internet. In collecting such data use will often be made of the services of various commercial
organisations, for example that offer cloud storage services. The possibility of data
portability is extremely important in citizen science as it allows individuals (or data subjects)
to be able move their data from one source to another (i.e. to new areas of scientific
research). This article explores the limits and possibilities that legal rights to data portability
offer, in particular the new right as outlined by the European Union's General Data
Protection Regulation. In doing so this article will look at where this right (and how it
operates in the international legal context) is able to facilitate the phenomenon of citizen
science.
1. Introduction
The amount of data in existence that can be used for research is increasing in an exponential
fashion. Similarly, the ability of individuals (both technically and legally) to to collect,
assemble and deliver their data for research purposes is also increasing. These developments
have boosted movements and attitudes that have often been termed as citizen science. This
movement relates broadly to the idea that individuals can play an active role in collecting
personal data and providing it for scientific research. In doing so it is argued they are able to
boost the chances that certain types of research may occur. Central to the concept of citizen
science is the idea that data should be portable, i.e. that individuals should be able to transfer
their data from various sources to research institutions.
This article looks at the phenomenon from a legal perspective, focusing on the the
role data portability as a legal right has to play in boosting this movement. In particular, it
will focus on the right of data portability as described in the EU's recent General Data
Protection Regulation (the GDPR). In doing so it will look at how the GDPR facilitates the
right of data portability throughout the European Union, and potentially to jurisdictions
beyond its borders. The ability of individuals to use this right to have their personal data
transferred from existing data controllers to research institutions may allow initiatives
associated with concepts of citizen science to prosper. As this article discusses however there
are a number of aspects concerning the formulation of this right within the GDPR that may
serve to lessen its impact.
Section 2 of this article discusses the concept of citizen science and why it has been
growing in prominence in recent times. Section 3 discusses the importance of data portability
to citizen science. Section 4 will look at how, on the one hand the GDPR introduces a right of
data probability and how it offers potential for individuals interested in participating in citizen
science based initiatives and on the other, it leaves areas of data processing that will not be
subject to the right of data portability and the likely effects this may have on citizen science.
Section 5 analyses what the limited application of the 'right to data portability to limited legal
1
bases for the processing of personal data is likely to mean. Section 6 discusses the likely
territorial application of the right to data portability and its implications for citizen science
initiatives to op-operate on an international level.
2. Citizen Science as a Growing Phenomenon
Citizen science is not a new phenomenon but it is certainly a growing trend that is allowing
important changes in the way scientific research is occurring.1 Prominent examples of citizen
science go back hundreds of years, including for example a prominent experiment in 1830s
Britain that involved hundreds of members of the public to monitor 650 different costal
locations.2 Whilst there are numerous other examples in the intervening period of the use of
large groups of private individuals to coordinate and execute the collection of data for
experimental purposes the phenomenon of citizen science had been greatly boosted in recent
times. This is due to developments in the both the digitization of personal data and the ability
to coordinate and share such data that have come with the development of the online web and
social media.3 This is primarily for two reasons. First, the digitisation of personal data allows
individuals to record and organise their data in ways that were not previously possible. This
includes the capture of new forms of data (though the Internet of Things (IOT) and devices
such as 'wearables') and the ability to store and organise it more efficiently e.g. using mobile
phones, powerful personal computers and online storage. Second, online connectivity,
including through social media platforms allows data subjects to contact each other and
researchers. This allows the formation of groups who have the desire to promote scientific
research certain areas through the collection, organisation and sharing of personal of data
concerning a particular issue. These developments have allowed individuals to come together
and pool potentially interesting data in ways that was not previously possible. Individuals
may for example be able to learn through social media that there are others that share health
issues that requires further research. Using wearables and access to electronic health records
individuals for instance can in theory pool large longitudinal data sets that are potentially
interesting to researchers.4
Such endeavours are seen as being conducive to research in potentially different ways
with visons of what actually constitutes citizen science that vary in breadth and scope.5 A
narrower view sees an important role for groups of engaged individuals to be able to respond
to open calls by researchers to come forward with data on a particular issue. In such a vision
researchers remain both the inspiration and architects of the research programme that is to be
carried out. They may conceive of the need for it and design the experiment in question,
appealing to individuals to come forward with useful data that they have collected in order to
allow the experiment in question to be carried out. In such a scenario the data subject can be
thought of as a benevolent form of 'free labour'; that makes itself available to a research
project in order to further its aims.
1 DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity: citizen science programmes
as useful tools for conservation biogeography. Diversity and Distributions, 16, 354-362.
2 MADISON, M. 2014. Commons at the Intersection of Peer Production, Citizen Science, and Big Data:
Galaxy Zoo. In: FRISCHMANN, B., MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge
Commons. Oxford University Press.
3 NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. & CROWSTON, K. 2012. The
future of citizen science: emerging technologies and shifting paradigms. Frontiers in Ecology and the
Environment, 10, 298-304.
4 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to Consumers.
The American Journal of Bioethics, 17, 72-74.
5 SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol, 24, 467-71.
2
A broader and perhaps more ambitious conception of citizen science sees the citizen
as the true master of the research in question (i.e. in place of the research institution). In such
a vision, it is the citizen (i.e. the data subjects themselves) who through networking and
discussion see the need for research to be conducted in a certain area.6 It is their ability to
collect, store and collate the data that they see as being useful that provides them with the
power to induce certain forms of research.7 In being able to create such pools of data they are
able to attract researchers who may find the research opportunity it presents to be attractive.
The ability to collect, store, collate and transmit such data to interested researchers represents
a source of power for citizen scientists potentially allowing them collectively bargain with
competing research institutions and and ensure that the type of research they want occurs. 8
This latter interpretation of citizen science sees the individual lay person acting more out of
self-interest (rather than a sense civic virtue) and through the power that comes of grouping
with other similarly minded individuals, deciding what research is to take place (in place of
the professional scientist and the institution he or she is attached to).
Of course, these points exist on a spectrum at either end of potential manifestations of
citizen science. There are many manifestations that are possible between the two and many
that may share elements of both. Individuals may for example become citizen scientists both
out of self interest and a a result of a sense of civic duty.9 Similarly it may well be difficult in
reality to draw a clear line in discerning whether research is proposed and conducted because
of the availability of data through active citizen science or whether such citizen scientists are
mobilised in response to institutional calls for research data. Whatever the particular
manifestation there are a number of criteria that must be met in order for citizen science to
occur. These include, the ability to record data, the ability to store it, the ability to access it,
and that it is portable (i.e. that it can be transferred to a research institution). The importance
of transferability or portability is discussed below.
3. The Importance of Data Portability to Citizen Science.
(i) The Need for Both 'Interoperability' and 'Transferability'
All of the requirements described above (i.e. the ability to record and observe) are without
doubt indispensable for citizen science to occur. Even if they are fulfilled however the ability
to transfer (or share) data (i.e. that it is portable) is a sina qua non for citizen science to
occur. Even if individuals are able to record and store their data, practicing citizen science
will not be possible in situations where individuals and groups of individuals are not able to
transfer useful personal data to interested researchers. The same goes if data subjects are
simply provided with access to their personal data by a data controller (imagine for example
the provider of a mHealth service). Access alone to personal data (a well established right in
6 One of the most important areas for citizen science that is not focused upon in this paper is within ecology
and environment projects. See: BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,
ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing Tool for Expanding Science
Knowledge and Scientific Literacy. BioScience, 59, 977-984. KELLING, S., FINK, D., LA SORTE, F. A.,
JOHNSTON, A., BRUNS, N. E. & HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data quality in
a citizen science project. Ambio, 44 Suppl 4, 601-11.
7 EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data Commons and the
Transformation of Citzen Science American Journal of Law & Medicine, 42, 651-685.
8 For further discussion on this see an article publish on the online site 'The Conversation entitled " Expanding
citizen science models to enhance open innovation" available at:
https://theconversation.com/expanding-citizen-science-models-to-enhance-open-innovation-61554
9 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of
Psychological Practice. Prof Psychol Res Pr, 43, 622-626.
3
data protection law)10 may mean little if it if it does not equate to a possibility to transfer data
to a researchers for further analysis. 11 Rights of access to one's personal data as is
traditonally found in data protection may not be sufficient to fully facilitate citizen science.
This is because to ensure portability two important elements are required, elements that may
not be present in tradtional rights to access data. The most important of these elements are
described below.
A Requirement of Interoperability -A right to access for instance may not not provide a right
to receive personal data in a form that is 'interoperable' with the processing systems of
another potential controller, including those of a potential researcher institution. This was for
example the situation with the right to access in the EU Data Protection Directive (95/46/EC).
Providing data in a form that is 'intelligible' to the data subject does not entail providing data
in a form that is functionally readable by other controllers. 'Intelligible' would rather seem to
refer to the ability of humans to be able to comprehend the data that is provided (and does not
refer to interoperability with other processing systems).12 Intelligible can thus best be thought
of as a duty to provide data, even if complex in some manner that will allow human data
subjects to comprehend it in terms of it what can be deduced from it. In modern information
society where data sets may be enormous and complex, this may in reality translate into a
duty to effectively summarise the data in 'human readable format' so that the data subject can
understand it. Providing data in its raw form would be unlikely to meet a duty to provide
intelligible data, largely because it would be meaningless to the data subject (largely because
such data would be stored in a way that is machine readable). In this regard the right to access
found in the GDPR certainly goes further than the Directive 95/46/EC does stating: 13
"The controller shall provide a copy of the personal data undergoing processing. Where the data
subject makes the request by electronic means, and unless otherwise requested by the data subject, the
information shall be provided in a commonly used electronic form."
Whilst a requirement of providing personal data in "a commonly used electronic form" goes
far further in providing requirements in terms of interoperability (see further discussion in
section 4), it still provides arguably little in terms of direct transferability (discussed below)
A Duty to Facilitate a Data Transfer A Right to Access does not provide any any right to
have data transferred to a third party, including a research institution. Transferability is
important because it places the responsibility of data transfer with the data controller and not
the data subject. This is important for a number of reasons.
Perhaps most importantly the data controller is likely to have a higher level of
technical ability and experience than the data subject. It may have numerous personnel other
organizational strengths (in comparison with an individual data subject). It may also
importantly possess a key advantage in terms of economies of scale. This is because a single
service provider, especially if it is a large one with a key position in the market, may receive
10 That data subjects might want access to their data is something that has been long recognised in data
protection. The original European Data Protection Directive (95/46/EC) Data Protection (in recital 41)
recognised a right of data subjects to access their data stating: "Whereas any person must be able to exercise the
right of access to data relating to him which are being processed, in order to verify in particular the accuracy of
the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have
the right to know the logic involved in the automatic processing of data concerning him, at least in the case of
the automated decisions…)"
11 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it
becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
12 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016) p14.
13 GDPR Article 14(3)
4
many requests from individuals who whish that their data is transferred to a particular
research institution. In such a context it will likely be a far more simple affair for one or a few
data controllers to contact and liaise with a particular research institution (than it would be for
thousands of data subjects). In such a manner discerning the necessary technical and
organizational arrangements that must be made in order to facilitate transfer is likely to be far
more efficient. An alternative scenario whereby research institutions had to liaises
individually with every data subject on technical adjustments that would have to be made in
order to facilitate transfer would in reality entail many more technical discussions between
research institutions and individual research subjects. Furthermore, such discussions would
likely be much more difficult given that individual research subjects would not be likely to
possess the same technical knowledge or abilities. The ability of data subjects to comply with
the technical requirements for transfer posed by the research institution are likely to be much
less than it would be for a large data controller. Alternatively, whilst research institutions
might in certain circumstances be willing to take on the all the responsibility themselves for
making data compatible for their research ends, the ability to do so would be severely
reduced where all data is provided by research subjects on a completely individual basis. In
such instances data may vary in format or even the method in which it is delivered (e.g. by
online file transfer, by DVD or by email). Taking on such variability would represent a costly
affair that could well hamper research. The ability therefore to deal with one or a few data
controllers who would transfer numerous data sets would be advantageous and encourage
research institutions to engage with citizen science initiatives.
4. The GDPR and its Right to Data Portability.
In what may be seen as an advance for the concept of citizen science the GDPR includes a
new right to data portability. Article 20 states:
"The data subject shall have the right to receive the personal data concerning him or her, which he or
she has provided to a controller, in a structured, commonly used and machine-readable format and
have the right to transmit those data to another controller without hindrance from the controller to
which the personal data have been provided."
There are two things that are immediately apparent and of potential relevance to this paper.
The first is that there is a right to receive code in a 'machine readable format' (also found with
the GDPR's strengthened 'right of access''.14 This appears to supplement the GDPR's right to
access (discussed above) and link it firmly with a right to data portability. This is important
from the perspective of interoperability of the data in question and thus increasing the
chances that it can be used for the purposes of scientific research. The second is that is
bestows the right upon a data subject of asking for direct transfer to another controller. As
section 3 discusses this requirement is important from the perspective of citizen science given
that for a number of reasons, it may often be the original data controller and not the data
subject who is best placed to execute the transfer of data. Article 20 can therefore be thought
of as improvement of the situation vis-à-vis the needs of citizen scientists. As the following
pages of this paper will discuss, this will facilitate citizen science activities in a number of
areas and should therefore be welcomed. At the same time there are however a number of
important elements that will likely serve to limit the ability of individuals and researchers to
use this article to further citizen science. The most important are summarized in the sections
below.
14 GDPR Article 14(3)
5
Limits to the concept of 'machine readable'
Whilst the concept of 'machine readability' might sound promising it is important not to read
it in too expansive a maner. In particular a duty upon data controllers to produce machine
readable data to not entail an obligation to make such data compatible for all purposes that
might be desired. As the Article 29 Working Party points out "portability aims to produce
interoperable systems not compatible systems".15 The latter (i.e. compatibility) would entail
an obligation upon the data controller to ensure that the data provided was directly
compatible with the intended purposes and processing systems of the proposed new controller
(to whom the data was to be passed). Although such a vision would make things easier for
both the data subject and the new controller (who would receive data that would be directly
ready for use) this would represent a heavy (if not impossible burden) on the original
controller.16 This is because all of the burden in terms of ensuring compatibility would fall
almost entirely upon that original controller. This would entail ensuring that the data that was
being transferred was completely compatible (i.e. ready to use) with whatever processing
systems were being used by the new controller. Given that there could be numerous different
formats and systems used by a new controller this would effectively mean a duty to modify
and tailor data to the needs of any data controller that a data subjected demanded transfer to.
Such a duty would likely act as a deterrent to data processing in general given that data
controllers would have to ensure that they had the capacity (in terms of both personnel and
technical expertise) to make such modifications if they were demanded.
It is for such reasons that a duty of 'compatibility' of transferred data is not realistic. It
also explains why the Article 29 working party emphasized that Article 20 of the GDPR
amounted to a duty of 'interoperability'.17 This represents a lower threshold and consequently
poses less of a burden on the original data controller. Such a duty represents a shared burden
where not only the original data controller but also the new one (a research institution in this
context) would have to make efforts so as to ensure compatibility. This is because
interoperability is normally taken as referring to a a duty to use one of a number of
commonly available formats.18 Although such formats may not be directly compatible with
the processing systems of a new controller they should be in such a form that that new
controller will be able to work upon and make compatible. Interoperability thus entails work
for both the original controller, who must ensure that the data meets such a format and for the
new controller who will have to further process the data into a new form that is compatible
with its desired purposes. Such a duty can not thus be considered as representing a maximum
facilitation of citizen science though it may however be a more realistic requirement. This is
because Article 20 will still entail a large amount of work on behalf of a research institution
from to make data compatible. Given that this will require resources that research institutions
15 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016)
16 As the Article 29 Working Party guidelines state (p13): Given the wide range of potential data types that
could be processed by a data controller, the GDPR does not impose specific recommendations on the format of
the personal data to be provided. The most appropriate format will differ across sectors and adequate formats
may already exist, but should always be chosen to achieve the purpose of being interpretable. Formats that are
subject to costly licensing constraints would not be considered an adequate approach.
17 Recital 68 of the GDPR states: "The data subject's right to transmit or receive personal data concerning
him or her should not create an obligation for the controllers to adopt or maintain processing systems which are
technically compatible."
18 As the Article 29 Working Party guidelines state (p15) "As such, data portability implies an additional layer
of data processing by data controllers, in order to extract data from the platform and filter out personal data
outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional
data processing will be considered as an accessory to the main data processing, since it is not performed to
achieve a new purpose defined by the data controller."
6
do not always have, it may arguably in some instances discourage their willingness to engage
in projects that involve citizen science and article 20 requests for data portability.
A Right of Transferability Only Applies to Personal data
Another important caveat that should be placed on the right of data portability as described
by the GDPR is that it applies only to personal data as provided by the data subject. This can
be split into two separate requirements i.e. (i) that the data be personal in nature and (ii) that it
be provided by the data subject.
Requirement (i) may appear self evident given that the GDPR in general only applies
to personal data. It would therefore be bizarre to expect that a right of data portability as
described in the GDPR could be applied to data that was not of a personal nature. Despite
being self evident this limitation nonetheless has some important implications. It means for
example that any data that has been anonymized does not fall under such a right. This
includes for example data that although anonymous may have been derived using personal
data (that may have been subsequently deleted). Even though such data may have been
derived from their personal data, a data subject will have no right to demand that such data be
transferred to another controller for purposes of scientific research.19
Requirement (ii) applies to data that may even be personal in nature. It places a limit
on the types of personal data that are subject to the right under Article 20 to the data that the
data subject has himself provided. This importantly excludes all other forms of secondary
personal data that has been derived from further processing. This will include for example the
results of various forms of analysis that have been performed on the original data that had
been provided by the data subject. Such a limitation exits inter alia to protect the commercial
secrets and strategies of commercial data processors who may have developed innovative
forms of data analysis.20 This exception however is likely to limit the application of the right
to data portability in a number of areas that could be of interest from the perspective of
citizen science. Imagine for instance the analysis of lifestyle data or the data that had been
provided by data subjects through wearable or other IoT devices. Such analysis could have
enormous research potential. Indeed, it may be such analysis (and not simply the storage of
the data) that represents the unique selling point of many data monitoring or storage
services.21 Imagine a commercial organization for example that offers fitness enthusiasts the
ability to (though wearable devices) monitor and upload their data to a cloud service and have
various forms of analysis provided to them concerning their performance and ways in which
they may be able to improve Such analysis may provide data subjects with knowledge and
useful perspectives that might not be apparent from the data alone. Such data may for similar
reasons also be appealing from the perspective of citizen science. The analyses performed on
such primary data may furthermore be highly innovative in nature and not easily repeatable
by other parties (for this reason it may often be considered a commercial secret), including by
researchers and research institutions. An assumption therefore that research institutions
maybe able to perform such an analysis may be misplaced (particularly for example when
one compares the relative resources and technical expertise of certain multinational data
controllers (e.g. Google, Amazon etc.) and those possessed by individual research
19 Recital 26 of the GDPR confirms that the regulation in general does not apply to anonymized data.
20 LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces Consumer Welfare- Antitrust and
Privacy Critique. Maryland Law Review, 72, 341-380.
21 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to
Consumers. The American Journal of Bioethics, 17, 72-74. LUPTON, D. 2016. The Quantified Self, John Wiley
& Sons, SWAN, M. 2013. The Quantified Self: Fundamental Disruption in Big Data Science and Biological
Discovery. Big Data, 1, 85-99.
7
institutions).22 Even if it were possible, it might entail the use of resources that may not in
reality be at the disposition or particular research institutions. As a result of this the lack of
applicability of article 20 of the GDPR to such data means that data subjects will not be able
to use it to invoke the transfer of various forms of data that could be particularly valuable for
scientific research.
It should be noted that this issue does not only apply to commercial service providers
in the area of fitness/lifestyle data but also controllers in a number of other important areas
also.23 This could include the providers of various medical or healthcare services that involve
the analysis of personal data. Imagine for instance medical clinic or institution that performed
various analytic techniques to draw conclusions on the health status of individuals. This could
be through an analysis of their medical records or data taken from various monitoring
devices. Once again, although such data could in theory be useful for scientific research it
will not be covered by the the right to data portability. The same would also apply to other
data that could be useful for research purposes including relating to social media.24 Such data
is the subject of constant and complex analysis for commercial reasons such as improving
targeted advertising. Such analysis may involve the discovery of correlations and
relationships that would be of immense interest inter alia to those interested in scientific
research given the potential links with areas ranging from medicine to sociology to
economics. Such data will not however be covered by article 20 GDPR.
5. The Importance of the Grounds for the Processing of the Data in Question.
(i) Grounds for Processing to Which Article 20 GDPR is Applicable
Article 20 is also limited given that it only applies to data that is processed on the basis of
two (of the many) grounds that are described in the GDPR. These cover data that is processed
after obtaining the "express consent" of the data subject or alternatively that the processing
was "necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract".25 These
grounds will cover some but by no means all of the potential types of personal data that might
be thought to be of use to citizen scientists. The first may for example cover the types of
relationship described above where individuals agree through formalized processes of
consent to provide their data so as to have it stored and or further processed. This could
include for instance lifestyle monitoring services or certain forms of processing related to
healthcare (where consent is the basis for processing - see discussion in (ii) below)). It may
also interestingly include data that had previously been provided to researchers or scientific
institutions precisely for the purpose of research (again where consent was the legal basis for
processing - see discussion in (ii) below). Imagine for instance where a data subject had
22 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it
becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
23 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of
the American Medical Association, 309, 1351-1352, BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data
mining in clinical medicine: current issues and guidelines. International Journal of Medical Informatics, 77, 81-
97.
24 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of
Psychological Practice. Prof Psychol Res Pr, 43, 622-626.
25 In terms of "consent", there is in is reality two legal grounds given that there are two type of consent
foreseen in the GDPR. The first is the "unambiguous informed consent" described in Article 6(1) that applied to
the use of personal data in general. The second is explicit consent for the use of special forms of data (e.g. health
data) described in Article 9(2).
8
consented to provide his or her medical, socioeconomic or other data to a research project in
the past. Given that such data may conceivably be of interest to other subsequent research
projects at other institutions it is possible that data subjects might want to make use of the
their rights under article 20 to transfer their data in order to facilitate research. The reuse of
research data is indeed something that has been encouraged more and more in recent years
(with the term 'recycling' often being used in a metaphor that seemingly sees not using 'old
data' as being wasteful).26 Such reuse of old research data could be seen as being compatible
with many of the aims of citizen science.
With regards to to the second ground discussed above one can imagine various
contracts that may have been concluded with various organizations to provide services or
deliver physical products. Imagine for instance streaming services for movies or music,
online stores such as Amazon etc. Whilst such information may appear banal viewed from the
perspective of a single individual, on a larger scale (i.e. where such data is available for many
individuals) it may provide extremely useful research material, allowing important
information relating to socioeconomic factors or even health status. Article 20 thus provides
the option of transferability for such data.
(ii) Grounds for Processing that Are Not Covered by Article 20
The two grounds discussed above, though important, represent only two of many potential
grounds for processing described within the GDPR. This essentially means that many types
of processing that are permitted under the GDPR will not be covered by the right to data
portability. Whilst a full consideration of the relevance of all such types of data processing to
citizen science is beyond the scope of this paper27 some potentially striking examples (given
their obvious relevance to research) are immediately obvious and are discussed below.
Processing is necessary for the purposes of preventive or occupational medicine - Whilst the
processing of health data is possible on the basis of explicit consent, this is not the only, or
perhaps the most important grounds for the processing of such data within the healthcare
sector.28 This is because there exists another legal basis that permits the processing of heath
data for processes of occupational medicine. The equivalent provision within Directive
95/46/EC (which has seemingly been widened within the GDPR)29 was traditionally used to
process medical data within the bounds of an ongoing treatment relationship with an
officially recognised medical professional who was subject to rules on confidentiality.30 Such
a ground has been traditionally used to process patient data in ways that were required as a
result of continued treatment within a particular practice or institution. It is such an exception
26 DYER, C. 2007. Stringent constraints on use of patients' data are harming research. British Medical
Journal, 335, 1114–1115, KAYE, J. 2012. The Tension Between Data Sharing and the Protection of Privacy in
Genomics Research. Annual Review of Genomics and Human Genetics, 13, 415–431, MURDOCH, T. &
DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of the American Medical
Association, 309, 1351-1352.
27 Numerous grounds for the processing of sensitive and non-sensitive data are described in articles 6 and 9 of
the GDPR.
28 QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data Protection and Medical
Device Frameworks ? Obstacles to the Deployment of mHealth across Europe? European Journal of Health
law, 20, 185-204, MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter and the spirit
of consent legal requirements. International Review of Law, Computers & Technology,
DOI:10.1080/13600869.2013.801581.
29 This ground currently exists in Article 9(2) of the GDPR.
30 Article 29 Data Protection Working Party. 2007. Working Document on the Processing of Personal Data
Relating to Health in Electronic Health Records (EHR), 00323/07/EN WP 131.
9
that allows a patient's data to be further processed without having to continuously re-obtain
consent, something which would be extremely laborious in large institutions. The practical
value of such a grounds for processing is that medical professionals and institutions do not
have to continuously ask patients for consent to process their data each time they have a new
consultations or undergo a new procedure. The availability of this pragmatic and frequently
used ground for processing means that an enormous quantity (if not most) personal medical
data is processed in such manner. Given that article 20 does not apply to processing
performed using such grounds this means that large quantities of health data may not be
subject to requests for transfer to a third party.
This may be unfortunate for citizen science enthusiasts given the potential for
research use of such data.31 Patient health records for example may go back years and contain
data on health, lifestyle and socioeconomic factors that are extremely useful for research.32
The fact that article 20 does not apply to such data does not mean of course that it can not be
used for research. There is nothing to stop researchers requesting the data in question from
healthcare providers and indeed from such providers providing the data (if they so wish).
They can not however be compelled to transfer such data, ether by the data subject or the
research institution. Likewise patients will still enjoy a right of access to their medical data
and will be able to receive a copy and then transfer it themselves to researchers or a research
institution. This however is subject to the many practical difficulties discussed in section 3
and must be considered to be an inferior option (in terms of facilitating citizen science at
least).
Processing is necessary for archiving purposes in the public interest, scientific or historical
research - Data used in and produced by scientific research may often be suitable for use in
subsequent research. To a certain extent it could be argued that there is a role for citizen
science in facilitating such reuse. This could occur for example were groups of research
subjects are able to demand that their research data be passed to further institutions for further
research. As discussed above, where the processing of such data was based upon consent this
may be possible. As with the processing of data for medical purposes however, whilst consent
is an important grounds for for processing of personal data by researchers or research
institutions, it is by no means the only one. This is because Article 9(2) of the GDPR also
provides that 'Scientific Research' is itself a valid ground for the processing of personal data.
There are therefore two grounds that exist in the GDPR for those wishing to conduct
scientific research. The former (i.e. consent) may often be seen as appealing from an ethical
perspective (indeed it may often be demanded by ethics bodies based at research institutions.
It does entail however a number of disadvantages.33 These notably include the administrative
complexity of organizing (the creation, dissemination and storage) consent forms, the
potential difficulty in tracing all data recipients, instances where data subjects may not
possess the capacity to give consent (e.g. the young or those with a lack of cognitive
capacity). Given these issues consent may often not be feasible and in suitable circumstances
31 TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User Control in the Age of Analytics.
Northwestern Journal of Technology and Intellectual Property, 11, 239-274. JENSEN, P., JENSEN, L. &
BRUNAK, S. 2012. Mining electronic health records: towards better research applications and clinical care.
Nature Reviews Genetics, 13, 395-405
32 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of
the American Medical Association, 309, 1351-1352, JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining
electronic health records: towards better research applications and clinical care. Nature Reviews Genetics, 13,
395-405
33 QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for Privacy that Should Not Be
Pushed Too Hard by the EU Data Protection Framework? European Journal of Health Law, 24, doi
10.1163/15718093-12341416.
10
(where important conditions are met) researchers may process personal data without the
consent of those involved. Where this is the case researchers may, if a number of conditions
are met, process personal data for scientific research without consent.34 This legal basis for
processing is often useful in large research projects that depend upon the use of extremely
large data sets (e.g. potentially harvested from electronic health records) and where obtaining
consent would not be feasible.
6. Transfer Outside of the EU
The world of modern research is truly global. The availability of online connectivity and the
ability to share information means that individuals may want, and be able, to share their data
with research institutions that are not located close by in physical terms. Such potential for
worldwide collaboration increases the chances that individuals or groups of individuals may
be able to find a research institution that could perform useful research on their data.35
Conversely, where individuals are restricted to small geographic areas or alternatively certain
legal jurisdictions, the chances of such a 'fit' between potential research subjects and
institution is reduced.
The good news (for advocates of citizen science) is that the one of the raisons d'être is
actually to facilitate the sharing of data over a wider area. It has for instance, as one of its
main aims, the facilitation of the sharing of data throughout the EU. Indeed, as the GDPR
itself states, it "seeks to harmonise the protection of fundamental rights and freedoms of
natural persons in respect of processing activities and to ensure the free flow of personal data
between Member States." As a result EU Data Protection legislation, including the GDPR
aims to create a situation where it is possible to move data around the European Union as if it
was a single legal jurisdiction.36 Moving data, inter alia for the purposes of citizen science
from one part of Europe should therefore pose little problems (where of course data
protection requirements have been met).37
The price of such a liberty to move personal data around Europe however is the
ability to transfer data outside of the EU. This is because, as the GDPR points out, the ability
to allow free movement of personal data across the EU can be permitted because of existence
of the same standards of data protection throughout the Union. This allows data subjects to be
sure that if their data is transferred from one part of the Union to another a similar standard of
protection will apply. This balance however does not hold for potential transfers outside the
EU. There the regulatory situation vis-à-vis data protection may be different, if not inferior.
This makes it difficult for for European data subjects to have confidence that their data will
be handled in a similar manner, or even have an idea of how such data may be handled. It is
for this reason that the GDPR (and its predecessor Directive 95/46/EC) imposes important
restrictions on the transfer of data outside of Europe.
In principle personal data can not be transferred out of the EU unless one of a number
of conditions are met. These include for example an adequacy decision on the part of the EU
Commission. This can occur where the Commission agrees that a " third country, a territory
or one or more specified sectors within that third country ensures an adequate level of
34 Ibid.
35 BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-RUSHING, A. &
PARISH, K. 2014. What Next for Citizen Science? Science, 343, 1436-1437.
36 GDPR Recital 3
37 It should however be recognized that Member States are, according to Article 9(4) of the GDPR able to
maintain their own respective laws that create additional requirements for sensitive data. This means that there
may for example be extra requirements on inter alia the transfer of health data. Such requirements may vary on
a state by state basis according to Member State Law.
11
protection"38 Such a decision may occur where the commission, after considering a number of
factors described in the GDPR has decided that an adequate level of protection will be
provided concerning the use of personal data.39 This includes the level of the rule of law in
the jurisdiction concerned (also taking into account any data protection legislation), the
existence of an data protection supervisory bodies, and any international agreements that may
exist with the state in which the jurisdiction in question is based.
These conditions are not however essential for the transfer of personal data to or
between researchers based outside the European Union. This is because the GDPR allows the
transfer of personal data outside the European Union in the event that informed consent of the
data subject has been secured.40 This is seemingly a good fit with the right to demand a
transfer of one's data under the GDPR. This is because article 20 self-evidently appears to
imply the need for the data subject to proactively make a request for such a transfer. In the
event that such a request concerned a transfer outside of Europe it would seemingly be
important (where a Commission adequacy decision does not exist), in order to be in
compliance with Article 49 of the GDPR, to provide the requisite information so that the data
subject could legitimately provide explicit consent to a transfer of his or her data outside the
EU. This would likely include information concerning the fact that no adequacy decision
existed, what the implications of such an absence are in layman's terms and the situation
concerning data protection in both the jurisdiction the data will be transferred to and the
specific context the data will be processed in. This requirement to provide sufficient
information for informed consent will require the data controller (i.e. who is to transfer the
data) to investigate whether the Commission had made an adequacy finding concerning the
jurisdiction in question and if not to research and take into account both the laws applicable
to the new data controller and the its own particular organizational situation. This is because
in order to provide the type of information that is required to provide truly informed consent
it will be necessary for the data controller (i.e. who is to conduct the transfer) to become
aware of such information and then to convey it to the data subject so that it can be
understood. In this regard a request for a transfer to a data controller outside of Europe would
differ importantly from that within Europe. This is because unlike the case with the latter, in
the former the data controller (who is to transfer the data) must make enquiries about the
ability of the potential new data controller to fulfill data protection obligations and explain
the results of such enquires to the data subject that made the request. There is doubt however
about whether data controller would in reality have to honour such a request for a data
transfer outside of Europe. The author of this paper would submit that there is some
ambiguity in the GDPR about whether a data subject has the right to compel a data processor
to transfer outside of Europe. This uncertainty arises for two main reasons. First, article 20
itself does not explicitly refer to such a situation. Second the articles of the GDPR that relate
to data transfers outside the European Union also do not refer to the right of transferability
described in Article 20. Given this, it seems likely that some data controllers may seek to
deny the applicability of article 20 to situations where they a request for transfer outside
Europe is made and no adequacy decision has been made by the Commission. The author
would submit that this may be seen as reasonable given that data controllers would be
required to investigate the legal situation in the new jurisdiction and the organizational
context of the new controller (including its abilities to provide for data protection
requirements). Such requirements are not part of article 20 in its normal context (i.e. transfers
within the EU) and thus make its applicability in extra EU transfers questionable as they
38GDPR Article 45(1)
39 GDPR Article 45(2)
40 Article 49(1)(a). Article 49 also spells out a number of other exceptions where such a transfer may be
possible. These exceptions are however beyond the scope of this paper and will not be considered futher here.
12
represent a burden that do not appear to be envisaged in article 20 itself. Case law may
ultimately be needed to settle this question.41
7. Conclusion.
At present we live in a time where there are grave concerns over the privacy of our data in the
social media age. Whilst such concerns are well merited it is important to remember that
concerns surrounding the use of our personal data are not only related to privacy. More
specifically whilst there are occasions where we may wish to prevent large and powerful data
controllers from doing certain things with our data (i.e. negative obligations), there are on
other occasions where we may want to compel them to do something (i.e. positive
obligations). This article looks at one such instance, the ability to of data subjects to compel
data controllers to transfer their data to another controller, in this case for purposes of 'citizen
science'.
In addition to technological and cultural developments, the developing legal
landscape will play a major role in deciding what is and what is not possible in terms of
citizen science.42 One of the most important of these developments in the notion of of 'a right
of data portability'' in the GDPR. This right will allow data subjects to ask data controllers to
transfer their personal data to a new data controller. Such a right is important to citizen
science for a number of reasons. First, individuals often do not collect and assemble
potentially useful data alone. Rather they often do so with the aid of third parties, for example
the use of online storage platforms that allow data to be accessed and manipulated in useful
ways. Where individuals want to make such data available for research there may thus often
be a need to have data transferred from one controller to another (e.g. a research institution).
Second, the ability to transfer the data directly between data controller and research
institution may be appealing because individual data subjects may not have the technical
knowledge or correct infrastructure to receive and transport it themselves. Such a right opens
up the possibility of using economies of scale to boost data transfers related to citizen
science. This may occur where where data controller and research organizations are able to
coordinate and arrange transfers – for instance where, in the case of one large data controller,
many data subjects have come forward and asked that their data be transferred to a particular
research institution. The possibility to arrange such transfers on a coordinated basis would
reduce investments in terms of time and cost for both data controllers and research
institutions and thus make many forms of potential research more feasible. Third, a right to
data portability as found in the GDPR goes beyond a right to access which has long existed
under Directive 95/46/EC. This is because unlike a right to access, which only provides for
the provision of data to the data subject in 'an intelligible form', the right to data
transferability allows for the data in question to be provided to the new controller in a form
that is 'interoperable'. This is important because depending solely on a 'right of access' would
not only involve intermediate transfer through the data subject (and all the technical and
organizational problems this may bring), but would also not include a requirement of
'interoperability' with the potential processing systems that might be used by a research
institution. Such a requirement means that the data should be provided directly to the
research institution in a way that would allow them to use it for their desired method of
processing.
41 See Article 29 Working Party Opinion on Data Portability, p6
42 For a good discussion on a number of legal requirements HOFFMAN, S. 2015. Citizen Science - The Law
and the Ethics of Public Access to Medical Big Data. Berkley Technology Law Journal, 30, DOI:
http://dx.doi.org/10.15779/Z385Z78.
13
As this paper discussed however, there are important limits to the right of
transferability at least as recognized to the GDPR. Four issues were outlined in this paper that
will to various extents, limit the extent of which this right can be used to further concrete
instances of citizen science. First, important limitation is that the right of portability only
applies to personal data that was provided by the data subject themselves. This rules out its
application to data that was derived by further processing of that data. This will have the
effect of ruling out the applicability of the right of portability to important data sets that will
contain potentially valuable information for researchers. This includes analysis of self-
monitoring data (e.g. from fitness or dietary) platforms, various forms of analysis carried out
for commercial purposes (e.g. advertising targeting) and for the purposes of healthcare.
A second is the concept of 'interoperability' itself. As the Article 29 working party
clearly stated, interoperability does not equate to compatibility. Whilst the latter would entail
providing data in a ready to use format, the former requires only the provision of data in a
manner that would allow it to be rendered useable. Such a concept accepts the likelihood that
a new data controller will have to further process such data in order to render it useful for its
purposes. It is therefore likely that that research institutions will have to conduct work on the
data being transferred in order to render it compatible. This could serve as a disincentive
where the resources of potential research institutions may be limited.
A third important factor is that the right of transferability is limited to instances where
the data held was being processed on the legal grounds that i) informed consent was provided
by the data subject in questions or ii) in order to fulfil a legally binding contract. Whilst such
legal grounds will cover a large range of contexts that could be of importance to citizen
science it will not cover many others. This may include for example, large amounts of data of
data that is held held in the electronic health records of medical institutions. Such data is
often processed under another legal basis i.e. for the 'purposes of preventive or occupational
medicine'. Likewise, the right of transferability will not apply to data that is being processed
for purposes of 'scientific research' (i.e. without relying on consent as a legal basis). This
means that individuals will in many cases not be able to demand researchers who have been
using their data to subsequently transfer it to another research institution. These limitations
on the right of transferability will dilute its potency and its potential usefulness to desired
instances of citizen science inter alia ruling out its application to important sources of
potential research data.
In addition to these explicit limitations of the right to transferability (as described in
the GDPR) a fourth factor arises through a number of ambiguities that give rise to
uncertainties surrounding its potential territorial application. Whilst the GDPR seemingly
confirms that a right of transferability will apply in instances where transfer is sought
anywhere within the EU, it is not certain as to whether it applies to requests made for the
transfer of data to controllers based outside of Europe. This is because whilst certain
conditionally must exist to allow external transfer (e.g. the existence of an EU Commission
Adequacy Decision or the existence of binding corporate rules on the use of data) such
conditionality can be dispensed with where the transfer in question is associated with the
provision of explicit consent on the part of the data subject. Given that such consent can be
obtained by the data controller when a portability request is made, one might reason that this
exception could also be made to apply to Article 20 requests outside the Union. Doubts as to
such an assumption may however be fuelled by the fact that such an exercise would entail
potentially significant efforts the part of the existing data controller, including the need to
ascertain the status of the proposed new data controller and the jurisdiction in which it is
based. Given that such efforts are not consistent with the light investigational duties that are
invoked within article 20 of the GDPRitself (i.e. on transfers within the EU), its applicability
to transfers outside the EU is at the very least debateable.
14
Bilbliography
BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data mining in clinical
medicine: current issues and guidelines. International Journal of
Medical Informatics, 77, 81-97.
BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,
ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing
Tool for Expanding Science Knowledge and Scienti=c Literacy.
BioScience, 59, 977-984.
BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-
RUSHING, A. & PARISH, K. 2014. What Next for Citizen Science?
Science, 343, 1436-1437.
DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity:
citizen science programmes as useful tools for conservation
biogeography. Diversity and Distributions, 16, 354-362.
DYER, C. 2007. Stringent constraints on use of patients' data are harming
research. British Medical Journal, 335, 1114–1115.
EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data
Commons and the Transformation of Citzen Science American
Journal of Law & Medicine, 42, 651-685.
HOFFMAN, S. 2015. Citizen Science - The Law and the Ethics of Public
Access to Medical Big Data. Berkley Technology Law Journal, 30,
DOI: http://dx.doi.org/10.15779/Z385Z78.
HUNTER, P. 2016. The big health data sale: As the trade of personal health
and medical data expands, it becomes necessary to improve legal
frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining electronic health
records: towards better research applications and clinical care.
Nature Reviews Genetics, 13, 395-405
KAYE, J. 2012. The Tension Between Data Sharing and the Protection of
Privacy in Genomics Research. Annual Review of Genomics and
Human Genetics, 13, 415–431.
KELLING, S., FINK, D., LA SORTE, F. A., JOHNSTON, A., BRUNS, N. E. &
HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data
quality in a citizen science project. Ambio, 44 Suppl 4, 601-11.
LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces
Consumer Welfare- Antitrust and Privacy Critique. Maryland Law
Review, 72, 341-380.
LUPTON, D. 2016. The Quanti*ed Self, John Wiley & Sons.
MADISON, M. 2014. Commons at the Intersection of Peer Production,
Citizen Science, and Big Data: Galaxy Zoo. In: FRISCHMANN, B.,
MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge
Commons. Oxford University Press.
15
MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter
and the spirit of consent legal requirements. International Review of
Law, Computers & Technology,
DOI:10.1080/13600869.2013.801581.
MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable
Computing and the Evolution of Psychological Practice. Prof Psychol
Res Pr, 43, 622-626.
MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to
Health Care. Journal of the American Medical Association, 309,
1351-1352.
NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. &
CROWSTON, K. 2012. The future of citizen science: emerging
technologies and shifting paradigms. Frontiers in Ecology and the
Environment, 10, 298-304.
PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From
Professional Athletes to Consumers. The American Journal of
Bioethics, 17, 72-74.
QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for
Privacy that Should Not Be Pushed Too Hard by the EU Data
Protection Framework? European Journal of Health Law, 24, doi
10.1163/15718093-12341416.
QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data
Protection and Medical Device Frameworks ? Obstacles to the
Deployment of mHealth across Europe? European Journal of Health
law, 20, 185-204.
SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol,
24, 467-71.
SWAN, M. 2013. The Quanti=ed Self: Fundamental Disruption in Big Data
Science and Biological Discovery. Big Data, 1, 85-99.
TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User
Control in the Age of Analytics. Northwestern Journal of Technology
and Intellectual Property, 11, 239-274.
16
... impactful in establishing long-lasting, consistent, generalized and scalable citizens' engagement processes (Anhalt-Depies et al., 2019, Quinn, 2018. ...
... Short-term financing schemes and fragmentation affect the sustainability and long-term achievements of citizen science projects. Intellectual property, licensing, and data protection are serious challenges that need to be managed (Quinn, 2018). Relevant opportunities offered by citizens' distributed monitoring networks and affordable opportunistic sensing, require government and financial support, multi-sectoral coordination and long-term vision (Dixon et al., 2020). ...
Article
Full-text available
Widely available digital technologies are empowering citizens who are increasingly well informed and involved in numerous water, climate, and environmental challenges. Citizen science can serve many different purposes, from the “pleasure of doing science” to complementing observations, increasing scientific literacy, and supporting collaborative behaviour to solve specific water management problems. Still, procedures on how to incorporate citizens’ knowledge effectively to inform policy and decision-making are lagging behind. Moreover, general conceptual frameworks are unavailable, preventing the widespread uptake of citizen science approaches for more participatory cross-sectorial water governance. In this work, we identify the shared constituents, interfaces and interlinkages between hydrological sciences and other academic and non-academic disciplines in addressing water issues. Our goal is to conceptualize a transdisciplinary framework for valuing citizen science and advancing the hydrological sciences. Joint efforts between hydrological, computer and social sciences are envisaged for integrating human sensing and behavioural mechanisms into the framework. Expanding opportunities of online communities complement the fundamental value of on-site surveying and indigenous knowledge. This work is promoted by the Citizens AND HYdrology (CANDHY) Working Group established by the International Association of Hydrological Sciences (IAHS).
... Article 20 applies to data that has been submitted by an individual subject to data subject consent or a contract, and accordingly has a relatively limited operation. Despite the relatively limited circumstances in which it applies, this right may have a direct impact on citizen science with Internet of Things devices (Quinn, 2018). Therefore, researchers should integrate strategies to deal with these concerns in their study protocol. ...
Book
Full-text available
Social innovations are usually understood as new ideas, initiatives, or solutions that make it possible to meet the challenges of societies in fields such as social security, education, employment, culture, health, environment, housing, and economic development. On the one hand, many citizen science activities serve to achieve scientific as well as social and educational goals. Thus, these actions are opening an arena for introducing social innovations. On the other hand, some social innovations are further developed, adapted, or altered after the involvement of scientist-supervised citizens (laypeople or volunteers) in research and with the use of the citizen science tools and methods such as action research, crowdsourcing, and community-based participatory research. Such approaches are increasingly recognized as crucial for gathering data, addressing community needs, and creating engagement and cooperation between citizens and professional scientists. However, there are also various barriers to both citizen science and social innovation. For example, management, quality and protection of data, funding difficulties, non-recognition of citizens' contributions, and limited inclusion of innovative research approaches in public policies. In this volume, we open theoretical as well as empirically-based discussion, including examples, practices, and case studies of at least three types of relations between citizen science and social innovation: (1) domination of the citizen science features over social innovation aspects; (2) domination of the social innovation features over the citizen science aspects; and (3) the ways to achieve balance and integration between the social innovation and citizen science features. Each of these relationships highlights factors that influence the development of the main scales of sustainability of innovations in the practice. These innovations are contributing to a new paradigm of learning and sharing knowledge as well as interactions and socio-psychological development of participants. Also, there are factors that influence the development of platforms, ecosystems, and sustainability of innovations such as broad use of the information and communications technologies (ICTs) including robotics and automation; emerging healthcare and health promotion models; advancements in the development and governance of smart, green, inclusive and age-friendly cities and communities; new online learning centers; agri-food, cohousing or mobility platforms; and engagement of citizens into co-creation or co-production of services delivered by public, private, non-governmental (NGOs) organizations as well as non-formal entities.
... Public attitudes towards the donation of personal data One of the principal aims of the General Data Protection Regulation 12 is to afford greater control over personal data to the individual 13 , and the right to data portability (Article 20) has provided a legally mandated mechanism that can be used for the general public to obtain and donate their individual digital footprint data (an individual's trail of online data 14 ) for research purposes 15 . We refer to data donation as 'an act of active consent of an individual to donate their personal data for research' 16 . ...
Article
Full-text available
Background: Commercial transaction records, such as data collected through banking and retail loyalty cards, present a novel opportunity for longitudinal population studies to capture data on participants’ real-world behaviours and interactions. However, little is known about participant attitudes towards donating transactional records for this purpose. This study aimed to: (i) explore the attitudes of longitudinal population study participants towards sharing their transactional records for health research and data linkage; and (ii) explore the safeguards that researchers should consider implementing when looking to request transactional data from participants for data linkage studies. Methods: Participants in the Avon Longitudinal Study of Parents and Children were invited to a series of three focus groups with semi-structured discussions designed to elicit opinions. Through asking participants to attend three focus groups we aimed to facilitate more in-depth discussions around the potentially complex topic of data donation and linkage. Thematic analysis was used to sort data into overarching themes addressing the research questions. Results: Participants (n= 20) expressed a variety of attitudes towards data linkage, which were associated with safeguards to address concerns. This data was sorted into three themes: understanding, trust, and control. We discuss the importance of explaining the purpose of data linkage, consent options, who the data is linked with and sensitivities associated with different parts of transactional data. We describe options for providing further information and controls that participants consider should be available when studies request access to transactional records. Conclusions: This study provides initial evidence on the attitudes and concerns of participants of a longitudinal cohort study towards transactional record linkage. The findings suggest a number of safeguards which researchers should consider when looking to recruit participants for similar studies, such as the importance of ensuring participants have access to appropriate information, control over their data, and trust in the organisation.
... A wealth of diverse sources of data have emerged that can be of use for research (Connelly et al. 2016). These can vary from social media activity, phone tracking and efforts at citizen science (where individuals collect their own data for research purposes) Quinn 2018). 1 The ability to collect and combine any of these forms of 'big data' mean that researchers have a wealth of data to analyze for various research purposes. At the same time, computing power has been increasing enormously, meaning that the various analytical processes that can be applied to such data has increased greatly. ...
Article
Full-text available
Scientific research is indispensable inter alia in order to treat harmful diseases, address societal challenges and foster economic innovation. Such research is not the domain of a single type of organization but can be conducted by a range of different entities in both the public and private sectors. Given that the use of personal data may be indispensable for many forms of research, the data protection framework will play an important role in determining not only what types of research may occur but also which types of actors may carry it out. This article looks at the role the EU’s General Data Regulation plays in determining which types of actors can conduct research with personal data. In doing so it focuses on the various legal bases that are available and attempts to discern whether the GDPR can be said to favour research in either the public or private domains. As this article explains, the picture is nuanced, with either type of research actor enjoying advantages and disadvantages in specific contexts.
... Article 20 applies to data that has been submitted by an individual subject to data subject consent or a contract, and accordingly has a relatively limited operation. Despite the relatively limited circumstances in which it applies, this right may have a direct impact on citizen science with Internet of Things devices (Quinn, 2018). Therefore, researchers should integrate strategies to deal with these concerns in their study protocol. ...
Article
Full-text available
Digital innovation is ever more present and increasingly integrated into citizen science research. However, smartphones and other connected devices come with specific features and characteristics and, in consequence, raise particular ethical issues. This article addresses this important intersection of citizen science and the Internet of Things by focusing on how such ethical issues are communicated in scholarly literature. To answer this research question, this article presents a scoping review of published scientific studies or case studies of scientific studies that utilize both citizen scientists and Internet of Things devices. Specifically, this scoping review protocol retrieved studies where the authors had included at least a short discussion of the ethical issues encountered during the research process. A full text analysis of relevant articles conducted inductively and deductively identified three main categories of ethical issues being communicated: autonomy and data privacy, data quality, and intellectual property. Based on these categories, this review offers an overview of the legal and social innovation implications raised. This review also provides recommendations for researchers who wish to innovatively integrate citizen scientists and Internet of Things devices into their research based on the strategies researchers took to resolve these ethical issues.
... Therefore, researchers should integrate strategies to deal with these concerns in their study protocol. A number of theoretical and case study derived frameworks define how both citizen scientists and Internet of Things devices should be integrated into research projects (Evans, 2020;Rothstein et al, 2015, Quinn, 2018. These frameworks focus on specific ethical and legal issues that may arise from using Internet of Things devices in citizen science projects, including how citizen science projects can comply with privacy legislation in particular jurisdictions. ...
Preprint
Full-text available
Our chapter presents a scoping review of published scientific studies or case studies of scientific studies that utilise both citizen scientists and Internet of Things devices. Specifically, we selected studies where the authors had included at least a short discussion of the ethical issues encountered during the research process. Having conducted a search of five databases (IEEE Xplore, Scopus, Web of Science, ProQuest, and PubMed), we identified 631 potential results. Following abstract and title screening, and then full text eligibility assessment, we identified 34 published articles that matched our criteria. We then analysed the full text for these articles inductively and deductively, coding ethical issues into three main categories. These categories were autonomy and data privacy, data quality, and intellectual property. We also analysed the full text of these articles to see what strategies researchers took to resolve these ethical issues, as well as any legal implications raised. Following this analysis, our discussion provides recommendations for researchers who wish to integrate citizen scientists and Internet of Things devices into their research. First, all citizen science projects should integrate a data privacy protocol to protect the confidentiality of participants. Secondly, scientific researchers should consider any potential issues of data quality, including whether compromises might be required, before establishing a project. Finally, all intellectual property issues should be clarified both at the start of the project and during its lifecycle. Researchers should also consider any ethical issues that might flow from the use of commercially available Internet of Things devices for research.
... No infrastructure for data provision. Limitations in data portability, central to citizen science, for transferring the data to other sources (Quinn, 2018) No continuity after the project is closed. There is a major CS contribution on the virtual level and provision of data on line, which make it difficult to feed to the SDGs monitoring framework. ...
Article
Citizen Science, known as the participation of individuals and groups in scientific processes, is an increasingly growing discipline, which can contribute for the achievement of the Sustainable Development Goals. The UN Agenda 2030 for Sustainable Development is all-inclusive, where every contribution is valid. Participation, partnerships, education, sustainable living and global citizenship, all of which can build on Citizen Science activities, are crucial for the Sustainable Development Goals. In this context, this study aims at exploring several collaboration channels for Citizen Science-related activities and the Agenda 2030. Challenges and critical aspects are discussed based on the opinions of practitioners collected through a comprehensive online survey. Furthermore, recommendations for future involvement are given on a framework of interactions at different levels for Citizen Science and the Agenda 2030.
... Public attitudes towards the donation of personal data One of the principal aims of the General Data Protection Regulation 12 is to afford greater control over personal data to the individual 13 , and the right to data portability (Article 20) has provided a legally mandated mechanism that can be used for the general public to obtain and donate their individual digital footprint data (an individual's trail of online data 14 ) for research purposes 15 . We refer to data donation as 'an act of active consent of an individual to donate their personal data for research' 16 . ...
Article
Full-text available
Background: Commercial transaction records, such as data collected through banking and retail loyalty cards, present a novel opportunity for longitudinal population studies to capture data on participants’ real-world behaviours and interactions. However, little is known about participant attitudes towards donating transactional records for this purpose. This study aimed to: (i) explore the attitudes of longitudinal population study participants towards sharing their transactional records for health research and data linkage; and (ii) explore the safeguards that researchers should consider implementing when looking to request transactional data from participants for data linkage studies. Methods: Participants in the Avon Longitudinal Study of Parents and Children were invited to a series of three focus groups with semi-structured discussions designed to elicit opinions. Through asking participants to attend three focus groups we aimed to facilitate more in-depth discussions around the potentially complex topic of data donation and linkage. Thematic analysis was used to sort data into overarching themes addressing the research questions. Results: Participants (n= 20) expressed a variety of attitudes towards data linkage, which were associated with safeguards to address concerns. This data was sorted into three themes: information, trust, and control. We discuss the importance of explaining the purpose of data linkage, consent options, who the data is linked with and sensitivities associated with different parts of transactional data. We describe options for providing further information and controls that participants consider should be available when studies request access to transactional records. Conclusions: This study provides initial evidence on the attitudes and concerns of participants of a longitudinal cohort study towards transactional record linkage. The findings suggest a number of safeguards which researchers should consider when looking to recruit participants for similar studies, such as the importance of ensuring participants have access to appropriate information, control over their data, and trust in the organisation.
... The data resulting from the analysis made of the data collected by a health wearable device, for example, is thus not covered by this right, despite its potential benefit further research. 64 Under HIPAA, individuals have a comparable right to get their information transferred from one health service provider to another. Data portability in the US context can, however, lead to a weakened protection of health data, as personal health information (PHI) is only protected when held by 'covered entities', for example, health plans, health care clearinghouses, and any health care provider. ...
... When new research questions arise, the use of previously collected data for these new questions can become difficult given the requirements of the GDPR to indicate the intended use of the data in advance. In addition, international cooperative research (i.e., also conducted outside the EU), may conflict with the GDPR (Quinn 2018). ...
Article
Full-text available
The neoliberal turn in science has led to the economisation of knowledge, economic criteria for evaluating research, and a retreat of the state from governance of the scientific system. These steps have important ramifications for citizen science. On one hand, citizen science may add to the neoliberalization of science by filling gaps in “traditional science,” such as providing free environmental data or delivering public goods such as education or environmental knowledge. On the other hand, citizen science may provide a way to buck the trend of neoliberalization, by promoting new forms of societal cooperation and mutual learning that may lead to more social cohesion and sustainability, as well as safeguard a non-economized sphere. In this way, citizen science is ambivalent: It can either strengthen or challenge neoliberalization of science. This article describes this idea in more detail and presents practical suggestions for how to manage them, ranging from openly curated data over different types of feedback systems to the development of mutual learning spaces.
Article
Full-text available
Personal health data is essential to many forms of scientific research. Such data may come from a large variety of sources including electronic health records (EHRs), datasets used for previous research and from data linked to biobanks. European data protection law recognises that in addition to using consent as a legal basis for the processing of personal health data for scientific research, such data may be used without consent where it is in the ‘public interest’. Despite the existence of such a legal option, ethics bodies in a number of states have shown reticence to utilise it, often pushing researchers into either obtaining consent or anonymising the data in question. Whilst the latter option may be appealing from a legal point of view, if carried out properly, the result may be that the research value of the data is reduced or even destroyed.
Article
Full-text available
Data from well-designed experiments provide the strongest evidence of causation in biodiversity studies. However, for many species the collection of these data is not scalable to the spatial and temporal extents required to understand patterns at the population level. Only data collected from citizen science projects can gather sufficient quantities of data, but data collected from volunteers are inherently noisy and heterogeneous. Here we describe a ‘Big Data’ approach to improve the data quality in eBird, a global citizen science project that gathers bird observations. First, eBird’s data submission design ensures that all data meet high standards of completeness and accuracy. Second, we take a ‘sensor calibration’ approach to measure individual variation in eBird participant’s ability to detect and identify birds. Third, we use species distribution models to fill in data gaps. Finally, we provide examples of novel analyses exploring population-level patterns in bird distributions.
Article
Full-text available
A key contemporary trend emerging in big data science is the quantified self (QS)–individuals engaged in the self-tracking of any kind of biological, physical, behavioral, or environmental information as n=1 individuals or in groups. There are opportunities for big data scientists to develop new models to support QS data collection, integration, and analysis, and also to lead in defining open-access database resources and privacy standards for how personal data is used. Next-generation QS applications could include tools for rendering QS data meaningful in behavior change, establishing baselines and variability in objective metrics, applying new kinds of pattern recognition techniques, and aggregating multiple self-tracking data streams from wearable electronics, biosensors, mobile phones, genomic data, and cloud-based services. The long-term vision of QS activity is that of a systemic monitoring approach where an individual's continuous personal information climate provides real-time performance optimization suggestions. There are some potential limitations related to QS activity—barriers to widespread adoption and a critique regarding scientific soundness—but these may be overcome. One interesting aspect of QS activity is that it is fundamentally a quantitative and qualitative phenomenon since it includes both the collection of objective metrics data and the subjective experience of the impact of these data. Some of this dynamic is being explored as the quantified self is becoming the qualified self in two new ways: by applying QS methods to the tracking of qualitative phenomena such as mood, and by understanding that QS data collection is just the first step in creating qualitative feedback loops for behavior change. In the long-term future, the quantified self may become additionally transformed into the extended exoself as data quantification and self-tracking enable the development of new sense capabilities that are not possible with ordinary senses. The individual body becomes a more knowable, calculable, and administrable object through QS activity, and individuals have an increasingly intimate relationship with data as it mediates the experience of reality.
Article
Full-text available
The knowledge commons research framework is applied to a case of commons governance grounded in research in modern astronomy. The case, Galaxy Zoo, is a leading example of at least three different contemporary phenomena. In the first place Galaxy Zoo is a global citizen science project, in which volunteer non-scientists have been recruited to participate in large-scale data analysis via the Internet. In the second place Galaxy Zoo is a highly successful example of peer production, sometimes known colloquially as crowdsourcing, by which data are gathered, supplied, and/or analyzed by very large numbers of anonymous and pseudonymous contributors to an enterprise that is centrally coordinated or managed. In the third place Galaxy Zoo is a highly visible example of data-intensive science, sometimes referred to as e-science or Big Data science, by which scientific researchers develop methods to grapple with the massive volumes of digital data now available to them via modern sensing and imaging technologies. This chapter synthesizes these three perspectives on Galaxy Zoo via the knowledge commons framework.
Article
Full-text available
Psychological assessment and intervention are extending from the clinic into daily life. Multiple forces are at play: Advances in mobile technology, constrained clinical care, and consumer demand for contextualized, nonstigmatizing, and low-cost alternatives are beginning to change the face of psychological assessment and interventions. Mobile, social, and wearable technologies are now enabling individuals to measure themselves and to integrate myriad forms of help and entertainment. The massive data sets generated by self-tracking of mood and passive sensing of voice, activity, and physiology may eventually reorganize taxonomies of mental health concerns. Compelling mobile therapies will also emerge, involving contextually appropriate, entertaining, and dynamic feedback to provide help in the context of daily life. The efficacy of such applications will be tested through citizen science as well as clinical trials. This article reviews technical advances that can be applied to enhance assessment and intervention and dramatically increase access to psychotherapy. It is recommended that, in addition to exploring clinically oriented products, practitioners should support patients' use of direct-to-consumer applications in ways that align with therapeutic objectives. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Major pitfall, till now, has been the tendency of our federal regulations to enshrine a data-holder-centric view, in which data holders assemble large-scale data resources by invoking individual consent exceptions to free data for socially beneficial research on terms, and subject to privacy and security protections, in which the data subjects - the people whose data are used - have no real voice. The goal of consumer-driven data commons is to grant people the voice they have previously been denied and, by doing so, engage citizens more actively in the task of assembling the hundred-million-person and even billion-person cohorts that twenty-first-century science ultimately will require.
Article
In its draft Data Protection Regulation, the European Union has announced a major new economic and human right – the right to data portability ('RDP'). The basic idea of the RDP is that an individual would be able to transfer his or her material from one information service to another, without hindrance. For instance, consumers would have a legal right to get an immediate and full download of their data held by a social network such as Facebook, a cloud provider, or a smartphone app.Although the idea of data portability is appealing, the RDP as defined in Article 18 of the draft Regulation is unprecedented and problematic. Part I explains Article 18, whose text appears to require software and online service providers to create what we call an 'Export-Import Module,' or software code that exports data seamlessly from the first service to the second service. The requirements would apply globally, for any entity that sells to an E.U. resident.Part II critiques the RDP in light of the teachings of E.U. competition and U.S. antitrust law. Competition law has long addressed the problems of lock-in and high switching costs that form a chief justification for the RDP. The RDP, however, applies to small enterprises, where there is essentially no risk of lock-in. In contrast to competition law, the RDP applies to all online services even where there is no market power and no barrier to entry. Article 18 more generally is in conflict with the rules in competition law about exclusionary conduct – it creates a per se prohibition where competition law would apply a rule of reason approach. Competition law would consider the many efficiencies that result from a service provider deciding which functions and formats to include in its products, which undergo rapid innovation.Part III shows that Article 18 also suffers serious difficulties as a matter of privacy or data protection law. Proponents have claimed the RDP is a new fundamental human right, aiding the individual’s autonomy for online activities. No jurisdiction has experimented with anything resembling the proposed Article 18, however, casting serious doubt on its status as a new human right. Among other difficulties, Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported 'without hindrance,' then one moment of identity fraud can turn into a lifetime breach of personal data. Part IV shows that Article 18 goes far beyond previous legal rules that specifically address interoperability.In conclusion, the novel RDP is justified by the supposed benefits to consumers. As drafted, however, the RDP likely reduces consumer welfare, as articulated after long experience in competition law. It also creates risks to privacy that are not addressed in the current text. The RDP deserves far more scrutiny before becoming a mandate that applies globally to software and online services.
Article
We live in an age of “big data.” Data have become the raw material of production, a new source for immense economic and social value. Advances in data mining and analytics and the massive increase in computing power and data storage capacity have expanded by orders of magnitude the scope of information available for businesses and government. Data are now available for analysis in raw form, escaping the confines of structured databases and enhancing researchers’ abilities to identify correlations and conceive of new, unanticipated uses for existing information. In addition, the increasing number of people, devices, and sensors that are now connected by digital networks has revolutionized the ability to generate, communicate, share, and access data. Data creates enormous value for the world economy, driving innovation, productivity, efficiency and growth. At the same time, the “data deluge” presents privacy concerns which could stir a regulatory backlash dampening the data economy and stifling innovation. In order to craft a balance between beneficial uses of data and in individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of “personally identifiable information”, the role of individual control, and the principles of data minimization and purpose limitation. This article emphasizes the importance of providing individuals with access to their data in usable format. This will let individuals share the wealth created by their information and incentivize developers to offer user-side features and applications harnessing the value of big data. Where individual access to data is impracticable, data are likely to be de-identified to an extent sufficient to diminish privacy concerns. In addition, organizations should be required to disclose their decisional criteria, since in a big data world it is often not the data but rather the inferences drawn from them that give cause for concern.