ArticlePDF Available

Is the GDPR and Its Right to Data Portability a Major Enabler of Citizen Science?

June 2018
Global Jurist 18(2)

DOI:10.1515/gj-2018-0021

Authors:

Vrije Universiteit Brussel

Citizen science is an emerging trend with an ever greater number of adherents. It involves the collection and contribution of large amounts of data by private individuals for scientific research. Often such data will concern the individuals themselves and will be collected through processes of self monitoring. This phenomenon has been greatly influenced by the Internet of Things (IoT) and the connectivity of a wide range monitoring devices through the internet. In collecting such data use will often be made of the services of various commercial organisations, for example that offer cloud storage services. The possibility of data portability is extremely important in citizen science as it allows individuals (or data subjects) to be able move their data from one source to another (i. e. to new areas of scientific research). This article explores the limits and possibilities that legal rights to data portability offer, in particular the new right as outlined by the European Union’s General Data Protection Regulation. In doing so this article will look at where this right (and how it operates in the international legal context) is able to facilitate the phenomenon of citizen science.

Content uploaded by Paul Quinn

Content may be subject to copyright.

Is the GDPR and its Right to Data Portability a Major Enabler of Citizen

Science?

Paul Quinn

Abstract

Citizen science is an emerging trend with an ever greater number of adherents. It involves the

collection and contribution of large amounts of data by private individuals for scientific

research. Often such data will concern the individuals themselves and will be collected

through processes of self monitoring. This phenomenon has been greatly influenced by the

Internet of Things (IoT) and the connectivity of a wide range monitoring devices through the

internet. In collecting such data use will often be made of the services of various commercial

organisations, for example that offer cloud storage services. The possibility of data

portability is extremely important in citizen science as it allows individuals (or data subjects)

to be able move their data from one source to another (i.e. to new areas of scientific

research). This article explores the limits and possibilities that legal rights to data portability

offer, in particular the new right as outlined by the European Union's General Data

Protection Regulation. In doing so this article will look at where this right (and how it

operates in the international legal context) is able to facilitate the phenomenon of citizen

science.

1. Introduction

The amount of data in existence that can be used for research is increasing in an exponential

fashion. Similarly, the ability of individuals (both technically and legally) to to collect,

assemble and deliver their data for research purposes is also increasing. These developments

have boosted movements and attitudes that have often been termed as citizen science. This

movement relates broadly to the idea that individuals can play an active role in collecting

personal data and providing it for scientific research. In doing so it is argued they are able to

boost the chances that certain types of research may occur. Central to the concept of citizen

science is the idea that data should be portable, i.e. that individuals should be able to transfer

their data from various sources to research institutions.

This article looks at the phenomenon from a legal perspective, focusing on the the

role data portability as a legal right has to play in boosting this movement. In particular, it

will focus on the right of data portability as described in the EU's recent General Data

Protection Regulation (the GDPR). In doing so it will look at how the GDPR facilitates the

right of data portability throughout the European Union, and potentially to jurisdictions

beyond its borders. The ability of individuals to use this right to have their personal data

transferred from existing data controllers to research institutions may allow initiatives

associated with concepts of citizen science to prosper. As this article discusses however there

are a number of aspects concerning the formulation of this right within the GDPR that may

serve to lessen its impact.

Section 2 of this article discusses the concept of citizen science and why it has been

growing in prominence in recent times. Section 3 discusses the importance of data portability

to citizen science. Section 4 will look at how, on the one hand the GDPR introduces a right of

data probability and how it offers potential for individuals interested in participating in citizen

science based initiatives and on the other, it leaves areas of data processing that will not be

subject to the right of data portability and the likely effects this may have on citizen science.

Section 5 analyses what the limited application of the 'right to data portability to limited legal

bases for the processing of personal data is likely to mean. Section 6 discusses the likely

territorial application of the right to data portability and its implications for citizen science

initiatives to op-operate on an international level.

2. Citizen Science as a Growing Phenomenon

Citizen science is not a new phenomenon but it is certainly a growing trend that is allowing

important changes in the way scientific research is occurring.1 Prominent examples of citizen

science go back hundreds of years, including for example a prominent experiment in 1830s

Britain that involved hundreds of members of the public to monitor 650 different costal

locations.2 Whilst there are numerous other examples in the intervening period of the use of

large groups of private individuals to coordinate and execute the collection of data for

experimental purposes the phenomenon of citizen science had been greatly boosted in recent

times. This is due to developments in the both the digitization of personal data and the ability

to coordinate and share such data that have come with the development of the online web and

social media.3 This is primarily for two reasons. First, the digitisation of personal data allows

individuals to record and organise their data in ways that were not previously possible. This

includes the capture of new forms of data (though the Internet of Things (IOT) and devices

such as 'wearables') and the ability to store and organise it more efficiently e.g. using mobile

phones, powerful personal computers and online storage. Second, online connectivity,

including through social media platforms allows data subjects to contact each other and

researchers. This allows the formation of groups who have the desire to promote scientific

research certain areas through the collection, organisation and sharing of personal of data

concerning a particular issue. These developments have allowed individuals to come together

and pool potentially interesting data in ways that was not previously possible. Individuals

may for example be able to learn through social media that there are others that share health

issues that requires further research. Using wearables and access to electronic health records

individuals for instance can in theory pool large longitudinal data sets that are potentially

interesting to researchers.4

Such endeavours are seen as being conducive to research in potentially different ways

with visons of what actually constitutes citizen science that vary in breadth and scope.5 A

narrower view sees an important role for groups of engaged individuals to be able to respond

to open calls by researchers to come forward with data on a particular issue. In such a vision

researchers remain both the inspiration and architects of the research programme that is to be

carried out. They may conceive of the need for it and design the experiment in question,

appealing to individuals to come forward with useful data that they have collected in order to

allow the experiment in question to be carried out. In such a scenario the data subject can be

thought of as a benevolent form of 'free labour'; that makes itself available to a research

project in order to further its aims.

1 DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity: citizen science programmes

as useful tools for conservation biogeography. Diversity and Distributions, 16, 354-362.

2 MADISON, M. 2014. Commons at the Intersection of Peer Production, Citizen Science, and Big Data:

Galaxy Zoo. In: FRISCHMANN, B., MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge

Commons. Oxford University Press.

3 NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. & CROWSTON, K. 2012. The

future of citizen science: emerging technologies and shifting paradigms. Frontiers in Ecology and the

Environment, 10, 298-304.

4 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to Consumers.

The American Journal of Bioethics, 17, 72-74.

5 SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol, 24, 467-71.

A broader and perhaps more ambitious conception of citizen science sees the citizen

as the true master of the research in question (i.e. in place of the research institution). In such

a vision, it is the citizen (i.e. the data subjects themselves) who through networking and

discussion see the need for research to be conducted in a certain area.6 It is their ability to

collect, store and collate the data that they see as being useful that provides them with the

power to induce certain forms of research.7 In being able to create such pools of data they are

able to attract researchers who may find the research opportunity it presents to be attractive.

The ability to collect, store, collate and transmit such data to interested researchers represents

a source of power for citizen scientists potentially allowing them collectively bargain with

competing research institutions and and ensure that the type of research they want occurs. 8

This latter interpretation of citizen science sees the individual lay person acting more out of

self-interest (rather than a sense civic virtue) and through the power that comes of grouping

with other similarly minded individuals, deciding what research is to take place (in place of

the professional scientist and the institution he or she is attached to).

Of course, these points exist on a spectrum at either end of potential manifestations of

citizen science. There are many manifestations that are possible between the two and many

that may share elements of both. Individuals may for example become citizen scientists both

out of self interest and a a result of a sense of civic duty.9 Similarly it may well be difficult in

reality to draw a clear line in discerning whether research is proposed and conducted because

of the availability of data through active citizen science or whether such citizen scientists are

mobilised in response to institutional calls for research data. Whatever the particular

manifestation there are a number of criteria that must be met in order for citizen science to

occur. These include, the ability to record data, the ability to store it, the ability to access it,

and that it is portable (i.e. that it can be transferred to a research institution). The importance

of transferability or portability is discussed below.

3. The Importance of Data Portability to Citizen Science.

(i) The Need for Both 'Interoperability' and 'Transferability'

All of the requirements described above (i.e. the ability to record and observe) are without

doubt indispensable for citizen science to occur. Even if they are fulfilled however the ability

to transfer (or share) data (i.e. that it is portable) is a sina qua non for citizen science to

occur. Even if individuals are able to record and store their data, practicing citizen science

will not be possible in situations where individuals and groups of individuals are not able to

transfer useful personal data to interested researchers. The same goes if data subjects are

simply provided with access to their personal data by a data controller (imagine for example

the provider of a mHealth service). Access alone to personal data (a well established right in

6 One of the most important areas for citizen science that is not focused upon in this paper is within ecology

and environment projects. See: BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,

ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing Tool for Expanding Science

Knowledge and Scientific Literacy. BioScience, 59, 977-984. KELLING, S., FINK, D., LA SORTE, F. A.,

JOHNSTON, A., BRUNS, N. E. & HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data quality in

a citizen science project. Ambio, 44 Suppl 4, 601-11.

7 EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data Commons and the

Transformation of Citzen Science American Journal of Law & Medicine, 42, 651-685.

8 For further discussion on this see an article publish on the online site 'The Conversation entitled " Expanding

citizen science models to enhance open innovation" available at:

https://theconversation.com/expanding-citizen-science-models-to-enhance-open-innovation-61554

9 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of

Psychological Practice. Prof Psychol Res Pr, 43, 622-626.

data protection law)10 may mean little if it if it does not equate to a possibility to transfer data

to a researchers for further analysis. 11 Rights of access to one's personal data as is

traditonally found in data protection may not be sufficient to fully facilitate citizen science.

This is because to ensure portability two important elements are required, elements that may

not be present in tradtional rights to access data. The most important of these elements are

described below.

A Requirement of Interoperability -A right to access for instance may not not provide a right

to receive personal data in a form that is 'interoperable' with the processing systems of

another potential controller, including those of a potential researcher institution. This was for

example the situation with the right to access in the EU Data Protection Directive (95/46/EC).

Providing data in a form that is 'intelligible' to the data subject does not entail providing data

in a form that is functionally readable by other controllers. 'Intelligible' would rather seem to

refer to the ability of humans to be able to comprehend the data that is provided (and does not

refer to interoperability with other processing systems).12 Intelligible can thus best be thought

of as a duty to provide data, even if complex in some manner that will allow human data

subjects to comprehend it in terms of it what can be deduced from it. In modern information

society where data sets may be enormous and complex, this may in reality translate into a

duty to effectively summarise the data in 'human readable format' so that the data subject can

understand it. Providing data in its raw form would be unlikely to meet a duty to provide

intelligible data, largely because it would be meaningless to the data subject (largely because

such data would be stored in a way that is machine readable). In this regard the right to access

found in the GDPR certainly goes further than the Directive 95/46/EC does stating: 13

"The controller shall provide a copy of the personal data undergoing processing. Where the data

subject makes the request by electronic means, and unless otherwise requested by the data subject, the

information shall be provided in a commonly used electronic form."

Whilst a requirement of providing personal data in "a commonly used electronic form" goes

far further in providing requirements in terms of interoperability (see further discussion in

section 4), it still provides arguably little in terms of direct transferability (discussed below)

A Duty to Facilitate a Data Transfer – A Right to Access does not provide any any right to

have data transferred to a third party, including a research institution. Transferability is

important because it places the responsibility of data transfer with the data controller and not

the data subject. This is important for a number of reasons.

Perhaps most importantly the data controller is likely to have a higher level of

technical ability and experience than the data subject. It may have numerous personnel other

organizational strengths (in comparison with an individual data subject). It may also

importantly possess a key advantage in terms of economies of scale. This is because a single

service provider, especially if it is a large one with a key position in the market, may receive

10 That data subjects might want access to their data is something that has been long recognised in data

protection. The original European Data Protection Directive (95/46/EC) Data Protection (in recital 41)

recognised a right of data subjects to access their data stating: "Whereas any person must be able to exercise the

right of access to data relating to him which are being processed, in order to verify in particular the accuracy of

the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have

the right to know the logic involved in the automatic processing of data concerning him, at least in the case of

the automated decisions…)"

11 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it

becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and

ensuring the quality of data. EMBO Rep, 17, 1103-5.

12 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016) p14.

13 GDPR Article 14(3)

many requests from individuals who whish that their data is transferred to a particular

research institution. In such a context it will likely be a far more simple affair for one or a few

data controllers to contact and liaise with a particular research institution (than it would be for

thousands of data subjects). In such a manner discerning the necessary technical and

organizational arrangements that must be made in order to facilitate transfer is likely to be far

more efficient. An alternative scenario whereby research institutions had to liaises

individually with every data subject on technical adjustments that would have to be made in

order to facilitate transfer would in reality entail many more technical discussions between

research institutions and individual research subjects. Furthermore, such discussions would

likely be much more difficult given that individual research subjects would not be likely to

possess the same technical knowledge or abilities. The ability of data subjects to comply with

the technical requirements for transfer posed by the research institution are likely to be much

less than it would be for a large data controller. Alternatively, whilst research institutions

might in certain circumstances be willing to take on the all the responsibility themselves for

making data compatible for their research ends, the ability to do so would be severely

reduced where all data is provided by research subjects on a completely individual basis. In

such instances data may vary in format or even the method in which it is delivered (e.g. by

online file transfer, by DVD or by email). Taking on such variability would represent a costly

affair that could well hamper research. The ability therefore to deal with one or a few data

controllers who would transfer numerous data sets would be advantageous and encourage

research institutions to engage with citizen science initiatives.

4. The GDPR and its Right to Data Portability.

In what may be seen as an advance for the concept of citizen science the GDPR includes a

new right to data portability. Article 20 states:

"The data subject shall have the right to receive the personal data concerning him or her, which he or

she has provided to a controller, in a structured, commonly used and machine-readable format and

have the right to transmit those data to another controller without hindrance from the controller to

which the personal data have been provided."

There are two things that are immediately apparent and of potential relevance to this paper.

The first is that there is a right to receive code in a 'machine readable format' (also found with

the GDPR's strengthened 'right of access''.14 This appears to supplement the GDPR's right to

access (discussed above) and link it firmly with a right to data portability. This is important

from the perspective of interoperability of the data in question and thus increasing the

chances that it can be used for the purposes of scientific research. The second is that is

bestows the right upon a data subject of asking for direct transfer to another controller. As

section 3 discusses this requirement is important from the perspective of citizen science given

that for a number of reasons, it may often be the original data controller and not the data

subject who is best placed to execute the transfer of data. Article 20 can therefore be thought

of as improvement of the situation vis-à-vis the needs of citizen scientists. As the following

pages of this paper will discuss, this will facilitate citizen science activities in a number of

areas and should therefore be welcomed. At the same time there are however a number of

important elements that will likely serve to limit the ability of individuals and researchers to

use this article to further citizen science. The most important are summarized in the sections

below.

14 GDPR Article 14(3)

Limits to the concept of 'machine readable'

Whilst the concept of 'machine readability' might sound promising it is important not to read

it in too expansive a maner. In particular a duty upon data controllers to produce machine

readable data to not entail an obligation to make such data compatible for all purposes that

might be desired. As the Article 29 Working Party points out "portability aims to produce

interoperable systems not compatible systems".15 The latter (i.e. compatibility) would entail

an obligation upon the data controller to ensure that the data provided was directly

compatible with the intended purposes and processing systems of the proposed new controller

(to whom the data was to be passed). Although such a vision would make things easier for

both the data subject and the new controller (who would receive data that would be directly

ready for use) this would represent a heavy (if not impossible burden) on the original

controller.16 This is because all of the burden in terms of ensuring compatibility would fall

almost entirely upon that original controller. This would entail ensuring that the data that was

being transferred was completely compatible (i.e. ready to use) with whatever processing

systems were being used by the new controller. Given that there could be numerous different

formats and systems used by a new controller this would effectively mean a duty to modify

and tailor data to the needs of any data controller that a data subjected demanded transfer to.

Such a duty would likely act as a deterrent to data processing in general given that data

controllers would have to ensure that they had the capacity (in terms of both personnel and

technical expertise) to make such modifications if they were demanded.

It is for such reasons that a duty of 'compatibility' of transferred data is not realistic. It

also explains why the Article 29 working party emphasized that Article 20 of the GDPR

amounted to a duty of 'interoperability'.17 This represents a lower threshold and consequently

poses less of a burden on the original data controller. Such a duty represents a shared burden

where not only the original data controller but also the new one (a research institution in this

context) would have to make efforts so as to ensure compatibility. This is because

interoperability is normally taken as referring to a a duty to use one of a number of

commonly available formats.18 Although such formats may not be directly compatible with

the processing systems of a new controller they should be in such a form that that new

controller will be able to work upon and make compatible. Interoperability thus entails work

for both the original controller, who must ensure that the data meets such a format and for the

new controller who will have to further process the data into a new form that is compatible

with its desired purposes. Such a duty can not thus be considered as representing a maximum

facilitation of citizen science though it may however be a more realistic requirement. This is

because Article 20 will still entail a large amount of work on behalf of a research institution

from to make data compatible. Given that this will require resources that research institutions

15 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016)

16 As the Article 29 Working Party guidelines state (p13): Given the wide range of potential data types that

could be processed by a data controller, the GDPR does not impose specific recommendations on the format of

the personal data to be provided. The most appropriate format will differ across sectors and adequate formats

may already exist, but should always be chosen to achieve the purpose of being interpretable. Formats that are

subject to costly licensing constraints would not be considered an adequate approach.

17 Recital 68 of the GDPR states: "The data subject's right to transmit or receive personal data concerning

him or her should not create an obligation for the controllers to adopt or maintain processing systems which are

technically compatible."

18 As the Article 29 Working Party guidelines state (p15) "As such, data portability implies an additional layer

of data processing by data controllers, in order to extract data from the platform and filter out personal data

outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional

data processing will be considered as an accessory to the main data processing, since it is not performed to

achieve a new purpose defined by the data controller."

do not always have, it may arguably in some instances discourage their willingness to engage

in projects that involve citizen science and article 20 requests for data portability.

A Right of Transferability Only Applies to Personal data

Another important caveat that should be placed on the right of data portability as described

by the GDPR is that it applies only to personal data as provided by the data subject. This can

be split into two separate requirements i.e. (i) that the data be personal in nature and (ii) that it

be provided by the data subject.

Requirement (i) may appear self evident given that the GDPR in general only applies

to personal data. It would therefore be bizarre to expect that a right of data portability as

described in the GDPR could be applied to data that was not of a personal nature. Despite

being self evident this limitation nonetheless has some important implications. It means for

example that any data that has been anonymized does not fall under such a right. This

includes for example data that although anonymous may have been derived using personal

data (that may have been subsequently deleted). Even though such data may have been

derived from their personal data, a data subject will have no right to demand that such data be

transferred to another controller for purposes of scientific research.19

Requirement (ii) applies to data that may even be personal in nature. It places a limit

on the types of personal data that are subject to the right under Article 20 to the data that the

data subject has himself provided. This importantly excludes all other forms of secondary

personal data that has been derived from further processing. This will include for example the

results of various forms of analysis that have been performed on the original data that had

been provided by the data subject. Such a limitation exits inter alia to protect the commercial

secrets and strategies of commercial data processors who may have developed innovative

forms of data analysis.20 This exception however is likely to limit the application of the right

to data portability in a number of areas that could be of interest from the perspective of

citizen science. Imagine for instance the analysis of lifestyle data or the data that had been

provided by data subjects through wearable or other IoT devices. Such analysis could have

enormous research potential. Indeed, it may be such analysis (and not simply the storage of

the data) that represents the unique selling point of many data monitoring or storage

services.21 Imagine a commercial organization for example that offers fitness enthusiasts the

ability to (though wearable devices) monitor and upload their data to a cloud service and have

various forms of analysis provided to them concerning their performance and ways in which

they may be able to improve Such analysis may provide data subjects with knowledge and

useful perspectives that might not be apparent from the data alone. Such data may for similar

reasons also be appealing from the perspective of citizen science. The analyses performed on

such primary data may furthermore be highly innovative in nature and not easily repeatable

by other parties (for this reason it may often be considered a commercial secret), including by

researchers and research institutions. An assumption therefore that research institutions

maybe able to perform such an analysis may be misplaced (particularly for example when

one compares the relative resources and technical expertise of certain multinational data

controllers (e.g. Google, Amazon etc.) and those possessed by individual research

19 Recital 26 of the GDPR confirms that the regulation in general does not apply to anonymized data.

20 LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces Consumer Welfare- Antitrust and

Privacy Critique. Maryland Law Review, 72, 341-380.

21 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to

Consumers. The American Journal of Bioethics, 17, 72-74. LUPTON, D. 2016. The Quantified Self, John Wiley

& Sons, SWAN, M. 2013. The Quantified Self: Fundamental Disruption in Big Data Science and Biological

Discovery. Big Data, 1, 85-99.

institutions).22 Even if it were possible, it might entail the use of resources that may not in

reality be at the disposition or particular research institutions. As a result of this the lack of

applicability of article 20 of the GDPR to such data means that data subjects will not be able

to use it to invoke the transfer of various forms of data that could be particularly valuable for

scientific research.

It should be noted that this issue does not only apply to commercial service providers

in the area of fitness/lifestyle data but also controllers in a number of other important areas

also.23 This could include the providers of various medical or healthcare services that involve

the analysis of personal data. Imagine for instance medical clinic or institution that performed

various analytic techniques to draw conclusions on the health status of individuals. This could

be through an analysis of their medical records or data taken from various monitoring

devices. Once again, although such data could in theory be useful for scientific research it

will not be covered by the the right to data portability. The same would also apply to other

data that could be useful for research purposes including relating to social media.24 Such data

is the subject of constant and complex analysis for commercial reasons such as improving

targeted advertising. Such analysis may involve the discovery of correlations and

relationships that would be of immense interest inter alia to those interested in scientific

research given the potential links with areas ranging from medicine to sociology to

economics. Such data will not however be covered by article 20 GDPR.

5. The Importance of the Grounds for the Processing of the Data in Question.

(i) Grounds for Processing to Which Article 20 GDPR is Applicable

Article 20 is also limited given that it only applies to data that is processed on the basis of

two (of the many) grounds that are described in the GDPR. These cover data that is processed

after obtaining the "express consent" of the data subject or alternatively that the processing

was "necessary for the performance of a contract to which the data subject is party or in order

to take steps at the request of the data subject prior to entering into a contract".25 These

grounds will cover some but by no means all of the potential types of personal data that might

be thought to be of use to citizen scientists. The first may for example cover the types of

relationship described above where individuals agree through formalized processes of

consent to provide their data so as to have it stored and or further processed. This could

include for instance lifestyle monitoring services or certain forms of processing related to

healthcare (where consent is the basis for processing - see discussion in (ii) below)). It may

also interestingly include data that had previously been provided to researchers or scientific

institutions precisely for the purpose of research (again where consent was the legal basis for

processing - see discussion in (ii) below). Imagine for instance where a data subject had

22 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it

becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and

ensuring the quality of data. EMBO Rep, 17, 1103-5.

23 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of

the American Medical Association, 309, 1351-1352, BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data

mining in clinical medicine: current issues and guidelines. International Journal of Medical Informatics, 77, 81-

97.

24 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of

Psychological Practice. Prof Psychol Res Pr, 43, 622-626.

25 In terms of "consent", there is in is reality two legal grounds given that there are two type of consent

foreseen in the GDPR. The first is the "unambiguous informed consent" described in Article 6(1) that applied to

the use of personal data in general. The second is explicit consent for the use of special forms of data (e.g. health

data) described in Article 9(2).

consented to provide his or her medical, socioeconomic or other data to a research project in

the past. Given that such data may conceivably be of interest to other subsequent research

projects at other institutions it is possible that data subjects might want to make use of the

their rights under article 20 to transfer their data in order to facilitate research. The reuse of

research data is indeed something that has been encouraged more and more in recent years

(with the term 'recycling' often being used in a metaphor that seemingly sees not using 'old

data' as being wasteful).26 Such reuse of old research data could be seen as being compatible

with many of the aims of citizen science.

With regards to to the second ground discussed above one can imagine various

contracts that may have been concluded with various organizations to provide services or

deliver physical products. Imagine for instance streaming services for movies or music,

online stores such as Amazon etc. Whilst such information may appear banal viewed from the

perspective of a single individual, on a larger scale (i.e. where such data is available for many

individuals) it may provide extremely useful research material, allowing important

information relating to socioeconomic factors or even health status. Article 20 thus provides

the option of transferability for such data.

(ii) Grounds for Processing that Are Not Covered by Article 20

The two grounds discussed above, though important, represent only two of many potential

grounds for processing described within the GDPR. This essentially means that many types

of processing that are permitted under the GDPR will not be covered by the right to data

portability. Whilst a full consideration of the relevance of all such types of data processing to

citizen science is beyond the scope of this paper27 some potentially striking examples (given

their obvious relevance to research) are immediately obvious and are discussed below.

Processing is necessary for the purposes of preventive or occupational medicine - Whilst the

processing of health data is possible on the basis of explicit consent, this is not the only, or

perhaps the most important grounds for the processing of such data within the healthcare

sector.28 This is because there exists another legal basis that permits the processing of heath

data for processes of occupational medicine. The equivalent provision within Directive

95/46/EC (which has seemingly been widened within the GDPR)29 was traditionally used to

process medical data within the bounds of an ongoing treatment relationship with an

officially recognised medical professional who was subject to rules on confidentiality.30 Such

a ground has been traditionally used to process patient data in ways that were required as a

result of continued treatment within a particular practice or institution. It is such an exception

26 DYER, C. 2007. Stringent constraints on use of patients' data are harming research. British Medical

Journal, 335, 1114–1115, KAYE, J. 2012. The Tension Between Data Sharing and the Protection of Privacy in

Genomics Research. Annual Review of Genomics and Human Genetics, 13, 415–431, MURDOCH, T. &

DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of the American Medical

Association, 309, 1351-1352.

27 Numerous grounds for the processing of sensitive and non-sensitive data are described in articles 6 and 9 of

the GDPR.

28 QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data Protection and Medical

Device Frameworks ? Obstacles to the Deployment of mHealth across Europe? European Journal of Health

law, 20, 185-204, MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter and the spirit

of consent legal requirements. International Review of Law, Computers & Technology,

DOI:10.1080/13600869.2013.801581.

29 This ground currently exists in Article 9(2) of the GDPR.

30 Article 29 Data Protection Working Party. 2007. Working Document on the Processing of Personal Data

Relating to Health in Electronic Health Records (EHR), 00323/07/EN WP 131.

that allows a patient's data to be further processed without having to continuously re-obtain

consent, something which would be extremely laborious in large institutions. The practical

value of such a grounds for processing is that medical professionals and institutions do not

have to continuously ask patients for consent to process their data each time they have a new

consultations or undergo a new procedure. The availability of this pragmatic and frequently

used ground for processing means that an enormous quantity (if not most) personal medical

data is processed in such manner. Given that article 20 does not apply to processing

performed using such grounds this means that large quantities of health data may not be

subject to requests for transfer to a third party.

This may be unfortunate for citizen science enthusiasts given the potential for

research use of such data.31 Patient health records for example may go back years and contain

data on health, lifestyle and socioeconomic factors that are extremely useful for research.32

The fact that article 20 does not apply to such data does not mean of course that it can not be

used for research. There is nothing to stop researchers requesting the data in question from

healthcare providers and indeed from such providers providing the data (if they so wish).

They can not however be compelled to transfer such data, ether by the data subject or the

research institution. Likewise patients will still enjoy a right of access to their medical data

and will be able to receive a copy and then transfer it themselves to researchers or a research

institution. This however is subject to the many practical difficulties discussed in section 3

and must be considered to be an inferior option (in terms of facilitating citizen science at

least).

Processing is necessary for archiving purposes in the public interest, scientific or historical

research - Data used in and produced by scientific research may often be suitable for use in

subsequent research. To a certain extent it could be argued that there is a role for citizen

science in facilitating such reuse. This could occur for example were groups of research

subjects are able to demand that their research data be passed to further institutions for further

research. As discussed above, where the processing of such data was based upon consent this

may be possible. As with the processing of data for medical purposes however, whilst consent

is an important grounds for for processing of personal data by researchers or research

institutions, it is by no means the only one. This is because Article 9(2) of the GDPR also

provides that 'Scientific Research' is itself a valid ground for the processing of personal data.

There are therefore two grounds that exist in the GDPR for those wishing to conduct

scientific research. The former (i.e. consent) may often be seen as appealing from an ethical

perspective (indeed it may often be demanded by ethics bodies based at research institutions.

It does entail however a number of disadvantages.33 These notably include the administrative

complexity of organizing (the creation, dissemination and storage) consent forms, the

potential difficulty in tracing all data recipients, instances where data subjects may not

possess the capacity to give consent (e.g. the young or those with a lack of cognitive

capacity). Given these issues consent may often not be feasible and in suitable circumstances

31 TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User Control in the Age of Analytics.

Northwestern Journal of Technology and Intellectual Property, 11, 239-274. JENSEN, P., JENSEN, L. &

BRUNAK, S. 2012. Mining electronic health records: towards better research applications and clinical care.

Nature Reviews Genetics, 13, 395-405

32 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of

the American Medical Association, 309, 1351-1352, JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining

electronic health records: towards better research applications and clinical care. Nature Reviews Genetics, 13,

395-405

33 QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for Privacy that Should Not Be

Pushed Too Hard by the EU Data Protection Framework? European Journal of Health Law, 24, doi

10.1163/15718093-12341416.

(where important conditions are met) researchers may process personal data without the

consent of those involved. Where this is the case researchers may, if a number of conditions

are met, process personal data for scientific research without consent.34 This legal basis for

processing is often useful in large research projects that depend upon the use of extremely

large data sets (e.g. potentially harvested from electronic health records) and where obtaining

consent would not be feasible.

6. Transfer Outside of the EU

The world of modern research is truly global. The availability of online connectivity and the

ability to share information means that individuals may want, and be able, to share their data

with research institutions that are not located close by in physical terms. Such potential for

worldwide collaboration increases the chances that individuals or groups of individuals may

be able to find a research institution that could perform useful research on their data.35

Conversely, where individuals are restricted to small geographic areas or alternatively certain

legal jurisdictions, the chances of such a 'fit' between potential research subjects and

institution is reduced.

The good news (for advocates of citizen science) is that the one of the raisons d'être is

actually to facilitate the sharing of data over a wider area. It has for instance, as one of its

main aims, the facilitation of the sharing of data throughout the EU. Indeed, as the GDPR

itself states, it "seeks to harmonise the protection of fundamental rights and freedoms of

natural persons in respect of processing activities and to ensure the free flow of personal data

between Member States." As a result EU Data Protection legislation, including the GDPR

aims to create a situation where it is possible to move data around the European Union as if it

was a single legal jurisdiction.36 Moving data, inter alia for the purposes of citizen science

from one part of Europe should therefore pose little problems (where of course data

protection requirements have been met).37

The price of such a liberty to move personal data around Europe however is the

ability to transfer data outside of the EU. This is because, as the GDPR points out, the ability

to allow free movement of personal data across the EU can be permitted because of existence

of the same standards of data protection throughout the Union. This allows data subjects to be

sure that if their data is transferred from one part of the Union to another a similar standard of

protection will apply. This balance however does not hold for potential transfers outside the

EU. There the regulatory situation vis-à-vis data protection may be different, if not inferior.

This makes it difficult for for European data subjects to have confidence that their data will

be handled in a similar manner, or even have an idea of how such data may be handled. It is

for this reason that the GDPR (and its predecessor Directive 95/46/EC) imposes important

restrictions on the transfer of data outside of Europe.

In principle personal data can not be transferred out of the EU unless one of a number

of conditions are met. These include for example an adequacy decision on the part of the EU

Commission. This can occur where the Commission agrees that a " third country, a territory

or one or more specified sectors within that third country … ensures an adequate level of

34 Ibid.

35 BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-RUSHING, A. &

PARISH, K. 2014. What Next for Citizen Science? Science, 343, 1436-1437.

36 GDPR Recital 3

37 It should however be recognized that Member States are, according to Article 9(4) of the GDPR able to

maintain their own respective laws that create additional requirements for sensitive data. This means that there

may for example be extra requirements on inter alia the transfer of health data. Such requirements may vary on

a state by state basis according to Member State Law.

protection"38 Such a decision may occur where the commission, after considering a number of

factors described in the GDPR has decided that an adequate level of protection will be

provided concerning the use of personal data.39 This includes the level of the rule of law in

the jurisdiction concerned (also taking into account any data protection legislation), the

existence of an data protection supervisory bodies, and any international agreements that may

exist with the state in which the jurisdiction in question is based.

These conditions are not however essential for the transfer of personal data to or

between researchers based outside the European Union. This is because the GDPR allows the

transfer of personal data outside the European Union in the event that informed consent of the

data subject has been secured.40 This is seemingly a good fit with the right to demand a

transfer of one's data under the GDPR. This is because article 20 self-evidently appears to

imply the need for the data subject to proactively make a request for such a transfer. In the

event that such a request concerned a transfer outside of Europe it would seemingly be

important (where a Commission adequacy decision does not exist), in order to be in

compliance with Article 49 of the GDPR, to provide the requisite information so that the data

subject could legitimately provide explicit consent to a transfer of his or her data outside the

EU. This would likely include information concerning the fact that no adequacy decision

existed, what the implications of such an absence are in layman's terms and the situation

concerning data protection in both the jurisdiction the data will be transferred to and the

specific context the data will be processed in. This requirement to provide sufficient

information for informed consent will require the data controller (i.e. who is to transfer the

data) to investigate whether the Commission had made an adequacy finding concerning the

jurisdiction in question and if not to research and take into account both the laws applicable

to the new data controller and the its own particular organizational situation. This is because

in order to provide the type of information that is required to provide truly informed consent

it will be necessary for the data controller (i.e. who is to conduct the transfer) to become

aware of such information and then to convey it to the data subject so that it can be

understood. In this regard a request for a transfer to a data controller outside of Europe would

differ importantly from that within Europe. This is because unlike the case with the latter, in

the former the data controller (who is to transfer the data) must make enquiries about the

ability of the potential new data controller to fulfill data protection obligations and explain

the results of such enquires to the data subject that made the request. There is doubt however

about whether data controller would in reality have to honour such a request for a data

transfer outside of Europe. The author of this paper would submit that there is some

ambiguity in the GDPR about whether a data subject has the right to compel a data processor

to transfer outside of Europe. This uncertainty arises for two main reasons. First, article 20

itself does not explicitly refer to such a situation. Second the articles of the GDPR that relate

to data transfers outside the European Union also do not refer to the right of transferability

described in Article 20. Given this, it seems likely that some data controllers may seek to

deny the applicability of article 20 to situations where they a request for transfer outside

Europe is made and no adequacy decision has been made by the Commission. The author

would submit that this may be seen as reasonable given that data controllers would be

required to investigate the legal situation in the new jurisdiction and the organizational

context of the new controller (including its abilities to provide for data protection

requirements). Such requirements are not part of article 20 in its normal context (i.e. transfers

within the EU) and thus make its applicability in extra EU transfers questionable as they

38GDPR Article 45(1)

39 GDPR Article 45(2)

40 Article 49(1)(a). Article 49 also spells out a number of other exceptions where such a transfer may be

possible. These exceptions are however beyond the scope of this paper and will not be considered futher here.

represent a burden that do not appear to be envisaged in article 20 itself. Case law may

ultimately be needed to settle this question.41

7. Conclusion.

At present we live in a time where there are grave concerns over the privacy of our data in the

social media age. Whilst such concerns are well merited it is important to remember that

concerns surrounding the use of our personal data are not only related to privacy. More

specifically whilst there are occasions where we may wish to prevent large and powerful data

controllers from doing certain things with our data (i.e. negative obligations), there are on

other occasions where we may want to compel them to do something (i.e. positive

obligations). This article looks at one such instance, the ability to of data subjects to compel

data controllers to transfer their data to another controller, in this case for purposes of 'citizen

science'.

In addition to technological and cultural developments, the developing legal

landscape will play a major role in deciding what is and what is not possible in terms of

citizen science.42 One of the most important of these developments in the notion of of 'a right

of data portability'' in the GDPR. This right will allow data subjects to ask data controllers to

transfer their personal data to a new data controller. Such a right is important to citizen

science for a number of reasons. First, individuals often do not collect and assemble

potentially useful data alone. Rather they often do so with the aid of third parties, for example

the use of online storage platforms that allow data to be accessed and manipulated in useful

ways. Where individuals want to make such data available for research there may thus often

be a need to have data transferred from one controller to another (e.g. a research institution).

Second, the ability to transfer the data directly between data controller and research

institution may be appealing because individual data subjects may not have the technical

knowledge or correct infrastructure to receive and transport it themselves. Such a right opens

up the possibility of using economies of scale to boost data transfers related to citizen

science. This may occur where where data controller and research organizations are able to

coordinate and arrange transfers – for instance where, in the case of one large data controller,

many data subjects have come forward and asked that their data be transferred to a particular

research institution. The possibility to arrange such transfers on a coordinated basis would

reduce investments in terms of time and cost for both data controllers and research

institutions and thus make many forms of potential research more feasible. Third, a right to

data portability as found in the GDPR goes beyond a right to access which has long existed

under Directive 95/46/EC. This is because unlike a right to access, which only provides for

the provision of data to the data subject in 'an intelligible form', the right to data

transferability allows for the data in question to be provided to the new controller in a form

that is 'interoperable'. This is important because depending solely on a 'right of access' would

not only involve intermediate transfer through the data subject (and all the technical and

organizational problems this may bring), but would also not include a requirement of

'interoperability' with the potential processing systems that might be used by a research

institution. Such a requirement means that the data should be provided directly to the

research institution in a way that would allow them to use it for their desired method of

processing.

41 See Article 29 Working Party Opinion on Data Portability, p6

42 For a good discussion on a number of legal requirements HOFFMAN, S. 2015. Citizen Science - The Law

and the Ethics of Public Access to Medical Big Data. Berkley Technology Law Journal, 30, DOI:

http://dx.doi.org/10.15779/Z385Z78.

As this paper discussed however, there are important limits to the right of

transferability at least as recognized to the GDPR. Four issues were outlined in this paper that

will to various extents, limit the extent of which this right can be used to further concrete

instances of citizen science. First, important limitation is that the right of portability only

applies to personal data that was provided by the data subject themselves. This rules out its

application to data that was derived by further processing of that data. This will have the

effect of ruling out the applicability of the right of portability to important data sets that will

contain potentially valuable information for researchers. This includes analysis of self-

monitoring data (e.g. from fitness or dietary) platforms, various forms of analysis carried out

for commercial purposes (e.g. advertising targeting) and for the purposes of healthcare.

A second is the concept of 'interoperability' itself. As the Article 29 working party

clearly stated, interoperability does not equate to compatibility. Whilst the latter would entail

providing data in a ready to use format, the former requires only the provision of data in a

manner that would allow it to be rendered useable. Such a concept accepts the likelihood that

a new data controller will have to further process such data in order to render it useful for its

purposes. It is therefore likely that that research institutions will have to conduct work on the

data being transferred in order to render it compatible. This could serve as a disincentive

where the resources of potential research institutions may be limited.

A third important factor is that the right of transferability is limited to instances where

the data held was being processed on the legal grounds that i) informed consent was provided

by the data subject in questions or ii) in order to fulfil a legally binding contract. Whilst such

legal grounds will cover a large range of contexts that could be of importance to citizen

science it will not cover many others. This may include for example, large amounts of data of

data that is held held in the electronic health records of medical institutions. Such data is

often processed under another legal basis i.e. for the 'purposes of preventive or occupational

medicine'. Likewise, the right of transferability will not apply to data that is being processed

for purposes of 'scientific research' (i.e. without relying on consent as a legal basis). This

means that individuals will in many cases not be able to demand researchers who have been

using their data to subsequently transfer it to another research institution. These limitations

on the right of transferability will dilute its potency and its potential usefulness to desired

instances of citizen science inter alia ruling out its application to important sources of

potential research data.

In addition to these explicit limitations of the right to transferability (as described in

the GDPR) a fourth factor arises through a number of ambiguities that give rise to

uncertainties surrounding its potential territorial application. Whilst the GDPR seemingly

confirms that a right of transferability will apply in instances where transfer is sought

anywhere within the EU, it is not certain as to whether it applies to requests made for the

transfer of data to controllers based outside of Europe. This is because whilst certain

conditionally must exist to allow external transfer (e.g. the existence of an EU Commission

Adequacy Decision or the existence of binding corporate rules on the use of data) such

conditionality can be dispensed with where the transfer in question is associated with the

provision of explicit consent on the part of the data subject. Given that such consent can be

obtained by the data controller when a portability request is made, one might reason that this

exception could also be made to apply to Article 20 requests outside the Union. Doubts as to

such an assumption may however be fuelled by the fact that such an exercise would entail

potentially significant efforts the part of the existing data controller, including the need to

ascertain the status of the proposed new data controller and the jurisdiction in which it is

based. Given that such efforts are not consistent with the light investigational duties that are

invoked within article 20 of the GDPRitself (i.e. on transfers within the EU), its applicability

to transfers outside the EU is at the very least debateable.

Bilbliography

BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data mining in clinical

medicine: current issues and guidelines. International Journal of

Medical Informatics, 77, 81-97.

BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,

ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing

Tool for Expanding Science Knowledge and Scienti=c Literacy.

BioScience, 59, 977-984.

BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-

RUSHING, A. & PARISH, K. 2014. What Next for Citizen Science?

Science, 343, 1436-1437.

DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity:

citizen science programmes as useful tools for conservation

biogeography. Diversity and Distributions, 16, 354-362.

DYER, C. 2007. Stringent constraints on use of patients' data are harming

research. British Medical Journal, 335, 1114–1115.

EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data

Commons and the Transformation of Citzen Science American

Journal of Law & Medicine, 42, 651-685.

HOFFMAN, S. 2015. Citizen Science - The Law and the Ethics of Public

Access to Medical Big Data. Berkley Technology Law Journal, 30,

DOI: http://dx.doi.org/10.15779/Z385Z78.

HUNTER, P. 2016. The big health data sale: As the trade of personal health

and medical data expands, it becomes necessary to improve legal

frameworks for protecting patient anonymity, handling consent and

ensuring the quality of data. EMBO Rep, 17, 1103-5.

JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining electronic health

records: towards better research applications and clinical care.

Nature Reviews Genetics, 13, 395-405

KAYE, J. 2012. The Tension Between Data Sharing and the Protection of

Privacy in Genomics Research. Annual Review of Genomics and

Human Genetics, 13, 415–431.

KELLING, S., FINK, D., LA SORTE, F. A., JOHNSTON, A., BRUNS, N. E. &

HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data

quality in a citizen science project. Ambio, 44 Suppl 4, 601-11.

LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces

Consumer Welfare- Antitrust and Privacy Critique. Maryland Law

Review, 72, 341-380.

LUPTON, D. 2016. The Quanti*ed Self, John Wiley & Sons.

MADISON, M. 2014. Commons at the Intersection of Peer Production,

Citizen Science, and Big Data: Galaxy Zoo. In: FRISCHMANN, B.,

MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge

Commons. Oxford University Press.

MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter

and the spirit of consent legal requirements. International Review of

Law, Computers & Technology,

DOI:10.1080/13600869.2013.801581.

MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable

Computing and the Evolution of Psychological Practice. Prof Psychol

Res Pr, 43, 622-626.

MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to

Health Care. Journal of the American Medical Association, 309,

1351-1352.

NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. &

CROWSTON, K. 2012. The future of citizen science: emerging

technologies and shifting paradigms. Frontiers in Ecology and the

Environment, 10, 298-304.

PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From

Professional Athletes to Consumers. The American Journal of

Bioethics, 17, 72-74.

QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for

Privacy that Should Not Be Pushed Too Hard by the EU Data

Protection Framework? European Journal of Health Law, 24, doi

10.1163/15718093-12341416.

QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data

Protection and Medical Device Frameworks ? Obstacles to the

Deployment of mHealth across Europe? European Journal of Health

law, 20, 185-204.

SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol,

24, 467-71.

SWAN, M. 2013. The Quanti=ed Self: Fundamental Disruption in Big Data

Science and Biological Discovery. Big Data, 1, 85-99.

TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User

Control in the Age of Analytics. Northwestern Journal of Technology

and Intellectual Property, 11, 239-274.

Citizens AND HYdrology (CANDHY): conceptualizing a transdisciplinary framework for citizen science addressing hydrological challenges

Article

Full-text available

Nov 2020

Widely available digital technologies are empowering citizens who are increasingly well informed and involved in numerous water, climate, and environmental challenges. Citizen science can serve many different purposes, from the “pleasure of doing science” to complementing observations, increasing scientific literacy, and supporting collaborative behaviour to solve specific water management problems. Still, procedures on how to incorporate citizens’ knowledge effectively to inform policy and decision-making are lagging behind. Moreover, general conceptual frameworks are unavailable, preventing the widespread uptake of citizen science approaches for more participatory cross-sectorial water governance. In this work, we identify the shared constituents, interfaces and interlinkages between hydrological sciences and other academic and non-academic disciplines in addressing water issues. Our goal is to conceptualize a transdisciplinary framework for valuing citizen science and advancing the hydrological sciences. Joint efforts between hydrological, computer and social sciences are envisaged for integrating human sensing and behavioural mechanisms into the framework. Expanding opportunities of online communities complement the fundamental value of on-site surveying and indigenous knowledge. This work is promoted by the Citizens AND HYdrology (CANDHY) Working Group established by the International Association of Hydrological Sciences (IAHS).

Citizen Science and Social Innovation: Mutual Relations, Barriers, Needs, and Development Factors

Book

Full-text available

Mar 2022

Social innovations are usually understood as new ideas, initiatives, or solutions that make it possible to meet the challenges of societies in fields such as social security, education, employment, culture, health, environment, housing, and economic development. On the one hand, many citizen science activities serve to achieve scientific as well as social and educational goals. Thus, these actions are opening an arena for introducing social innovations. On the other hand, some social innovations are further developed, adapted, or altered after the involvement of scientist-supervised citizens (laypeople or volunteers) in research and with the use of the citizen science tools and methods such as action research, crowdsourcing, and community-based participatory research. Such approaches are increasingly recognized as crucial for gathering data, addressing community needs, and creating engagement and cooperation between citizens and professional scientists. However, there are also various barriers to both citizen science and social innovation. For example, management, quality and protection of data, funding difficulties, non-recognition of citizens' contributions, and limited inclusion of innovative research approaches in public policies. In this volume, we open theoretical as well as empirically-based discussion, including examples, practices, and case studies of at least three types of relations between citizen science and social innovation: (1) domination of the citizen science features over social innovation aspects; (2) domination of the social innovation features over the citizen science aspects; and (3) the ways to achieve balance and integration between the social innovation and citizen science features. Each of these relationships highlights factors that influence the development of the main scales of sustainability of innovations in the practice. These innovations are contributing to a new paradigm of learning and sharing knowledge as well as interactions and socio-psychological development of participants. Also, there are factors that influence the development of platforms, ecosystems, and sustainability of innovations such as broad use of the information and communications technologies (ICTs) including robotics and automation; emerging healthcare and health promotion models; advancements in the development and governance of smart, green, inclusive and age-friendly cities and communities; new online learning centers; agri-food, cohousing or mobility platforms; and engagement of citizens into co-creation or co-production of services delivered by public, private, non-governmental (NGOs) organizations as well as non-formal entities.

Attitudes towards transactional data donation and linkage in a longitudinal population study: evidence from the Avon Longitudinal Study of Parents and Children

Article

Full-text available

Jun 2021

Background: Commercial transaction records, such as data collected through banking and retail loyalty cards, present a novel opportunity for longitudinal population studies to capture data on participants’ real-world behaviours and interactions. However, little is known about participant attitudes towards donating transactional records for this purpose. This study aimed to: (i) explore the attitudes of longitudinal population study participants towards sharing their transactional records for health research and data linkage; and (ii) explore the safeguards that researchers should consider implementing when looking to request transactional data from participants for data linkage studies. Methods: Participants in the Avon Longitudinal Study of Parents and Children were invited to a series of three focus groups with semi-structured discussions designed to elicit opinions. Through asking participants to attend three focus groups we aimed to facilitate more in-depth discussions around the potentially complex topic of data donation and linkage. Thematic analysis was used to sort data into overarching themes addressing the research questions. Results: Participants (n= 20) expressed a variety of attitudes towards data linkage, which were associated with safeguards to address concerns. This data was sorted into three themes: understanding, trust, and control. We discuss the importance of explaining the purpose of data linkage, consent options, who the data is linked with and sensitivities associated with different parts of transactional data. We describe options for providing further information and controls that participants consider should be available when studies request access to transactional records. Conclusions: This study provides initial evidence on the attitudes and concerns of participants of a longitudinal cohort study towards transactional record linkage. The findings suggest a number of safeguards which researchers should consider when looking to recruit participants for similar studies, such as the importance of ensuring participants have access to appropriate information, control over their data, and trust in the organisation.

Research under the GDPR – a level playing field for public and private sector research?

Article

Full-text available

Mar 2021

Paul Quinn

Scientific research is indispensable inter alia in order to treat harmful diseases, address societal challenges and foster economic innovation. Such research is not the domain of a single type of organization but can be conducted by a range of different entities in both the public and private sectors. Given that the use of personal data may be indispensable for many forms of research, the data protection framework will play an important role in determining not only what types of research may occur but also which types of actors may carry it out. This article looks at the role the EU’s General Data Regulation plays in determining which types of actors can conduct research with personal data. In doing so it focuses on the various legal bases that are available and attempts to discern whether the GDPR can be said to favour research in either the public or private domains. As this article explains, the picture is nuanced, with either type of research actor enjoying advantages and disadvantages in specific contexts.

Ethical Issues with Using Internet of Things Devices in Citizen Science Research: A Scoping Review

Article

Full-text available

Feb 2021

Digital innovation is ever more present and increasingly integrated into citizen science research. However, smartphones and other connected devices come with specific features and characteristics and, in consequence, raise particular ethical issues. This article addresses this important intersection of citizen science and the Internet of Things by focusing on how such ethical issues are communicated in scholarly literature. To answer this research question, this article presents a scoping review of published scientific studies or case studies of scientific studies that utilize both citizen scientists and Internet of Things devices. Specifically, this scoping review protocol retrieved studies where the authors had included at least a short discussion of the ethical issues encountered during the research process. A full text analysis of relevant articles conducted inductively and deductively identified three main categories of ethical issues being communicated: autonomy and data privacy, data quality, and intellectual property. Based on these categories, this review offers an overview of the legal and social innovation implications raised. This review also provides recommendations for researchers who wish to innovatively integrate citizen scientists and Internet of Things devices into their research based on the strategies researchers took to resolve these ethical issues.

Ethical issues with using Internet of Things devices in citizen science research: A scoping review

Preprint

Full-text available

Jul 2020

Our chapter presents a scoping review of published scientific studies or case studies of scientific studies that utilise both citizen scientists and Internet of Things devices. Specifically, we selected studies where the authors had included at least a short discussion of the ethical issues encountered during the research process. Having conducted a search of five databases (IEEE Xplore, Scopus, Web of Science, ProQuest, and PubMed), we identified 631 potential results. Following abstract and title screening, and then full text eligibility assessment, we identified 34 published articles that matched our criteria. We then analysed the full text for these articles inductively and deductively, coding ethical issues into three main categories. These categories were autonomy and data privacy, data quality, and intellectual property. We also analysed the full text of these articles to see what strategies researchers took to resolve these ethical issues, as well as any legal implications raised. Following this analysis, our discussion provides recommendations for researchers who wish to integrate citizen scientists and Internet of Things devices into their research. First, all citizen science projects should integrate a data privacy protocol to protect the confidentiality of participants. Secondly, scientific researchers should consider any potential issues of data quality, including whether compromises might be required, before establishing a project. Finally, all intellectual property issues should be clarified both at the start of the project and during its lifecycle. Researchers should also consider any ethical issues that might flow from the use of commercially available Internet of Things devices for research.

Channels of collaboration for citizen science and the sustainable development goals

Article

Apr 2020
J CLEAN PROD

Citizen Science, known as the participation of individuals and groups in scientific processes, is an increasingly growing discipline, which can contribute for the achievement of the Sustainable Development Goals. The UN Agenda 2030 for Sustainable Development is all-inclusive, where every contribution is valid. Participation, partnerships, education, sustainable living and global citizenship, all of which can build on Citizen Science activities, are crucial for the Sustainable Development Goals. In this context, this study aims at exploring several collaboration channels for Citizen Science-related activities and the Agenda 2030. Challenges and critical aspects are discussed based on the opinions of practitioners collected through a comprehensive online survey. Furthermore, recommendations for future involvement are given on a framework of interactions at different levels for Citizen Science and the Agenda 2030.

From Perception to Participation: Rethinking Research on Phantom Vibration Syndrome through Citizen Science and Smartphone Technology

Conference Paper

Jul 2024

El uso secundario de datos de salud electrónicos: el futuro Reglamento del Espacio Europeo de Datos de Salud y su interacción con la protección de datos personales

Article

Full-text available

Apr 2024

Mikel Recuero

La creación del Espacio Europeo de Datos de Salud por medio de la aprobación de su correspondiente Reglamento (REEDS) pretende erigirse como un importante hito para superar la fragmentación normativa existente, establecer mecanismos de gobernanza comunes y, en suma, impulsar la reutilización de datos de salud en beneficio de la sociedad y del interés general. El presente artículo tiene por objeto examinar el régimen propuesto para el uso secundario de datos de salud electrónicos, sus carencias y virtudes y su compleja integración e interacción con la normativa europea de protección de datos de carácter personal, en particular, el Reglamento General de Protección de Datos (RGPD). The setting of the European Health Data Space through the adoption of its corresponding Regulation (REHDS) represents a major milestone to overcome persisting regulatory fragmentation, to establish shared governance tools and, ultimately, to boost health data re-use for the common good. This paper aims to analyse the proposed regime for secondary uses of electronic health data, addressing its complex interplay with European data protection laws, notably, the General Data Protection Regulation (GDPR).

Análisis de la utilidad del derecho de portabilidad de datos personales para la garantía del derecho a la salud, a la luz del Reglamento General de Protección de Datos en la Unión Europea y la Ley General de Protección de Datos Personales en Posesión ...

Article

Full-text available

Jul 2022

Ana Guadalupe Olvera-Arellano

Con la publicación en el Diario Oficial de la Unión Europea del Reglamento General de Protección de Datos Personales (2016) y en el Diario Oficial de la Federación de la República Mexicana de la Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados (2017), sobrevino la positivización del derecho a la portabilidad de datos personales, que ya encontraba antecedentes en el campo de las telecomunicaciones. Sin embargo, los elementos subjetivos y objetivos de este derecho y que afectan a la totalidad del ciclo de vida del dato personal, nos dan cuenta de las muchas limitaciones existentes para su ejercicio y garantía, cuestión que además encuentra detalles específicos dependiendo de la materia que se trate. En ese sentido, el presente pretende analizar si el ejercicio de este derecho, tal y como se encuentra previsto en las normas mencionadas que se encuentran vigentes, resulta beneficioso para los usuarios de los sistemas de salud o si, por el contrario, representa una carga.

The Anonymisation of Research Data — A Pyric Victory for Privacy that Should Not Be Pushed Too Hard by the EU Data Protection Framework?

Article

Full-text available

Jul 2017

Paul Quinn

Personal health data is essential to many forms of scientific research. Such data may come from a large variety of sources including electronic health records (EHRs), datasets used for previous research and from data linked to biobanks. European data protection law recognises that in addition to using consent as a legal basis for the processing of personal health data for scientific research, such data may be used without consent where it is in the ‘public interest’. Despite the existence of such a legal option, ethics bodies in a number of states have shown reticence to utilise it, often pushing researchers into either obtaining consent or anonymising the data in question. Whilst the latter option may be appealing from a legal point of view, if carried out properly, the result may be that the research value of the data is reduced or even destroyed.

Taking a ‘Big Data’ approach to data quality in a citizen science project

Article

Full-text available

Nov 2015

Data from well-designed experiments provide the strongest evidence of causation in biodiversity studies. However, for many species the collection of these data is not scalable to the spatial and temporal extents required to understand patterns at the population level. Only data collected from citizen science projects can gather sufficient quantities of data, but data collected from volunteers are inherently noisy and heterogeneous. Here we describe a ‘Big Data’ approach to improve the data quality in eBird, a global citizen science project that gathers bird observations. First, eBird’s data submission design ensures that all data meet high standards of completeness and accuracy. Second, we take a ‘sensor calibration’ approach to measure individual variation in eBird participant’s ability to detect and identify birds. Third, we use species distribution models to fill in data gaps. Finally, we provide examples of novel analyses exploring population-level patterns in bird distributions.

The Quantified Self: Fundamental Disruption in Big Data Science and Biological Discovery

Article

Full-text available

Jun 2013

Melanie Swan

A key contemporary trend emerging in big data science is the quantified self (QS)–individuals engaged in the self-tracking of any kind of biological, physical, behavioral, or environmental information as n=1 individuals or in groups. There are opportunities for big data scientists to develop new models to support QS data collection, integration, and analysis, and also to lead in defining open-access database resources and privacy standards for how personal data is used. Next-generation QS applications could include tools for rendering QS data meaningful in behavior change, establishing baselines and variability in objective metrics, applying new kinds of pattern recognition techniques, and aggregating multiple self-tracking data streams from wearable electronics, biosensors, mobile phones, genomic data, and cloud-based services. The long-term vision of QS activity is that of a systemic monitoring approach where an individual's continuous personal information climate provides real-time performance optimization suggestions. There are some potential limitations related to QS activity—barriers to widespread adoption and a critique regarding scientific soundness—but these may be overcome. One interesting aspect of QS activity is that it is fundamentally a quantitative and qualitative phenomenon since it includes both the collection of objective metrics data and the subjective experience of the impact of these data. Some of this dynamic is being explored as the quantified self is becoming the qualified self in two new ways: by applying QS methods to the tracking of qualitative phenomena such as mood, and by understanding that QS data collection is just the first step in creating qualitative feedback loops for behavior change. In the long-term future, the quantified self may become additionally transformed into the extended exoself as data quantification and self-tracking enable the development of new sense capabilities that are not possible with ordinary senses. The individual body becomes a more knowable, calculable, and administrable object through QS activity, and individuals have an increasingly intimate relationship with data as it mediates the experience of reality.

Commons at the Intersection of Peer Production, Citizen Science, and Big Data: Galaxy Zoo

Article

Full-text available

Sep 2014

Michael J. Madison

The knowledge commons research framework is applied to a case of commons governance grounded in research in modern astronomy. The case, Galaxy Zoo, is a leading example of at least three different contemporary phenomena. In the first place Galaxy Zoo is a global citizen science project, in which volunteer non-scientists have been recruited to participate in large-scale data analysis via the Internet. In the second place Galaxy Zoo is a highly successful example of peer production, sometimes known colloquially as crowdsourcing, by which data are gathered, supplied, and/or analyzed by very large numbers of anonymous and pseudonymous contributors to an enterprise that is centrally coordinated or managed. In the third place Galaxy Zoo is a highly visible example of data-intensive science, sometimes referred to as e-science or Big Data science, by which scientific researchers develop methods to grapple with the massive volumes of digital data now available to them via modern sensing and imaging technologies. This chapter synthesizes these three perspectives on Galaxy Zoo via the knowledge commons framework.

Mobile, Social, and Wearable Computing and the Evolution of Psychological Practice

Article

Full-text available

Sep 2012

Psychological assessment and intervention are extending from the clinic into daily life. Multiple forces are at play: Advances in mobile technology, constrained clinical care, and consumer demand for contextualized, nonstigmatizing, and low-cost alternatives are beginning to change the face of psychological assessment and interventions. Mobile, social, and wearable technologies are now enabling individuals to measure themselves and to integrate myriad forms of help and entertainment. The massive data sets generated by self-tracking of mood and passive sensing of voice, activity, and physiology may eventually reorganize taxonomies of mental health concerns. Compelling mobile therapies will also emerge, involving contextually appropriate, entertaining, and dynamic feedback to provide help in the context of daily life. The efficacy of such applications will be tested through citizen science as well as clinical trials. This article reviews technical advances that can be applied to enhance assessment and intervention and dramatically increase access to psychotherapy. It is recommended that, in addition to exploring clinically oriented products, practitioners should support patients' use of direct-to-consumer applications in ways that align with therapeutic objectives. (PsycINFO Database Record (c) 2012 APA, all rights reserved)

Barbarians at the Gate: Consumer-Driven Health Data Commons and the Transformation of Citizen Science

Article

Nov 2016

Barbara J. Evans

Major pitfall, till now, has been the tendency of our federal regulations to enshrine a data-holder-centric view, in which data holders assemble large-scale data resources by invoking individual consent exceptions to free data for socially beneficial research on terms, and subject to privacy and security protections, in which the data subjects - the people whose data are used - have no real voice. The goal of consumer-driven data commons is to grant people the voice they have previously been denied and, by doing so, engage citizens more actively in the task of assembling the hundred-million-person and even billion-person cohorts that twenty-first-century science ultimately will require.

Biometric Tracking From Professional Athletes to Consumers

Article

Jan 2017

The big health data sale: As the trade of personal health and medical data expands, it becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and ensuring the quality of data

Article

Jul 2016

Philip Hunter

Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique

Article

May 2013

In its draft Data Protection Regulation, the European Union has announced a major new economic and human right – the right to data portability ('RDP'). The basic idea of the RDP is that an individual would be able to transfer his or her material from one information service to another, without hindrance. For instance, consumers would have a legal right to get an immediate and full download of their data held by a social network such as Facebook, a cloud provider, or a smartphone app.Although the idea of data portability is appealing, the RDP as defined in Article 18 of the draft Regulation is unprecedented and problematic. Part I explains Article 18, whose text appears to require software and online service providers to create what we call an 'Export-Import Module,' or software code that exports data seamlessly from the first service to the second service. The requirements would apply globally, for any entity that sells to an E.U. resident.Part II critiques the RDP in light of the teachings of E.U. competition and U.S. antitrust law. Competition law has long addressed the problems of lock-in and high switching costs that form a chief justification for the RDP. The RDP, however, applies to small enterprises, where there is essentially no risk of lock-in. In contrast to competition law, the RDP applies to all online services even where there is no market power and no barrier to entry. Article 18 more generally is in conflict with the rules in competition law about exclusionary conduct – it creates a per se prohibition where competition law would apply a rule of reason approach. Competition law would consider the many efficiencies that result from a service provider deciding which functions and formats to include in its products, which undergo rapid innovation.Part III shows that Article 18 also suffers serious difficulties as a matter of privacy or data protection law. Proponents have claimed the RDP is a new fundamental human right, aiding the individual’s autonomy for online activities. No jurisdiction has experimented with anything resembling the proposed Article 18, however, casting serious doubt on its status as a new human right. Among other difficulties, Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported 'without hindrance,' then one moment of identity fraud can turn into a lifetime breach of personal data. Part IV shows that Article 18 goes far beyond previous legal rules that specifically address interoperability.In conclusion, the novel RDP is justified by the supposed benefits to consumers. As drafted, however, the RDP likely reduces consumer welfare, as articulated after long experience in competition law. It also creates risks to privacy that are not addressed in the current text. The RDP deserves far more scrutiny before becoming a mandate that applies globally to software and online services.

Big Data for All: Privacy and User Control in the Age of Analytics

Article

Sep 2012

We live in an age of “big data.” Data have become the raw material of production, a new source for immense economic and social value. Advances in data mining and analytics and the massive increase in computing power and data storage capacity have expanded by orders of magnitude the scope of information available for businesses and government. Data are now available for analysis in raw form, escaping the confines of structured databases and enhancing researchers’ abilities to identify correlations and conceive of new, unanticipated uses for existing information. In addition, the increasing number of people, devices, and sensors that are now connected by digital networks has revolutionized the ability to generate, communicate, share, and access data. Data creates enormous value for the world economy, driving innovation, productivity, efficiency and growth. At the same time, the “data deluge” presents privacy concerns which could stir a regulatory backlash dampening the data economy and stifling innovation. In order to craft a balance between beneficial uses of data and in individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of “personally identifiable information”, the role of individual control, and the principles of data minimization and purpose limitation. This article emphasizes the importance of providing individuals with access to their data in usable format. This will let individuals share the wealth created by their information and incentivize developers to offer user-side features and applications harnessing the value of big data. Where individual access to data is impracticable, data are likely to be de-identified to an extent sufficient to diminish privacy concerns. In addition, organizations should be required to disclose their decisional criteria, since in a big data world it is often not the data but rather the inferences drawn from them that give cause for concern.