Public health research is treated as a subset of scientific research under the GDPR, and, therefore, the same exemptions and requirements apply. However, the GDPR also contains several provisions applicable exclusively to public health research.

First, the GDPR encourages the member states to enact greater protections for the processing of sensitive data for health-related purposes. The GDPR states that, although it is intended to create “harmonized conditions for the processing of special categories of personal data concerning health, […] Union or member state law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons.” This is particularly the case where the controller processes genetic, biometric, or health data.

Second, the GDPR permits the transfer of personal data to third countries that do not offer an adequate level of protection if “the transfer is necessary for important reasons of public interest,” which may include public health research. This derogation applies especially “for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport.”

Finally, controllers that conduct public health research may be subject to heightened requirements for consulting supervisory authorities about their processing activities. The GDPR requires controllers to consult with a supervisory authority prior to processing that may result in a “high risk” to data subject rights. Even in the absence of a high risk, however, “Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority.”

Recital 54 of the GDPR defines public health according to Regulation (EC) No. 1338/2008 as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.” Given this broad definition, the activities of social media and other online platforms may qualify as public health research.