Overview of legal requirements and ethical considerations for handling personal data responsibly and compliantly.

1       Session Description

Legal and ethical compliance is a key requirement for the acceptance of the LAGO solution. The following chapter provides a brief overview of the key considerations related to law and ethics. It focuses on the approach implemented in the LAGO solution.

2       Assessment

With the initiation of the LAGO project, a comprehensive assessment of the applicable legal and ethical frameworks was conducted. Due to the complexity of the regulatory landscape, this assessment was divided into two phases, resulting in the creation of two deliverables: D2.1 and D2.2. The findings from this assessment revealed that, despite the focused objectives of the LAGO project, the Research Data Ecosystem being developed operates within a highly regulated and fragmented environment.

3       Understanding the Complexity

There are three primary contributing factors to this complexity:

Harmonization by the European Union: The European Union is progressively harmonizing various areas of law pertinent to the Research Data Ecosystem. This ongoing harmonization results in an increasingly intricate legal framework that a Research Data Ecosystem must navigate.

Directives Versus Regulations: The European Union predominantly employs directives rather than regulations, granting EU Member States a degree of flexibility in the implementation of these standards. This flexibility is essential for achieving harmonization across diverse national legal systems. However, it necessitates individualized assessments in each country, as national implementations can vary significantly.

Dominance of National Legislation: Despite harmonization efforts by the European Union, the fields of FCT and related research areas remain largely governed by national legislation. This persistence of national dominance further complicates the regulatory landscape for a Research Data Ecosystem.

The bifurcated assessment approach, resulting in deliverables D2.1 and D2.2, ensured a detailed and thorough understanding of these complexities. The analysis underscores the need for a nuanced and adaptable compliance strategy, capable of responding to both EU-wide harmonization efforts and the persistent diversity in national legal frameworks. This dual-phase assessment has laid a robust foundation for navigating the regulatory challenges inherent in the Research Data Ecosystem.

4       Challenges of a Security by Design Architecture

The assessment results significantly influenced the discourse on the feasibility of implementing a compliance-by-design infrastructure. The intricate legal and ethical frameworks necessitated measures to assist participants in exchanging datasets through the Research Data Ecosystem while ensuring adherence to these frameworks. However, the complexity and fragmentation of the legal frameworks, coupled with their dynamic nature, rendered the design of a compliance-by-design architecture nearly unfeasible. A thorough evaluation of the arguments for and against integrating a compliance-by-design architecture within the Research Data Ecosystem, which would enforce compliance, culminated in the decision not to proceed with such an implementation. The primary arguments were as follows:

· As the different jurisdictions analyzed during the assessment showed significant differences in applicable national laws, it would be too complex an endeavor to implement this landscape in a compliance-by-design architecture.

· Legal and regulatory frameworks are not static; they evolve over time. Keeping the compliance-by-design element of the Research Data Ecosystem updated with every new legal change across multiple jurisdictions is an immense challenge, often leading to outdated compliance mechanisms if solely reliant on the software.

· The legal assessment revealed that laws can be subject to interpretation. While a legal expert might understand the nuances, software might struggle to capture these subtleties, potentially leading to non-compliance due to misinterpretation.

· The assessment carried out under WP2 highlighted that some regulations are highly specific to certain institutions, activities, or contexts. Creating software that understands and adapts to these intricate details across the various sectors that could share datasets is incredibly complex and often impractical.

· Compliance is not limited to compliance with federal and state legislation – there are frequently compliance rules on the institutional level that go beyond legal standards. Implementing and maintaining localization features in software for every jurisdiction is logistically challenging and resource-intensive.

· Closely related to this challenge is the fact that compliance often involves sensitive ethical and privacy considerations that software alone cannot navigate. Users need to apply ethical judgments and adhere to privacy standards that software cannot fully automate. In addition, human oversight is crucial in interpreting and applying laws correctly. Users bring in human intuition, experience, and knowledge that software lacks, making user involvement indispensable.

· Legal compliance inherently involves accountability. While software can aid in compliance, ultimate responsibility often rests with individuals and organizations, who must ensure that all actions comply with applicable laws, regulations and standards.

5       Towards a Compliance-Self-Assessment Approach

While the decision was made to forego the implementation of a compliance-by-design architecture, extensive analysis was conducted to explore alternative methods for leveraging the knowledge generated within the assessment conducted under WP2. This assessment aimed to elucidate how this knowledge could be effectively utilized to aid participants involved in dataset exchange in navigating the intricate legal and ethical frameworks governing such activities.

This analytical process culminated in the development of a sophisticated, software-based compliance self-assessment toolkit that is based on the work carried out in T2.3. This toolkit is designed to facilitate a comprehensive understanding of the regulatory landscape for users engaging in the exchange of datasets, both as senders and recipients.

The toolkit employs a structured approach, incorporating a set of more than 50 meticulously crafted questions. These questions are intended to guide participants through the multifaceted legal and ethical considerations pertinent to dataset exchange. By addressing these questions, users are directed to the most relevant compliance issues specific to their context, thereby enhancing their ability to adhere to applicable regulations and ethical standards.

The decision to develop this self-assessment toolkit rather than embedding compliance features directly into the system architecture was informed by the key considerations laid out above. The self-assessment toolkit empowers users by providing them with the tools to understand and navigate the complexities of compliance themselves. This approach not only fosters greater awareness and accountability among participants but also allows for a more tailored and context-specific application of regulatory requirements. Users are encouraged to engage critically with the compliance questions, enhancing their ability to identify and address potential compliance risks proactively.

Furthermore, the development of this toolkit was underpinned by a rigorous methodological framework. The questions were formulated based on comprehensive legal and ethical analysis, ensuring that they cover the breadth of relevant issues. Each question is designed to prompt users to consider specific aspects of compliance, from data protection and privacy considerations to ethical concerns related to data sharing practices. They even include aspects of the AI Act, which is not yet enforceable.

6       Summary

In conclusion, the decision to create a complex software-based compliance self-assessment toolkit represents a strategic choice to enhance regulatory adherence and ethical conduct among participants in dataset exchanges. By equipping users with a robust framework for self-assessment, this approach supports informed decision-making and fosters a culture of compliance that is both adaptable and responsive to the evolving legal and ethical landscape.


Skill Level: Beginner

The course aims to teach you how to handle personal data responsibly and legally by understanding key legal and ethical principles.

Skill Level: Beginner

This course offers a brief overview of the EU AI Act, focusing on its regulatory approach to ensure AI safety, innovation, and the protection of fundamental rights. Participants will explore the AI Act's risk-based classification of AI systems and the associated obligations for providers and deployers. Key topics include high-risk AI system requirements, conformity assessments, and a comparison with international AI regulations such as OECD guidelines and the Council of Europe’s framework.
