Amid ongoing debates surrounding the EU’s proposed Digital Omnibus, scrutiny is being placed on the institutional balance underpinning the application and implementation of GDPR. An important part of these debates is the role of the European Data Protection Board (EDPB). While the GDPR formally tasks the EDPB with ensuring consistent application of GDPR, the Board is increasingly perceived as asserting a more authoritative, quasi-legislative role. This has prompted broader questions about the institutional balance in the EU’s data protection framework, especially as the current reforms seek to recalibrate the system to make it more responsive to today’s data driven world. This institutional ambiguity, and in some ways inter-institutional competition, is contributing to a more complex and less predictable regulatory environment.
The current discussions about the definition of scientific research under GDPR are a telling example of uncertainty arising from institutional ambiguity and competition. The Commission’s Digital Omnibus proposals put forth an explicit definition of scientific research under GDPR for the co-legislators to consider. The Joint Opinion of the EDPB/S in response to the Digital Omnibus recommends a more limited definition to be applied to scientific research. The latest Council Presidency document on the Digital Omnibus calls for keeping things as they are and not creating an explicit definition for scientific research. But, the EDPB has also issued Guidelines on processing of personal data for scientific research, right in the middle of the current reform debate, providing a specific definition of what constitutes scientific research for GDPR purposes. While EDPB’s guidelines are technically non-binding guidance only, in practice they have been viewed as a source of significant practical guidance, with national supervisory authorities applying them as obligatory legal standards. More to the point is the EDPB’s assertion that the newly adopted Guidelines already bring clarity to data processing for scientific research. This claim, and the timing of the Guidelines, raise various concerns about institutional balance in the EU’s data protection framework, as the EDPB claims its guidance is definitive even though the definition of scientific research is being debated by Co-legislators. Furthermore, the EDPB’s press release presents a very confident view that the Guidelines are definitive, even though a public consultation is still open. The EDPB appears to be of the view that the definition of scientific research is now a closed issue.
As with all aspects of data protection, it is essential to put the matter into the wider, applicable context. Data protection is set out in the EU treaties as one of many obligations and objectives to be pursued. Scientific research is also in the treaties. Article 179 TFEU sets out a specific objective of strengthening the EU’s scientific and technological bases through research. The purpose of this objective is to support and encourage industrial competitiveness through scientific research for a more competitive EU, internally and globally. The article also seeks to build a European Research Area in which researchers, scientific knowledge, and technology circulate freely across borders. In turn, this supports organisations in cooperating freely on research activities to “exploit the internal market potential to the full”.
Recital 159 of the GDPR, as a piece of secondary legislation, recognises that the processing of personal data for scientific research should take into account Article 179 TFEU. The recital also says that the “processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”. It also calls for safeguards in the context of scientific research whereby “specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes,” and health related research is to have further measures that support the interests of the data subject.
Despite the role of scientific research in the EU treaties and GDPR’s recognition of the need for a broad interpretation, GDPR has been identified as an obstacle to scientific research and progress. Top of the list, perhaps, is the fragmented legal landscape created by the implementation of the GDPR, whereby the supervisory authorities of the Member States create their own national approach to derogations for research. This results in scientists conducting research in the Single Market having to navigate a maze of inconsistent rules across the Member States. On top of this, the well-known culture of caution created by the application of GDPR, where the fear of legal ambiguity and potential fines often results in refusals to share datasets. And then evidence of strict interpretations of what constitutes anonymous data has forced researchers to apply full GDPR protections to low-risk, key-coded information, significantly increasing administrative burdens and diverting limited resources and time away from actual scientific discovery. Finally, any attempt to engage in international collaboration has stalled transnational projects and made the secondary use of existing datasets close to impossible. The need for enhanced clarity on scientific research is definitely needed in order to bring increased legal certainty. But then the question now being faced is how legal certainty should be brought about?
The Commission’s proposals in the Digital Omnibus can be understood as an effort to clarify and operationalise GDPR’s support for scientific research in a way that reflects the EU treaties and corresponds to contemporary realities. Research today is often interdisciplinary, data-intensive, commercially organised, and closely linked to innovation. A definition of scientific research in GDPR may bring about increased legal certainty, but then, who decides this definition?
The EDPB’s Guidelines seek to create a new understanding of “genuinely” scientific research by introducing six indicative factors: a methodical and systematic approach, adherence to ethical standards, verifiability and public transparency, autonomy and independence, a contribution to general knowledge or societal well-being, and the advancement of knowledge. If not all six factors are met, a processing activity can still be considered scientific research, but the controller will need to justify the activity for GDPR to apply.
The EDPB Guidelines strive to transform “scientific research” into a normative category subject to standards set by an independent, but unaccountable, regulatory body. While the EDPB is tasked under the GDPR with promoting more consistent application of the Regulation, it is not a legislative body capable of determining the scope of its applicability. The Guidelines reflect a regulatory instinct that treats commercial involvement as inherently suspect, rather than as a normal and often indispensable feature of modern business ecosystems. In sectors such as pharmaceuticals, biotechnology, and artificial intelligence, scientific research is routinely conducted within commercial settings. In these settings, not only is innovation a primary driver, but the advancement of knowledge with clear societal benefits is also a regular outcome. By narrowing of the definition of scientific research and weakening its connection to innovation and commercial activity, the EDPB risks transforming a potentially enabling legal concept into a restrictive one. This is particularly problematic in fields such as AI, where the boundary between research and product development is inherently fluid. More crucially, the narrowing put forth by the EDPB is undermining primary objectives of the EU, such as the Single Market, and sustainable development for the well-being of citizens. The EDPB does say that research for commercial purposes remains possible but making that possibility more onerous does not benefit innovation, the pursuit of scientific research, or even the effective functioning of the data protection framework.
The question of what constitutes scientific research in relation to data protection and the application of data protection rules is an important matter for the EU within the Single Market and globally. The current debates surrounding the Digital Omnibus seek to improve the application of data protection rules to better support the EU’s continued growth while maintaining the Charter’s provisions on personal data. It is recognised that increasing legal certainty in the implementation of GDPR is necessary. By issuing the Guidelines at the same time the reform of the legislation is being examined by the co-legislators, the intentions of the EDPB need to be questioned
The Guidelines cannot be seen as clarifying the law as it stands today, for they overlook the fact that a legislative reform process is underway that directly addresses the subject matter of the Guidelines. What will happen if the co-legislators determine an outcome to the Digital Omnibus that does not align with the Guidelines, thereby undermining legal certainty even further?
None of this means that the EDPB is irrelevant or that it must remain silent whenever reform is pending. The Board’s views are valuable. The problem arises when that contribution is accompanied by separate guidance that appears designed to operationalise the Board’s preferred policy outcome before the co-legislators have spoken. If the EDPB wishes to argue for a narrow conception of scientific research, it can do so through advocacy channels. By issuing Guidelines at this point in time, the Board is no longer pursuing consistency in the application of existing law, it is using its distinct role to move the law toward a substantive destination that is not yet politically settled. The other concern about the release of the Guidelines at this time is how they are supposed to be open to consultation, but in its press release announcing the Guidelines the EDPB is claiming that legal clarity has been achieved by issuing the Guidelines.
If the EDPB believes it can define, through increasingly elaborate guidance (the definition of scientific research guidelines consists of 67 pages), the practical boundaries of GDPR concepts, while reform is ongoing, then the promise of democratic law-making is weakened, and legal certainty is paradoxically reduced. A board created to support the coherent application of a regulation is in danger of becoming a shadow legislator. If the EU wants a more innovation-conscious and legally certain data protection framework, that framework must be determined through the legislative processes and not pre-empted by a body that is not directly accountable to EU citizens.
13 May 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
