Could ORCID be mandatory and comply with the GDPR at same time?

[marcbria]

TL;DR:

ORCID is a great tool and is therefore becoming more and more widespread within the open science ecosystem, but in a global context we must ensure that it complies with the personal data regulations of the different regions (GDPR, CCPA, LGPD...).

This post focuses on the current and future compatibility with GDPR (which is the one I am familiar with) to conclude that in order to comply with EU legislation, it does not seem a good idea to end up being a mandatory field.

Argumentation

As far as ORCID keeps personal data, in EU need to comply with the GDPR.

Main concerns related with GDPR are:

• ORCID stores this data outside EU: Without a "datashild/safeHarvour/dataPrivacyFramework" (name changes but the underlaying problem is the same) it's mandatory to stored EU citizens data in Schëngen.
• ORCID is an American organization: Is ruled by US laws and under the Patriot Act, every American company is obliged (when required) to give data to its US government which contravenes the GDPR.

This question is not new, so ORCID decie to explain they comply with the GRPD [see, for example: 1, 2, 3...] but as regulation changes, arguments also change on time... and show a perspective (I mean, they are not irrefutable) and obviously, ORCID is an interested party.

In 2017 (regulation is now a bit different), a German consortium (ORCID DE, in which TIB participate) asked for an independent report (that it's the only independent resource I found) about this topic and I found it really interesting to read.

Although the report is from 2017 and translation is incomplete, IMO still offers a good basis to say today ORCID is GDPR compliant, BUT also points some issues that need to be taken in consideration...

As said, the report is only partially translated but it's very clear saying that ORCID complies without doubts the GDPR, but main legal argument holds over two facts: the registration in ORCID (quotes are summaries, not literal) "are voluntary and the user manages his/her own data" or "based on standard contractual clauses (SCCs)" and this is contradictory with what we saw recently in the EU with Meta (see 1, 2 (https://www.epc.eu/en/publications/Metas-Pay-or-Okay-Is-this-the-final-challenge-for-EU-GDPR~5672dc)).

So, although is a positive report for ORCID it still raised doubts when:
(1) "institutions are forcing researchers to use ORCID" (because "In these cases, the voluntary nature of the (scientist's) consent and thus the legal basis for a transfer of data by ORCID to a non-European foreign country is (also) questionable. In particular, given the current unfortunate legal treatment of personal data processing in the United States, a risk-free prognosis regarding the lawfulness of such situations cannot be made at this time.") or
(2) "what to do with user's data collected before the explicit consent" or
(3) suggesting a "technical review of the implementation is required" (for instance, to ensure data is properly stored), etc.

The list is not exhaustive, but I will also like to to the list (4) "what happens if the Attestation Letters are outdated" or what concerns me more (5) "what will happen with ORCID if/when the DPF decays because of Schrems III".

Without DPF I will be really surprised they still try to legitimize the processing on the basis of SCCs or individual consent.

So, in a global context of changing regulations, my recommendation here is:

• Look for a new independent legal review of the ORCID usage under the current legal framework (and also with the assumption that the DPF can be overturned) to clear all doubt.
• Don't make ORCID mandatory in any PKP products (at least till we have a global solution that fits well in every country with any reasonable doubt)

[asmecher]

@marcbria, we don't have any plans to make ORCiD mandatory in PKP products.