WHAT ARE THE LEGITIMATE GROUNDS AND DIFFICULTIES FOR PROCESSING HEALTH DATA?

Article 6(1)(a) of the GDPR sets out that consent is a lawful ground for processing personal data for specified purposes.[1] For sensitive data, Article 9(2)(a) provides a lawful ground for processing for specified purposes if the data subject gives explicit consent.[2] It therefore seems that consent permits the collection and processing of personal information for research purposes. However, this raises the concern that the criteria of consent under the GDPR are “conceptually and operationally”[3] different from informed consent in medical research and clinical trials on human participants,[4] especially under the professional ethical standards for health research.[5] Hence, the European Data Protection Supervisor (EDPS) suggests that informed consent is an alternative option only when consent is impracticable.[6]

The requirements of consent in the GDPR are established in Article 4(11), whereby participants “have the right to withdraw at any time”.[7] The article lays out the criteria of consent, in that it is a “freely given, specific, informed, and unambiguous indication of the data subject’s wishes”.[8] Freely given means that the data subject makes a decision based on their own free will, without any conditions. Recital 43 further explains the meaning of “freely given”, and contains two criteria of freely given consent:[9] (1) an individual can provide separate consent, allowing the researchers to collect and process different types of data;[10] and (2) there are no bundled contractual commitments in response to the consent.[11]

Specific consent means that the scope of collecting and processing personal data should be clear and distinguishable.[12] Data subjects give consent based on their full understanding and acknowledgement of a particular area and the purposes of the research.[13] “Informed” means that the data subject must be told precisely who will be processing the data, in what way, and for what purposes.[14] The Article 29 Working Party (WP29) sets out six criteria for informed consent that the data subject must know: the identity of the controller, the objective of processing the data in each step of the procedure, the class of data and the right to withdraw at any time.[15] Consent should be clearly expressed, and “silence, pre-ticked boxes or inactivity”[16] do not constitute valid consent. Consent is only valid and lawful if there is a balance of power between the individual and the institution.[17]

Although WP29 provides certain guidelines on informing the subject of the use of personal data, there are concerns as to whether the requirements of consent apply to health research, and whether broad consent is still lawful in terms of health research. The EDPB ensures that broad consent is applied to process genetic data for health research. The intention behind WP29’s restrictive requirements of consent regarding the processing of data is to protect fundamental human rights and personal information. However, these restrictive requirements may harm the purpose of the research, as they make it difficult to process data for secondary research. While WP29 does not object to adopting broad consent to process data, it is rather vague and open to interpretation.[18]

That said, the criteria of consent, as set out in Article 4(11), may pose an obstacle to research such as clinical trials,[19] and raise concerns regarding the extent to which consent is freely given for health research.[20] In other words, there is an imbalance of power.[21] Another obstacle is that it is difficult for researchers to obtain specific consent for subsequent research purposes, especially if it concerns separate research objectives that have no connection with the original research.[22] It also raises the question as to whether secondary researchers can re-use the original data for subsequent purposes, such as health research, medical care, or clinical trials.[23] The EDPB proposes that consent is lawful only if freely given. As such, consent may not be legitimate if it is not freely given or negatively influences medical treatment and patients.[24]

Health data plays a crucial role during health crises, especially with the ongoing pandemic. Researchers may wish to re-use health data collected during earlier research to enlarge their data sets.[25] That said, there is a barrier to this, as researchers are required to obtain fresh consent if the data was previously used for health care.[26] There are also several practical constraints on secondary researchers obtaining consent. First, the contact details of the data subject may not be up to date. Second, the initial processor may not be willing to assist the secondary researchers in contacting the data subject. Third, the original participants may have a low incentive to have their data used for subsequent health research.[27] Fourth, health care professionals may not necessarily have the time or capacity to seek fresh consent. Fifth, there are potential health risks associated with approaching patients, since they may lack sufficient protective equipment.[28] In light of the above, there is doubt as to how efficient it is for researchers to obtain fresh consent in practice, particularly during a pandemic. However, specific consent in Article 4(11) does not apply to the use of genetic data for health research. Hence, broad consent is an alternative for scientific research, as set out in Recital 33.

Recital 33 provides further explanation with regard to broad consent for research purposes. If it is impossible to recognise the scientific research purposes at the time of data collection,[29] then Recital 33 allows for “data subjects to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research”. Recital 33 further explains the extent of consent for scientific research purposes, as set out in Article 4(11).[30] Though it provides legitimate grounds for researchers to process data for scientific research, the recital remains unclear in the wording of “certain areas of research” and “parts of research projects”.[31] This uncertainty allows for a wide interpretation of consent in terms of processing personal data for health research, including genomic research.[32] Broad consent, however, is not usually accepted by the EDPB, which sets out guidelines explaining that consent is still necessary, even though it may be impossible to specify the purposes of the research at the time of data collection.[33]

With regard to the obstacles in Article 4(11), the GDPR provides additional legitimate grounds for organisations to collect and process genetic data for health research,[34] whereby organisations are allowed to legally process data without breaching the GDPR if they comply with Article 6.[35] Research purposes might change after the health data is collected. As such, Recital 29 allows for subsequent research if lawful permission is given by the member countries. Although the secondary use of data is irrelevant to the original research purposes,[36] the controller may still allow the data to be processed if there is a legitimate reason.[37] In other words, Article 6 provides a double guarantee: it not only allows researchers to process data for secondary purposes, it also allows the controller to collect and process data if there are legitimate reasons. What this means is that consent is not necessary in health research and that it seems likely that consent has not played an important role in processing data for research purposes.

Furthermore, Article 7 of the GDPR sets out that participants can withdraw consent regarding the processing of their data for health research at any time.[38] If participants withdraw their consent, the data needs to be destroyed, unless there are lawful grounds for the researchers to continue processing the data.[39] EDPB guidelines clearly state that researchers are only allowed to continue to process data if legal grounds were established before consent was removed.[40] However, Article 17(3)(d) sets out a backdoor, in that the right to erasure does not apply if it is for “archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes… and is likely to render impossible or seriously impair the achievement of the objectives of that processing”.[41]

Generally speaking, it is difficult to process genetic data for health research based on consent during a period such as COVID-19.[42] The next section will discuss other lawful grounds under the GDPR.

[1] GDPR of 2018, Article 6(1)(a). 

[2] GDPR of 2018, Article 9(2)(a). 

[3] European Data Protection Supervisor “A Preliminary Opinion on data protection and scientific research” (2020) at p.2 <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf>.

[4] Ibid.

[5] European Data Protection Supervisor “A Preliminary Opinion on data protection and scientific research” (2020) at p.2 <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf>. See also Jenny Strasburg “Volunteers to be infected with coronavirus in Vaccine-Effectiveness Trials in U.K.” The Wall Street Journal (20 October 2020) at <https://www.wsj.com/articles/volunteers-to-be-infected-with-coronavirus-in-planned-experimental-trials-11603203296>. This news raises concerns about the ethical standards for vaccine trials. Though it is not related to data protection and privacy, it may show how public interests override the ethical standards for health research on human participants during the pandemic period.

[6] Ibid.

[7] GDPR of 2018, Article 7(3).

[8] GDPR of 2018, Article 4(11).

[9] Ben Wolford “What are the GDPR consent requirements?” (2020) GDPR.EU at <https://gdpr.eu/gdpr-consent-requirements/>.

[10] GDPR of 2018, Recital 43.

[11] GDPR of 2018, Recital 43. Recital 42 also sets out that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. Article 7(4) sets out that ‘bundling consent’ is not ‘freely given’ consent.

[12] Bird & Bird “Consent” (accessed Oct 2020) at <https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/23–guide-to-the-gdpr–consent.pdf?la=en>.

[13] Ben Wolford “What are the GDPR consent requirements?” (2020) GDPR.EU at <https://gdpr.eu/gdpr-consent-requirements/>.

[14] Bird & Bird “Consent” (accessed on 19 Oct 2020) at <https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/23–guide-to-the-gdpr–consent.pdf?la=en>.

[15] GDPR of 2018, Recital 42. WP29 Opinion 15/2011 laid down the definition of consent (WP187) at pp.19-20. See also Article 29 Working Party “Guidelines on consent under Regulation 2016/679” (2017) 17/EN, WP259 rev.01 at p.13. GDPR of 2018, Article 7(3). Criteria five and six are ‘process data for automated decision-making’ and ‘data flow without adequacy decision’. They are not related to genetic data for health research, so this paper will not discuss them.

[16] GDPR of 2018, Recital 32.

[17] NHS, Health Research Authority “Consent in research” (accessed on 19 Oct 2020) at <https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/>. This article states that “consent would not be appropriate as a legal basis under this legislation where there is an imbalance of power in the relationship between the controller and the data subject, eg where the controller is a public authority and the data subject depends on their services, or fears adverse consequences, so feels they have no choice but to agree.” This is consistent with Recital 43, which states that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller”.

[18] Dara Hallinan “Broad consent under the GDPR: an optimistic perspective on a bright future” (2020) Hallinan Life Sciences, Society and Policy 16:1 at 16 <https://doi.org/10.1186/s40504-019-0096-3>.

[19] Prictor, Megan, Harriet J.A. Teare, Jessica Bell, Mark Taylor and Jane Kaye “Consent for data processing under the General Data Protection Regulation: Could ‘dynamic consent’ be a useful tool for researchers?” (2019) Journal of Data Protection and Privacy 3:93-112.

[20] Mark J. Taylor and Tess Whitton “Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data” Melbourne Law School, University of Melbourne, Parkville VIC 2010, Australia at p.8.

[21] European Data Protection Board “Opinion 3/2019 Concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)” at pp.18-20 <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_en> [accessed 20 October 2020].

[22] Krousel-Wood, Marie, Paul Muntner, Ann Jannu, Amanda Hyre and Joseph Breault “Does Waive of Written Informed Consent from the Institutional Review Board Affect Response Rate in a Low-Risk Research Study” (2006) Journal of Investigative Medicine 54: 174-79.

[23] Tasse, Anne Marie, Isabelle Budin-Lione, Bartha Maria Knoppers and Jennifer R. Harris “Retrospective access to data: The ENGAGE consent experience” (2010) European Journal of Human Genetics 18:741-45.

[24] European Data Protection Board “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf> [accessed 20 October 2020].

[25] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.2.

[26] Ibid.

[27] Nelson, Karin, Rosa Elena Garcia, Julie Brown, Carol M. Mangione, Thomas A. Louis, Emmett Keeler, and Shan Cretin “Do Patient Consent Procedures Affect Participation Rates in Health Services Research” (2001) Medical Care 40: 283-88.

[28] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.2.

[29] GDPR of 2018, Recital 33.

[30] Dara Hallinan “Broad consent under the GDPR: an optimistic perspective on a bright future” (2020) Hallinan Life Sciences, Society and Policy 16:1 at p.18 <https://doi.org/10.1186/s40504-019-0096-3>.

[31] Ibid.

[32] Rumbold, John and Barbara Pierscionek “The effect of the general data protection regulation on medical research” (2017) Journal of Medical Internet Research 19(2) at <https://doi.org/10.2196/jmir.7180>. See also Dara Hallinan “Broad consent under the GDPR: an optimistic perspective on a bright future” (2020) Hallinan Life Sciences, Society and Policy 16:1 at p.18 <https://doi.org/10.1186/s40504-019-0096-3>.

[33] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.2.

[34] Gabe Maldoff “How GDPR changes the rules for research” (2016) at <https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/>. Article 6(1)(b) to (f) and Article 6(4).

[35] GDPR of 2018, Article 6.

[36] Gabe Maldoff “How GDPR changes the rules for research” (2016) at <https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/>.

[37] GDPR of 2018, Article 6(1)(f).

[38] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.2.

[39] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.2.

[40] European Data Protection Board “Guidelines 05/2020 on consent under Regulation 2016/679 (Version 1.1)” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf> [accessed 21 October 2020].

[41] GDPR of 2018, Article 17(3)(d).

[42] Regina Becker, Andrian Thorogood and Michael J.S. Beauvais “COVID-19 Research: Navigation the European General Data Protection Regulation” (2020) Journal of Medical Internet Research at p.3.