GDPR Brief: when can I rely on broad consent for research?

1 Apr 2019

Consent under the GDPR must generally be given for a specific purpose. But Recital 33 broadens this to allow “consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research”. The justification given is that in research, it’s often not possible to fully identify the purpose at the time of data collection.

Guidance endorsed by the European Data Protection Board clarifies that although Recital 33 allows a more flexible approach, it doesn’t “disapply” specific consent. A well-described purpose is still required, meaning that blanket or vaguely worded consent is invalid. And when consent is given to areas of scientific research, the guidance says, countermeasures must be in place to respect the spirit of specific consent, such as greater transparency and further safeguards, among others. Although the guidance is silent on this point, one way to address Recital 33’s requirement of adherence to “recognised ethical standards” would be approval by a competent research ethics committee.

For secondary research use to be made by another party, Recital 33 also requires that this party be able to prove consent and to have been identified to the participant.

As last month’s GDPR Brief argued, researchers should consider relying on a GDPR lawful basis other than consent, and in fact UK guidance states categorically that consent should not be the GDPR basis for health and social care research. The breadth of permissible secondary use under other lawful bases is restrained, for example by the necessity and balancing tests of the legitimate interests basis. On the other hand, the breadth of secondary use may be expanded by the GDPR principle that further processing for research purposes is deemed compatible with a valid initial purpose, with certain conditions.

But data protection consent cannot always be avoided in health research. Irish law, for example, generally requires explicit consent to any processing for health research, meaning consent cannot simply be inferred from the participant’s behaviour. These rules nonetheless do not require specific consent: consent can be given “in relation to a particular area or more generally in that area or a related area of health research, or part thereof.”

This GDPR brief addresses the scope of consent only in data protection law. Even if consent is not used as a GDPR lawful basis, limits on broad consent may be imposed by other legal rules, such as those governing research ethics consent.

Further Reading
Relevant GDPR Provisions
  • Article 4(11) – consent must be freely given, specific, informed, unambiguous, and given by a clear affirmative action
  • Recital 33 – consent may be given to certain areas of scientific research when in keeping with recognised ethical standards
  • Article 5(1)(b) & Recital 50 – further processing for research purposes is deemed compatible with a legally valid initial purpose

Mark Phillips is a lawyer with a background in computer science, and an Academic Associate at the Centre of Genomics and Policy, McGill University. He advises clients on and writes about various data protection issues.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.
