On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’).
According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.” This is considered the concept of ‘broad consent’.
Consent as defined in Article 4 (11) GDPR must be “specific”. This requirement is closely related to the principle of purpose limitation. The German DPAs point out in the Resolution that the term “certain areas of scientific research” is closely linked to the principle of purpose limitation. The term has to be distinguished from the broadly understood term of “scientific research” in Article 89 GDPR and interpreted rather narrowly.
The German DPAs state that such a broad consent can only come into play in exceptional cases, where at the beginning of a scientific research project, it is not possible to fully identify the purpose of the data processing at the time of data collection. However, according to the German DPAs, the broad consent does not exempt the controller from determining certain mechanisms, which limit the collection of personal data in a comprehensible manner. It accordingly should not be sufficient to just refer to a research area, as informed consent at least requires further specifications about the respective research project.
Hence, the German DPAs conclude that whenever broad consent is unavoidable to achieve the research purpose, the following or similar measures should be considered to compensate for the abstract definition of the research purposes. These measures shall support transparency, building trust, and data security:
i. Additional safeguards to ensure transparency
- Utilisation of usage regulations or research plans that illustrate the planned working methods and questions that are to be the subject of the research project
- Assessment and documentation of the question why in this particular research project a more detailed specification of the research purposes is not possible
- Set up web presences to inform study participants about ongoing and future studies.
ii. Additional safeguards to build trust
- Positive vote of an ethics committee before use of data for further research purposes
- Assessment of whether it is possible to work with a dynamic consent or whether a data subject can object before the data might be used for new research questions.
iii. Additional data security safeguards
- No data transfers to third countries with a lower level of data protection
- Additional measures regarding data minimisation, encryption, anonymisation, or pseudonymisation
- Implementation of specific policies to limit access to personal data.
The German DPAs recommend examining the above measures and submitting the underlying motives and the documented result of that examination, together with the research concept, to the bodies responsible for examining the ethical and data protection compatibility of the research project.
The Resolution is in line with the section on ‘broad consent’ in the Article 29 Working Party guidelines on consent. The Resolution highlights the narrow interpretation of the supervisory authorities regarding scientific research. Therefore, organisations should carry out an examination, as recommended, at an early stage and implement appropriate measures regarding transparency, trust-building, and data security.