On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper (available here in German) on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent  and the principle of purpose limitation.

According to the DSK, broad consent should only be used in exceptional circumstances when it is not possible to establish at the outset the expected scope of the research.  Moreover, the DSK suggests that a broad consent can be fixed at a later stage of the research by narrowing down the scope of the research once that scope is clearer – i.e., deliberately not using the obtained flexibility.  The use of broad consent also does not relieve parties from their obligation to put in place mechanisms to limit the authorized use of data and to prevent the uncontrolled expansion of research use.

In those cases where broad consent is “absolutely necessary”, the DSK sets out a list of recommended safeguards.  These safeguards should compensate on three fronts for the weak nature of broad consent: ensuring heightened transparency of the processing, reinforcing the trust of the data subjects in the processing and guaranteeing the protection of the personal data. The safeguards include:

  • documenting why specific consent is not possible;
  • establishing an internet page informing data subjects on a continuous basis about the research project and future research projects involving their personal data;
  • obtaining the consent of the ethics committee for further processing for research purposes;
  • verifying if dynamic consent is an option;
  • not transferring personal data to countries that do not provide an adequate level of protection of personal data; and
  • the application of specific encryption and pseudonymization techniques.

Finally, according to the DSK, controllers should keep a record of their decision to rely on broad consent and of the safeguards they implement, and submit these documents, together with a description of the research project, to the competent bodies responsible for examining the ethical and data protection compatibility of the research project.

Comment:

The DSK opinion is concerning.  To a large extent it repeats the Article 29 Working Party’s previous guidelines on consent.  However, it demonstrates again that Supervisory Authorities find it hard to come to terms with the GDPR’s favorable provisions for scientific research.  The way in which the DSK interprets Recital 33 risks voiding it of any meaning and utility.

This reluctant attitude of the authorities is unnecessary.  Recital 33 of the GDPR can be read in a way that dovetails nicely with other provisions of the GDPR that reflect the lawmaker’s policy decision to create a scientific research-friendly framework.  In fact, allowing broad consent to be relied on for scientific research can be seen as an extension of the exception to the purpose limitation principle in Art. 5(1)(b) of the GDPR.  It is quite astonishing to observe how the Supervisory Authorities can write a dedicated paper on scientific research without making any reference to this exception.

Article 5(1)(b) of the GDPR provides that the use of personal data for scientific research is by default compatible with the original purposes for which the data was collected.  The purpose limitation principle and Art. 6(4) of the GDPR simply do not apply when personal data is used for scientific research.  Recital 50 of the GDPR provides that when processing for compatible purposes, “no legal basis separate from that which allowed the collection of personal data is required.”

Obtaining broad consent for scientific research is consistent with these provisions of the GDPR.  A broad consent reflects the fact that the individual must accept the use personal data for other scientific research at the outset (as it is compatible) – that is the baseline position discussed above.  What’s the point of obtaining a (likely incomplete) narrow consent if subsequent further use for scientific research is compatible anyway?  Somewhat provocatively, one could argue that a broad consent for scientific research is the only consent that is fair to data subjects because it informs data subjects of the lawmaker’s policy decision reflected in the GDPR – a policy decision to permit personal data to be used for scientific research, subject to suitable safeguards set out in various provisions of the GDPR.

Tags: Article 5(1)(b) GDPr, broad consent, Datenschutzkonferenz, DSK, guidelines on consent, purpose limitation, Recital 33 GDPR, research, safeguards, Scientific Research, scope of research
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de MenesesEmail
Show more Show less