On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper (available here in German) on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent and the principle of purpose limitation.
According to the DSK, broad consent should only be used in exceptional circumstances when it is not possible to establish at the outset the expected scope of the research. Moreover, the DSK suggests that a broad consent can be fixed at a later stage of the research by narrowing down the scope of the research once that scope is clearer – i.e., deliberately not using the obtained flexibility. The use of broad consent also does not relieve parties from their obligation to put in place mechanisms to limit the authorized use of data and to prevent the uncontrolled expansion of research use.
In those cases where broad consent is “absolutely necessary”, the DSK sets out a list of recommended safeguards. These safeguards should compensate on three fronts for the weak nature of broad consent: ensuring heightened transparency of the processing, reinforcing the trust of the data subjects in the processing and guaranteeing the protection of the personal data. The safeguards include:
- documenting why specific consent is not possible;
- establishing an internet page informing data subjects on a continuous basis about the research project and future research projects involving their personal data;
- obtaining the consent of the ethics committee for further processing for research purposes;
- verifying if dynamic consent is an option;
- not transferring personal data to countries that do not provide an adequate level of protection of personal data; and
- the application of specific encryption and pseudonymization techniques.
Finally, according to the DSK, controllers should keep a record of their decision to rely on broad consent and of the safeguards they implement, and submit these documents, together with a description of the research project, to the competent bodies responsible for examining the ethical and data protection compatibility of the research project.
Comment:
The DSK opinion is concerning. To a large extent it repeats the Article 29 Working Party’s previous guidelines on consent. However, it demonstrates again that Supervisory Authorities find it hard to come to terms with the GDPR’s favorable provisions for scientific research. The way in which the DSK interprets Recital 33 risks voiding it of any meaning and utility.
This reluctant attitude of the authorities is unnecessary. Recital 33 of the GDPR can be read in a way that dovetails nicely with other provisions of the GDPR that reflect the lawmaker’s policy decision to create a scientific research-friendly framework. In fact, allowing broad consent to be relied on for scientific research can be seen as an extension of the exception to the purpose limitation principle in Art. 5(1)(b) of the GDPR. It is quite astonishing to observe how the Supervisory Authorities can write a dedicated paper on scientific research without making any reference to this exception.
Article 5(1)(b) of the GDPR provides that the use of personal data for scientific research is by default compatible with the original purposes for which the data was collected. The purpose limitation principle and Art. 6(4) of the GDPR simply do not apply when personal data is used for scientific research. Recital 50 of the GDPR provides that when processing for compatible purposes, “no legal basis separate from that which allowed the collection of personal data is required.”
Obtaining broad consent for scientific research is consistent with these provisions of the GDPR. A broad consent reflects the fact that the individual must accept the use personal data for other scientific research at the outset (as it is compatible) – that is the baseline position discussed above. What’s the point of obtaining a (likely incomplete) narrow consent if subsequent further use for scientific research is compatible anyway? Somewhat provocatively, one could argue that a broad consent for scientific research is the only consent that is fair to data subjects because it informs data subjects of the lawmaker’s policy decision reflected in the GDPR – a policy decision to permit personal data to be used for scientific research, subject to suitable safeguards set out in various provisions of the GDPR.