GDPR Brief: is “consent for genomic and health-related research” specific enough to constitute a valid consent under the GDPR?

2 Dec 2019

There has been an emerging consensus in the genomic research community that “broad consent” is an ethically and legally permissible form of consent. For example, the Council of Europe’s recent recommendations on protection of health-related data expressly permit broad consent for scientific research.

There has been an emerging consensus in the genomic research community that “broad consent” is an ethically and legally permissible form of consent. For example, the Council of Europe’s recent recommendations on protection of health-related data expressly permit broad consent for scientific research.

Broad consent means that a research participant explicitly consents to have their data and/or samples used for a certain range of future research projects, subject to external and ongoing oversight (such as ethics committee approval and monitoring). Despite the emerging consensus on its acceptability, the way in which it may be permissibly implemented under the GDPR is less clear.

In the GDPR, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The qualifiers “specific” and “informed” are important in the genomic and health-related research context. Articles 6(1)(a) and 9(2)(a) speak to the data subject’s consent to the processing of non-special category and special category (e.g. genomic and health-related) data, respectively. They state that the data subject’s consent must be for one or more specific (Art 6) or specified (Art 9) purposes. These provisions, at first glance, might suggest that a broad consent such as “consent for genomic and health-related research” is not sufficiently specific to serve as a valid legal basis for the processing of personal data.

However, and as discussed in a previous Brief, Recital 33 suggests that the GDPR permits broad consent for scientific research, when such consent is subject to generally accepted ethical standards and, presumably, assessment by an ethics committee. Moreover, under the principle of purpose limitation, further processing for scientific research purposes is qualified as being for “specified, explicit and legitimate purposes”. Thus, under the GDPR, “scientific research”, and even more so, “genomic and health-related research”, appear to be a well-defined purpose per se, with no need for further specification.

To this end, the Article 29 Working Party recently has opined that the GDPR’s “Recital 33 does not disapply the obligations with regard to the requirement of specific consent” and that a “well-described purpose” must be included in the consent to comply with the GDPR. They also state: “For the cases where purposes for data processing within a scientific research project cannot be specified at the outset, Recital 33 allows as an exception that the purpose may be described at a more general level” (emphasis added).

We note that the requirement for “explicit” consent (for special category data processing) and a “well-defined purpose” relates to the procedural aspect of consent rather than its permissible scope. That is, the requirement of explicitness goes to the data controller’s need to evidence the consent. A research participant could thus explicitly agree to participate in a research project that details well a broad data-processing methodology, which includes safeguards to mitigate potential harms caused by the application of that method in as yet unknown, future research projects. We also note the importance of Recital 42: for consent to be informed, the data subject should be aware at least of the identity of the controller. This obligation sits alongside (and complicates) the broad consent possibility, at least where new, future controllers will be involved. It is arguable, though, that only the original controller needs to be identified during the consent process. For subsequent as yet unknown data recipients (i.e. researchers), it may be sufficient to mention categories of recipients (controllers and processors) where the exact recipient cannot be named already.

In summary, a reasonable interpretation is that “consent for genomic and health-related research” likely is specific enough to constitute a valid consent under the GDPR. However, a broad consent should be supplemented by additional efforts on the part of data controllers, such as the specification of categories of data-processing methods, safeguards to mitigate the risks of these methods, and categories of potential data recipients.

Further Reading

• Article 29 Working Party, “Guidelines on consent under Regulation 2016/679” (WP259 rev.01) (As last revised and adopted on 10 April 2018). Available here.
• Council of Europe, “Recommendation CM/Rec(2019)2 of the Committee of Ministers to member States on the protection of health-related data”. Available here.
• Mark Phillips, “GDPR Brief: When can I rely on broad consent for research?” (April 2019). Available here.

Relevant GDPR Provisions

• Recital 33 – Consent to certain areas of scientific research
• Recital 42 – Burden of proof and requirements for consent
• Article 4(11) – Definitions
• Article 5(1)(b) – Principles relating to processing of personal data
• Article 6(1)(a) – Lawfulness of processing
• Article 9(2)(a) – Processing of special categories of personal data

Edward Dove is a Lecturer in Law at the University of Edinburgh.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.