Consent under the GDPR must generally be given for a specific purpose. But Recital 33 broadens this to allow "consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research". The justification given is that in research, it's often not possible to fully identify the purpose at the time of data collection.
Guidance endorsed by the European Data Protection Board clarifies that although Recital 33 allows a more flexible approach, it doesn't "disapply" specific consent. A well-described purpose is still required, meaning that blanket or vaguely worded consent is invalid. And when consent is given to areas of scientific research, the guidance says, countermeasures must be in place to respect the spirit of specific consent, such as greater transparency and further safeguards, among others. Although the guidance is silent on this point, one way to address Recital 33's requirement of adherence to "recognised ethical standards" would be approval by a competent research ethics committee.
For secondary research use to be made by another party, Recital 33 also requires that this party be able to prove consent and to have been identified to the participant.
As last month's GDPR Brief argued, researchers should consider relying on a GDPR lawful basis other than consent, and in fact UK guidance states categorically that consent should not be the GDPR basis for health and social care research. The breadth of permissible secondary use under other lawful bases restrained, for example by the necessity and balancing tests of the legitimate interests basis. On the other hand, the breadth of secondary use may be expanded by the GDPR principle that further processing for research purposes is deemed compatible with a valid initial purpose, with certain conditions.
But data protection consent cannot always be avoided in health research. Irish law, for example, generally requires explicit consent to any processing for health research, meaning consent cannot simply be inferred from the participant's behaviour. These rules nonetheless do not require specific consent: consent can be given "in relation to a particular area or more generally in that area or a related area of health research, or part thereof."
This GDPR brief addresses the scope of consent only in data protection law. Even if consent is not used as a GDPR lawful basis, limits on broad consent may be imposed by other legal rules, such as those governing research ethics consent.
Mark Phillips is a lawyer with a background in computer science, and an Academic Associate at the Centre of Genomics and Policy. McGill University. He advises clients on and writes about various data protection issues.