Consent misconception and other consequences of a ‘dual’ meaning of consent

Informed consent remains a fundamental normative core of such well-known legally non-binding global research ethics guidelines as the WMA Declaration of Helsinki (WMA (World Medical Association) 2013) and the Council for International Organizations of Medical Sciences (‘CIOMS’) guidelines (Council for International Organizations of Medical Sciences (CIOMS) 2016). These guidelines followed the Nuremberg code (1949) in emphasizing the fundamental role informed consent must play in research involving physical or other forms of intervention (‘interventional consent’). A similar centrality of consent seems to be also retained by these guidelines in case of research that only involves processing of health data (‘informational consent’) because any modifications or waiving of consent in these guidelines are only allowed in exceptional circumstances. In addition to the mentioned global research ethics guidelines, the central role of consent is also retained in the research ethics documents of the Council of Europe and the European Union dealing with the issue of consent in human participant research.

Such a consent-centered normative framework of research has been challenged after the EU General Data Protection Regulation (GDPR) entered into force in 2018 (Regulation (EU) 2016). Before the entry into force of the GDPR, consent to participation in medical research was widely perceived as integrating both ‘interventional consent’ as well as ‘informational consent’ to process personal data. After the GDPR entered into effect, the areas of human research involving interventions and research activities related only to processing of data became legally more separated in the EU member states. First, in contrast to the research ethics guidelines, the GDPR does not give consent any predefined priority for health data processing. Consent is only one among other legal mechanisms, such as a distinct research condition for processing special category data under Article 9(2)(j) (abbreviated further as ‘research condition’), which provides an alternative to re-consent for the research use of previously collected personal data and biological materials. Although there were alternative grounds for processing personal data for research purposes under the previous Directive 95/46 EC, the GDPR (which is a legally binding regulation directly applicable in all the EU) has made the alternatives to re-consent more explicit and therefore presented a “research-friendly approach” (Shabani and Borry 2018). Second, another distinctive feature of the GDPR is that it sets up very high requirements for informed consent to process personal data: it needs to be clear, concise, specific and granular, freely given and revocable (EDPB (European Data Protection Board) 2020). However, such a demanding standard of consent is paradoxically also the source of divergence from the conceptual framework of consent in the research ethics regulations. 
Compliance with the demanding GDPR consent standards might not always be met in case of collecting and sharing big sets of data for biobanking purposes as well as in case of secondary research use of personal data that have been initially collected for other purposes. As a result, strict GDPR consent requirements have encouraged research institutions and researchers to assess whether the mentioned activities comply with a valid consent according to the GDPR standard and therefore created uncertainty about the suitability of consent as a legal basis for data processing in research.

In such a way, a combination of these two factors, namely, the stringent consent requirements and giving no priority to consent as a legal mechanism for the research use of personal data, has been an impetus to review whether the exemptions from the explicit consent as well as another legal basis (such as public interest rather than consent) would be more appropriate for the secondary research use of personal data and biological materials. This also makes research without explicit consent, such as earlier mentioned ‘research condition’ under the Article 9(2)(j), a much less exceptional scenario for data processing as compared to what is still recommended in the current research ethics guidelines. It should also be noted that another alternative to re-consent based on the Article 9(2)(i) of the GDPR, which allows exemptions from the explicit consent when “processing is necessary for reasons of public interest in the area of public health”, has recently been particularly relevant due to the urgency of health data sharing in the context of research aimed at developing COVID-19 diagnostics, therapies and vaccines (Staunton 2021).

An interplay between different consent requirements has also been a source of important ambiguities and misconceptions. For example, a researcher conducting a particular clinical trial must follow human research guidelines and obtain explicit consent for clinical intervention. However, s/he can process data obtained in the course of this intervention following the mentioned ‘research condition’, which allows data processing without explicit consent when this is deemed to be necessary for scientific purposes. That is why failure to make a clear distinction between research ethics consent and data processing consent can lead to the ‘consent misconception’, where research participants can think that consent to participate in a research project also extends to the consent to process their personal data (Dove and Chen 2020) and therefore mistakenly believe that they are still able to access the data, object to its further processing or erase it (in case these rights are restricted either by the national or EU law). Any such misunderstanding could threaten the clarity needed for public trust in future research.

There are also some other controversies arising due to the divergent concepts of informational consent as defined in the GDPR and the research ethics regulations. A particularly important area of diverging interpretations is related to the debate on the use of the concept of ‘broad consent’, which has been very important in the field of biobanking and other areas of the prospective collection of biological materials and health data (Global Alliance for Genomics and Health 2019).

The mentioned controversies can also lead to some practical uncertainties. For example, the GDPR does not give research ethics committees (RECs) a legal mandate to examine data processing issues as all these issues seem to stay at the disposal of researchers and data protection officers (DPOs). On the other hand, in a number of countries, studies based exclusively on health data have traditionally been an integral part of the REC review. Indeed, the importance and social value of the research, assessment of benefits and risks including those related to data processing to mention but a few, are the key issues of ethics assessment to justify the secondary use of personal data in a particular study.

Although the discrepancies between the GDPR and research ethics regulations as well as their practical consequences have occasionally been raised in the legal literature after the GDPR came into force in 2018, they have not been sufficiently addressed from the research ethics perspective. Such a normative discordance is unfortunate when there is an increasing need for health data sharing in the context of personalized medicine as well as the urgency of data sharing for the research aimed at developing COVID-19 diagnostics, therapies and vaccines.

Diverging interpretations of consent

Due to the mentioned difficulties in complying with the stringent GDPR concept of consent in health data research, the European Data Protection Board (EDPB) (EDPB 2019) and national bodies like Medical Research Council (MRC (Medical Research Council) 2020) and Health Research Authority in the UK (HRA (Health Research Authority) 2018), recommend choosing other legal bases for data processing than consent. On the other hand, some GDPR experts argue that consent should still be an option for collecting data in research because research participant/data subject could be unwilling to have their data used in studies that contradict their ethical beliefs, such as, for example, using health and genetic data to profile families, gender or race (Reichel 2021; Staunton et al 2019). Others claim that broad consent is also in line with the requirements for consent set in the GDPR because it allows individuals to control whether they want their biological samples and data to be used in future unspecified research. In particular, the reasons to restrict this kind of control do not seem relevant in the context of genomic research infrastructures, such as biobanks, and increasing empirical data on the benefits of genomic research (Hallinan 2020). Subsequently, some international research organizations (Global Alliance for Genomics and Health 2019) still see broad consent as a legal basis for data processing.

In addition to these contradicting viewpoints expressed by GDPR experts, even deeper discrepancies emerge when comparing the GDPR and research ethics regulations. These two sets of different regulatory regimes provide diverging interpretations of what are the legitimate modifications of consent in the context of human research based exclusively on data. In particular, the need to clarify the role and meaning of broad consent at EU level emerged because two recent European Regulations (i.e. the GDPR and Clinical Trial Regulation (Regulation 2014)) provided different and, in some cases, contradicting interpretations of this principle.

On the one hand, GDPR Recital 33 seems to open the way for a broader interpretation of the concept of consent as it allows data subjects “to give their consent to certain areas of scientific research”. However, the Article 29 Working Party, which is authorized to provide interpretation of the GDPR provisions, restricts such a “flexible” interpretation of the Recital 33 noting that “…when special categories of data are processed on the basis of explicit consent, applying the flexible approach of Recital 33 will be subject to a stricter interpretation and requires a high degree of scrutiny.” (Article 29 WP 2018). The Article 29 Working Party provides an explanation of such a “stricter interpretation” of consent, which requires a continuous process of specification of consent by means of re-consenting for each subsequent step of the research project. This interpretation seems to be in line with new interactive approaches, such as dynamic consent (Teare et al. 2021). However, it is hardly compatible with a more traditional concept of broad consent obtained only at the time of enrolment in the biobank and limited to such issues as the overall scope and aims of the biobank as well as its governance (Mikkelsen et al. 2019).

On the other hand, a much more relaxed interpretation is provided by Recital 29 and Article 28 (2) of the Clinical Trial Regulation, which is another EU Regulation enabling universities and other research institutions to collect data from clinical trials of medicinal products to be used for future scientific research, for example for medical, natural or social sciences research purposes, if the subject gives consent to use his or her data “outside the protocol of the clinical trial”. Similarly, CIOMS Guidelines 11 and 12 introduced broad informed consent “extending to a number of wholly or partially undefined studies”. Some authors therefore seem to rely on these more relaxed interpretations of broad consent and claim that by limiting the use of broad consent, the GDPR significantly narrows “the extent to which consent could ever be a realistic basis for processing in the context of banked personal data and associated biospecimens” (Peloquin et al. 2020).

Recent discussion on the proposed EU Data Governance Act (DGA) also shows some tendency towards a more relaxed interpretation of the broad consent. The DGA introduces the concept of ‘data altruism’ and defines it as “the consent by data subjects to process personal data pertaining to them, < …or > without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services” (DGA Article 2.10) (European Commission “Data Governance Act” 2020). By introducing the concept of “processing for purposes of general interest”, the DGA may seem to also allow in certain circumstances the processing of personal data for not strictly defined research purposes which serve the general interest (e.g., scientific research) and therefore challenges the restrictive position of the Article 29 Working Party on broad consent referred to earlier. However, it is still to be seen what a more precise interpretation of consent based on the concept of ‘data altruism’ will be, taking into account the demanding GDPR consent requirements.

The debate that has sparked around the broad consent also raises more general questions on the meaning of this concept and its continued use in Europe and world-wide. For example, broad consent has been recently enabled by US research legislation. Under the prior regulations, US researchers had two consent related options: obtain study-specific informed consent or request the Institutional Review Board (IRB) to waive the requirement to obtain informed consent (Maloy and Bass 2020). Regulatory broad consent, which came into force in 2019, was seen as a means to facilitate personal autonomy and trust in the research enterprise and was supported by both researchers and patients (Lynch et al. 2019). Although some authors find the implementation of broad consent challenging (Lynch et al. 2019), this change of legislation suggests a noteworthy tendency toward increasing use of broad consent in the US in contrast to the EU.

Consent modifications to fit biobanking purposes and to better comply with the requirements of informed consent have also been widely discussed in the academic literature. On the one hand, there are those who argue that more innovative and specific consent approaches, such as dynamic consent (Teare et al. 2021) as well as meta-consent (Ploug and Holm 2020), would be better options to protect personal autonomy. In particular, in contrast to traditional forms of consent, which may be recorded once and limited to its documented form, platforms such as dynamic consent offer a way to meet the strict GDPR consent standards, such as specificity, granularity, revocability, and transparency. This is facilitated by an ongoing dialogue with the biobank or genomic research project participants, as their consent is continuously amended following changes and developments of the scientific project (EU-STANDS4PM 2020, p.26–27; Haas et al. 2021). On the other hand, there are those proposing to further optimize broad consent through “strong ethical review and continuous communication” by the means of regular newsletters with the biobank participants (Mikkelsen et al. 2019). Of course, ethical and legal controversies related to biobanking would be significantly reduced if biological samples stored for future research were fully anonymized. However, such a use of biological materials would significantly limit their value in future research. In addition, it is increasingly recognized that researchers may have an ethical and, in some jurisdictions, legal obligation to return at least certain types of incidental findings to the participants of biobanks. It has even been argued that incidental findings should not be seen as an unnecessary obstacle to biobanking, but rather as an incentive that could increase people’s motivation to donate their biological materials and data to biobanks (Lekstutiene et al. 2021).
All these attempts to find alternatives or to further develop the concept of broad consent show that there is also a continuing discrepancy between its interpretations in the legal dogmatic and the broader academic literature.

Waivers of consent and the research condition

Another controversy between regulations of data protection and research ethics regulations might have emerged regarding the option of waiving consent for the research use of identifiable human material or data. To use GDPR specific terminology, in these cases we refer to the already mentioned ‘research condition’ scenario, which allows secondary data processing without explicit consent when this is necessary for the scientific research purposes.

Let’s start with the research ethics regulations. For example, the latest version of the Declaration of Helsinki (WMA (World Medical Association) 2013), which is one of the most influential research ethics guidelines, notes that in case of research on identifiable human material or data contained in biobanks or similar repositories, an option to waive consent is only allowed in “exceptional situations where consent would be impossible or impracticable to obtain for such research” and with an approval of a research ethics committee. Similarly, according to CIOMS Guidelines 11 and 12, REC may waive the requirement of individual informed consent in case of research use of stored biological materials or data “collected for past research, clinical or other purposes without having obtained informed consent for their future use for research” only if “the research would not be feasible or practicable to carry out without the waiver.” (Council for International Organizations of Medical Sciences (CIOMS) 2016). Even stricter conditions to waive consent are suggested by the Council of Europe Recommendation on research on biological materials of human origin. This document seems to present the option of waiving consent as an exemption allowed by RECs only “where the attempt to contact the person concerned” has been made and proved to be unsuccessful (Council of Europe. Recommendation 2016).

On the other hand, some interpretations of the GDPR research related provisions can lead to much more relaxed positions. For example, according to the EDPB, scientific research may not require a legal basis envisaged in Article 6 of the GDPR and therefore seems to allow the re-use of data for scientific research without an identified lawful basis, such as consent or even public interest (EDPB 2019). It should be noted that some countries take a more cautious approach and require taking public interest as a legal basis for data processing in health research under the ‘research condition’ scenario, which allows secondary data processing without explicit consent. Article 89(1) GDPR requires that such processing is subject to “appropriate safeguards” that ensure “technical and organizational measures”, such as data minimization and pseudonymization. In this case, states may also require some specific conditions to be satisfied. For example, the UK Health Research Authority requires researchers to assure that “substantial damage or distress is not caused to the subjects”. In Denmark, scientific and statistical studies must carry “significant importance to society” and in Germany the research condition is allowed only if “the interests of the controller in processing substantially outweigh those of the data subject in not processing the data” (EU-STANDS4PM 2020). However, it should be noted that these country specific conditions are much more modest as compared to those of the research ethics regulations. These conditions do not refer to the exceptional circumstances, such as impossibility to conduct research without a waiver of consent, imposed by the research ethics documents. As a result, the GDPR opens an easier way to re-use health data for scientific research without re-consent.

The divergent interpretations of research use of personal data and biological materials also point to some broader questions. When should consent be prioritized as a legal basis for data processing? What are the criteria to decide when a research condition scenario is justified, and public interest overrides the need to obtain consent? What role should the RECs and DPOs play in these circumstances?

Implications for researchers, research institutions, RECs and DPOs

The questions posed at the end of the previous section demonstrate the need for closer cooperation between RECs and data protection bodies when scrutinizing the ethical and legal justification of research studies using personal data and biological materials. It is very important to facilitate such a cooperation as a means to counterbalance some potential negative effects of legal separation between human research involving interventions and research activities only related to processing of personal data. This separation can easily lead to a situation where personal data assessment is being assigned to only data controllers (e.g., researcher and/or research institutions) assisted by legal units and DPOs acting at the institution, while leaving it to RECs to review studies and related informed consent issues dealing exclusively with the interventional aspects of research. The involvement of RECs in the assessment of research related data processing seems to be very relevant due to the need to assess the importance and social value of research, the benefit and risk ratio, as well as distress to the subjects, which are issues typically examined during the review procedure by RECs and elaborated in detail by different research ethics guidelines, such as the Declaration of Helsinki and CIOMS Guidelines specifically focusing on all the mentioned aspects of research. A more extensive involvement of RECs might also serve as a useful tool to determine criteria on how to define 'public interest' and to assess proportionality when balancing the aims of the research and the protection of personal data (Mezinska et al. 2020).

There are, however, some important organizational challenges to such cooperation between RECs and data protection bodies arising in the context of overlapping research and data protection regulatory regimes. For example, the Clinical Trial Regulation explicitly states that part II of the assessment report of the clinical trial application (to be produced by the REC) should include a review of whether the application is in “compliance with Directive 95/46/EC” (currently the GDPR). However, the GDPR does not provide RECs with a legal mandate to examine data processing issues, which are a prerogative of data controllers, data protection authorities and DPOs. This organizational contradiction can be resolved by pursuing closer cooperation between RECs and data protection bodies.

Concluding remarks

Although the GDPR has not been specifically introduced as a research regulatory instrument (Slokenberga et al 2021), it has nevertheless significantly shaped the conduct of scientific research in the EU in its attempt to harmonize two important but at the same time sometimes conflicting goals: first, giving European citizens more control over their personal data, and second, ensuring more flexibility in data processing in the context of research activities. On the one hand, introduction of a distinct ‘research condition’ for data processing under Article 9(2)(j) or Article 9(2)(i) can be regarded as a shift towards a more flexible approach in human research as it enables researchers to process personal data without consent and does not give consent any predefined priority. On the other hand, introducing stricter requirements for consent under Article 7 GDPR can be seen as an attempt to provide research participants a means to have stronger control over the research use of their personal data. It should be noted however, that after the GDPR entered into force, the mentioned provisions have also started to challenge traditional research ethics frameworks because, in contrast to the consent-centered research ethics regulations, the GDPR made consent a much more challenging option for data processing. Therefore, research participants, researchers and RECs should be well informed about this change in the role and meaning of consent, which has transformed a rather uniform pre-GDPR consent framework. A clear distinction between the interventional and informational aspects of research as well as the ability to distinguish between different legal grounds of data processing is an important precondition to safeguarding the rights of research participants and to preventing the so-called ‘consent misconception’.

In this dialogue between the research ethics and data protection regulations two major consent related controversies seem to be particularly important. One area of diverging interpretations is centered around the concept of ‘broad consent’. There are currently several divergent approaches dealing with the ethical and legal acceptability of broad consent. One position, opposing a strict interpretation of Recital 33 of the GDPR by the Article 29 Working Party, accepts broad consent for data processing in research. This position can also be supported by suggestions to further optimize broad consent through strong ethical review and better communication with the biobank participants. On the other hand, the proponents of a stricter GDPR based position prefer to use the public interest rather than consent as a legal ground for prospective collection and research on health data and biomaterials. This does not preclude the need to obtain (broad) consent as required by the research ethics guidelines, but in this case consent would be regarded only as an additional safeguard rather than a legal ground for data processing. However, this option might be problematic as it might cause a research misconception among research participants if not properly explained. Of note, all the opposing positions could be reconciled by consent modalities, such as dynamic consent, which seems to meet both the GDPR and the research ethics requirements.

Another major area of diverging interpretations between the GDPR and the research ethics regulations deals with the ‘research condition’ scenario, which allows secondary data processing without explicit consent when this is deemed necessary for the scientific research. Considering that some European countries encourage the use of the ‘research condition’ for secondary research use of health data based on the legal basis of public interest, it is important to ensure an interaction between RECs and data protection bodies and a better integrated framework for processing of personal data, where research ethics regulations operate along with the GDPR. In such a framework, RECs should have a meaningful role in defining criteria to explain such GDPR relevant issues as ‘public interest’, risks and benefits to the research subjects whose data are to be used for research purposes, as well as promoting data sharing, especially having in mind that DPOs are not always involved in the development of research protocols and direct interaction with the researchers. This shows a strong need for cooperation between RECs and data protection bodies. Such a cooperation should be facilitated despite the emerging tendency to assign personal data assessment to only data controllers (researcher institutions and researchers) assisted by legal units and DPOs, while leaving informed consent issues related exclusively to the interventional aspects of research to RECs.

Finally, in this context of the interplay between the research ethics regulations and regulations on the protection of personal data, it is important not to discount consent as a legal basis when it is methodologically feasible because consent can empower data subjects to control their data and can put the data subject on a “more symmetrical informational and communicative plane with the data controller” (Dove and Chen 2020). In addition, it seems that consent is still perceived as a priority basis for processing personal data for research purposes by some researchers and regulators in a few EU member states (Vlahou et al 2021; Assessment of the EU Member States’ rules on health data in the light of GDPR 2021). Furthermore, studies on public opinion also show that there is still a prevailing interest of individuals to have control over personal data with regard to what data are collected, who has access to this data, how and with whom data are shared and for what purposes the data are used. In this context, informed consent is still regarded as an important mechanism facilitating individual control over personal data (Aitken et al 2016). Therefore, consent plays an important role in sustaining public involvement in data sharing initiatives. While there are still ongoing discussions on what would be the best option for data sharing (the use of dynamic consent, broad consent or data donation without consent), it seems that public preferences for a certain level of control over their data, regardless of the lawful basis relied upon under the GDPR, support a continued role for consent, which maintains trust in research, shows respect to study participants, and is a default necessity under the research ethics guidelines.