The European Union advisory body that issues non-binding guidance on EU data protection law recently provided final guidelines on the requirements for valid consent under the EU’s General Data Protection Regulation (the “GDPR”). See Guidelines on Consent under Regulation 2016/679 (WP259) (last revised and adopted on Apr. 10, 2018) (the “Final Guidelines”).
The advisory body—the Article 29 Data Protection Working Party (the “Working Party”)—published the Final Guidelines a little over a month before the GDPR’s enforcement date of May 25, 2018. A portion of the Final Guidelines addresses the use of consent as a basis for processing personal data in connection with scientific (including medical or clinical) research, and it is this section of the Final Guidelines on which this article focuses.
A prior article by the present authors provided a summary of the Working Party’s draft consent guidelines that were issued in November 2017 (the “Draft Guidelines”) and an earlier article provided a more general overview of issues regarding consent as a basis for processing personal data in connection with scientific research under the GDPR. See Barnes et al., New Draft Guidelines on GDPR Consent Requirement’s Application to Scientific Research, Bloomberg BNA Med. Res. L. & Pol’y Rep. (Jan. 17, 2018); Barnes et al., Reconciling Personal Data Consent Practices in Clinical Trials with the EU General Data Protection Regulation, Bloomberg BNA Med. Res. L. & Pol’y Rep. (Sept. 20, 2017).
This article provides an overview of the Final Guidelines’ treatment of subjects’ consent in scientific research and identifies lingering problems posed by the Final Guidelines for scientific research.
I. Issues with Draft Guidelines
a. Broad Consent
One of the major issues for the research community during the drafting of the GDPR was the extent to which the regulation would permit the use of broad consent for the processing of personal information for scientific research. The research community thus reacted positively to the final text of the GDPR, which contains in Recital 33 a recognition that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection” and goes on to state that “data subjects should be allowed to give their consent to certain areas of scientific research.” In the Draft Guidelines, however, the Working Party interpreted this recital narrowly, stating that it does “not disapply the obligations with regard to the requirement of specific consent.” See Draft Guidelines at 27.
The Draft Guidelines’ solutions for obtaining consent to future research seemed to demonstrate a lack of understanding among the regulators regarding the typical practices of researchers, especially the distinction between the roles of an investigator and a research sponsor. For example, the Draft Guidelines suggested that “[a]s the research advances, consent for subsequent steps in the project can be obtained before that next stage begins,” thereby imposing on researchers a burden to re-contact research subjects continually, and perhaps frequently, to obtain additional consent. See Draft Guidelines at 28. This proposal could prove infeasible for a number of reasons, such as loss of contact with subjects in multi-year biobanking studies, subjects’ fatigue at repeated requests for additional consent, or, in the case of secondary research conducted by research sponsors, confusion of subjects upon being contacted by an industry sponsor with whom the subjects had not previously had any direct contact.
b. Withdrawal of Consent
Additionally, the Draft Guidelines’ position on withdrawal of consent posed serious problems for the research community. The Draft Guidelines took the position that, upon the withdrawal of consent, the controller “should delete or anonymise the personal data straight away.” Draft Guidelines at 29. In many instances, this interpretation would create an untenable conflict for researchers between a requirement to delete or anonymize data under the GDPR and independent legal and ethical obligations to maintain personal data for the integrity of the clinical trial and/or adverse event reporting. However, the Draft Guidelines also provided room for researchers to make a colorable argument that researchers could rely on separate bases for processing when there existed a requirement to maintain data to comply with legal obligations—at least when those separate purposes and their appropriate lawful bases were identified to data subjects in advance. See Draft Guidelines at 22.
II. Final Guidelines
The Final Guidelines add clarifying text that consent is not the only legal basis under which the GDPR permits data to be processed in connection with scientific research, even in instances in which consent is collected to satisfy “an ethical standard or procedural obligation” related to the research itself. Final Guidelines at 28. In such cases, the Final Guidelines clarify that controllers may rely on other lawful bases for processing personal data in connection with scientific research, such as processing for the performance of a task carried out in the public interest or processing for the legitimate interest of the controller, or processing necessary for scientific research purposes. See id., citing GDPR, Arts. 6(1)(e)-(f), 9(2)(j). Additionally, the Final Guidelines specifically recognize that GDPR Art. 6(1)(c), which permits processing necessary for compliance with a legal obligation to which the controller is subject, may be applicable for “parts of the processing operations specifically required by law, such as gathering reliable and robust data following the protocol as approved by the Member State under the Clinical Trial Regulation.” Id. n.69.
a. Broad Consent
With respect to broad consent, the Final Guidelines do not fundamentally alter the Draft Guidelines’ position. However, the Final Guidelines have removed a provision included in the Draft Guidelines stating that, “[w]here purposes are unclear at the start of a scientific research programme, controllers will have difficulty to pursue the program in compliance with the GDPR.” Draft Guidelines at 27. This removal could suggest that the Working Party may have determined that broad consent to future research uses is not categorically incompatible with the GDPR. However, the Final Guidelines retain the Working Party’s problematic recommendation of “rolling” re-consent and repeated contacts with the data subject as the recommended approach, if research purposes cannot be fully specified at the time of consent. As noted above, this approach could fundamentally impede research for a variety of reasons.
b. Withdrawal of Consent
The Final Guidelines appear to contain a technical drafting error regarding the obligations of the controller upon a data subject’s withdrawal of consent, as the Draft Guidelines provided that, upon receiving a withdrawal request, the controller “should delete or anonymise the personal data straight away if it wishes to continue to use the data for the purposes of the research.” Draft Guidelines at 29. The Final Guidelines deleted the ability of the controller to “anonymise” as an alternative to deleting the personal data, meaning that the revised sentence seems to state, nonsensically, that controllers could delete data in order to continue using them: “[i]f a controller receives a withdrawal request, it must in principle delete the personal data straight away if it wishes to continue to use the data for the purposes of the research.” Id. We believe that this change is an editing error and should not be read to foreclose controllers’ ability to anonymize personal data as an alternative to deleting the data upon a subject’s withdrawal of consent. This view is further supported by the fact that at the end of this sentence the Final Guidelines include a footnote citing the Working Party’s 2014 opinion on anonymization techniques. The Final Guidelines also replaced the word “should” with the phrase “must in principle,” which suggests slightly more flexibility regarding the instances in which data may be retained for future research purposes. Final Guidelines at 30.
The Final Guidelines clarify that, when consent is withdrawn, “the obligation to delete data that was processed on the basis of consent” is subject to there being “no other purpose justifying the continued retention.” Id. at 22. The Final Guidelines reiterate that “[i]n that case, the other purpose justifying the processing must have its own separate legal basis. This does not mean that the controller can swap from consent to another lawful basis . . . .” Id. Accordingly, the Final Guidelines admonish that when data are processed for multiple purposes, the controller must be “clear at the outset about which purpose applies to each element of data and which lawful basis is being relied upon.” Id.
However, the Final Guidelines note that even if the controller relies on another basis to retain data, the controller must still respect data subjects’ requests for erasure, which is a separate right of data subjects under the GDPR. Fortunately, the right of erasure should not prove especially problematic for researchers who maintain data to comply with scientific or legal requirements, as requests for erasure under the GDPR are subject to an exception that permits controllers to retain data for compliance with legal obligations or for scientific research purposes if deletion would be likely to render impossible or seriously impair the achievement of the objectives of such processing. See GDPR, Art. 17(3).
The Final Guidelines contain many of the provisions that made the Draft Guidelines problematic to the research community. First, they continue to take a narrow view of the breadth of consent and potentially require that repeated contacts be made with subjects to obtain additional consents during the life of a multi-year research project. Second, the Final Guidelines continue to provide that data must generally be deleted or anonymized following withdrawal of consent without providing a clear path for retention of data as required by regulatory or research integrity considerations. Despite the imminent GDPR enforcement date of May 25, 2018, the regulated community will still be confused, as demonstrated above, about how the GDPR can be successfully implemented in a way that does not defy or undermine current, long-established research practices or compliance with other concurrent EU and U.S. regulatory obligations.