This blogger has previously discussed some of the difficulties in relying on consent as a justification for lawful processing under GDPR, but these difficulties bear closer examination. First, the basics. Then some thoughts on the use of consent in the research world and whether it is always needed.
Consent is one of the six lawful bases that justify the processing of personal data. To be adequate, consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by a statement or clear affirmative action – granular is the word the regulators use. It is not silence or a pre-ticked opt-in box. It is not a blanket acceptance of a set of terms and conditions that include privacy provisions. It can be ‘by electronic means’ – it could be a motion such as a swipe across a screen. But, where special category data (sensitive data such as health data) are processed and explicit consent is needed, this will be by way of a written statement.
The data controller must be able to demonstrate consent. This goes to accountability – the controller is responsible for demonstrating compliance across the piece although GDPR does not mandate any particular method.
Consent must be requested in an intelligible and easily accessible form and must be clearly distinguishable from other matters. The request cannot be bundled up and appear simply as one part of a wider set of terms. When the processing has multiple purposes, consent should be given for each of them – granularity again. Conflated purposes remove freedom of choice.
Consent must be freely given. It must be a real choice. Employers will always find it hard to show that their employees have consented freely, for example. The choice needs to be informed. Without information, any choice is illusory (the transparency principle). As a minimum, the informed individual would need to know: the controller’s identity; the purpose of the processing; the data to be collected and used; and, that consent can be withdrawn.
It must be as easy to withdraw consent as it was to give it. This doesn’t necessarily mean that withdrawal must be by the same action (swipe to consent and withdraw) but rather that withdrawal must be by the same interface (consent via the website, withdraw via the website). After all, switching to another interface would involve ‘undue effort’ for the individual. If consent is withdrawn, the individual must not suffer any detriment.
With pleasing circularity, demonstrating that withdrawal carries no cost and no detriment (meaning no significant negative consequences) helps to demonstrate that the consent itself has been freely given.
Consent in the research world
Getting granular consent (meaning consent specific to a given purpose) can be repetitive. Bundling up different consents in one is not allowed, so multiple purposes make for long lists of consents and the risk of consent fatigue. Other lawful bases may be more convenient, and consent should not be the default or unthinking route for controllers. Aside from the high threshold for adequate consent, the GDPR’s transparency agenda means that there is a strong argument that if consent is given as the lawful basis at the outset, there can be no substitution of a different legal basis if consent is withdrawn.
Getting granular consent can be difficult. GDPR recognises that it may not be possible to fully identify the purpose of scientific research processing at the point of data collection and acknowledges that individuals could consent only to certain areas of research. GDPR’s principles are relaxed for the benefit of scientific research but they continue to apply. The purpose of the processing must still be described but it is enough for the research purpose to be ‘well described’ rather than specific. Transparency is a safeguard where specific consent is not possible. Research plans should be available. Consent should be refreshed as the research progresses.
Consent must be freely given. Does a research participant have a free choice? Probably yes, if the intended processing is not arbitrary or unusual and if the information provided is adequate and accurate. An informed refusal to join a clinical trial will not lead to standard treatment being withdrawn so there is no detriment. But what if the standard treatment is not working? If the individual has to consent to arbitrary processing of their personal data in order to take what may be their only remaining hope then it is difficult to see that as a free choice.
Consent can be withdrawn. Researchers have some comfort in that processing that has already been carried out remains legitimate after consent is withdrawn. But further processing must stop, which threatens the ongoing research project unless the data can be disentangled. To make matters worse (for the researcher), if there is no other legal basis for holding the data then it may be necessary to delete it – more difficult disentangling, especially if the individual forces deletion through their right to be forgotten.
What can the worried researcher do about the risk of withdrawal? Anonymising the data and carrying on is always a good answer. Relying on a different legal basis in the first place (and carrying on) is another good answer.
Sidestepping the issue by making the consent irrevocable is not a good answer: it would breach the requirement that consent can be withdrawn at any time.
A sneaky lawyer’s answer may be to embrace the requirement that consent must be as easy to withdraw as to give. If changing formats involves ‘undue effort’ then avoid electronic means and require consent to be in writing. This answer is not guaranteed by any stretch of the imagination: the data controller is essentially betting that few will bother to put pen to paper to withdraw.
Clearly GDPR consent is a troublesome beastie but there is one strong point in its favour. Using consent as the legal basis for processing promotes trust. Repeatedly refreshing that consent as the research progresses reinforces trust. Trust makes the engagement stronger. Perhaps the prize of a stronger and more committed and engaged research cohort based on consent is worth it?