Broad consent under the GDPR : an optimistic perspective on a bright future

Broad consent-the act of gaining one consent for multiple potential future research projects-sits at the core of much current genomic research practice. Since the 25th May 2018, the General Data Protection Regulation (GDPR) has applied as valid law concerning genomic research in the EU and now occupies a dominant position in the legal landscape. Yet, the position of the GDPR concerning broad consent has recently been cause for concern in the genomic research community. Whilst the text of the GDPR apparently supports the practice, recent jurisprudence contains language which is decidedly less positive. This article takes an in-depth look at the situation concerning broad consent under the GDPR and-despite the understandable concern flowing from recent jurisprudence-offers a positive outlook. This positive outlook is argued from three perspectives, each of which is significant in defining the current, and ongoing, legitimacy and utility of broad consent under the GDPR: The principled, the legal technical, and the practical. © 2020 The Author(s)

The genomic data deficit : On the need to inform research subjects of the informational content of their genomic sequence data in consent for genomic research

Research subject consent plays a significant role in the legitimation of genomic research in Europe – both ethically and legally. One key criterion for any consent to be legitimate is that the research subject is ‘informed’. This criterion implies that the research subject is given all relevant information to allow them to decide whether engaging with a genomic research infrastructure or project would be normatively desirable and whether they wish to accept the risks associated with engagement. This article makes the normative argument that, in order to be truly ‘informed’, the research subject should be provided with information on the informational content of their genomic sequence data. Information should be provided, in the first instance, prior to the initial consent transaction, and should include: information on the fact that genomic sequence data will be collected and processed, information on the types of information which can currently be extracted from sequence data and information on the uncertainties surrounding the types of information which may eventually be extractable from sequence data. Information should also be provided, on an ongoing basis, as relevant and necessary, throughout the research process, and should include: information on novel information which can be extracted from sequence data and information on the novel uses and utility of sequence data. The article argues that current elaborations of ‘informed’ consent fail to adequately address the requirements set out in the normative argument and that this inadequacy constitutes an issue in need of a solution. The article finishes with a set of observations as to the fora best suited to deliver a solution and as to the substantive content of a solution. © 2020 The Author

(Un)informed consent in Psychological Research: An empirical study on consent in psychological research and the GDPR

In many instances, psychological research requires the collection and processing of personal data collected directly from research subjects. In principle, the General Data Protection Regulation (GDPR) applies to psychological research which involves the collection and processing of personal data in the European Eco- nomic Area (EEA). Further, the GDPR includes provisions elaborating the types of information which should be offered to research subjects when personal data are collected directly from them. Given the general norm that informed consent should be obtained before psychological research involving the collection of personal data directly from research participants should go ahead, the information which should be provided to subjects according to the GDPR will usually be communicated in the context of an informed consent process. Unfortunately, there is reason to believe that the GDPR’s obligations concerning information provision to research subjects may not always be fulfilled. This paper outlines the results of an empirical investigation into the degree to which these information obligations are fulfilled in the context of psychological research consent procedures to which European data protection law applies. Significant discrepancies between the legal obligations to provide information to research subjects, and the information actually provided, are identified

Data Protection Impact Assessments in Practice: Experiences from Case Studies

In the context of the project A Data Protection Impact Assessment (DPIA) Tool for Practical Use in Companies and Public Administration an operationalization for Data Protection Impact Assessments was developed based on the approach of Forum Privatheit. This operationalization was tested and refined during twelve tests with startups, small- and medium sized enterprises, corporations and public bodies. This paper presents the operationalization and summarizes the experience from the tests

Information Provision for Informed Consent Procedures in Psychological Research Under the General Data Protection Regulation: A Practical Guide

Psychological research often involves the collection and processing of personal data from human research participants. The European General Data Protection Regulation (GDPR) applies, as a rule, to psychological research conducted on personal data in the European Economic Area (EEA)—and even, in certain cases, to psychological research conducted on personal data outside the EEA. The GDPR elaborates requirements concerning the forms of information that should be communicated to research participants whenever personal data are collected directly from them. There is a general norm that informed consent should be obtained before psychological research involving the collection of personal data directly from research participants is conducted. The information required to be provided under the GDPR is normally communicated in the context of an informed consent procedure. There is reason to believe, however, that the information required by the GDPR may not always be provided. Our aim in this tutorial is thus to provide general practical guidance to psychological researchers allowing them to understand the forms of information that must be provided to research participants under the GDPR in informed consent procedures

Dara Hallinan & Paul De Hert, ‘Many have it wrong – Samples do contain personal data:The data protection regulation as a superior framework to protect donor interests in biobanking and genomic research

Genomic research relies on the availability of genomic data. Detached biological samples, stored in facilities known as biobanks, are the source of this data. Donors have interests in these samples. In particular, donors have interests in samples by virtue of the personal data they contain. In relation to this observation, this article puts forward three arguments. First: The current European legislative framework relating to samples is inadequate. This inadequacy results from not understanding samples in terms of the information they contain. Second: European data protection law, in particular as outlined in the forthcoming Data Protection Regulation, might be looked as a source of solutions. However, whether data protection law can apply to samples at all remains a subject of debate. One key argument supports the position that it cannot: Samples are not data, but rather are physical mater, and therefore can only a source of data. Third: The assertion that ‘samples are not data, but rather only physical matter’ is flawed. Samples do contain data – DNA is data. DNA is understood as information both popularly and in the genetic sciences. In fact, even in informatics, DNA can be understood as data

Genetic classes and genetic categories: Protecting genetic groups through data protection law

Each person shares genetic code with others. Thus, one individual’s genome can reveal information about other individuals. When multiple individuals share aspects of genetic architecture, they form a ‘genetic group’. From a social and legal perspective, two types of genetic group exist: Those which map to social groups – ‘genetic classes’ – and those which are perceived through interrogation of shared genetic code – ‘genetic categories’. Both of these groups may be seen to have legitimate interests affected when data about them are processed. This contribution considers if these interests can be effectively protected by the Data Protection Regulation. The contribution finds that the Regulation explicitly excludes genetic groups only in a relation to a limited number of provisions. Yet, the contribution also finds that the use of the Regulation to protect genetic groups would raise significant technical and substantial problems. In light of these problems, the contribution suggests a way forward based around guidance and ex ante oversight