What is “specific consent”? The EDPB’s acceptance of “broad consent” and “dynamic consent” in its new Guidelines is interesting, but its focus on (a limited view of) “scientific research” is problematic. According to those new Guidelines:
In the field of scientific research, it is possible for controllers to rely on the consent of a data subject to collect and process personal data in a certain area of scientific research when the purposes of research are not fully known at the time of collection of the data” (para. 40) – aka “broad consent”.
The EDPB proposes various safeguards: “controllers intending to process personal data for scientific research purposes on the basis of broad consent should define the purposes of future research as clearly as possible” (44) and “they should ensure that data subjects understand the consequence of their choice that their personal data will be processed in research projects within the area of scientific research that was communicated to them” (46). Also, “controllers should make detailed information available to data subjects (for example on a webpage) on how their personal data are being processed, as the research progresses in individual research projects” (48).
Regarding “dynamic consent”, where you “ask data subjects to consent to each different individual research project – or part thereof – separately, as soon as the purposes for processing personal data in those projects become known” (41), the EDPB foresees that it can be relevant “if the researchers are in a close and prolonged relationship with the data subjects, as may be the case in fields of research where researchers interact with research participants on a regular basis in long-term research projects” (52).
These considerations are the first real guidance on “specific” consent that we have received (in the “Consent” Guidelines of 2020, the parts on “specific” consent were very limited).
Yet they are also inherently problematic. If this “broad consent” is explicitly labelled as (only) possible for scientific research by the EDPB, is this an implicit indication by the EDPB that they consider “consent to the sending of commercial communications” to be insufficiently specific, because that’s broad enough to cover different types of marketing? (// different research projects)
There have been hints by certain authorities that they consider “marketing” insufficiently specific. Yet if you require a much more detailed level of specificity for consent, consent becomes unworkable. Too much consent kills consent.
This exposes a fundamental issue with the notion of specificity: the specificity concerns the *purpose* of processing, not the *processing operation itself*. We must ensure that the data protection framework is workable and not overwhelming.
So perhaps we need a broader view of “specific” consent more generally?
GDPR privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗