The digital use of data: what is consent?

Data, medical research, and contract

Consent is a very important consideration for the digital use of data. It is one of the key lawful bases for the use of personal data, but it is also important in medical research contexts, and for consumers, contractually.

General Data Protection Regulation (GDPR)

The starting place for understanding consent is that you must have a lawful basis for processing personal data. Under Article 6 of the GDPR, the lawful bases are:

• consent
• performance under a contract
• a legal obligation
• protection of vital interests
• performance of a task of an official authority, or
• processing necessary for legitimate interests (does not apply to public authorities including hospitals)

What is special category data?

Special category data, though, needs one of these plus a condition for processing under Article 9. Special category data covers more sensitive personal data, and gives those data extra protection:

• data revealing racial or ethnic origin;
• data revealing political opinions;
• data revealing religious or philosophical beliefs;
• data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

In addition to obtaining explicit consent, Article 9 sets out other conditions that make processing lawful; in the UK, you must also meet safeguards specified in Schedule 1 of the Data Protection Act 2018. The Article 9 conditions are:

• preventative or occupational medicine
• assessment of the working capacity of the employee
• medical diagnosis
• provision of health or social care or treatment or management of health or social care systems and services
• public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products
• establishment or exercise of legal claims or defences
• where the individual has manifestly made those data public, or
• archiving purposes in the public interest, scientific or historical research purposes

Clinical use of data

Clinical trials and research must be done having considered legal rules that include ethical requirements. Participating in trials and research is expected to be voluntary with informed consent per the regulations governing clinical trials. What you need to keep in mind is that informed consent for trial participants may not meet the requirement for explicit consent required under the GDPR for the lawful processing of special category data. It is necessary, therefore, to consider both the Clinical Trials Regulation (CTR) and the GDPR. Ensuring you have explicit consent in order to process special category data for clinical trials and research is important.

Informed consent is a requirement for enrolling in a clinical trial and is required by Article 3(2) of the Clinical Trials Directive 2001/20/EU (Directive) (and national implementing legislation), and Article 29 of the Clinical Trials Regulation (Regulation (EU) No 536/2014) (CTR). Consent to participate must be freely given and unambiguous. Currently the UK law on this is the Medicines for Human Use (Clinical Trials) Regulations 2004, but it is about to change. The statutory instrument to amend the Medicines for Human Use (Clinical Trials) Regulations 2004 was laid before Parliament in December 2024. The updated regulations will be debated in 2025 and after a 12-month implementation period, will come into force in early 2026.

Contracts

The general rule in contracts is that there has to be a positive affirmation of accepting, and therefore consenting to, a contract. A contract is an agreement giving rise to obligations. The first requirement for a contract is that the parties should have reached an agreement, which starts with an offer and requires acceptance of the offered terms (in essence, consent to what has been offered).

In the digital world, this is very important as online services typically try to streamline ‘sign-ups’ and acceptance of terms; this can often mean that a user is asked to indicate consent to data processing and to contractual terms together. It does not always go according to plan, though, as a recent US case illustrates. In Chabolla v ClassPass Inc., the US Court of Appeals Ninth Circuit held that website users were not bound by the terms of a ‘sign-in wrap’ agreement. Interestingly, the Court spoke of four types of acceptance and they are not equally seen as enforceable:

• Browsewrap – Users accept a website’s terms merely by browsing the site. Terms are not always immediately apparent to users and courts may decline to enforce.
• Clickwrap – Terms appear in a pop-up screen and users accept them by clicking acceptance. This will likely be enforced by courts.
• Scrollwrap – Users must scroll through the terms before the website allows them to click, manifesting acceptance. You should expect a court to enforce this.
• Sign-in wrap – The website provides a link to terms but it does not require users to actually review and explicitly consent to those terms. This is likely enforceable but the court will consider if on inquiry notice (1) the website provides reasonably conspicuous notice of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.

In short, if you are trying to work with people via a digital medium, you need to understand what you are asking them to consent to, and to ensure the right kind of informed, explicit manifestation is in place. Understanding what kind of information must be offered, and what kind of consent is needed, can be key to avoiding painful problems later.

If you have questions or concerns about the use of data and consent, please contact our Data Protection partners James Tumbridge and Robert Peake.