The challenges big data poses to informed consent and how to address them

Autor
Prof. Bernice Simone Elger, Institut für Bio- und Medizinethik (IBMB), Universität Basel

Fulfilling the requirement of true informed consent for data use is challenging in today’s digitalized world. It might be necessary, more transparent, and more honest to abandon, at least in part, the concept of informed consent to big data processing and use and complement it with mechanisms that ensure protection from harm or guarantee appropriate compensation in the case of harm.

In this main article, I will deal with the ethical issues of informed consent and its legal framework. The requirement of informed consent is based on the fundamental ethical principle of respect for the autonomy of human beings. Already in the 19th century, studies that included human subjects without their knowledge or consent caused public outrage and led to legislation requiring informed consent from research participants (Maaßen 2015). For a long time, the use of data has been considered exempt from consent requirements under certain conditions. There are two primary reasons for this. First, contrary to clinical trials that include direct interventions on human beings, data are detached from human subjects. Therefore, there did not seem to be a strong need to protect subjects whose data was used from bodily harm. Second, the use of medical data from entire patient populations is important to detect adverse reactions to medications or other side effects of medical treatments. Thus, important side effects might be overlooked if some patients refused to consent to the use of their data, especially as patients with negative side effects tend to be angry at the healthcare system and refuse consent. Since identifiable data may cause harm, the easiest protection against harm seems to be anonymisation, which prevents data from being linked to the person who provided them. These considerations have influenced the Swiss Federal Act on Human Subject Research (HFG) as well as the Declaration of Helsinki (Swiss Confederation 2011; World Medical Association 2008). Both treat only the use of identifiable data as human subject research that falls under the protective regulations. In addition, both permit, under some conditions, weaker standards of consent, such as presumed consent with a right to opt out or general consent (general consent means that research participants do not receive any specific information about any future research projects to be carried out using their data, see HFG Art. 32, 33) or grant the option to a research ethics committee (REC) to waive consent requirements under certain conditions (Art. 34 HFG).

The era of big data has exacerbated the ethical and legal debate about appropriate consent for data use, in the medical arena and outside it. Concerns originate from the growing awareness that “all our data will be health data one day” (Schneble, Elger, and Shaw 2020a), and that true anonymisation is difficult or, in the case of genetic data, even impossible (Elger and Caplan 2006; Genevieve et al. 2018). The Swiss and international research ethics regulations reveal the theoretical and practical problems with informed consent in the era of big data. On the one hand, respect for autonomy requires the provision of a maximum of information and choice to those whose data are being used and their protection against harm. On the other hand, there are interests that override the right to informed consent; for example, data may be accessed without consent to prevent epidemics or crimes (Schneble, Elger, and Shaw 2020b). Furthermore, the complexities of big data make fully informed consent procedures impractical or at least so time-consuming that Internet users or research participants will tick boxes or provide agreement based on trust rather than true understanding. A common example is the often uninformed “consent” given by users to the terms and conditions of apps and social media companies (Schneble et al. 2021). Users rarely take the time to try to read and understand what they are “ticking themselves into” when they join Internet platforms or use services. While some experts recommend additional regulation for big data (Terry 2014), others are against what they call big data exceptionalism, that is, they are convinced that existing regulations concerning data processing and use apply equally to big data (Rothstein 2015).

One of the six lawful bases for processing personal data that are listed in Article 6 of the General Data Protection Regulation (GDPR) of the European Union is to obtain valid user consent. In the case of children or incapacitated adults, this would be parental consent or the consent of legal proxies. But how can this be put into practice? How can the challenges of big data to informed consent be adequately addressed in real life? The EU working party that provided guidance before GDPR entered into force wrote that “Swiping a bar on a screen, waving in front of a smart camera, turning a smartphone around clockwise, or in a figure-eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request (e.g., if you swipe this bar to the left, you agree to the use of information X for purpose Y. Repeat the motion to confirm). The controller must be able to demonstrate that consent was obtained this way, and data subjects must be able to withdraw consent as easily as it was given” (Article 29, Working Party 2018). While this may help to address the ambiguity of ticking boxes on the Internet, it does not solve the very essence of consent to big data use: the fact that the human brain is unable to cope with the huge amount of information and possible consequences of big data use. Thus, it might be necessary, more transparent, and more honest to abandon, at least in part, the concept of informed consent to big data processing and use and complement it with mechanisms that ensure protection from harm or guarantee appropriate compensation in the case of harm.

In the field of research ethics, the approval of the research project by a research ethics committee (REC) is such a mechanism. As the competence of REC members concerning big data might be limited, it could be prudent to enlist experts on big data to consider more specialised protection mechanisms not only for research but also for much broader use. These experts and procedures should ensure that data protection is sufficient (by anonymisation, for example); that people receive short, understandable information about the most significant ways their data will be used; and that data abuse will be either unlikely or detected early enough to prevent significant harm, independently of the choices people make about the use of their data.

Recommendations

Experts and procedures should ensure that data protection through anonymization is sufficient; that people receive short, understandable information about the most significant ways their data will be used; and that data abuse will be either unlikely or detected early enough to prevent significant harm, independently of the choices people make about the use of their data.

About the White Paper

Download PDF

  • Eleonora Viganò (University of Zurich) – editor
  • Mira Burri (University of Lucerne)
  • Markus Christen (University of Zurich)
  • Bernice Elger (University of Basel)
  • Christian Hauser (University of Applied Science of the Grisons)
  • Marcello Ienca (EPFL)
  • Michele Loi (University of Zurich)
  • Christophe Schneble (University of Basel)
  • David Shaw (University of Basel)

About the ELSI Task Force

Project description on www.nrp75.ch
http://www.nfp75.ch/en/projects/cross-cutting-activity/elsi-task-force-for-the-national-research-programme

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht.

Cookies helfen uns, unseren Service für Sie zu verbessern. Wenn Sie unsere Webseite weiterhin verwenden, erklären Sie sich damit einverstanden, dass wir Cookies verwenden.