Optimising cohort data in Europe

(Minari et al., 2018; Dupras et al., 2019). Consent in this sense is no longer about free and informed choice but about the interaction between individuals and online platforms and the amount of autonomy they are willing to give up (Shadbolt et al., 2019). 2.3. Legal frameworks Themain issue in the context of cohort research is that the law goes at a much slower pace than advances in data collection technologies, biotechnologies and bioscience (Cech, 2018), with the danger of becoming obsolete in relation to scientific development (Minari et al., 2018). The challenge is thus to reconceptualise legal frameworks so that they can provide adequate protection that keeps up with scientific development (Townend, 2018). The GDPR is based on ten principles, namely: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality (security) and accountability. The GDPR does not apply to data that are fully anonymised (Saunders et al., 2019). In relation to health data (including biometric data, genomic data, etc.), the processing is justified only under specific purposes such as the management of health or social care systems and services, preventive or occupational medicine, public interest and when participants give explicit consent (Townend, 2018) (cf. the Proportionality principle in Section 2.1.2a). In terms of its requirements, content and implementation, the GDPR presents important challenges to researchers, of which some will be outlined below. First, the GDPR makes explicit consent the main condition for research. This hinders innovative health research and makes it particularly difficult to implement in the EU (Salokannel et al., 2019). One reason for this is that people tend to not give their consent easily, especially within specific social and cultural contexts (van Veen, 2018). This might exclude from innovative research the very persons who should have benefited from it the most, as vulnerable and disadvantaged populations are not likely to have the material and cultural resources to participate in research (Manrique de Lara and Pellaez-Balestas, 2020). The absolute requirement of explicit consent also requires additional staff specially devoted to consent purposes, which will increase research costs (Zawati et al., 2018). Second, the GDPR focuses on the "right to be forgotten" clause. The clause stipulates that participants can withdraw consent at any time, which gives data controllers the obligation to remove all the personal data of these participants from all biobanks and platforms (Salokannel et al., 2019). This is a particularly expensive and quite impractical endeavour. Data controllers and researchers may therefore, have the incentive to share only fully anonymised data that cannot directly be related to participants (Saunders et al., 2019). More often than not, this relates to aggregated data that, through the processing techniques available, gain a considerable level of abstraction (Menychtas et al., 2020). Some researchers go as far as not sharing the data themselves but merely their insights about them (Hulsen et al., 2019). This level of abstraction is damageable to the research, the researchers and the participants as it becomes devoid of any practical relevance.