Julius Center for Health Sciences and Primary Care, University Medical Center Utrecht, Utrecht, The Netherlands.
Eur J Hum Genet. 2024 Jan;32(1):21-30. doi: 10.1038/s41431-023-01471-0. Epub 2023 Oct 17.
It is a common misunderstanding of current European data protection law that when consent is not being used as a lawful basis, the processing of personal data is prohibited. Article 9(2)(j) of the European General Data Protection Regulation (GDPR) permits Member States to establish a legal basis in national law that allows for the processing of personal data for scientific research purposes without consent. However, the European legislator has formulated this "research exemption" as an opening clause, rendering the GDPR not specific as to what measures exactly are required to comply with the research exemption. This may have significant implications for both the protection of personal data and the advancement of data-intensive health research. We performed a systematic review of relevant soft law instruments and academic literature to identify what measures are mentioned in those documents. Our analysis resulted in the identification of four overarching themes of suggested measures: organizational measures; technical measures; oversight and review mechanisms; and public engagement and participation. Some of the suggested measures do not substantially contribute to the clarification of the GDPR's "suitable and specific measures" requirement because they remain vague or broad in nature and encompass all types of data processing. However, the themes oversight and review mechanisms and public engagement and participation provide valuable insights which can be put into practice. Nevertheless, further clarification of the measures and safeguards that should be installed when invoking the research exemption remains necessary.