Citizen scientists as data controllers: Data protection and ethics challenges of distributed science

Citizen-science is a rapidly expanding approach to knowledge production that increasingly involves the collection of personal data in various forms. This processing of personal data invokes relevant data protection laws and, specifically, the designation of data controller, the person(s) or organisation(a) who determine if and how personal data is to be processed and hence are charged with the legal responsibility for compliance with the General Data Protection Regulation (GDPR). Traditionally, in the context of research, professional researchers would be designated controllers, and research participants whose data was processed would be "data subjects" and hence enjoy the GDPR's protections. Yet, citizen-scientists adopt a dual role, acting both as participants and as researchers. This paper maps the implications this dual role has from the perspective of data protection law and research ethics. We explain how the data protection concept of controller has been interpreted very broadly. As a result, in their dual role, citizen scientists can be both data subjects entitled to protection and data controllers, sometimes of their own data, tasked with data protection compliance obligations. If citizen scientists share the objectives of research projects they participate in or co-shape those objectives, it is likely that they – together with the professional researchers - will be considered controllers, and held responsible for the processing of personal data in compliance with the GDPR. The paper discusses how this can affect both the quality of protections provided to participants (including participant-researchers), thus undermining the fundamental goal of research ethics, generally, as well as the practice of citizen science itself. We analyse this question of citizen scientists as data controllers as both a matter of law and research ethics. We conclude with policy recommendations that can be applied both on the level of data protection law (to reconsider how the role of controller is assigned) and research ethics guidelines that should take a nuanced approach to the circumstances of assignment of the status of data controller in citizen science projects as an important step toward responsible and ethical participatory research.