Abstract
The growing use of Big Data and computational methods in health research poses significant challenges for research ethics committees (RECs), whose review frameworks were designed for conventional, hypothesis-driven studies. Empirical evidence on how RECs in continental Europe are responding to these challenges has been largely absent. We conducted a cross-sectional web-based survey of REC members in Germany, Austria, and German-speaking Switzerland (November 2024–March 2025). The structured questionnaire combined closed and open-ended items covering general review practices, prior experience with Big Data proposals, perceived challenges, and the need for additional expertise. Responses from 172 valid cases were analyzed using descriptive statistics and qualitative content analysis. The response rate was approximately 10.1%–12.6%. Review practices were highly heterogeneous: only 59% of participants used any standardized guideline, and a mere 3.5% applied protocols specifically tailored to Big Data studies, despite 48% having reviewed at least one such proposal. Participants identified four clusters of challenges: methodological opacity; regulatory ambiguity regarding the EU Medical Device Regulation and AI Act; data protection concerns including the growing instability of anonymization and inconsistent GDPR interpretations; and the inadequacy of classical informed consent frameworks for exploratory research. While 41% considered Big Data-specific guidance to be lacking and a majority acknowledged expertise gaps, only 8% favored specialized RECs. German-speaking RECs face significant and largely unaddressed challenges in reviewing Big Data health research. The findings point to an urgent need for consensual guidance, deliberate competency development in data science and data protection law, and active REC engagement with emerging European governance frameworks, including the European Health Data Space and the EU AI Act. The challenges identified mirror those in other jurisdictions, suggesting that adapting ethical oversight to data-intensive research requires coordinated responses at the national and European level.
Keywords
Introduction
In recent years, the increasing availability of large and complex datasets, commonly referred to as “Big Data,” has transformed the landscape of health research by enabling the generation of new knowledge through computational methods (Leonelli, 2020). Proponents of Big Data approaches highlight significant potential for improving healthcare delivery, understanding disease patterns, and informing precision medicine (Car et al., 2019; Duggal et al., 2018). Unlike traditional clinical research, which often relies on standardized and well-defined datasets, Big Data studies frequently integrate heterogeneous sources of information, including electronic health records, genomic data, and patient-generated data, to explore novel research questions (Dinh-Le et al., 2019; Schneble et al., 2020; Wu et al., 2017). These studies may extend beyond narrowly defined purposes, allowing for exploratory analyses and the discovery of previously unknown associations. Given the diverse and at times inconsistent use of the term in the literature, we use the term “Big Data studies” within this study for research that draws on large, heterogeneous, and often pre-existing datasets – including electronic health records, registry data, genomic data, and patient-generated data – and employs computational methods such as machine learning, natural language processing, or large-scale data linkage for analysis. Such approaches encompass both exploratory and hypothesis-driven analyses, and “big data” refers to the complexity and heterogeneity of data as much as to their volume.
The ethical and legal review of biomedical research involving human participants is primarily the responsibility of research ethics committees (RECs). However, the role and suitability of RECs to assess Big Data research has been increasingly debated (Ferretti et al., 2020; Friesen et al., 2021; Ienca et al., 2018). Big Data studies pose novel ethical challenges that extend beyond conventional data protection concerns. For example, the long-term and group-level risks associated with large-scale data collection are often insufficiently addressed in traditional frameworks such as the Belmont Report (Doerr and Meeder, 2022). Such risks may be particularly salient given the potential for algorithmic bias and resulting discrimination in health-related Big Data applications (Obermeyer et al., 2019).
Moreover, the exploratory nature of Big Data research complicates the standard ex-ante ethical review process. Research questions may not be clearly defined at the outset, and the reusability of data can limit the feasibility of risk assessment prior to study initiation (Martin-Sanchez et al., 2017). Informed consent procedures are often challenged by undefined research objectives and incomplete risk characterization (McKeown et al., 2021). Additionally, while anonymized data can sometimes be used without REC oversight, advances in re-identification techniques create new ethical and privacy concerns (Ferretti et al., 2021; Yoshiura, 2019). These considerations underscore the need for specific criteria and expertise within RECs to evaluate Big Data research adequately.
Despite these challenges, RECs continue to serve a central role in safeguarding ethical standards in biomedical research, and there is no indication that fundamentally new ethical principles are required for Big Data studies (Wiesing and Funer, 2024). Nevertheless, the practical implementation of ethical oversight is in need of constant evaluation (Scherzinger and Bobbert, 2017) and in the context of Big Data studies faces significant hurdles. Internationally, some scholars have called for reforms in REC procedures or the delegation of oversight to specialized bodies such as Data Access Committees (McKay et al., 2023). Empirical studies from Switzerland and the United Kingdom indicate that REC members recognize the need for additional guidance and criteria when reviewing Big Data research (Ferretti et al., 2022; Hibbin et al., 2018; Samuel et al., 2018). This picture is further corroborated by policy assessments and cross-national expert consultations from other contexts, which similarly document significant gaps in existing oversight frameworks for AI and data science research (Ada Lovelace Institute, 2022; Lukaševičienė et al., 2026). Systematic evidence from German-speaking RECs, however, remains absent, highlighting a critical gap in our understanding of ethical oversight practices in this region.
This study aims to address this gap by systematically assessing the criteria and standards applied as well as desiderata by members of RECs in Germany, Austria, and the German-speaking part of Switzerland when reviewing Big Data studies in health research. Through a web-based survey of REC members, we wanted to elucidate current practices, challenges, and potential solutions for the ethical review of data-intensive research. The presentation of our study is based on the Consensus-Based Checklist for Reporting of Survey Studies (CROSS; Sharma et al., 2021).
Methods
Study design
This study was a cross-sectional online survey conducted between 25th November 2024 and 3rd March 2025 to investigate the criteria and standards used by research ethics committees (RECs)/institutional review boards (IRBs) in German-speaking countries to review data science-based study projects within medicine and healthcare. The survey was administered via SoSci Survey (www.soscisurvey.de) and targeted at members and research staff of RECs/IRBs in Germany, Austria and German-speaking Switzerland.
Sample characteristics and recruitment
Eligible participants were all appointed members, deputy members or full-time scientific staff of RECs/IRBs in Germany, Austria, and the German-speaking part of Switzerland. The sample therefore potentially consisted of 1.460–1.825 survey participants at 73 RECs/IRBs (Germany: 46; Austria: 23; German-Speaking Switzerland: 4). 1
Convenience sampling was used. The participants were recruited in a three-stage process: First, overarching national network organizations of RECs/IRBs were contacted – Germany: “Arbeitskreis Medizinischer Ethik-Kommissionen”
Data collection and measurement
A structured questionnaire was developed based on a literature review and consultations with experts in assessing research proposals (see Supplement 1). The questionnaire consisted of general information about the participants’ professional background, their years of experience, and the average number of research proposals they review per year. Then, selection and open-ended questions were asked about the use and origin of guidelines or standard procedures used, or alternatively, criteria used individually in the review of study proposals in general. This was followed by a general definition of what we understand by Big Data studies, followed by selection and open-ended questions on previous experience in reviewing Big Data study proposals and on the evaluation of previous review practices and their suitability as well as relevant criteria for reviewing Big Data study proposals. A final set of statements with five-point Likert scales to measure agreement/disagreement summarizes aspects addressed in the literature when reviewing Big Data studies within healthcare.
Pre-testing of the questionnaire was conducted with five participants to assess clarity and reliability, leading to minor modifications before full deployment. The complete questionnaire translated into English is attached as a supplement to this article.
Before participation, all respondents provided electronic informed consent. The survey was self-administered, and responses were collected anonymously. No measures were taken to prevent double participation, as no motives could be identified for doing so. The estimated time for survey completion was 20–30 minutes.
Ethical considerations
The study adhered to ethical guidelines outlined in the Declaration of Helsinki. Ethical approval was not required due to the anonymity of the survey, but it was discussed with the local REC of the Medical Faculty of the Eberhard Karls University of Tübingen. Participation was voluntary, and respondents could withdraw without any consequences until the time of the final submission of the online survey (and thus anonymization of the data).
Data analysis
Data analysis was performed in five steps: (1) First, descriptive statistics were computed for the quantitative survey features. Data was analyzed using IBM SPSS Statistics 30.0. Furthermore, a qualitative analysis of the free text responses was performed. (2) The survey responses were identified and categorized into main topics of interest. For each of these topics a list of keywords was assigned. (3) Then within the identified categories, the free text responses were translated and differentiated into subcategories. (4) Frequency analysis was performed for the identified keywords. The entire process was independently duplicated by a second researcher. (5) In the final step, the results were discussed, and any differences were debated. A significance level of p < 0.05 was considered statistically significant. Missing data were handled using listwise deletion, where “valid cases” were considered those for which at least 70% of the questionnaire was completed. Submissions that did not exceed this value were deleted.
Results
Participant characteristics
Of the people who followed the survey link provided (519 clicks), 36% started the survey. Nearly all the participants (93%) responded to at least 70% of the questions and were counted as valid cases. Based on the estimated target group the response rate was 10.1%–12.6%.
Most dropouts (96%, n = 334) occurred on the start page before starting the survey, suggesting either a mismatch of interest and the survey’s scope or concerns about time requirements. In addition, some respondents may have participated in the survey at a later date. Only 3.7% (n = 13) discontinued after beginning the survey (Figure 1).

Dropouts.
Descriptive results
Study participants had various professional backgrounds: 45% were physicians (n = 77), 26% scientists (n = 44), 10% lawyers (n = 17), 5% philosophers, theologians, ethicists (N = 9), 6% laymans (n = 11), 4% correspond to two professions (n = 7). Most of the participants indicated that they had many years of experience working in an IRB, with 53% (n = 91) having more than 5 years of experience and a further 22% (n = 37) having more than 15 years of experience. Only 17% (n = 29) of participants have been active in an IRB for less than 2 years. The number of studies assessed by the participants per year is distributed heterogeneously. While 26% (n = 44) review up to 10 study proposals, 43% (n = 73) assess more than 40 study proposals a year.
Main findings
Our survey focused on six central questions:
Do REC members use guidelines or standardized protocols to review study proposals?
What criteria do they generally evaluate for this purpose?
To what extent have REC members reviewed Big Data and computational method study proposals so far?
Are there specific aspects to focus on when reviewing Big Data and computational method study proposals, and are there specific difficulties associated with Big Data and computational method study proposals?
Do REC members use guidelines or standardized protocols that apply specifically for Big Data and computational method studies?
Do RECs need new expertise or competencies to review Big Data study and computational method proposals?
The results for these six central questions of the survey are presented below.
General review practices
A majority of participants (59%, n = 101) reported to use standardized guidelines or protocols when reviewing study proposals, while 40% (n = 69) did not. Use varied by profession, with laypersons (75%) and philosophers/theologians/ethicist (67%) more likely to apply standardized tools than medical/healthcare professionals (61%), natural scientists (52%) and lawyers (47%).
Within the group of IRB members using standardized protocols the sources of guidelines varied: While 53% (n = 55) of participants report that the guidelines are provided or recommended by their local IRB, more than 25% (n = 26) have developed a standardized protocol by their own and 7% (n = 7) stated to use guidelines found while doing own online research. The standardized protocol is in most cases either not publicly accessible (38%, n = 21) or the accessibility is not known (28%, n = 29). Only 20 participants (20%) could name publicly available guidelines, they are using. Among the most frequently named is “Empfehlungen zur Begutachtung klinischer Studien durch Ethik-Kommissionen” [=“Recommendations for the review of clinical trials by ethics committees”] by Raspe et al. (2012) Other participants referred to international codices as the declaration of Helsinki and the declaration of Taipei, statements of the European Medicines Agency (EMA), the Federal Ministry of Federal Ministry of Research, Technology and Space (BMFTR, formerly BMBF) or the German consortium of IRBs, the “Arbeitskreis Medizinischer Ethik-Kommissionen” (AKEK).
When IRB members use standardized protocols, they are likely to apply them regularly. More than two-thirds (78%, n = 69) of participants stated that they apply their guidelines frequently (in 60–80% of cases) or even almost always (in 80–100% of cases). Those not using guidelines expressed divided views: While 29% (n = 20) considered the lack of standardization as a deficiency, 61% (n = 42) did not view a standardization for the review process as desirable. Proponents of guidelines emphasized transparency and error reduction, while opponents feared a “one-size-fits-all” approach could stifle innovative study designs. One participant claimed, for example: Scientific approaches can be very different; I would be concerned that particularly original scientific approaches could fall victim to a template if the review process were too schematized, approaches could fall victim to a template. (P143, transl. by the authors)
When asked about evaluation criteria, participants highlighted scientific validity – especially clarity about the research questions, study design, and adequacy of sample size and power calculations – as central considerations. The importance of scientific review has been emphasized repeatedly as justification for patient burden and resource allocation, as one participant stated: “[. . .] otherwise, the study and the burden on patients and consumption of resources would be useless, so this should be given absolute priority in the assessment.” (P37, transl. by the authors) Privacy and data protection were also emphasized, alongside the need for clear, accessible participant information, which should be “[. . .] easy to understand, as concise and clear as possible [. . .] as a good basis for decision-making for potential participants” (P28, transl. by the authors). While many participants (n = 11) raised the issue of the benefit-risk ratio, only one participant explicitly mentioned patient safety and the inclusion of vulnerable groups as important criteria to look at.
Review of Big Data and computational method study proposals
Nearly half of the participants (48%, n = 83) had previously reviewed Big Data and/or computational method study proposals, 13% (n = 23) had not, and 38% (n = 66) where unsure or did not respond to the question.
With regard to Big Data studies, participants expressed different views. While 19% (n = 27) stated that Big Data studies do not pose additional difficulties for IRBs, 34% (n = 48) felt that established evaluation procedures were insufficient when it comes to Big Data or computational method studies and about 44% (n = 62) called for new assessment criteria. However, there is broad agreement that no specialized review boards were necessary to evaluate Big Data study proposals. Only 8% (n = 12) were in favor of specialized RECs for Big Data studies. Although the majority of participants stated a need for new assessment criteria for reviewing Big Data study proposals, only 3,5% of participants (n = 6) currently use standardized protocols that differ from their conventional procedures to review Big Data studies.
Specific challenges in reviewing computational and Big Data studies
Participants identified a range of challenges that arise when reviewing Big Data study proposals. These difficulties related both to the scientific assessment of study design and to broader ethical and legal issues.
Scientific quality and methodology
A recurring concern was the lack of methodological detail in many Big Data study proposals. Respondents noted that information on data provenance, validation procedures, and justification for analytic approaches was often insufficient or entirely missing. This lack of transparency was seen as undermining the ability of non-specialists to assess scientific quality: Scientific quality is difficult for non-data specialists to assess, as the quality of the data used often remains a black box. (P120, transl. by the authors) Often statements such as ‘modern AI methods are used’ are made. [. . .] There is [. . .] generally a lack of adequate justifications for the selected number of cases. (P35, transl. by the authors)
While many participants miss a precise scientific question, concerns were also raised about the general compatibility of Big Data research’s exploratory approaches with classical principles of scientific inquiry. One participant wondered if [. . .] scientific principles (hypothesis – testing – falsification, if necessary) [are after all compatible] with the purely exploratory approach of ‘Big Data. (P10, transl. by the authors)
Questions of reproducibility and traceability further complicated the evaluation of AI-based projects, with one participant remarking that patents and proprietary algorithms made transparency “even more impenetrable.” (P143, transl. by the authors)
Regulatory classification
Some participants expressed uncertainty about whether Big Data study proposals should be classified as medical device research and thereby fall under medical device regulation. This was seen as a frequent source of confusion by authors of study proposals: Due to the use of data collected with medical devices, the Big Data project is often declared an MPG study [= German medical product law], even though the Big Data project clearly does not intend to address the MPG area. (P68, transl. by the authors)
Data protection and security
Data protection was one of the most intensively discussed topics. While several participants emphasized the importance of distinguishing between pseudonymization and anonymization, others questioned whether true anonymization was possible at all in the context of large, complex datasets. One respondent argued that anonymization is “only seemingly possible anymore” (P9, transl. by the authors) as the risk of reidentification is increasing due to the growing size of datasets.
Several participants highlighted inconsistencies in the interpretation of data protection laws across different jurisdictions and authorities, which they described restrictive to research. According to them, data protection must be simplified and standardized: Data protection requirements must be simplified in order to ensure realistic access to patient data, starting with the general storage of data within clinics. Consent to data use must be simplified (e.g., consensus upon admission for non-interventional studies). (P72, transl. by the authors) There is an urgent need for consensus on the (simplest possible) application of ethical guidelines to Big Data and data protection laws. There are too many (variable) interpretations by different data protection authorities (in Germany and abroad), which both restrict use and underestimate the benefits of data use. The bureaucratic effort involved is enormous and is crippling the scientific use of Big Data. (P75, transl. by the authors)
Technical infrastructure was also mentioned as a critical factor for ensuring data security. Respondents noted the difficulty of evaluating repositories across multiple study sites with differing quality standards, particularly in large-scale consortia: [I]t is more difficult to assess data security for individual participants. [. . . T]he competencies of the study physicians must be assessed across many more centres, which may have different quality standards. (P60, transl. by the authors)
Another issue raised was data minimization. While researchers often would claim that all data are necessary to fulfill study objectives, respondents felt this was difficult to verify: It can often be difficult to definitively affirm or deny data minimisation. Researchers’ claims [. . .] can only be assessed for plausibility, not accuracy. (P29, transl. by the authors)
Informed consent and autonomy
The principle of autonomy and the adequacy of informed consent were frequently highlighted. Several respondents pointed out that, in anonymized data research, participants may not be informed at all, while in exploratory projects even the applicants often cannot specify the purposes and risks: Either the subjects are not informed at all (in the case of research involving anonymised data), or they cannot be sufficiently informed because the applicants themselves do not know what the final outcome will be. [. . .] Overall, there is an ethical risk of a progressive devaluation of informed consent in the context of data-based research. (P99, transl. by the authors)
Concerns were also raised about long-term risks, which are difficult to foresee especially “for individual participants” (P60) and may extend decades into the future: [. . .] It is extremely difficult to make time constraints. [. . .] There may be negative consequence that these findings could have for participants in years or decades to come. (P87, transl. by the authors)
Role of guidelines
Participants expressed divided views on whether specific guidelines for reviewing Big Data studies are needed. While 41% of participants (n = 71) felt guidelines to review Big Data studies were lacking, 29% (n = 49) did not, and 30% (n = 52) were undecided.
Among those who considered guidelines necessary, several reasons were given. Many emphasized the novelty and complexity of methods used in Big Data health research, combined with a lack of expertise and experience within RECs. Big Data studies, here, were often seen as “more complex” (p14, p64, p91 transl. by the authors) and “confusing” (p130, transl. by the authors). This lack of expertise in RECs was seen as a potential obstacle to conducting Big Data studies, as one participant noted: Many members of the ethics committee are unfamiliar with Big Data and AI, and therefore often impose requirements on those conducting the study that prevent the research project from going ahead. (P68, transl. by the authors)
It was hoped that guidelines would provide orientation in this unfamiliar terrain by clarifying which data and analytical methods are appropriate in which contexts. Perceived benefits of guidelines included increased transparency for applicants, better comparability across REC reviews, and improved quality assurance. Several participants also mentioned pragmatic advantages such as reducing workload and saving time. Furthermore, participants expected guidance on data protection issues, which many considered particularly challenging when reviewing Big Data studies. As one participant remarked: Even if the data is only published anonymously, it may be possible to identify individuals in the near future. (P102, transl. by the authors)
By contrast, 29% (n = 49) of the participants who did not perceive a need for specific guidelines offered heterogeneous reasoning. Some argued that Big Data studies do not pose fundamentally new risks and can be adequately assessed using established ethical principles: Generally speaking, I believe that the relevant principles of research ethics provide sufficient guidance. (P99, transl. by the authors)
Others acknowledged the increasing methodological complexity of Big Data studies, but participants either felt well equipped to do so or considered the evaluation of statistical and methodological detail as not the task of the REC: The statistical analysis of the data is becoming increasingly complex but evaluating this is not primarily the task of the REC. (P33, transl. by the authors)
Additional respondents expressed skepticism about the usefulness of guidelines in general. They feared that guidelines might be too rigid, lag behind technological developments, or fail to address expertise gaps. As one participant stated: A guideline does not enable me, as a physician, to evaluate points that I am not qualified to assess professionally. (P153, transl. by the authors)
In summary, while many participants hoped for guidelines to provide orientation and consistency, others doubted their added value and emphasized the need for expertise concerning the methods used in Big Data studies over standardized protocols.
Need for (special) expertise
A recurring theme throughout the survey was the perceived need for additional expertise within RECs to adequately review Big Data study proposals. Many participants stressed that technical knowledge in data science, data analysis techniques, and machine learning was currently insufficient. As one respondent put it: It requires expert opinions from individuals in the field of Big Data and AI. The current legal composition of ethics committees does not adequately cover the field of Big Data and AI. (P68, transl. by the authors)
Some RECs had already responded to this gap. Approximately 13% of participants who identified the need for technical expertise reported that their committees had already integrated experts in AI or machine learning: Our ethics committee has been expanded to include experts from the ML/AI field in order to be able to evaluate relevant research projects. (P35, transl. by the authors)
Beyond technical knowledge, expertise in data protection and data security was considered essential. This included not only legal aspects within national frameworks but also the growing importance of international law concerning data storage and data access across borders: Expertise in “international law concerning data storage [and] data access in/from foreign countries” is needed. (P90, transl. by the authors)
Another participant pointed out that although no additional data science and juridical expertise is needed as this “[. . .] would be available - cooperation in these areas is becoming more important” (P105, transl.)
Several participants noted the limited capacity of data protection officers, who are sometimes consulted but cannot cover all Big Data applications. One participant remarked: We only conduct cursory checks on data protection, unless we see particular challenges, in which case we send it to the data protection officer. However, this cannot be done with all Big Data research projects (the data protection officer does not have the capacity for this). It would therefore be desirable for this expertise to be (more strongly) represented in the committee. (P150, transl. by the authors)
Not all respondents favored expanding the REC’s expertise. Some argued that additional knowledge was available externally and that cooperation with specialized experts outside the REC would be more effective: Additional expertise “[. . .] would be available – cooperation in these areas is becoming more important” (P105, transl. by the authors)
Overall, the findings indicate a widely perceived need for RECs to strengthen their competencies in evaluating technical, legal, and data protection aspects of Big Data health research. However, there is no consensus on whether this should be achieved through the recruitment of new members, the training of existing ones, or increased reliance on external consultation (Figure 2).

Likert scales showing agreement or disagreement with statements about REC’s performance in reviewing BD study proposals.
Overall assessment of REC’s performance in reviewing Big Data studies and the quality of Big Data study proposals
Finally, participants indicated their level of agreement with a number of summary statements. Half of the participants (50%, n = 53) stated that the review of Big Data studies differs significantly from that of other studies. 23% (n = 24) denied major differences within the review process, 27% (n = 28) were undecided. While a majority of participants (65%; n = 66) agreed that the workflow of their ethics committee is suitable for the review of such studies, only 51% (n = 54) regarded their ethics committee as adequately equipped for the task, 24% (n = 26) objected and 24% (n = 25) were undecided. Around half of the participants (48%, n = 55) stated that the composition of their ethics committee is sufficiently competent for reviewing Big Data studies, 27% (n = 31) stated the opposite. Regarding personal qualifications, 47% (n = 50) believe they are capable of appropriately reviewing Big Data studies. 30% (n = 15) of them even strongly agreed to the statement. Conversely, about a quarter (24%, n = 26) of participants denied being capable of appropriately reviewing Big Data studies (Figure 3).

Likert scales showing agreement or disagreement with statements about the quality of BD study proposals.
Regarding the content of Big Data study proposals participants mostly agreed on the necessary aspects that proposals should consider. 79% (n = 85) agreed that applications for such studies should demonstrate the quality of their database through pre-reviews, 11% (n = 12) stated the contrary. 76% (n = 79) of participants agreed that applications should include project-/application-specific ethical and social impact assessments, 8% (n = 8) objected. When asked whether applications should address potential discrimination specific to the application and show preventive measures 74% (n = 76) of participants agreed. Participants nearly unanimously stated (92%, n = 100) that the provenance /sources of training data in Big Data studies should be clearly disclosed, only 1% (n = 1) objected. Similarly concordant, only 3% (n = 3) of participants disagreed with the statement that project applications with changing system architectures (e.g. in Machine Learning) should demonstrate the quality of repeated assessments.
Highly heterogenous results revealed a question about the overall quality of Big Data study proposals. While 34% (n = 30) stated that the quality of such studies would be comparable to study proposals using other methods, 28% (n = 25) disagreed.
Discussion
Principal findings
This study provides the first systematic survey of members of research ethics committees (RECs) in German-speaking countries on the review of Big Data and computationally driven health research. Drawing on responses from REC members in Germany, Austria, and German-speaking Switzerland, we identify a pattern of heterogeneous review practices, limited and uneven exposure to Big Data study proposals, and widespread uncertainty about whether existing procedures and competencies are adequate to meet the demands of data-intensive research. Our findings extend a small but growing empirical literature on REC functioning in this domain, in which systematic evidence from continental European contexts has until now been largely absent.
Four principal findings stand out. First, review practices for study proposals are highly non-standardized: only 59% of respondents reported using any form of guideline or protocol, and these were typically local, non-public, and inconsistently applied. Second, while nearly half of participants had reviewed at least one Big Data or computational study proposal, awareness of dedicated review frameworks for such studies was minimal – only 3.5% reported using protocols specifically tailored to this context. Third, participants identified a constellation of overlapping challenges when reviewing data-intensive research, spanning methodological opacity, regulatory ambiguity, data protection, and the erosion of meaningful informed consent. Fourth, there was broad – though not unanimous – agreement that RECs require additional guidance and expertise to perform adequate oversight of Big Data health research. These findings are discussed below in relation to the existing literature.
General review practices
The high degree of heterogeneity in review practices among German-speaking RECs is consistent with broader observations in the literature on the fragmentation and inconsistency of ethical oversight across institutions (Ferretti et al., 2022; Hibbin et al., 2018; Klitzman, 2012). The predominance of locally developed, non-public protocols raises legitimate concerns about the comparability and fairness of ethical assessments: applicants submitting similar research designs to different committees may encounter substantially different standards, with consequential implications for what research is approved, modified, or rejected. This structural variability is difficult to justify on principled grounds, even where a degree of contextual adaptation is appropriate.
The most frequently cited framework, Raspe et al.’s (2012) guidance on the review of clinical trials, is designed primarily for interventional biomedical research and offers limited operational traction for the methodological and legal complexities characteristic of Big Data studies. References to the Declaration of Helsinki, while foundational, are similarly too general to guide committee members through the specific analytical, regulatory, and consent-related challenges these studies present. More targeted instruments exist – notably the World Medical Association’s Declaration of Taipei on ethical considerations regarding health databases and biobanks ((WMA), 2016), frameworks proposed by Ienca et al. (2018) and Vayena et al. (2018), and guidance developed by Swiss and UK RECs (Ferretti et al., 2022; Samuel et al., 2018) – yet their uptake in the German-speaking region appears limited. Closing this gap between available guidance and actual practice is a task for coordinating bodies such as the Arbeitskreis Medizinischer Ethik-Kommissionen (AKEK), Forum Österreichischer Ethikkommissionen and swissethics, as well as for research funders who set standards for what study applications must contain.
Emergence of Big Data study proposals
The finding that only approximately half of participating REC members had reviewed a Big Data or computational method study proposal indicates that, at present, many committees encounter such submissions only sporadically. This is consistent with the broader trajectory of health data science, which is expanding rapidly but unevenly across institutions, disciplines, and regions. Given the likely self-selection bias in our sample – members with prior exposure or interest in the topic were disproportionately likely to participate – the true proportion of committees with little or no experience in this domain may be considerably higher. The implication is that preparedness is not merely a matter of expertise: it also requires that RECs have encountered enough such applications to develop institutional routines and collective judgment.
Several respondents reported that their committees had begun to adapt proactively: some had recruited experts in machine learning and artificial intelligence as standing or advisory members, while others had established cooperative arrangements with external specialists. This mirrors developments observed in Switzerland and the United Kingdom, where RECs have begun to supplement their membership with data science expertise in response to rising volumes of computational research (Ferretti et al., 2022; Samuel et al., 2018). That such adaptations are occurring on an ad hoc, committee-by-committee basis underscores the need for coordinated guidance and capacity-building at the national level, so that access to adequate ethical oversight does not depend on the resources or initiative of individual institutions.
Specific challenges in reviewing Big Data studies
Participants identified a diverse and interconnected set of challenges when reviewing Big Data and computational study proposals, which we group into four thematic clusters: (1) methodological opacity and scientific quality; (2) regulatory classification; (3) data protection and security; and (4) informed consent and participant autonomy. These echo – and in several respects extend – challenges documented in earlier empirical and normative work (Friesen et al., 2021; Ienca et al., 2018; Martin-Sanchez et al., 2017; Vayena et al., 2018).
With respect to methodological quality, respondents frequently noted that Big Data study proposals often fail to provide adequate information about data provenance, validation procedures, and the justification for analytical choices. The perception that scientific quality constitutes a “black box” for non-specialists reflects a structural mismatch: the multidisciplinary composition of RECs, oriented traditionally toward biomedical and clinical expertise, rarely encompasses the statistical and computational competencies required to assess machine learning pipelines, large-scale data linkage procedures, or the performance characteristics of predictive algorithms. This challenge is compounded by concerns about reproducibility and the opacity of proprietary systems – concerns that have been articulated prominently in the broader literature on accountability and transparency in AI-based research (Char et al., 2018; Mittelstadt et al., 2016; Price, 2018). The tension between the exploratory, pattern-recognition logic of Big Data research and the classical hypothetico-deductive framework underlying conventional ethical review represents a genuine epistemological difficulty (Leonelli, 2020), for which RECs currently lack established and consensually validated tools. It is worth noting that the underlying challenge – assessing research whose analytical choices are difficult to scrutinise from the outside – is not entirely novel: concerns about undisciplined statistical inference, p-hacking, and the misinterpretation of spurious correlations have accompanied data-driven research for decades. 2 What is structurally new is the degree of opacity. The inner workings of contemporary machine learning systems cannot be rendered transparent to reviewers regardless of their general competence, and the training required to evaluate such systems independently is, for most REC members, prohibitively steep.
The issue of regulatory classification – specifically, uncertainty about whether certain Big Data applications fall under medical device regulation or AI-specific oversight – emerged as a distinct and practically significant source of confusion. This is particularly salient in the context of the EU Medical Device Regulation (MDR; Regulation (EU) 2017/745) and, more recently, the EU Artificial Intelligence Act (AI Act; Regulation (EU) 2024/1689), which entered into force in August 2024. The AI Act classifies AI systems intended for use in medical diagnosis, prognosis, or treatment as high-risk, thereby imposing substantial obligations regarding conformity assessment, transparency, human oversight, and post-market monitoring – obligations that interact with, but are not fully coextensive with, existing REC review processes. Applicants themselves appear to misclassify their projects with some frequency, suggesting that clearer guidance on the demarcation between regulated medical AI applications, medical device research, and non-interventional data science is urgently needed. This is a task that falls partly to RECs, partly to competent regulatory authorities, and partly to research funders and institutions providing pre-submission advice.
Data protection was among the most intensively discussed topics, reflecting the particular salience of the EU General Data Protection Regulation (GDPR; Regulation (EU) 2016/679) and its varied national implementations for health research in the German-speaking context. Respondents’ concerns ranged from the practical difficulty of distinguishing pseudonymization from anonymization in large and heterogeneous datasets – a distinction that has grown increasingly unstable as re-identification techniques advance (Ferretti et al., 2021; Rocher et al., 2019; Yoshiura, 2019) – to perceived inconsistencies in how data protection authorities interpret relevant provisions across jurisdictions and within Germany’s federal structure. Several participants expressed frustration at what they described as the research-impeding effects of variable and at times overly restrictive regulatory interpretations – a concern that echoes tensions documented in broader debates about European health data governance (Floridi et al., 2019). While the scientific community’s interest in broader data access is legitimate, it must be weighed against the fundamental rights of data subjects to informational self-determination; RECs are well-positioned to assess this balance, provided they have adequate expertise and operate within clear and workable regulatory frameworks. The parallel challenge of verifying data minimization claims further illustrates the inherent limits of ex-ante ethical review for studies whose data structures are complex, evolving, or subject to iterative refinement during the research process.
Concerns about informed consent and participant autonomy recapitulated a well-documented tension at the intersection of data ethics and research governance (Doerr and Meeder, 2022; Knoppers and Thorogood, 2017; McKeown et al., 2021). In anonymized data research, participants may receive no information whatsoever; in genuinely exploratory projects, even investigators may be unable to specify research aims, analytical methods, or associated risks at the point of ethics review. This constellation undermines the classical model of informed consent as an individualized, prospective, and purpose-specific authorization – a framework that presupposes a degree of certainty about research objectives and risk profiles that data-intensive studies frequently cannot provide. Participants in the present survey articulated concern about what one respondent described as the “progressive devaluation of informed consent” in data-driven research. A particularly acute illustration of this dynamic arises when researchers interrogate large datasets in search of emergent patterns or correlations without pre-specified hypotheses: the data subjects from whom information was originally collected may have had no meaningful opportunity to consent to the specific uses to which their data are ultimately put. The very feature that makes Big Data research scientifically attractive, that is, its capacity to reveal hitherto unsuspected associations, is precisely what renders prospective, purpose-specific consent structurally inadequate as a protective mechanism. Simply dispensing with informed consent requirements, however, is not a viable response. It would undermine the foundational principle of respect for autonomy that justifies the requirement of informed consent in the first place, and risks normalizing a research culture in which data subjects are treated as passive resources rather than autonomous agents. Concerns were also raised about long-term risks – including potential discrimination, stigmatization, and group-level harms – that may not become apparent until years or decades after data collection (Mittelstadt et al., 2016; Obermeyer et al., 2019). These concerns are well-grounded in the normative literature, which has increasingly argued for the adaptation or partial replacement of traditional consent models through broad consent frameworks, dynamic consent mechanisms (Kaye et al., 2015), or participatory models of community engagement, particularly for secondary data use and longitudinal machine learning research (Friesen et al., 2021; Wiesing and Funer, 2024).
What is to be done? Implications for REC practice and governance
The findings of this survey carry several practical implications for RECs, their coordinating bodies, research funders, and legislators in the German-speaking region and beyond.
First, the high degree of heterogeneity in general review practices, combined with the near-total absence of Big Data-specific protocols, makes a compelling case for the development and dissemination of consensual guidance tailored to computationally driven health research. Such guidance should not – and, as our participants cautioned, must not – take the form of a rigid checklist that forecloses methodological innovation. Rather, it should identify minimum informational standards for Big Data study applications: transparent disclosure of data provenance and the sources of training data; pre-review documentation of database quality; project-specific ethical and social impact assessments; and explicit consideration of discrimination risks and mitigation strategies. The near-unanimous agreement among respondents that training data provenance must be disclosed, and that repeated quality assessments are required for systems with changing architectures, provides a robust empirical basis for such requirements. Existing instruments – including the Declaration of Taipei (WMA, 2016), the framework proposed by Ienca et al. (2018), guidance developed in Switzerland and the UK (Ferretti et al., 2022; Samuel et al., 2018), and the ethical guidelines for trustworthy AI issued by the European Commission High-Level Expert Group on Artificial Intelligence (HLEG AI; 2019) – could serve as starting points for a German-language synthesis adapted to the regulatory context of the region.
Second, the widespread acknowledgment of expertise gaps – particularly in data science, machine learning, and data protection law – points to the need for deliberate and systematic competency development within RECs. It is worth noting that requirements for multidisciplinary REC composition, including explicit provision for statistical and – since the OV-HFG revision of 1 November 2024 – digital health expertise, already exist in the regulatory frameworks of all three countries covered by this study. In Germany, §41a of the Arzneimittelgesetz (AMG), and in Austria similarly, §32 AMG, require, as a condition of REC registration for clinical trial review, the participation of at least one person with expertise in trial design and statistics; this provision, however, applies in both countries specifically to RECs registered for interventional clinical drug trials and does not extend to the broader range of studies subject to REC review under professional law. In Switzerland, the position is notably more encompassing: Art. 1 of the OV-HFG lists biostatistics as a mandatory area of REC competence, and the revision in force since 1 November 2024 has added expertise in information technology in the healthcare sector as an additional mandatory field (OV-HFG Art. 1 Abs. 1 Bst. a Zif. 9). Crucially, the OV-HFG applies to all RECs operating under the HFG, whose scope extends to research involving health-related personal data (HFG Art. 2) – a category that encompasses observational, registry-based, and secondary data research, and thus covers a substantial portion of Big Data health studies. Switzerland has therefore already taken regulatory steps that directly address the expertise challenges documented in this survey. The German and Austrian AMG provisions, by contrast, are not applicable to big data health studies as their scope is limited to clinical drug trials. The existence of these requirements – and Switzerland’s recent extension of them to digital health expertise – demonstrates that formally mandating such competencies within RECs is both legally feasible and institutionally accepted; the question for Germany and Austria is whether analogous developments will follow. In practical terms, competency development within existing committees can be pursued through complementary pathways: targeted recruitment of data scientists and AI ethics specialists as standing or advisory members; structured training for existing members; and the formalization of referral pathways to external expertise for technically complex applications (Char et al., 2018; McKay et al., 2023). Systematic support from nation-wide coordinating bodies would help ensure that such development occurs equitably rather than remaining the preserve of larger, better-resourced academic medical centers. At the same time, competency development alone cannot fully resolve the interpretability problem posed by the most opaque AI systems – a limitation that underscores the importance of the regulatory and governance-level responses.
A complementary response to these challenges lies in the development of a triage or risk-stratification approach to Big Data ethics review. Not all computational studies raise novel ethical concerns of equal gravity; many involve well-characterized datasets, practical barriers to re-identification, and straightforwardly applicable consent frameworks, and can be reviewed adequately using established procedures. A structured initial screening step, including dimensions such as re-identification risk, the exploratory versus confirmatory nature of the analysis, the sensitivity of the data involved, and the adequacy of existing consent arrangements, would allow RECs to calibrate the depth and specialization of review to the actual risk profile of a given submission. This risk-proportionate logic is already institutionalized in adjacent regulatory domains. The GDPR’s Data Protection Impact Assessment requirement (Art. 35 GDPR) mandates enhanced scrutiny only for processing operations likely to result in high risk to data subjects’ rights. While the DPIA is a data-protection compliance instrument completed by the data controller rather than an ethics review mechanism, it illustrates that risk-calibrated governance is feasible and accepted within the regulatory environment in which RECs operate. Crucially, a triage approach would also help RECs identify at an early stage those submissions – involving, for instance, highly opaque models or re-identification risks – where the structural limits of standard review are most likely to be reached, and where external specialist consultation or, in the most challenging cases, a frank acknowledgment of the limits of reviewability may be warranted. Such an approach is consistent with the strong preference expressed by our respondents for strengthening existing committees rather than replacing them with parallel structures – a point to which we now turn.
Third, the finding that only 8% of participants favored the creation of specialized RECs for Big Data research – despite broad recognition of additional challenges – is notable and analytically informative. It suggests that the field does not regard institutional fragmentation as the appropriate response: the solution is not to establish parallel oversight structures for data-intensive research, but to strengthen the competencies and frameworks of existing committees. This is broadly consistent with the position in the normative literature that established ethical principles are sufficient for Big Data research and do not require fundamental revision, even as new tools and competencies are needed to apply them effectively (Vayena et al., 2018; Wiesing and Funer, 2024). The creation of specialized structures could, moreover, introduce new inconsistencies and create perverse incentives for researchers to route applications through less rigorous pathways. More differentiated arrangements – such as designating lead committees with specific Big Data expertise for large-scale, multi-site studies, analogous to the coordinated review models used for multicenter clinical trials – may offer a more proportionate and less disruptive alternative.
Fourth, several of the challenges identified – particularly the inconsistency in data protection interpretations across jurisdictions – cannot be resolved at the level of REC practice alone. RECs operate within, rather than determine, the legal frameworks governing research data use. Calls from our participants for harmonized and practically workable data protection requirements echo ongoing policy debates at the European level. In this regard, the European Health Data Space (EHDS), formally adopted in 2025, represents a significant regulatory development: it creates a framework for secondary use of electronic health data for research, public health, and policy purposes across EU member states – a development directly relevant to Germany and Austria, and likely to exert regulatory influence on Switzerland through its bilateral relationships with the EU. RECs and their coordinating bodies have both an interest and a responsibility to engage actively with the implementation of the EHDS, to document the practical challenges they encounter, and to contribute to the development of workable standards for research data access that respect both scientific utility and the rights of data subjects.
Strengths and limitations
This study has several notable strengths. It is the first systematic empirical survey of REC members in German-speaking countries on the topic of Big Data and computational health research review, addressing a significant gap in the regional and international literature. By recruiting participants from Germany, Austria, and German-speaking Switzerland – three countries sharing important cultural and linguistic commonalities but operating under distinct national regulatory frameworks – the study enables cross-contextual insights while maintaining analytical coherence. The professional diversity of respondents – spanning physicians, scientists, lawyers, philosophers, ethicists, and laypersons – reflects the multidisciplinary composition of RECs and allows for a nuanced picture of how different professional perspectives shape the assessment of data-intensive research. The semi-structured survey design, combining closed quantitative items with open-ended questions, facilitated both descriptive trend identification and the in-depth exploration of participants’ reasoning and perspectives. The qualitative analysis, conducted independently by two researchers and reconciled through structured discussion, further strengthens the credibility of the interpretive findings.
Nevertheless, several limitations must be acknowledged. First, the response rate of approximately 10.1%–12.6% of the estimated target population, while broadly comparable to other surveys of healthcare professionals and ethics committee members, raises concerns about selection bias: those who participated may be more engaged with, or more expert in, the topic than those who did not, potentially leading to an overestimation of both awareness and preparedness across the broader population of REC members. That said, the convergence of our findings with patterns documented in studies from the United Kingdom, Switzerland, and, more recently, other European contexts (Ferretti et al., 2022; Hibbin et al., 2018; Lukaševičienė et al., 2026; Samuel et al., 2018) provides a degree of informal convergent validity, suggesting that the challenges identified are not artifacts of sampling but reflect broader structural features of the field. This resonance does not substitute for higher-response or probability-sampled replication studies, but it does support the substantive conclusions drawn here. Second, the reliance on self-reported practices and perceptions introduces the possibility of social desirability bias: participants may have reported more systematic or confident review practices than their actual behavior reflects. Third, although the qualitative data yielded rich and differentiated perspectives, the open-ended responses are not fully systematic and cannot support claims about the prevalence or representativeness of particular views. Fourth, the recruitment procedure – which proceeded first through REC offices and network organizations, and only subsequently via direct email contact – may have overrepresented members who are closely connected to institutional REC administration and underrepresented those with less formal integration into committee processes. Finally, the study’s focus on German-speaking RECs, while analytically appropriate given the shared regulatory context, limits direct comparability with findings from other jurisdictions and constrains generalization to broader international contexts.
Generalizability
The findings of this survey are most directly applicable to RECs in German-speaking countries, where the GDPR, national ethics laws, and the specific institutional arrangements of the German, Austrian, and Swiss research systems shape ethical review processes. However, the challenges identified – including difficulties in assessing data quality and methodological transparency, uncertainty about informed consent in exploratory research, the instability of anonymization as a protective measure, and tensions between data protection and scientific utility – closely mirror concerns documented in surveys and qualitative studies from the United Kingdom (Hibbin et al., 2018; Samuel et al., 2018), Switzerland (Ferretti et al., 2020, 2021, 2022), cross-national assessments (Lukaševičienė et al., 2026), and, more broadly, in the international normative literature on Big Data ethics (Ada Lovelace Institute, 2022; Ienca et al., 2018; Knoppers and Thorogood, 2017; Vayena et al., 2018). This convergence suggests that the issues identified here are not peculiarities of the German-speaking regulatory environment, but rather reflect structural features of the challenge that computational and Big Data health research poses to ethical oversight globally.
At the same time, the study’s limited response rate, convenience sampling strategy, and single-region focus constrain the extent to which results can be extrapolated to the full population of REC members in the region or to committees in other jurisdictions. The study should be understood as an exploratory empirical assessment that maps key areas of uncertainty, disagreement, and unmet need – a basis for further investigation rather than a definitive account. Cross-national comparative studies using consistent instruments, supplemented by in-depth qualitative interviews with REC members and applicants, and by analysis of actual committee decisions on Big Data study proposals, will be needed to build a more comprehensive and generalizable evidence base.
Conclusions
This study provides the first systematic empirical account of how RECs in German-speaking countries approach the ethical review of Big Data and computationally driven health research. Our findings reveal a landscape characterized by heterogeneous and largely unstandardized review practices, uneven exposure to data-intensive study proposals, and significant uncertainty about the methodological, regulatory, and data protection dimensions of such research. While a majority of REC members expressed confidence in their committees’ general review workflow, only around half felt adequately equipped for the specific demands of Big Data oversight – a gap that is unlikely to narrow without deliberate investment in guidance, training, and expanded expertise.
The challenges documented here are not merely technical or procedural. They reflect deeper, structural tensions between the exploratory, iterative logic of data-intensive science and the prospective, consent-based framework that continues to underpin the governance of biomedical research. The ex-ante review model, designed for studies with clearly defined hypotheses, populations, and interventions, struggles to accommodate research designs in which objectives evolve, data are repurposed, and risks are incompletely characterized at the time of application. Addressing these tensions will require not only updated REC procedures and stronger committee competencies, but a broader and more deliberate recalibration of how research ethics governance conceptualizes participant autonomy, methodological transparency, and the appropriate scope and limits of ethical oversight in an era of data-driven medicine. The ongoing development of the European Health Data Space, the implementation of the EU AI Act, and the broader governance debates around algorithmic accountability provide both the impetus and the institutional context for this recalibration. RECs in the German-speaking region – and their counterparts internationally – have an important and irreplaceable role to play in shaping it, provided they are adequately equipped to do so.
Supplemental Material
sj-docx-1-rea-10.1177_17470161261465028 – Supplemental material for Ethical oversight of emerging computational and Big Data approaches in health research: A survey of German-speaking research ethics committees
Supplemental material, sj-docx-1-rea-10.1177_17470161261465028 for Ethical oversight of emerging computational and Big Data approaches in health research: A survey of German-speaking research ethics committees by Maximilian Kassai and Florian Funer in Research Ethics
Footnotes
Ethical considerations
This study is an anonymous survey of research ethics committee members and does not constitute research on human subjects in the legally regulated sense under German medical law. Formal ethics approval was therefore not required: the statutory provisions mandating prospective ethics review in Germany apply to biomedical research involving patient participants and do not extend to anonymous, non-interventional surveys of healthcare professionals. This was confirmed in consultation with the Research Ethics Committee of the Medical Faculty of the Eberhard Karls University of Tübingen.
Consent to participate
All participants received information prior to participation and provided electronic informed consent to anonymous data collection and processing. Participation was voluntary, and withdrawal was possible at any time prior to final submission of the survey.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: We acknowledge support from the Open Access Publication Fund of the University of Tübingen. Additionally, FF was supported by the VolkswagenStiftung (Digital Medical Ethics Network, Grant ID 9B 233).
Declaration of conflicting interests
The authors declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: Both authors are current or former members of a research ethics committee at the university hospital of Tübingen. The authors declare there are no conflicts of interest regarding the content of the article.
Data availability statement
The dataset generated and analyzed during this study is available from the corresponding author upon reasonable request and in compliance with institutional policies.*
Generative AI statement
The authors declare that generative AI was used in the creation of this manuscript. The authors acknowledge the use of large language models (ChatGPT/OpenAI and Claude/Anthropic) to support the rephrasing of certain paragraphs for improved readability and style. The content, interpretation, and conclusions remain solely those of the authors, who carefully reviewed and approved all text.
Supplemental material
Supplemental material for this article is available online.
Notes
References
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
