Several recently enacted data protection laws appear to afford a privileged position to scientific research, including health research. Rules that might otherwise apply to data subjects and data controllers, including rights exercisable by data subjects against controllers, are lifted or lessened. However, when it comes to considering whether consent should serve as the lawful basis for processing data in the health research context, a fair degree of policy and regulatory divergence emerges. This divergence seems to stem from a normative link that some draw between consent as a research ethics principle and consent as a lawful basis in data protection law. This seminar considers the EU General Data Protection Regulation (GDPR) and three national laws, either implementing the GDPR or inspired by it, to provide points of comparison: South Africa’s Protection of Personal Information Act, 2013, the UK’s Data Protection Act 2018, and Ireland’s Health Research Regulations 2018. I argue that there is merit in distinguishing research ethics consent from data processing consent, to avoid what I term ‘consent misconception’, and come to advocate a middle-ground approach in data protection law, i.e. one that does not mandate consent as the lawful basis for processing personal data in health research projects—but does encourage it. This approach achieves the best balance for protecting data subject/research participant rights and interests and promoting socially valuable health research.