GDPR Requirements for Biobanking Activities Across Europe 3031429435, 9783031429439

Citation preview

Valentina Colcelli Roberto Cippitani Christoph Brochhausen-Delius Rainer Arnold   Editors

GDPR Requirements for Biobanking Activities Across Europe

GDPR Requirements for Biobanking Activities Across Europe

Valentina Colcelli • Roberto Cippitani • Christoph Brochhausen-Delius • Rainer Arnold Editors

GDPR Requirements for Biobanking Activities Across Europe

With Contributions by Sabrina Brizioli and Alessandra Langella

Editors Valentina Colcelli Institute CNR-IFAC National Research Council of Italy Florence Research Area, Italy

Roberto Cippitani Institute CNR-IFAC National Research Council of Italy Florence Research Area, Italy

Christoph Brochhausen-Delius Pathologisches Institut Universitätsklinikum Mannheim GmbH Mannheim, Germany

Rainer Arnold Faculty of Law University of Regensburg Regensburg, Germany

ISBN 978-3-031-42944-6 ISBN 978-3-031-42943-9 https://doi.org/10.1007/978-3-031-42944-6

(eBook)

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Paper in this product is recyclable.

Preface

Taking Responsibility: The Value and Handling of Data in Modern Medicine in the Light of the New GDPR Medicine and life science have undergone tremendous conceptual changes in the last decades. These changes are based on rapidly growing knowledge about the base of biological and pathological mechanisms in health and disease, which has spurred exciting fields of research. In this context, molecular genetics, stem cell research, immunology and molecular pathology represent only a few examples of scientific disciplines that have significantly contributed to this development. As a result, our knowledge of disease has recently been infused with the view that in the development of many diseases, multiple individual and genetic factors are relevant not only for the prevention of diseases but also for their prediction and progression. Since individual factors are more and more important in our concept of diseases, there have been clear changes in our view of disease entities. This has significant consequences for therapeutic strategy. From an epistemological point of view, the classical therapeutic strategy is to treat the disease entity. The disease entity is defined by its morphological and clinical appearance. Structural changes in tissues and cells as well as humoral factors are responsible for the clinical appearance of a disease entity. Breast cancer gives us an excellent example not only of a description of a classical disease entity and its therapy but also of the change in concept. Classically, breast cancer is characterised by specific morphological changes of the gland structures, invasion and destruction of the surrounding tissue with or without invasion of blood- or lymphatic vessels, respectively, with the risk of metastasis. Consequently, the classical treatment for breast cancer is the resection of the tumour with or without consecutive radiation therapy. The discovery that breast cancer cells may express hormone receptors not only gave a further characteristic feature to the entity but also opened a new therapeutic strategy with anti-hormone receptor therapy. Furthermore, we now know of the existence of several genetic mutations responsible for the development and progression of breast cancer, which also v

vi

Preface

includes a well-known predisposition to breast cancer. These potential molecular changes not only complement the characteristics of the disease entity but also lead to a higher granulation of the entity within different groups, which opens different perspectives for an adapted therapeutic strategy. The consideration of these various factors within a disease entity leads to important consequences for treatment and was originally defined as ‘personal medicine’ but was then modified to ‘precision medicine’. The base of this new concept of disease takes into account that many molecular factors are critically involved in the development and progression of disease, and that these molecular factors are individually distributed. This means that although breast cancer may look the same in different patients based on morphological features, the molecular background may be quite different. In this context, it is important to realise that several soluble biomarkers represent the molecular background of different malignancies. The differences in the molecular background are responsible for the different behaviours of a malignant tumour with a view to aggressivity, invasion or progression. The integration of molecular data and biomarkers within the disease characteristics as well as within the treatment decision resulted in the use of precise targeted therapy in many cases with significantly better outcomes and less side effects from the therapy. The model of precision medicine was even able to cure early stages of cancer, for example, breast cancer. To realise the whole potential of precision medicine, a complex, multimodal diagnostic root is necessary in which all findings from clinical examination, laboratory and image analyses as well as histopathological and molecular-pathological data should be analysed and compared. Given the potential of precision medicine, it becomes obvious that continued investigation of the complexity of our disease entities opens new perspectives on the optimisation of prevention, diagnosis and therapy of diseases. We should be aware that investigations in the cadre of precision medicine have methodological demands other than those that are known from classical medical and life science. New approaches with which to work and compare the huge amounts of data from the different diagnostic procedures require methods from information technologies. In this context, it is also relevant to consider that in such a holistic view, data from different sources should be compared. This is of special importance in regions where the complex diseases of a single patient are diagnosed and treated by different health entities. Indeed, data harmonisation and integration are crucial issues for success in optimising the health care of European citizens. On the one hand, from a scientific point of view, new technologies, such as the use of artificial intelligence and deep learning, are appropriate methods to push forward both basic and translational science, not only in oncology but also in all kinds of diseases. On the other hand, it becomes very clear that the accumulation of huge amounts of patient data risks the protection of personal rights. This is the reason researchers from all over Europe are highly interested in the consequences of the new General Data Protection Regulation (hereinafter referred to as GDPR) of the European Union. As a first reaction, researchers were deeply worried about a potential crucial restriction on research possibilities, and this was an important issue of interdisciplinary discussions in life science and all medical disciplines and was also found to

Preface

vii

be a concern in a survey organised by the European, Middle Eastern and African Society for Biobanking and Bio-preservation. One reason for the lack of understanding within the community of life and medical science results from the fact that before the GDPR went into effect, research with human data already underlay a number of strict regulations. These regulations consider the particular role of the life and medical science with a view to personal rights. In fact, there is a dilemma within life and medical science because of all the efforts have been made to protect or to restore the integrity of a person. However, it becomes more and more important to know comprehensive details of a person to properly and respectfully reach this goal. Therefore, the new GDPR is seen by many researchers as raising significant uncertainty in the justification of their goal to optimise diagnosis and treatment of diseases. This is an interesting viewpoint because in the considerations of the GDPR, the special value of life science and medical research for the citizens of the European Union is accentuated several times, and it is also stated that this kind of research should be supported because of its great value for the people of the European Union. However, the regulation itself leads to uncertainties and open questions for researchers from the life and medical sciences. Even the fact that one crucial aim of this regulation is the protection of personal rights with a view to economic implications, which is also defined in the considerations of this regulation, brings no clarity because the regulation itself contains a general validation of the use of data in any situation. Medical science evaluated and accepted GDPR because of its critical value, as a proper balance between the legal goods of safety protection of personal rights and privacy and the freedom of research that is needed, especially if this research belongs to the health and the well-being of the citizens in the European Union. Therefore, the interpretation of the GDPR with a view to the value of personal data and data exchange for life and medical research seems to be mandatory to reach the goal of optimal medical care also for future generations. The present volume combines several dimensions of potential interpretations of the GDPR with a view to life and medical research and with a view to the specific situations and regulations in different countries. The editors understand this volume as a contribution to and a base for an active dialogue between researchers, legal scientists, lawyers and directive bodies with the aim that the new GDPR become a regulation which will not be seen as a rigid obstacle for life science and medical research. The editors thank all the contributors and hope that the present volume will give some orientation to an interdisciplinary readership and some stimuli for fruitful interdisciplinary discussions. Mannheim, Germany 2 March 2022

Christoph Brochhausen-Delius

Acknowledgement

This work is a result of the activities carried out within the project ‘Umbria Biobank: Start up per una Biobanca in Umbria’, Department of Medicine and Surgery, section of Anatomic Pathology and Histology, Medical School, University of Perugia (Italy). The project has received funding from European Union and the Umbria Region, PRJ-1506POR FESR 2014–2020 programme (Umbria Biobank).

ix

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Roberto Cippitani and Valentina Colcelli Medical Research and Data Protection in Europe. The Emergence of General Legal Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rainer Arnold Part I

1

11

Syllabus of the Burning Questions

Anonymisation (Part I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ricard Martínez Martínez

21

Anonymisation: The Trap for Biobanking (Part II) . . . . . . . . . . . . . . . . Magdalena Kogut-Czarkowska

31

Applying National Law in Cross-Border Research Activity . . . . . . . . . . Valentina Colcelli

39

Archived Tissue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Antonella Mirabile

51

Blockchain and Dynamic Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Filippo Zatti

63

Brexit Effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hedley Christ

71

Broad Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Andrea Maierà

79

Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alessandra Langella

87

xi

xii

Contents

Consent Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Roberto Cippitani

97

Consent and Assent by Children . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Alessandra Langella, Rocío Aguilar-Quesada, and Roberto Cippitani Consent and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Andrea Maierà Consent from Children and Vulnerable People . . . . . . . . . . . . . . . . . . . . 129 Casimiro Benito Navarro Ojeda Consent Withdrawal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Valentina Colcelli Covid-19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Valentina Colcelli Dynamic Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Sabrina Brizioli Ethics Committees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Roberto Cippitani Ethic and Biobanks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Daniela Capello and Antonio Rimedio Ethical Principles and Legal Provisions . . . . . . . . . . . . . . . . . . . . . . . . . 177 Roberto Cippitani EU Legislation and Health Data Protection . . . . . . . . . . . . . . . . . . . . . . 189 Nataliia Mushak Forensic Databases (Part I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Francesca Aime, Noemi Argirò, Miriam Merli, Lisa Lonetti, and Francesca Scarpone Forensic Databases (Part II) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Francesca Aime, Noemi Argirò, Miriam Merli, Lisa Lonetti, and Francesca Scarpone Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Valentina Colcelli Genetic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Roberto Cippitani Granularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Roberto Cippitani Imaging Biobank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Andrea Barucci, Valentina Colcelli, and Anna Gottard

Contents

xiii

Industry Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Lisa Oster Joint Controller Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Valentina Colcelli Legitimate Interests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Tunjica Petrašević and Romana Ćosić Ownership of Human Biological Material . . . . . . . . . . . . . . . . . . . . . . . . 281 Roberto Cippitani and Valentina Colcelli Paediatric Biobanks (General Overview) . . . . . . . . . . . . . . . . . . . . . . . . 287 Tiziana Franchin and Rossana Ruggiero Public Interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Jeanise Dalli Rare Diseases and Data Protection (Part I) . . . . . . . . . . . . . . . . . . . . . . . 305 Petra Duhm-Harbeck and Judith Köbler Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Petra Duhm-Harbeck and Judith Köbler Rare Paediatric Diseases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Sabrina Brizioli Residual Material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Sabrina Brizioli Retention Time: Conservation of Personal Data (Part I) . . . . . . . . . . . . . 347 Dario Farace Retention Time: Conservation of Tissues (Part II) . . . . . . . . . . . . . . . . . 353 Dario Farace Retrospective Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 Balázs Hohmann and Gergő Kollár Scientific Research and the Biomedical Sector. Requirements and Methods for Planning and Managing a “Data Protection by Design” Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Paolo Guarda and Giorgia Bincoletto Secondary Use (Part I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Carla Barbosa and Andreia da Costa Andrade Secondary Use and Dual Use of Biomaterial Samples (Part II) . . . . . . . . 389 Carla Barbosa and Andreia da Costa Andrade

xiv

Contents

Transfer of the Personal Data for Research Purposes Towards Non-EU Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Roberto Cippitani Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Laura Burzagli Part II

Biobanking Legal and Ethical Requirements Across Europe: National Reports (in Alphabetic Order)

Towards Regulation for the European Health Data Research: A Comparative Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Ricard Martínez Martínez Austria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Joanna Osiejewicz Belgium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Alessandra Langella Bulgaria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Martin Margitin and Milen Rusev Croatia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Dunja Duić Cyprus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Sabrina Brizioli Czech Republic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Paula Poretti Denmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Paula Poretti Estonia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Sabrina Brizioli Finland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Alessandra Langella and Sabrina Brizioli France . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Viviana Di Capua Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Toni Fickentscher Greece . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 Andreia da Costa Andrade and Carla Barbosa Hungary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Balázs Hohmann, Gergő Kollár, and Gergely László Szőke

Contents

xv

Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 Tunjica Petrašević and Romana Ćosić Italy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Stefania Stefanelli Latvia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 Sabrina Brizioli Lithuania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Sabrina Brizioli Luxembourg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 Alessandra Langella Malta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Sabrina Brizioli Netherlands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Hedley Christ Poland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 Joanna Osiejewicz Portugal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591 Carla Barbosa and Andreia da Costa Andrade Romania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 Florin I. Mangu and Mircea Criste Slovakia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603 Sabrina Brizioli Slovenia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611 Tunjica Petrašević and Romana Ćosić Spain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 Joaquín Sarrión Esteve Sweden . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627 Joakim Nergelius United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Hedley Christ Part III

Conclusion

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 Angelo Sidoni and Cristina Pelliccia

Introduction Roberto Cippitani and Valentina Colcelli

As pointed out by EU and international sources, biological materials are invaluable resources for biomedical research.1 All areas of research depend on the availability and flow of data, information, expertise and materials. Most of our current understanding in the biomedical areas has originated from the methodical examination of human biological samples, which are also kept in biobanks (Godard et al. 2003; Scaffardi 2008; Vivas-Tesón 2013). A biobank is ‘any collection of biological materials, whether the source be human, plant, or animal, fungi, bacteria, microorganisms or other living families, as well as bioinformatic data on such organic materials’ (Perry 2013, p. 267). In 2009, Time magazine considered biobanks among the ‘Top 10 ideas changing the world’, and 10 years later, in 2019, Forbes entitled an article ‘Biobanking is Changing the World’ (see also Gaskell et al. 2010). Biobanks are the basis of translational biomedical research and a pillar of disruptive medical innovations, such as precision medicine; for instance, this paradigm underpins so-called ‘precision oncology 3.0’ (Shrager and Tenenbaum 2014). Biobanks also have great importance for other research disciplines and knowledge. One can think about the ‘collections’ of biological materials from plants and animals for developing products in the fields of food and agriculture.2 According to international legal sources, gathering biological material is also a crucial instrument for scientific studies, such as the reference to a ‘biological resources centre’ in the documents of the

1 See, e.g., Workshop on Human Genetic Research Databases (HGRDs) – Issues of Privacy and Security (Tokyo Workshop), OECD, 2004. 2 See, e.g., Article 2 of the International Treaty on Plant Genetic Resources for Food and Agriculture of FAO of November 2001 and Article 2 of the Convention on Biodiversity.

R. Cippitani (✉) · V. Colcelli Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_1

1

2

R. Cippitani and V. Colcelli

Organisation for Economic Co-operation and Development (OECD 2007) and the notion of ‘research infrastructure’ in European Union law.3 Biobank-related research is also a way to create synergies between private businesses and public research entities, which may strengthen the competitiveness of the health industries. In addition, biobanking is a crucial component of personalised medicine because it allows clinical and biomedical experts to re-analyse and share among themselves human samples and derived data (including blood, cells, tissues and DNA as well as related data about the samples and the sample providers). The increasing number of research biobanks and the importance of their role in supporting medical and biological research implies the development and sharing of biobanking best practices and benchmarking without unnecessarily aggravating biomedical research. As matter of fact, the creation and management of biobanks causes several ethical and juridical issues and may provoke societal concerns (see Gaskell et al. 2010). The main legal challenges in the management of biobanks are to find ways to protect the interests of individuals, while at the same time, making essential information available for medical research. In addition to the tremendous technical and organisational issues, the fundamental principle underpinning the governance framework for medical research is that individual research participants must be respected, and at the same time, essential information must be made available for medical research. Consequently, the data systems that accompany biobanks must be technically implemented and legally managed in an efficient way that allows the generation of social welfare benefits for the international community through collaborative research efforts while respecting the informational privacy of individuals. A known problem in this field is that the implementation of relevant ethical guidelines and legal instruments may prevent collaboration and the exchange of information. Given that biobanks involve biomaterials obtained from human beings, different legal and ethical issues – such as the informed consent model, sample ownership, veto rights and biobank sustainability – are debated. Thus, if human tissues and cells are stored in biobanks, strict ethical and regulatory criteria must be followed. Legislative legal sources, such as Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004, on setting quality and safety standards for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells, as well as constitutional provisions (see Article 3 of the Charter of Fundamental Rights) govern the collection and storage of biological material at EU and national levels (European Commission 2016). Particularly relevant among the legal issues related to biobanks of human biological materials are those arising from the application of the norms concerning ‘personal data’; that is, information able to identify a natural person. Under European

3

See, in Europe, the ESFRI (European Strategy Forum for Research Infrastructures) roadmap for research infrastructures, which lists research infrastructure for biobanks and biomolecular resources (BBMRI).

Introduction

3

Union law, the protection of personal information is governed by several legal sources, in particular, Article 8 of the Charter of Fundamental Rights and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and the free movement of such data (GDPR). Several papers have recently been approved by EU organisations and agencies to apply GDPR principles to the COVID-19 health emergency. 4 The GDPR could be considered a benchmark legal norm for governing the use of personal data and for protecting the rights of individuals whose information is processed both inside and outside of the EU; it can also be helpful if health data governance remains fragmented at national and regional levels, hindering any effort to scale up research and healthcare solutions. The coordination of national efforts is also fragmented as is the harmonisation of the treatment of personal health data considering the GDPR. The GDPR includes various provisions that provide EU Member States the power to modify and adapt it at the national level, such as the adoption of measures governing the processing of health data for scientific research (see Recital 159 of GDPR). According to Article 89(2) of the GDPR, the derogations in the context of research exemptions are related to (a) the rights of data subjects or (b) the so-called secondary use for further processing of personal data. Any modifications to Member State laws may have a significant influence on the legal foundation (Article 6) and the exemption for processing health data (Article 9) that must be cited when processing personal (health) data for research purposes. The possibility that Member States could preserve or apply new restrictions or prohibitions or could preserve or add new restrictions or limitations regarding the processing of genetic data, biometric data or health data is also mentioned in Article 9(4) GDPR. The GDPR is based on the idea that research activities are in the collective interest, and thus, the processing of personal data in scientific fields may benefit from special rules or derogations as is the case in other EU legal sources (e.g., public procurements and State Aids discipline) (European Commission 2016). Article 89 of the GDPR states that when ‘personal data are processed for scientific or historical research purposes or statistical purposes’, European and national laws may provide derogations from data subjects’ rights, such as access (Article 15), 4

Among others: Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020. https://edpb.europa.eu/sites/edpb/files/files/news/edpb_ statement_2020_processingpersonaldataandcovid-19_en.pdf; Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. Adopted on 21 April 2020. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_con tact_tracing_covid_with_annex_en.pdf; Guidelines 03/2020 on the processing of data concerning health for scientific research in the context of the COVID-19 outbreak. Adopted on 21 April 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_ healthdatascientificresearchcovid19_en.pdf; Statement on restrictions on data subject rights in connection to the state of emergency1 in Member States, adopted on 2 June 2020. https://edpb. europa.eu/sites/edpb/files/files/file1/edpb_statement_art_23gdpr_20200602_en.pdf.

4

R. Cippitani and V. Colcelli

rectification (Article 16), restriction of processing (Article 18) and object (Article 21). Laws may also provide exceptions to the right to erasure (the right to be forgotten) guaranteed under GDPR Article 17(1).5 However, some issues derive from applying the GDPR to the establishment and functioning of the research biobanks. While the GDPR is a broad piece of legislation that includes various provisions that favour scientific research or, more accurately, a knowledge of its special demands, its application in the research setting is not always straightforward. This is mostly owing to the broad latitude granted to Member States by the GDPR in this regard. This circumstance leads to the fragmentation of GDPR implementation at the national level, which has a variety of consequences for research activities. As stated by EU sources: The national legislator of each Member State may enact specific laws under Article (9) (2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes. The processing of health data for scientific research must also be covered by one of the legal bases in Article 6 (1) GDPR. Therefore, the conditions and the extent for such processing varies depending on the enacted laws of the particular member state.6

Furthermore, the GDPR is based on the idea that research efforts benefit the broader society. At the same, time GDPR requires that the data controller is responsible for ensuring that all privacy principles are respected. The GDPR also provides that the organisations/biobanks have to demonstrate compliance with all the principles of the Regulation; namely, the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality (see Article 5 GPR). In the case of research biobanks, no questions should arise from the application of some principles, such as lawfulness, fairness and transparency as well as accuracy, integrity and confidentiality. The bodies managing the biobanks are expected to comply with applicable legislative provisions and to adopt measure to ensure the security and protection of the rights of individuals. The implementation of principles such as the purpose limitation, data minimisation and storage minimisation is more difficult. Those ‘principles’ may be seen as the specification of the more general principle of the EU law, which is ‘proportionality’.

5 Derogations from the individual rights usually accorded to data subjects are also recognised in documents issued by the Council of Europe’s bodies. For instance, Article 8(2)(d), Recommendation R(97) 5 Recommendation R(97) states that access to medical data (including genetic data) and the right of rectification may be refused when ‘the data are used for statistical or for scientific research purposes where there is no risk of an infringement of the privacy of the data subject, notably the possibility of using the data collected in support of decisions or measures regarding any particular individual’. 6 Guidelines on the processing of data concerning health for scientific research in the context of the COVID-19 outbreak.

Introduction

5

Biobanks do not seem to comply with the principle of proportionality: the scientific importance of biobanks is associated with the availability of a massive quantity of data and materials, stored for a non-undefined period, and which may be used for research activities that are not known at the moment of collection. It is possible to provide at least two answers to these issues. The first answer is based on a general consideration because the principle of proportionality is not an absolute but a relative principle. According to the GDPR, data must be relevant and limited to what is necessary in relation to the purposes allowed by the law (cfr. Article 5, paragraph 1, c). On this point, the argument could be made that the collection of a huge quantity of materials and data is necessary to achieve the objective of modern science, as recognised by the GDPR itself. Recital no. 157 of the GDPR explains: By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions, such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.7

However, in the interpretation of the European Data Protection Supervisor (EDPS 2020, p. 22), under the wording of Article 8(2) of the Charter of the Fundamental Rights of the EU specification and lawfulness have to be seen as two separate and cumulative requirements. Therefore, the use of personal data from a biobank for research should not be reflected in a specific purpose; this is also in accordance with the meaning of future scientific research (Recital 33 GDPR). The second answer is related to a specific provision applied just for research activities. According to the ‘storage limitation’, data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’ (Article 5, paragraph 1.e, GDPR). This provision itself recognises that the use for research is considered a legitimate reason for a wider period of maintaining health-linked personal data, including genetic data (see also Article 4.1.f draft Recommendation on the Protection of Health-Related Data). According to a document of the EU Agency for Fundamental Rights and the Council of Europe, ‘keeping data for future scientific, historical or statistical use is explicitly exempt from the principle of limited data retention’ (European Union Agency for Fundamental Rights 2014, p. 73).

7

In the case of historical research purposes, the value of the archiving is underlined by recital no. 158 which recalls that ‘Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes’.

6

R. Cippitani and V. Colcelli

However, such an approach is not without its weaknesses. EDPS continuously affirms that the derogations for research activities have not been considered as a general authorisation to infringe the principles and the provisions of the GDPR (see the ‘Preliminary Opinion on data protection and scientific research’). For example, while considering the research exception to the principle of the ‘storage limitation’, EDPS underlines that it is applicable only when the data are stored ‘exclusively’ for research purposes (this should be a problem for biobanks in biomedical fields that may be used for other purposes, e.g., therapeutic activities and epidemiological surveillance). EDPS also affirms that ‘the intention of the lawmaker appears to have been to dissuade unlimited storage even in this special regime, and guards against scientific research as a pretext for longer storage for other, private, purposes. If in doubt, the controller should consider whether a new legal basis is appropriate’ (p. 24 s.). Other problems derive from the fact that the GDPR provides that the special rules for research activities are applied in compliance with Article 89 GDPR, which refers to more detailed provisions to be adopted by the EU and national lawmakers (European Union Agency for Fundamental Rights 2014, p. 31). If those specific rules are absent, it is not clear how the controller may implement such special rules for research purposes. One of the most significant problems existing in regulating biobank operations is the meaning of ‘research purposes’. The GDPR provides a significant benefit by allowing the EU and national legislation to reconsider the entire system and design a more comprehensive protection framework for scientific research (Slokenberga et al. 2021), but the reality is that the GDPR rules are not clear nor is the reason they must apply to research activity. Despite this lack of a detailed legal instrument, the principles contained in the clinical trials regulation could provide integration rules to reach a basis for the protection of research participants/data subjects (Cippitani et al. 2022). The availability of the exemptions for research and biobank activities is also not clearly stated. In addition, biobanking activities are expected to comply with other rules arising from other sources; within the EU, this includes Directive 2004/23/EU (see, in particular, Article 13 of the Directive) and Regulation (EU) 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, which refers specifically to research in the biomedical field. The GDPR has nonetheless provided a significant benefit because it has given the EU and national legislation the chance to review the entire system and design a more comprehensive protection framework for scientific research (Slokenberga et al. 2021). However, the rules are not entirely clear, nor is it known when they must apply to biobanks. The Clinical Trials Regulation, for example, is not explicitly tailored for biobanks (Wright et al. 2010). The legislator will soon be unable to excuse itself from dealing with research biobanks as a research model in which various skills—ethics,

Introduction

7

information technology, medicine and law—are called into question, along with aspects of administration, private law and fundamental rights. The other legal sources have the same limits of not being specifically designed for biobanks, including the Clinical Trials Regulation (Wright et al. 2010). The legislature will soon no longer be able to exempt itself from dealing with research biobanks as a research model in which different skills—ethics, information technology, medicine and law and, in this sector, aspects of the administration, private law and fundamental rights—are called into question. Since numerous knowledge domains and different operators are involved and the scientific investigation often takes place between different centres, it will be essential to ensure a binding legal framework of reference and to create harmony in terms that is already lacking. The national and international proliferation of biobanks requires a common language, considering that only the words chosen to describe the structures can influence the decisions of patients to participate. Those concerns have been expressed by the European Commission, which underlines that: a pan-European legal instrument that lays out clearly the requirements for biobanking that can be understood by all stakeholders does not currently exist. Within the European Union, the principles and legal requirements for biobanking have been drawn from more general documents for data protection and clinical trials, but neither of these directives explicitly covers human tissue. There is a need to review the requirements that apply to the use of human tissue in research within Europe to address this deficit.8

To face the complex systems, the present volume combines several dimensions of potential interpretations of the GDPR with a life view of the professionals in the biomedical sector, taking into consideration of the specific situations and regulations in the different countries. The editors understand this work as a contribution to and a base for an active discussion between researchers, legal scientists, lawyers and directive bodies with the aim that the new GDPR becomes a regulation that will not be seen as a rigid obstacle for life science and medical research. According to the described legal framework, the book is structured in the following manner: ‘The syllabus of the burning questions’ tries to answer questions realised by operators of the main biobanks around the EU. We used results of a survey proposed by one of the editors, Prof. Christoph Brochhausen-Delius, which was carried out among members of the European, Middle Eastern & African Society for Biopreservation and Biobanking (ESBB), and summarised the main questions that the medical doctors and biobankers involved in the activities of Biobanks of Research face every day in their activities. This first part of the book will be an

8 Directorate-General for Research and Innovation Science in society, Biobanks for Europe, A challenge for governance Report of the Expert Group on Dealing with Ethical and Regulatory Challenges of International Biobank Research, 2012. https://ec.europa.eu/research/science-society/ document_library/pdf_06/biobanks-for-europe_en.pdf.

8

R. Cippitani and V. Colcelli

instrumental and operative analysis of the main topic of the GDPR and biobanking activity. ‘Biobanking legal and ethical requirements across Europe: National reports’ is an analysis of the Member States' legislation for the processing of health data for research purposes with a particular focus on biobanking activity related to research. In this second part, we collected for each Member State the several shortcomings in regulating the activities carried out by biobanks, especially biobanks for research purposes, as well as the National laws that maintain or introduce more specific provisions adapting the application of the rules of the GDPR with regard to scientific research.

References Cippitani R, Mandarano M, Pelliccia C, Colcelli V, Sidoni A (2022) Biobanking-related bioethical and legal unresolved issues. Virchows Arch. https://doi.org/10.1007/s00428-022-03450-0 EDPS (2020) A preliminary opinion on data protection and scientific research. https://edps.europa. eu/data-protection/our-work/publications/opinions/preliminary-opinion-data-protection-and-sci entific_en European Commission, EXPH, Disruptive Innovation. Considerations for health and health care in Europe, 2015, paragraph 3.3.3. https://ec.europa.eu/futurium/en/system/files/ged/54_-_disrup tive_innovation_ec_-_expert_panel_health_2015.pdf European Commission (2016) Open innovation, open science, open to the world – a vision for Europe. Publications Office of the European Union, Luxembourg. https://doi.org/10.2777/ 061652 European Union Agency for Fundamental Rights, Council of Europe (2014) Handbook on European data protection law. Publications Office of the European Union, Luxembourg. https://fra.europa.eu/en/publication/2014/handbook-european-data-protection-law-2014edition Gaskell G, Stares S, Allansdottir A, Allum N, Castro P, Esmer Y, Fischler C, Jackson J, Kronberger N, Hampel J, Mejlgaard N, Quintanilha A, Rämmer A, Revuelta G, Stoneman P, Torgersen H, Wagner W (2010) Europeans and biotechnology in 2010. Winds of change?. Report to the European Commission’s Directorate-General for Research. https://doi.org/10. 2777/23393 Godard B, Schmidtke J, Cassiman J-J, Aymé S (2003) Data storage and DNA banking for biomedical research: informed consent, confidentiality, quality issues, ownership, return of benefits. A professional perspective. Eur J Human Genet 11(Suppl 2):S88–S122 OECD (2007) Best practice guidelines for biological resource centres. https://www.oecd.org/sti/ emerging-tech/38777417.pdf Perry M (2013) Accessing accessions, biobanks and benefit-sharing. In: Pascuzzi G, Izzo U, Macilotti M (eds) Comparative issues in the Governance of research biobanks. Property, privacy, intellectual property and the role of technology. Springer, pp 267–279. https://doi. org/10.1007/978-3-642-33116-9 Scaffardi L (2008) Legal protection and ethical management of genetic databases: Challenges of the European process of harmonization in European legal integration: The new Italian scholarship. Jean Monnet Working Paper (No. 19/08). New York University School of Law Shrager J, Tenenbaum JM (2014) Rapid learning for precision oncology. Nat Rev Clin Oncol 11: 109–118. https://doi.org/10.1038/nrclinonc.2013.244

Introduction

9

Slokenberga S, Tzortzatou O, Reichel J (2021) Slokenberga. In: S., Tzortzatou, O., & Reichel, J. (ed) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, p 1. https://doi.org/10.1007/978-3-030-49388-2 Vivas-Tesón I (2013) Bioresearch, biobanks and informed consent from vulnerable donors in Spanish law. Europa e Diritto privato 4:1069–1095 Wright J, Corrette Ploem M, Sliwka M, Gevers S (2010) Regulating tissue research: do we need additional rules to protect research participants? Eur J Health Law 17(5):455–469. https://doi. org/10.1163/157180910X525295

Medical Research and Data Protection in Europe. The Emergence of General Legal Principles Rainer Arnold

Constitutionalism today is anthropocentric: the human being, its dignity and freedom, is the centre and objective of the law. Constitutional guarantees, and fundamental and human rights, at national, international and supranational levels, safeguard this elementary human demand. The protection of the personality, especially of personal data, on the one hand, and the right to health, which also includes the right to research with the aim of developing and improving human health, or generally the freedom of science and research, are the two fundamental poles for the topic of our conference. Both poles serve the human being, but they are, to a considerable extent, in opposition. Too much data protection can hamper, or even exclude, health research. Thus, the two sides, enshrined, expressly or implicitly, in national and supranational as well as in international law, must be reconciled, must be brought into balance with each other. Fundamental rights are principles that, as is often said, must be optimised (Alexy 2018) by granting as much as possible to each of the conflicting rights without interfering with the essence of either of them. Obviously, one of the fundamental rights, such as data protection, must not be maximised while the other fundamental right, in this case freedom of research, is disproportionately hindered or even made impossible. Research needs room for development: it cannot be fixed from the outset on a certain path, on a precisely measured route. New research goals of great importance may suddenly emerge from the originally defined research objectives (SpechtRiemenschneider and Radbruch 2021). 1

1

See also Bundesärztekammer, Bekanntmachungen, Medizinische, ethische und rechtliche Aspekte von Biobanken, in: Deutsches Ärzteblatt 15.12.2017. doi: 10.3238/arztebl.2017.biobanken_01, p. A1 – A7, A5.

R. Arnold (✉) Faculty of Law, University of Regensburg, Regensburg, Germany © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_2

11

12

R. Arnold

Research also needs sustainability—it cannot be abandoned when on a promising path. Continuation of research is an important public interest, which is society’s interest in medical progress. Research depends on information, on data, whether physical or electronic, and the availability of data should not be unacceptably restricted in terms of quantity and quality. These attributes, which are part of the essence of research, must not be overridden by other fundamental rights; on the contrary, they must be maintained, but in such a way that the other fundamental right, data protection, is nevertheless realised as far as possible. Fundamental rights are laid down in the text of a constitution (in a national constitution, in the EU Charter of Fundamental Rights or in the ECHR) and they are concretised by ordinary law, in a state by legislation and other sources of law, in the supranational community of the European Union by regulations or directives, and partly also by soft law (quite frequently!), which has an important function in the formation of general legal principles and also in the interpretation of positive, but not clearly defined, law. In international law (in the law of the Council of Europe), fundamental and human rights are more closely detailed in conventions and recommendations of the Committee of Ministers 2 and in soft law, which is not legally binding but has a strong influential effect, and are concretised by the case law of the courts, above all the European Court of Human Rights. The concretisation through case law exists in all legal systems, in the national, supranational and international spheres. Fundamental rights at all three levels are not only rights of defence against public power, but also apply in the relationship between private (physical and legal) persons. Furthermore, they trigger an obligation on the holder of public power actively to protect the values enshrined in the fundamental rights. This is of particular importance for our topic. The holders of public power (the state or the EU) are obliged to implement these values (in our context, the values of freedom of research and healthcare through medical research, on the one hand, and the value of privacy, on the other hand) adequately and make them efficient through laws or other legal norms, conventions and jurisprudence. This duty to protect pertains, on the one hand, to the relationship between private persons (privately operated biobanks, private clinics and individuals whose data are at stake), and, on the other hand, to the relationship with the holder of public power itself—the state and, in the supranational field, the European Union. It is therefore a matter of providing safeguards that prevent disproportionate encroachments into these rights, for example by enacting procedural rules. The safeguards must be efficient, whether in relation to other private persons or in relation to the public sector (Arnold 2021). Finally, as already mentioned, laws, norms and conventions must resolve conflicts between fundamental rights by weighing up these rights (in our context, by

2

See, for example, Recommendation No. R (83) 10 on the protection of personal data used for scientific research and statistics.

Medical Research and Data Protection in Europe. The Emergence of. . .

13

weighing up the right to privacy and the right to freedom of research connected with the right to health). The values of these rights must be brought into harmony, into ‘practical concordance’ (Hesse 1991) either abstractly through norms or concretely in the application of the law by the courts when interpreting the law. Having outlined the function of fundamental rights, a few remarks should be made about the nature of fundamental rights in today’s system of open statehood (that is, about the cross-border effect of fundamental rights). The question that must be asked in this context, which is of significance for the complete understanding of our problem, is how the guarantees of fundamental rights interlock in the European sphere. The answer also has consequences for the constitutional requirements for biobanks in Europe. First of all: fundamental rights, and thus constitutional law, seen from a rather formal standpoint, exist only in states. Nevertheless, the functional concept of a constitution is broader, as it encompasses all entities exercising public power, other than states. The decisive factor is that such entities are in a position to interfere with the freedom of human beings or to shape their lives or essential parts of their lives. Functionally, this is then a constitutional relationship, even if it is expressed in the form of an international law or a supranational treaty. For this reason, the Treaty on the EU, as well as the EU Charter of Fundamental Rights, function as constitutional law. This is also true for the ECHR which is, as the Strasbourg Court expressly says, a ‘constitutional instrument of a European public order.3 What is the consequence of this broad functional approach to the definition of constitutional law? Neither the fundamental rights of a national constitution nor the fundamental rights of the European Union, as recorded in the EU Charter of Fundamental Rights, can be considered in isolation. They form a functional unit, a bloc de constitutionnalité, to use a term from French constitutional law (DenizeauLahaye 2022). They influence each other and converge more and more closely in their content, and each must be taken into account in the interpretation of the other. All these three levels of the protection of fundamental rights have the same (or almost the same) structure, in view of the balancing between different fundamental rights, the imperative of optimisation and also the concepts of value. This means that we must clearly see the connection between national law, EU law and the ECHR. From the point of view of each of these legal systems, the conflicts of fundamental rights have to be resolved, in the sense of there being a weighing and balancing, a concordance, or an optimal solution that corresponds to the nature of the fundamental rights involved. In data protection law, the well-known EU General Data Protection Regulation (GDPR) is particularly important. Personal data on health are special categories of personal data (Article 9 of the Regulation) that are subject to special protection. However, the area of research is dealt with in several places, but rather selectively, in the Regulation, while the opening clause in Art. 89 of the Regulation leaves it up to

3

Loizidou v. Turkey (Preliminary Objections) (Application no. 15318/89), Judgment 23 March 1995, para. 75.

14

R. Arnold

the Member States to establish rules for research that may deviate from Articles 15 (the right of access by the data subject, meaning the right of information on the processing of one’s own data), 16 (the right to rectification), 18 (the right to restriction of processing), and 21 (the right to object). However, the basic requirements of the Regulation must not be called into question by these national regulations. In the context of the issue of interest to us here, EU law has weighed up the fundamental right to privacy, in the sense of data protection, and the freedom of research, both of which are explicitly included in the Charter of Fundamental Rights governing the EU: Art. 8 on the one side, and Art. 13 on the other. This balancing is expressed in the EU GDPR, with its personality protection requirements, on the one hand, and, on the other, its internal privileges for research, and the opening clause in favour of national regulations for the protection of research. These provisions for the benefit of research, although exceptional in nature, must not be interpreted narrowly, either at the EU level, that is, within the framework of the Regulation, or at the level of national data protection regulations, which concretise the opening clause of the Regulation (Hense 2018) The purpose is to protect a fundamental right, that of freedom of research, in the best possible way. We must be aware that there are two fundamental rights to be balanced, data protection and freedom of research; both are equal in their significance and weight. The right to freedom of research should not be reduced in its importance when interpreting the exception clause of the Regulation. It has already been emphasised that not only national and supranational law, but also international law, must be taken into account in the interpretation, and that the European Convention on Human Rights and its interpretation by the Strasbourg Court of Justice also play an important supporting role in this interconnected European system of fundamental rights. We can therefore say that the existing data protection rules are interpreted correctly when the common European fundamental rights principles are respected, that is, when the conflicting fundamental rights are brought into harmony with each other, with due regard for the principle of proportionality and with respect for the essence of each of these fundamental rights. Article 9(2)(j) of the Regulation clearly expresses this as a consequence of European constitutional law. Let us have a further look at the Regulation itself. The consent of the data subject to data interference is at the heart of European data protection law. However, there are a number of reasons that justify data interference even without consent. Article 9(2), concerning the processing of special categories of data, which includes health data and genetic data, lists a number of other possibilities providing justification, in addition to the consent of the person concerned, including ‘scientific research purposes’ in letter (j), which is important for us; this applies independently of consent (Specht-Riemenschneider and Radbruch 2021, p. A 1359) However, this presupposes respect for the known constitutional principles in European constitutionalism, such as the principle of proportionality (‘processing must be proportionate to the aim pursued’), the prohibition on changing the essence of data protection law and—another general

Medical Research and Data Protection in Europe. The Emergence of. . .

15

proportionality clause – the obligation to provide ‘adequate and specific measures to safeguard the fundamental rights and interests of the data subject’. Since the use of personal data falls within the scope of the ‘right of informational self-determination’ of the person, as defined by the German Federal Constitutional Court and in the case law of other countries (Kühling et al. 2018, para 497) such processing possibilities are also allowed without the consent of the person concerned, but are subject to constitutional limits. As already explained above, these are general constitutional principles in the European area. These limits are only generally specified in the Regulation; the legislator at national and supranational level had a relatively wide scope for design, but the legislation must conceptually fulfil these constitutional requirements. If we look at the German legislator, we find, in Section 27 of the Federal Data Protection Act, a relatively precise implementation of the aforementioned provision of the Regulation, whereby the appropriate and specific measures in favour of the person concerned are further specified by the law (Specht-Riemenschneider and Radbruch 2021, p. A 1359). The important provision of Article 5(1)(b) of the Regulation, which lays down the principles for the processing of personal data, establishes that personal data can only be collected for ‘specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’4 (Specht-Riemenschneider and Radbruch 2021, p. A 1359), but it makes the exception that ‘further processing for . . . scientific . . . research purposes . . . shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)’. Further processing for scientific purposes is therefore considered compatible, and this is therefore a compatibility fiction (Kühling et al. 2018, para 341) if the conditions of Art. 89(1) of the Regulation are met (appropriate safeguards through organisational and technical measures with the aim of data minimisation). Irrespective of the further processing of data, it must be noted that processing for scientific purposes cannot be based on an objective that can be clearly determined and definitively described from the outset. In view of the dynamics and unpredictability of research processes and research results, this is not possible (Hense 2018, Article 89 para 12). Research aims to explore the unknown, and it is therefore, by its very nature, impossible to define and delimit. Recital 33 to the Regulation (the content of which is not entirely clear) states that the consent of a data subject is possible and effective even if the purpose of the processing is not clearly identifiable, as is often the case in scientific research (Hense 2018, Article 89 para 12). This relativisation of the principle of certainty and unambiguity with regard to the purpose of processing in the area of research must also apply in cases where consent is not envisaged.

For more on the idea of ‘broad consent’, see https://www.medizininformatik-initiative.de/de/ mustertext-zur-patienteneinwilligung.

4

16

R. Arnold

Section 27(3) of the German Federal Data Protection Act, which enables the processing of sensitive data even without the consent of the person concerned, implements Art. 5(1)(b) of the Regulation, which requires adequate measures for data minimisation, by the following provision: In addition to the measures referred to in Section 22(2), special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 processed for scientific or historical research purposes or for statistical purposes shall be made anonymous as soon as this is possible in accordance with the research or statistical purpose, unless this conflicts with legitimate interests of the data subject. Until then, the characteristics with which individual data on personal or factual circumstances can be attributed to an identified or identifiable person shall be stored separately. They may only be combined with the individual data insofar as the research or statistical purpose requires this.

Further privileges of scientific research are (Kühling et al. 2018, para 825 ; Hense 2018, Article 89 para 12): • longer storage (exception to the principle of storage limitation, Art. 5(1) (e)GDPR); • exemptions from the obligation to delete (right to erasure -the ‘right to be forgotten’—are not applicable, according to Art. 17(3)(d) GDPR, but the principle of proportionality has to be observed); • no obligation to provide information where personal data have not been obtained from the data subject (Art. 14(5)(b) GDPR); • no obligation to meet specific requirements for the transfer of data to third countries and international organisations, as laid down in Articles 44 et seq. (Art. 49(1)2 GDPR (‘is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject. . .’), in conjunction with recital 113 of the GDPR (‘. . .For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. . .’) (Hense 2018, Art. 89 para 12; SpechtRiemenschneider and Radbruch 2021, p. A 1359; Towfigh and Ulrich 2018 Art. 44 et seq.; Art. 49 paras. 8, 9) Art. 89(2) of the Regulation also allows exceptions to important rights of the data subject to be specified by the national regulations. To take the German example: section 27 of the German Federal Data Protection Act elaborates on this and states: (2) The rights of the data subject provided for in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679 shall be limited to the extent that those rights are likely to make impossible or seriously prejudice the achievement of the research or statistical purposes and the limitation is necessary for the achievement of the research or statistical purposes. Furthermore, the right of access under Article 15 of Regulation (EU) 2016/679 shall not apply where the data are necessary for scientific research purposes and the provision of information would involve a disproportionate effort.

In summary, we can say that the EU General Data Protection Regulation contains a number of provisions that meet the specific needs of scientific research. In addition, it is left to the Member States to establish by law exceptions to a number of the rights

Medical Research and Data Protection in Europe. The Emergence of. . .

17

of data subjects for the purposes of research (and other areas of archiving and statistics). This innovative regulation is the consequence of a balancing between two fundamental rights, data protection as an essential aspect of personal rights, on the one hand, and freedom of research, on the other. However, this does not, by any means, solve all the problems. The norms contain general terms that must first be defined more precisely by case law. It is the European case law, in particular that of the Court of Justice of the European Union, and also the national case law of the 27 Member States, that may show divergences in understanding. The instrument of the preliminary ruling under Article 267 TFEU, which grants the Court of Justice of the European Union a Europe-wide competence for interpretation, has a particularly important task here. The legal practice of the Member States, in particular their legislation and jurisprudence, also has an influence on the understanding of European terms. The legislator is the first interpreter of the constitution, says the German Federal Constitutional Court;5 this can be generalised. Certainly, a constitution is above the law and EU law enjoys primacy over national law (and also above national constitutional law, at least to a large extent6), but nevertheless, what the national legislator establishes and what the national courts say is also relevant for the interpretation of European fundamental rights. This is also reflected in Article 52(4) of the EU Charter of Fundamental Rights, according to which a large number of EU fundamental rights are to be interpreted in the light of the constitutional traditions of the Member States, which in turn are influenced by the legislation and case law of the Member States. It is therefore an important task of this book, since it is written by our community, to show the national views of the relationship between data protection and research and medical research via biobanks. If we look at the European Convention on Human Rights and the other legal acts of the Council of Europe, we can see that they also carefully address the issues of medical research in relation to the protection of personal data. The basic ideas here are similar to those in EU law, but they are less detailed and, above all, there is a lack of legislative instruments comparable to EU law. Besides conventions (which are certainly important, but do not address the specific issue in the same way as EU law), it is mainly recommendations of the Council of Ministers of the Council of Europe that deal with this issue.7 Thus there is a lack of comparable normative binding effect. Nevertheless, the importance of this soft law for the development of general principles influencing the interpretation of ordinary law should not be underestimated.

5

FCC http://www.bverfg.de/e/fs19991111_2bvf000298.html, para. 281. The exception is the so-called constitutional identity equated by the FCC with the matters exempted from constitutional reform (Article 79.3 Grundgesetz (Basic Law, BL), FCC http:// www.bverfg.de/e/es20090630_2bve000208en.html (English translation by the FCC), paras. 218, 219, 239, 240 etc. 7 See note 2 and Recommendation CM/Rec(2019)2, p. 19 et seq. 6

18

R. Arnold

Ultimately, to a certain extent, a supporting and consolidating effect can also be derived from the law of the Council of Europe for the normative specification of EU law. We can therefore conclude that the tension between data protection and freedom of research, which is so important for biobanks, must be resolved to an extent that is optimal for both areas of freedom. This is a task of the normative guidelines—the EU General Data Protection Regulation and other legal acts; however, this is an ongoing task of interpretation, of legal and medical practice, of state and supranational jurisdiction, and of discussion in professional circles and in the general public. A message to medicine and biobanks: You are not left on your own! The law tries to take the legitimate interests of research seriously and to find adequate and practical solutions.

References Alexy R (2018) Theorie der Grundrechte, 8th edn. pp 75–76 Arnold R (2021) La structure des droits fondamentaux – aspects choisis. La estructura de los Derechos fundamentales – cuestiones seleccionadas. Comp Law Stud, 12 Bundesärztekammer, Bekanntmachungen, Medizinische, ethische und rechtliche Aspekte von Biobanken, Deutsches Ärzteblatt 15.12.2017. https://doi.org/10.3238/arztebl.2017.biobanken_ 01 Denizeau-Lahaye C (2022). La genèse du bloc de constitutionnalité. CC Dossier, N° 8 - avril 2022, Titre VII. https://www.conseil-constitutionnel.fr/publications/titre-vii/la-genese-du-bloc-deconstitutionnalite Hense A (2018) Commentary on Art. 89. In: Sydow G (ed) Europäische Datenschutzgrundverordnung, 2nd edn. Nomos Hesse K (1991) Grundzüge des Verfassungsrechts der Bundesrepublik Deutschland, 18th edn. C.F. Müller Kühling J, Klar M, Sackmann F (2018) Datenschutzrecht, 4th edn. C.F. Müller Specht-Riemenschneider L, Radbruch A (2021) Die Forschung braucht Daten. Deutsches Ärzteblatt 118:27–28 Towfigh EV, Ulrich J (2018) Commentary. In: Sydow G (ed) Europäische Datenschutzgrundverordnung, 2nd edn. Nomos

Part I

Syllabus of the Burning Questions

Anonymisation (Part I) What Is the State-of-the Art of Anonymisation in DataDriven Health Research and Its Role in the “European Health Data Space Regulation”? Ricard Martínez Martínez

1 Introduction The use of data analytics methodologies for health research has evolved in the last two years towards very well-defined and common strategies in the countries of the European Union Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)1 considers that health research represents a clear public interest and should be promoted. To this end, it has established certain precise rules: • It has provided legal bases legitimising this processing (Articles 6, 9(2) (j) and 89). • It has considered data use relating to research (Article 5(1)(e)) as compatible uses. • It requires regulatory development by the European Union or by Member States’ laws to include both the grounds of legitimacy for processing and conditions for processing that provide adequate safeguards (Articles 6, 9(2)(j) and 89). Article 89(1) includes a clear preference regarding the identifiability of the data. Anonymisation should be the rule and pseudonymisation represents the safe alternative when anonymisation proves impossible. Moreover, the latter technique is conceived as necessary by default and as an adequate safeguard.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

R. Martínez Martínez (✉) Faculty of Law, University of Valencia, Valencia, Spain e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_3

21

22

R. Martínez Martínez

2 Anonymisation in the General Data Protection Regulation Recital 26 of the GDPR defines the conditions that anonymisation must meet. The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. It is necessary to differentiate between anonymisation and pseudonymisation, with the latter defined as follows: ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

The reference framework on anonymisation was defined by Article 29 Working Party in the Opinion 05/2014 on anonymisation techniques (0829/14/ESWP216). The opinion is based on a risk-based approach that focuses on reidentification risk through singling out, linkability and inference. The Working Party defines these risks as follows: – Singling out, which corresponds the possibility to isolate some or all records that identify an individual in the dataset; – Linkability, which is the ability to link at least two records concerning the same data subject or a group of data subjects (either in the same database or in two different databases). If an attacker can establish (e.g., by means of correlation analysis) that two records are assigned to the same group of individuals but cannot single out individuals in this group, the technique provides resistance against ‘singling out’ but not against linkability. – Inference, which is the possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes.

Anonymisation (Part I)

23

The Working Party summarises the following conclusions, each of which affects strategic decisions made in research projects using health data: • Anonymisation is a technique applied to personal data to achieve irreversible de-identification. Therefore, the starting assumption is that the personal data must have been collected and processed in compliance with the applicable legislation on the retention of data in an identifiable format.2 This implies the need to obtain verifiable evidence of the legitimate origin of the data compliance with the transparency right of the patients and the need for appropriate ethical and legal approvals for the processing of the data. On the other hand, it seems reasonable that the documentation of the processing should include evidence of cases in which personal data has been anonymised so that there can be traceable processing. 1. The concept of reasonable effort on the part of the controller or any third party requires consideration of: • The technical means available, taking into account possible changes in the evolution of information technologies. • Ensuring the maximum level of aggregation of data. Therefore, removing directly identifying elements is in itself not enough to ensure that identification of the data subject is no longer possible. It will often be necessary to take additional measures to prevent identification, once again depending on the context and purposes of the processing for which the anonymised data are intended.3 • Third parties should analyse the risks of reidentification. This implies that when a research project receives anonymised data, it should implement an additional verification process aimed at analysing the risks of singling out, linking and inference. 2. Anonymisation does not imply the absence of rights of the persons concerned. In our view, this may imply additional obligations, such as providing traceability of the use of anonymised datasets so that we are able to identify their origin, the conditions and purposes of use of the data, the users of the data repository and the actions executed. Finally, the document takes Directive 2002/58/EC as a reference and goes as far as to state the following: ‘The underlying rationale is that the outcome of anonymisation as a technique applied to personal data should be, in the current state of technology, as permanent as erasure, i.e. making it impossible to process personal data’. To achieve this goal, Article 29 Working Party proposes a combined strategy of randomisation, generalisation, pseudonymisation, differential privacy, ‘l-diversity’ 2 3

Opinion 05/2014, page 7. Opinion 05/2014, page 9.

24

R. Martínez Martínez

and ‘t-proximity’ techniques. Data protection authorities also provide their own criteria, not only in technical but also in organisational terms (some of these guidelines are included in the bibliography). For example, the Spanish Data Protection Agency Guidelines of 2019 recommends a double-layer anonymisation process with independent teams and with a clear segmentation of tasks and responsibilities in terms of decision making, risk analysis or security.

3 General Framework for Data Access in the EHDS Proposal The Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS Proposal)4 refers to anonymisation and pseudonymisation at several points. The standard designs a system based on the creation of one or more National Health Data Access Bodies that would operate as an intermediary and control agent in relation to secondary uses of data. These secondary uses are defined for very precise data and for purposes in Chapter IV of the Proposal, which obliges data controllers to make the data available (Table 1): Data will be provided by data holders as defined by the regulation as follows: “data holder” means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data

The EHDS Proposal states two basic principles in its Recital (45) for the processing of special categories of data which, in our view, graphically express the European Commission choices. Thus, it states that “Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible”. These principles should be considered together with the second and third paragraphs of Art. 44 of the Proposal. This rule proposes an approach consistent with Article 89 of the GDPR. It prioritises as a first option the anonymisation of electronic health data when it is possible to achieve the purpose of the processing requested by the user. Failing this, health data access bodies shall provide access to electronic health data in a pseudonymised format. Moreover, a strategy practically identical to that of the Spanish Data Protection law is adopted in the seventeenth additional

4

Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (COM/2022/197 final).

Anonymisation (Part I)

25

Table 1 Types of data, secondary uses and non-permitted uses of data in the Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space Data Purposes (a) activities for reasons of public interest in the (a) EHRs; area of public and occupational health, such as (b) data impacting on health, including social, protection against serious cross-border threats environmental behavioural determinants of to health, public health surveillance or ensurhealth; (c) relevant pathogen genomic data, impacting ing high levels of quality and safety of healthcare and of medicinal products or medion human health; (d) health-related administrative data, including cal devices; (b) to support public sector bodies or Union claims and reimbursement data; institutions, agencies and bodies including (e) human genetic, genomic and proteomic regulatory authorities, in the health or care data; sector to carry out their tasks defined in their (f) person generated electronic health data, mandates; including medical devices, wellness applica(c) to produce national, multi-national and tions or other digital health applications; Union level official statistics related to health (g) identification data related to health profesor care sectors; sionals involved in the treatment of a natural (d) education or teaching activities in health or person; (h) population wide health data registries (pub- care sectors; (e) scientific research related to health or care lic health registries); (i) electronic health data from medical registries sectors; (f) development and innovation activities for for specific diseases; products or services contributing to public (j) electronic health data from clinical trials; (k) electronic health data from medical devices health or social security, or ensuring high and from registries for medicinal products and levels of quality and safety of health care, of medicinal products or of medical devices; medical devices; (l) research cohorts, questionnaires and surveys (g) training, testing and evaluating of algorithms, including in medical devices, AI sysrelated to health; tems and digital health applications, (m) electronic health data from biobanks and contributing to the public health or social dedicated databases; security, or ensuring high levels of quality and (n) electronic data related to insurance status, safety of health care, of medicinal products or professional status, education, lifestyle, wellof medical devices; ness and behaviour data relevant to health; (h) providing personalised healthcare (o) electronic health data containing various consisting in assessing, maintaining or restorimprovements such as correction, annotation, enrichment received by the data holder follow- ing the state of health of natural persons, based on the health data of other natural persons. ing a processing based on a data permit. Non-permitted uses (a) taking decisions detrimental to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons; (b) taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums; (c) advertising or marketing activities towards health professionals, organisations in health or natural persons; (d) providing access to, or otherwise making available, the electronic health data to third parties not mentioned in the data permit; (e) developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco products, or goods or services which are designed or modified in such a way that they contravene public order or morality.

26

R. Martínez Martínez

provision on health data processing. Like the Spanish law,5 it defines a scenario of functional separation between those who hold the identifiers and those who research with data along with a commitment to non-reidentification for the latter, since ‘the information necessary to reverse the pseudonymisation will only be available to the body accessing the health data’ and ‘data users will not re-identify the electronic health data provided to them’ in this format. Finally, when data are to be requested in pseudonymised format, an ethical assessment may be required in addition to a justification of the reasons for the request. The EHDS Proposal is consistent with the criteria of Opinion 5/2014 and the GDPR. Particularly instructive in this respect is Recital (46) from which principles in common with the aforementioned can be drawn: • Secondary use of data shall require the invocation of a legitimate basis for processing founded on the GDPR as well as compliance with the principles of Article 5 of the GDPR (purpose limitation, data minimisation and security). The use of anonymised data is preferred, and if pseudonymised data is required, the data requester should explain why this is necessary and why anonymised data would not be sufficient. When the applicant needs anonymised statistical data, it should submit a data request application requiring the health data access body to directly provide the result. Recital (60) completes the EHDS Proposal’s approach to anonymisation by considering not only the risk of reidentification but also the fact that (60) ‘certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal’. In practice, the impossibility of irreversible anonymisation is being recognised as there will always be a residual risk of reidentification in several cases: • Rare diseases ‘where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful’. • Cases in which the identifying characteristics are more extensive and in which combination with other information (e.g., in very small geographical areas) or the technological development of methods that were not available at the time of anonymisation may result in the reidentification of data subjects using means that go beyond those reasonably likely. Articles 38 to 45 of the EHDS Proposal translate this philosophy into very precise obligations. The first obliges National Data Access Bodies to publicise to natural persons the conditions of access to data for secondary purposes. In particular:

5

Organic Law no. 3 of 5 December 2018.

Anonymisation (Part I)

27

(a) the legal basis under which access is granted; (b) the technical and organisational measures taken to protect the rights of natural persons; (c) the applicable rights of natural persons in relation to secondary use of electronic health data; (d) the arrangements for natural persons to exercise their rights in accordance with Chapter III of Regulation (EU) 2016/679; and (e) the results or outcomes of the projects for which the electronic health data were used. On the other hand, the Proposal exempts these bodies from the obligation of transparency that Article 14 of the GDPR imposes on data controllers when they receive data from third parties. Article 44(3) of the EHDS Proposal provides for pseudonymisation as an alternative when anonymisation is not feasible: Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.

Finally, the requirements to be formalised according to Article 45 of the EHDS Proposal should be taken into account when requesting access to data: (a) a detailed explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought; (b) a description of the requested electronic health data, their format and data sources, where possible, including geographical coverage where data is requested from several Member States; (c) an indication whether electronic health data should be made available in an anonymised format; (d) where applicable, an explanation of the reasons for seeking access to electronic health data in a pseudonymised format; (e) a description of the safeguards planned to prevent any other use of the electronic health data; (f) a description of the safeguards planned to protect the rights and interests of the data holder and of the natural persons concerned; (g) an estimation of the period during which the electronic health data is needed for processing; and (h) a description of the tools and computing resources needed for a secure environment.

28

R. Martínez Martínez

4 Conclusions: The Anonymisation of Health Data in Health Research Projects The practical effect of the implementation of the General Data Protection Regulation and its development by national legislation has led to the widespread use of anonymisation of patient data. As has been pointed out in other chapters of this publication, the value that the GDPR attaches to the use of data for research purposes combined with the anonymisation of such data constitutes the most common technique for the development of retrospective studies and for the creation of data repositories. Its scope is more limited in prospective studies for which it is not unusual for national laws to require consent as a basis to legitimate the data processing. This has also led to the implementation of very precise privacy safeguards. From the point of view of the origin of data collection research projects (Bonmatí et al. 2022, p. 2), these usually require: 1. To accredit the legitimate origin of the data. 2. To provide evidence of its procurement by the project either by declaratory acts of the data provider, or by accreditation of the terms of use of the source open data environment or by a data sharing agreement. 3. To have an ethics approval statement issued by an ethics committee accredited under national law. However, this is not sufficient and, from the point of view of anonymisation, different strategies are adopted: 1. Applying risk-focused methodologies by reviewing the anonymised datasets that are delivered. In practice, this involves incorporating two or even three layers of anonymisation. 2. Building data spaces that from a controlled open-data philosophy include legal and technological measures. The first of these includes the signing of data-sharing agreements, acceptance of terms and conditions and the assumption of non-reidentification commitments. From a security point of view, the user must be registered and his or her action in the repository must be traceable. 3. The adoption of increasingly sophisticated anonymisation techniques, such as differential privacy techniques (Soria-Comas et al. 2016, p. 22), multi-party computation (Helminger and Rechberger 2022, p. 16) (Van Haaften et al. 2020, pp. 5–9) and/or synthetic data generation. The use of encryption techniques is a common element in many of these techniques. The entry into force of the Data Governance Act and the forthcoming EHDS Proposal raise significant questions. The first foresees the promotion of data reuse through the principle of ‘open by design and by default’ by promoting the creation and collection of data in formats and structures that facilitate anonymisation. In the public health system, this will be realised in each state through ‘one or more

Anonymisation (Part I)

29

competent bodies’, which may be sectoral, to support the public sector bodies that grant access to the re-use of data. The role of competent bodies designed by the Members States includes different activities: (a) providing technical support by making available a secure processing environment for providing access for the re-use of data; (b) providing guidance and technical support on how to best structure and store data to make data easily accessible; (c) providing technical support for pseudonymisation and ensuring data processing in a manner that effectively preserves the privacy, confidentiality, integrity and accessibility of the information contained in the data for which re-use is allowed, including techniques for the anonymisation, generalisation, suppression, randomisation of personal data or other state-of-the-art privacy preserving methods, and the deletion of commercially confidential information, including trade secrets or content protected by intellectual property rights; (d) when relevant, assisting the public sector bodies to provide assistance to re-users in requesting consent for re-use from data subjects or permission from data holders in line with their specific decisions, including on the jurisdiction or jurisdictions in which the data processing is intended to take place, and assisting the public sector bodies in establishing technical mechanisms that allow the transmission of requests for consent from re-users, where practically feasible; and (e) providing public sector bodies with assistance on the adequacy of undertakings made by a re-user, in case of transmit of non-personal confidential data or data protected by intellectual property rights to a re-user which intends to transfer those data to a third country. With respect to health, the supporting infrastructure is attributed by the EHDS Proposal to National Data Access Bodies. Finally, it becomes clear that healthcare systems and hospitals should be considered as data holders, and a similar position could be considered for the data repositories that are being created in multi-partner research projects. Data holders will undoubtedly have the task of anonymising the datasets, cataloguing them appropriately and providing trustworthy conditions. However, the risk inherent in any data anonymisation process leads us to conclude that there is only one way out. Given the need to achieve and demonstrate a level of irreversible anonymisation equivalent to erasure, there is no other recourse but to use pseudonymisation strategies. Even when data sets are anonymised, the control, security and traceability techniques that apply to pseudonymised data should be applied.

30

R. Martínez Martínez

References Article 29 Working Party (2014) Opinion 05/2014 on anonymisation techniques (0829/14/ ESWP216) Bonmatí LM, Miguel A, Suárez A, Aznar M, Beregi JP, Fournier L, Neri E, Laghi A, França M, Sardanelli F, Penzkofer T, Lambin P, Blanquer I, Menzel MI, Seymour K, Figueiras S, Krischak K, Martínez R, Mirsky Y, Yang G, Alberich-Bayarri Á (2022) CHAIMELEON project: creation of a Pan-European repository of health imaging data for the development of AI-powered cancer management tools. Front Oncol 12:742701. https://doi.org/10.3389/fonc. 2022.742701 Council Decision 2014/115/EU of 2 December 2013 on the Conclusion of the Protocol Amending the Agreement on Government Procurement, O.J. (L 68) 2 Helminger L, Rechberger C (2022) Multi-party computation in the GDPR. Manuscript in preparation. In: Privacy Symposium 2022 - Data Protection Law International Convergence and Compliance with Innovative Technologies (DPLICIT).https://graz.pure.elsevier.com/en/ publications/multi-party-computation-in-the-gdpr Soria-Comas J, Domingo-Ferrer J, Sánchez D, Megías D (2016) Individual differential privacy: a utility-preserving formulation of differential privacy guarantees. ArXiv:1612.02298v2. https:// doi.org/10.48550/arXiv.1612.02298 Spanish Data Protection Agency. Orientaciones y garantías en los procedimientos de anonimización de datos personales. https://www.aepd.es/sites/default/files/2019-12/guia-orientacionesprocedimientos-anonimizacion.pdf Van Haaften W, Sangers A, Engers T, Djafari S (2020) Coping with the general data protection regulation; anonymization through multi-party computation technology. In: 23rd International Legal Informatics Symposium, Salzburg, Austria. https://enablingpersonalizedinterventions. nl/2020-08-09/2020-08-09.pdf

Anonymisation: The Trap for Biobanking (Part II) Why the Anonymisation Could Be a Trap for the Biobanking Activity? Can There Really Be Anonymisation in the Research Biobanks? Magdalena Kogut-Czarkowska

1 Introduction Protecting the privacy of data subjects during research is a legal and ethical requirement. The GDPR principle of data minimisation requires that only minimal amounts of personal data be processed, incentivising data anonymisation. It is also perceived that there are fewer regulatory burdens to use anonymised information or to share it with others, as the GDPR no longer applies to it. These factors drive the pressure to declare much of the research data as anonymous. This raises the questions of whether data anonymisation is possible in the biobanking activity as well as of its consequences for biomedical research.

Magdalena is providing legal and ethics support to INCISIVE project on improving cancer diagnosis and prediction with AI and big data projects (https://incisive-project.eu/). INCISIVE has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952179. However, the content of this article reflects the opinion of its author and does not in any way represent opinions of the European Union. The European Commission is not responsible for any use that may be made of the information the article contains. M. Kogut-Czarkowska (✉) Timelex BV/SRL, Brussels, Belgium e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_4

31

32

M. Kogut-Czarkowska

2 Coded Data in Biobanking and the Concept of Anonymisation Biobanks store biological and medical data. The name of the patient and other directly identifiable information are usually replaced with a code. The biobank then shares its data in a coded form without the possibility of the researcher accessing the key. Hence, there is a question whether the coding of personal data may lead to its anonymisation. The GDPR does not define or refer to the process of anonymisation, but only to the outcome of this process in the form of anonymous information. Recital 26 GDPR states that anonymous information is information which ‘does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. This contrasts with the concept of personal data, which is any information relating to an identified or identifiable natural person (data subject). In this sense, the GDPR takes a binary approach, meaning that information may be either personal or non-personal (anonymous). While this taxonomy is being questioned,1 it is also followed in other EU legislation.2 In determining whether a natural person is identifiable, the GDPR requires that consideration be given to ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments’.3 In turn, the discussion about understanding of the term ‘personal data’ has been focused on interpretation of the phrase ‘means reasonably likely to be used to identify the natural person’ and the perspective from which those means should be ascertained. A very broad interpretation of the concept of personal data was presented by the Article 29 Data Protection Working Party (WP29) in its Opinion 05/2014 on

1

For example, AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation indicates that ‘It is possible to analyse and measure the degree of anonymization. The expression “anonymous data” cannot be perceived as if datasets could simply be labelled as anonymous or not’. 2 For example, Recital 9 of the Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union states ‘If technological developments make it possible to turn anonymized data into personal data, such data are to be treated as personal data, and Regulation (EU) 2016/679 is to apply accordingly’. 3 GDPR, Recital 26.

Anonymisation: The Trap for Biobanking (Part II)

33

Anonymisation Techniques.4 In this opinion, WP29 stated that ‘importance should be attached to contextual elements: account must be taken of “all” the means “likely reasonably” to be used for identification by the controller and third parties’.5 This perspective is sometimes associated with an ‘objective’ criterion of assessment.6 The approach led the WP29 to conclude that ‘when a data controller does not delete the original (identifiable) data at event-level, and the data controller hands over part of this dataset (for example after removal or masking of identifiable data), the resulting dataset is still personal data’. A more nuanced ‘subjective’ (‘relative’) approach focuses on the perspective of the recipient of the data or the person/entity who is accessing or holding it (either as controller or a third party). This approach has been voiced by the UK Information Commissioner Office (ICO): ‘The status of data can change depending on who holds it. For example, pseudonymous data which you can still identify using a key or other separate identifiers might no longer be identifiable in the hands of a different organisation who does not have access to that key’7 (Mourby et al. 2018). From the judicial perspective, the landmark case for understanding the concept of personal data is the judgement of the Court of Justice (CJEU) in the Breyer case.8 In this case, the CJEU stated that a ‘dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data (. . .), in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data9 which the internet service provider has about that person’. Despite this clarification, scholars remain divided on whether the CJEU in Breyer followed the ‘relative’ or ‘objective’ approach and have focussed on different parts of the ruling (Groos and Veen 2020). In particular, Borgesius indicated that the CJEU uses an objective criterion to determine identifiability and favours a broad interpretation of the concept of personal data (Borgesius 2017). Other scholars have argued that the CJEU favours the relative approach. They have concluded that the factors that enabled the CJEU to consider the examined data as personal were the legal channels

4

Article 29 Data Protection Working Party. Opinion 05/2014 on Anonymisation Techniques (0829/ 14/EN WP216). The opinion was issued under the Directive 95/46/EC, however the definition of personal data in its core elements remains the same. 5 Emphasis added. 6 More about ‘objective’ (absolute) and ‘subjective’ criterion in the Opinion of Advocate General Campos Sánchez-Bordona delivered on 12 May 2016 in Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland. 7 ICO Chapter 3: pseudonymisation, February 2022, https://ico.org.uk/media/about-the-ico/ consultations/4019579/chapter-3-anonymisation-guidance.pdf. While this guidance was published already after UK leaving EU, a similar view was offered by ICO also prior to Brexit. However, it has been noted (see Mourby et al. 2018), ICO’s position appeared to be an outlier among EU member states. 8 Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland (Breyer case), 2016, ECLI:EU: C:2016:779. 9 Emphasis added.

34

M. Kogut-Czarkowska

allowing a competent authority to obtain additional information from the Internet service provider in the event of an attack. Thus, ‘in the absence of these channels, the data would not have been considered personal simply because a known third party could identify them’ (Mourby et al. 2018). Similarly, some of the health databanks have focused on finding solutions to break the link between the information available to the data provider and the data which is provided to researchers (data users) to ensure that this data is anonymised from the researcher’s perspective (Crossfield et al. 2022).10 When adapting this approach in the EU, legal developments in the area of EU data policy should also be taken into account. Some recent decisions and proposals published by EU bodies shed further light on how the EU institutions and policymakers view the concept of personal data. In the European Commission decision on new standard contractual clauses for international transfer,11 the following note was included in the explanation of the term anonymisation: ‘This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible’. This signals that the EC (still) favours an objective approach rather than a subjective one. A similar conclusion may be reached when reading the proposal for the regulation on the European Health Data Space (EHDS Proposal).12 One of the aims of the EHDS Proposal is—in essence—the setting up of secure processing environments in which the researchers will be able to access electronic health data for research through a defined process (see also the previous chapter in this book: R. Martínez Martínez ‘Anonymisation’). The EHDS Proposal states13 that in principle, this electronic health data should be provided in anonymous form. Only if the data user’s processing cannot be achieved with anonymised data should the records be pseudonymised. However, it is explicitly stated that: ‘The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format’. This indicates that the EHDS Proposal treats data made available to the researchers as pseudonymised data (so still personal) despite the implicit legal restriction to make available the information necessary to reverse the pseudonymisation.

10 In this project, important limitations have been described, namely that the ‘digest anonymisation approach’ must be ‘coupled with processes that mitigate the risk of identification through the rest of the dataset (i.e. data that is shared but not used in the linkage process). In the case study, the third party did not perform a quantitative assessment of the residual risk of re-identification in the final dataset’. 11 Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 12 Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (COM/2022/197 final). 13 Article 44.3 EHDS Proposal.

Anonymisation: The Trap for Biobanking (Part II)

35

Considering this discussion, the objective approach and a broad understanding of personal data in the EU cannot be disregarded, even after the CJEU Breyer case and despite critical voices related to this viewpoint (Groos and Veen 2020). Apart from the discussion on the legal criteria for reaching the threshold of anonymous information, anonymisation of rich data sets, much needed for healthrelated research, presents significant technical challenges. For example, studies have demonstrated that neuroimages can be described as personal data even ‘when all direct information (e.g., the face) relating to the participant are removed’ (Eke et al. 2021). Other studies have shown that it is possible to identify some participants of a genomics research study even in the absence of a second (matching) DNA sample (Rodriguez et al. 2013). Further experiments show that even 99.98% of Americans could be correctly re-identified in any dataset using 15 demographic attributes, and the data scientists raise the alarm that ‘even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model’(Rocher et al. 2019). These empirical studies cannot be overlooked in a discussion of the legal consequences of labelling data as anonymous without in-depth consideration. Some scholars have already concluded that ‘biobanks and researchers who access biobank materials and associated data cannot take the position that key-coded data are not personal data’ (Peloquin et al. 2020). To conclude, GDPR burdens (potential) controller(s) with the responsibility to make a call as to whether the data is personal or non-personal (anonymised). EDPB has still not updated the WP29 guidance on anonymisation nor given other indications of a more lenient ‘relative’ approach in its recent recommendations. Although different methods are being proposed (Groos and Veen 2020) there is no clear path for the biobanks to make an assessment of the disclosed datasets. Moreover, when considering whether the anonymisation is in fact achievable, it must also be understood what limitations anonymisation might place on research.

3 Consequences of Anonymisation of Personal Data The consequences of anonymisation can be summarised as follows: • Loss of data utility. Studies have pointed out the disruption and loss of utility caused by anonymisation of medical data indicating that induced noise may undermine data quality and distort the research results and make them unreliable (Scheibner et al. 2021); thus, ‘real anonymization procedures typically have a high impact on the scientific value/potential of the data’ (Eke et al. 2021). In the context of the development of artificial intelligence solutions for health, the World Health Organization (WHO) stated in its guidance that ‘while anonymization may minimise the risks of (re-)identification of a person, it can reduce the positive benefits of health data, including re-assembly of fragments of

36

M. Kogut-Czarkowska

an individual’s health data into a comprehensive profile of a patient, which is required for some forms of AI such as predictive algorithms of mortality’.14 • Irreversibility of de-identification. While some other jurisdictions may view this differently,15 under the GDPR, true anonymisation should be irreversible in the sense that under normally foreseen circumstances, the controller should not be able to reverse the process. This would mean that this (now former) controller could not report important incidental findings encountered during research to the patient (or their doctor), even if it would be beneficial for this person’s health. Similarly, after the research data has been made anonymous, it would not be possible to—even indirectly—ask the patient for consent to use their data in follow-up research or to update the research data with new information from this patient. Finally, the irreversible nature of the process may hinder the possibility to link the anonymised data set with other data, for example, to match the patients’ health data records with his or her socio-economic background information obtained from other sources. This would only be possible for pseudonymised datasets. • Decreased level of legal protection. Anonymous data is no longer subject to GDPR safeguards. For instance, the entity that is combining anonymous medical data from various sources does not have to conduct a data protection impact assessment (DPIA), which would be mandatory when combining pseudonymous data. Under strict application of the logic that anonymous information is non-personal, if such data is leaked, this breach does not have to be reported to data protection authorities. In addition, as anonymisation places the data record outside of the GDPR regime, a data subject’s rights to control their own data through data subject rights do not apply. Patients thus would not have to be informed on how this data may be used.16 While it may be possible to impose some contractual restrictions on the user of the anonymous data, they are likely to fall short of the significance of safeguards prescribed by the GDPR or other statutory obligations, which are enforced not only contractually but also by administrative means (by fines imposed by data protection authorities, in particular). • False sense of security. The labelling of data as anonymous may provide a sense of security to the user of this data based on the perception that the data is ‘free to

14

Ethics and governance of artificial intelligence for health: WHO guidance. https://www.who.int/ publications/i/item/9789240029200. 15 Singapore Personal Data Protection Commission’s (PDPC) in their Guide To Basic Anonymisation published 31 March 2022. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDFFiles/Advisory-Guidelines/Guide-to-Basic-Anonymisation-31-March-2022.ashx. Indicates that anonymity may be reversible: ‘There may be cases where the organisation applying the anonymisation retains the ability to recreate the original dataset from the anonymised data; in such cases, the anonymisation process is “reversible”’. 16 Some Member States provide additional requirements in this respect, for example, Article 193 of Belgian Data Protection Law requires the controller to inform the data subject as to whether or not the data will be rendered anonymous.

Anonymisation: The Trap for Biobanking (Part II)

37

use’ and that any statutory legal restrictions (such as GDPR) can be disregarded. This sense of security may be false. Researchers present various examples of de-anonymisation attacks on health data in the public domain (Ravindra and Grama 2021). Such subsequential re-identification of data may put its controller in a difficult position as he or she likely failed to meet the requirements of the GDPR (e.g., regarding legal basis for processing) in the first place, that is, for their earlier handling of data which was erroneously considered anonymous. It also may de-incentivise the holder of the data to invest in appropriate technical and organisational measures, since it is no longer ‘mandatory’ under GDPR. Furthermore, the perception of dealing with anonymised data may trigger open sharing practices. A combination of those factors may then increase the overall risk for the data subjects. M. Shabani underlined that ‘processing of anonymous data—which is not subject to the technical and organisational safeguards (e.g., controlled-access models) required by the GDPR—inherently incentivizes datasharing practices under open-access models’ (Shabani and Marelli 2019). Lack of said safeguards and unrestricted sharing increase the likelihood that the data will become reidentified (e.g., because it would be open to use by anyone, including malicious actors), which annuls the very premise on which the assessment of anonymity of data was made in the first place. • Misinforming the patients and doctors. There is often an accepted degree of probability of reidentification that remains, even if the data can be legally considered as anonymised.17 This may not be well understood by patients or even by health care professionals. For example, studies show a vast lack of understanding of the term ‘anonymisation’ in the medical community (Chevrier et al. 2019). As result, the labelling of data as anonymous may also give a false sense of ‘bulletproof’ security to data subjects.

4 Conclusion Achieving anonymisation of medical data is challenging, both from the legal and technical sides. It also has important consequences. There has been much focus on the positive side of anonymisation, such as fostering data sharing and the availability of rich data sources. However, there are also grimmer consequences of anonymisation for the research community. Pre-maturely declaring the data as anonymised may give a false impression of security that allows open data sharing, without putting in place technical and organisational measures that adduce security and privacy for the individuals. Thus, the choice of anonymisation versus other GDPR compliant and risk mitigating measures, such as pseudonymisation, should

AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation states that ‘Although a 100% anonymization is the most desirable goal from a personal data protection perspective, in some cases it is not possible and a residual risk of re-identification must be considered’.

17

38

M. Kogut-Czarkowska

be carefully considered. GDPR does not mandate that all research is done using anonymous data. Pseudonymising data for a research project while keeping in mind the legal requirements of processing personal data may be a more appropriate approach to ensure compliant data sharing.

References Chevrier R, Foufi V, Gaudet-Blavignac C, Robert A, Lovis C (2019) Use and understanding of anonymization and de-identification in the biomedical literature: scoping review. J Med Internet Res 21(5):e13484. https://doi.org/10.2196/13484 Crossfield S, Zucker K, Baxter P, Wright P, Fistein J, Markham AF, Birkin M, Glaser AW, Hall G (2022) A data flow process for confidential data and its application in a health research project. PLoS One 17(1):e0262609. https://doi.org/10.1371/journal.pone.0262609 Eke D, Aasebø IEJ, Akintoye S, Knight W, Karakasidis A, Mikulan E, Ochang P, Ogoh G, Oostenveld R, Pigorini A, Stahl BC, White T, Zehl L (2021) Pseudonymization of neuroimages and data protection: increasing access to data while retaining scientific utility. Neuroimage Rep 1(4):100053. https://doi.org/10.1016/j.ynirp.2021.100053 Groos D, Veen EV (2020) Anonymised data and the rule of law. Eur Data Protect Law Rev 6:498– 508. https://doi.org/10.21552/edpl/2020/4/6 Mourby M, Mackey E, Elliot M, Gowans H, Wallace S, Bell J, Smith H, Aidinlis S, Kaye J (2018) Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK. Comput Law Secur Rep 34(2):222–233. https://doi.org/10.1016/j.clsr. 2018.01.002 Peloquin D, DiMaio M, Bierer B, Barnes M (2020) Disruptive and avoidable: GDPR challenges to secondary research uses of data. Eur J Hum Genet 28(6):697–705. https://doi.org/10.1038/ s41431-020-0596-x Ravindra V, Grama A (2021) De-anonymization attacks on neuroimaging datasets. In: Proceedings of the 2021 International Conference on Management of Data. Association for Computing Machinery, New York, NY, 2394–2398. https://doi.org/10.1145/3448016.3457234 Rocher L, Hendrickx JM, de Montjoye YA (2019) Estimating the success of re-identifications in incomplete datasets using generative models. Nat Commun 10(1):3069. https://doi.org/10.1038/ s41467-019-10933-3 Rodriguez LL, Brooks LD, Greenberg JH, Green ED (2013) The complexities of genomic identifiability. Science 339(6117):275–276. https://doi.org/10.1126/science.12345 Scheibner J, Raisaro JL, Troncoso-Pastoriza JR, Ienca M, Fellay J, Vayena E, Hubaux JP (2021) Revolutionizing medical data sharing using advanced privacy-enhancing technologies: technical, legal, and ethical synthesis. J Med Internet Res 23(2):e25120. https://doi.org/10.2196/ 25120 Shabani M, Marelli L (2019) Re-identifiability of genomic data and the GDPR: assessing the re-identifiability of genomic data in light of the EU general data protection regulation. EMBO Rep 20(6):e48316. https://doi.org/10.15252/embr.201948316 Zuiderveen Borgesius F (2017) The Breyer case of the court of justice of the European Union: IP addresses and the personal data definition. Eur Data Protect Law Rev 3(1):130. https://ssrn.com/ abstract=2933781

Applying National Law in Cross-Border Research Activity Which National Law Should Be Applied in Cross-Border Research Activity in the Local Implementation of GDPR? Valentina Colcelli

1 Introduction The development of the European Health Data Space (EHDS) and the reuse of health data for research, innovation, policymaking and regulatory activities means building large-scale infrastructures for the use of health data. Such infrastructures should demonstrate the potential to use cross-country health data for research, innovation, policymaking, regulatory activities, and possibly personalised medicine. EHDS will definitely promote the development of cloud computing healthcare platforms on which patient data will be shared and stored under secure federated cloud databases which fulfil the data protection requirements (legal or ethical) imposed by the General Data Protection Regulation (GDPR). The existing regulatory framework seems insufficient to deliver on the promises of the EHDS. The issue of the sharing of personal data also commonly arises for research consortiums in situations in which data processing takes place in an intragroup context. Examples include collaboration agreements for scientific research activities between several entities dedicated to the performance of a project that use personal data for research activities, biobanks that collect the personal health data of donors from hospitals, and companies that jointly manage personnel and support activities. Health data governance remains fragmented at national and regional levels, hindering any effort to scale up research and healthcare solutions (see in this book: ‘Biobanking Legal and Ethical Requirements Across Europe: National Reports’). The coordination of national efforts is also fragmented as is the harmonisation of the treatment of personal health data in light of the GDPR.

V. Colcelli (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_5

39

40

V. Colcelli

While it is true that Regulation (EU) 2016/679 (GDPR)1 is a wide-ranging piece of legislation that includes several provisions which favour scientific research—or rather, favour an understanding of its specific needs—its application is not always easy in the research context. This is mainly due to the vast discretion the GDPR grants to the Member States (MS) in this regard. This situation produces fragmentation of the application of GDPR at national levels that impact research activity in several ways (see the introduction of the second part of this book: R. Martínez Martínez ‘Towards Regulation for the European Health Data Research: A Comparative Analysis’). The GDPR enables data flows for research cooperation in the EU, but the rules at the national level regarding research exemptions create a hurdle for cross-border research by ignoring the intra-EU conflict of laws that inevitably arise in a fragmented regulatory framework. Because of the possibility of intra-EU conflict of laws derived from the national implementation of the GDPR, it is tough to understand which of the Member States’ national data protection laws should be applied in the case of a research consortium for a cross-border project that uses personal data for research activities. The paper tries to analyse the problem of the possible conflict of laws due to the local implementation of the GDPR in the field of research activity and how to solve these conflicts. To reach this goal, the paper is organised as follows: Section 2 recalls the reasons we speak about conflicts of rules, provides some examples and lists the possible derogations in the context of research exemptions established by the GPDR; Sections 3 and 4 analyse the European Data Protection Board’s (EDPB) document on the application of the GDPR with respect to health research; Section 5 shows that the GDPR lacks rules regarding the issue of a possible intra-EU conflict of laws; Section 6 explains which mechanism could be applied in an analogic manner to solve the burning question; and Section 7 concludes the research.

2 Application of GDPR at National Levels: The Laws Relevant to Cross-Border Research Projects and Conflict of Laws ‘The national legislator of each Member State may enact specific laws pursuant to Article (9) (2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes. The processing of health data for the purpose of scientific research must also be covered by one of the legal bases in Article 6 (1) GDPR.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

Applying National Law in Cross-Border Research Activity

41

Therefore, the conditions and the extent for such processing varies depending on the enacted laws of the particular member state’.2 According to Article 89(2) of the GDPR, the derogations in the context of research exemptions in the GPDR are related to (a) the rights of data subjects or (b) the so-called secondary use for further processing of personal data: 1. The derogations for the rights of data subjects in the context of the research exemptions of the GPDR are: • Article 15(5) GDPR: requirement to inform data subjects about data processing when their personal data was collected from other sources. • Article 18 GDPR: ‘right to be forgotten and Article 16 GDPR: ‘Right to rectification’’. • Article 20 GDPR: data portability rights. • Article 21 GDPR: right to object at any time to the processing of their personal data. 2. Derogations from the general prohibition on further processing of personal data due to Article 5(1)(b) which states that ‘further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes’. At the same time, Member State (MS) and/or European Union law is needed with regard to the legal basis under Article 9 GDPR in order to stipulate: 1. a legal obligation and/or a task carried out in the public interest under Article 6 GDPR; 2. reasons of substantial public interest; and 3. reasons of public interest in the area of public health and/or scientific research purpose. ‘This implies that choices made in MS laws can have a considerable impact both on the legal basis (Article 6) and on the exemption for processing of health data (Article 9) that must be relied on when processing personal (health) data for scientific research purposes’ (. . .) ‘In addition, the possibility foreseen in Article 9(4) GDPR for MS to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’3 has to be taken into account in analysing the possible conflict of laws in the case of crossborder data sharing.

2

EDPB (2020). Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. https://edpb.europa.eu/sites/default/ files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf. 3 EDPB (2021). Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research. https://edpb.europa. eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf.

42

V. Colcelli

3 Equal Treatment of All Individuals in One Study/Research Activity Problems may arise in the management of supranational research consortia when data collected in a Member State are made available to researchers in one or more European Union states other than the one where the data were collected or when the data is stored in a cloud which is hosted in a Member State other than the State where the personal data were collected. The question arises as to which national law is applicable because there can be different legal bases for that of the Member State where the data subject is located and that of the State(s) where the data can be processed. This is the case, for example, when the country of destination lays down rules on the secondary use of data that are more extensive than those laid down by the country in which the data were collected and in which the basis of the rules on information notice to the data subject was drawn up; or if it provides for a secondary use that is based on a different legal basis from the consent that may have been used to collect the data in the specific research project for which the processing is carried out; or if there are differences between the two countries in the rules governing the exercise of the right of access or rectification. Article 20 GDPR which provides individuals with the right to data portability is also worth mentioning. However, it only applies if the data subject provided the personal data on the basis of his or her consent or if the processing was necessary for the performance of a contract. Therefore, in the event that the research was carried out on another legal basis in another Member State, this right would not be available to data subjects. With respect to Article 21 GDPR, the right to object at any time to the processing of personal data can only be overridden when a task is carried out for reasons of public interest. For this task to be valid, it must be established by the Member State or EU law. Even if the data controller can invoke the research exemption of the GDPR, processing for research purposes could still be impeded as the data subject retains the right to object to the processing (‘right to object’) under Article 21 of the GDPR. The lack of harmonisation of data protection rules across Europe must (. . .) be kept in mind, as said rules may influence data processing for scientific research purposes, such as determining conditions under which processing personal data can generally be lawful. Many member states have written their own rules on the role of consent—especially broad consent—for the processing of genetic and health data or may in the future specifically define what exactly constitutes “public interest”, which could also influence the lawfulness of processing for scientific research purposes. If multiple research stakeholders within the EU work together to process data, or a single stakeholder operates in multiple EU countries, identifying a (common) justification for processing personal or even sensitive data is challenging (Molnár-Gábor and Korbel 2020).

Dealing with these situations in a research consortium context opens up the classic private international law problem of conflict of laws. This situation could have an impact on individuals that decide to participate in a study/research activity in terms of equal treatment for the participants/patients involved.

Applying National Law in Cross-Border Research Activity

43

4 The Answers From the European EDPB About a Heterogeneous/Different Legal Basis for Processing Health Data of Different Individuals in a Single Research Project by One Data Controller in Several Member States The EDPB is very clear with respect to this situation, especially that considerable differences in Member State laws can be found in the legal bases for processing health data for scientific research purposes. To avoid the problem of the violation of equal treatment for the participants, the EDPB underlines: ‘When conducting a health research project in multiple Member States, it is recommended to use, whenever possible, the same legal basis in the project. However, it is foreseeable that in research projects in multiple MS, there might be need for using a heterogeneous legal basis for processing health data of the participants in a single research project in several Member States, due to MS law’. The EDPB position on how to avoid the potential negative impact of such a heterogeneous legal basis for the processing of health data in one research project in multiple Member States will support us in trying to answer our burning question. Under the EDPB, ‘it is advisable that controllers should as far as possible make an effort to limit the consequences of different Member States’ legal regimes for processing health data for scientific research purposes, for instance by optimising and thus harmonising the rights of data subjects irrespective of the Member State they live in’. The specific criteria of a common legal basis cannot be found at the EU level or in the GDPR because ‘as for relevant Union law, until now, only the Clinical Trial Regulation (CTR) can be identified as Union law in which a uniform legal basis for controllers can be found in the stipulated legal obligation for controllers (Articles 41–43 CTR) to process personal data in clinical trials for reliability and safety related purposes. However, this legal obligation for controllers does not cover all (other) purposes for which personal data are processed in a clinical trial. Therefore, the controller will have to rely on another legal basis in Article 6 GDPR for processing personal data for such other research purposes’. The point that the EDPB underlines is that the ‘potential lack of homogeneity cannot be solved in the EDPB guidelines or by means of Codes of conduct’. If this is true for the heterogeneous/different legal basis for processing health data, it is also true for the other questions which arise from the lack of harmonization. While waiting for the forthcoming legislative proposal for the EHDS, we have to try a transitional solution which will enable the resolution of the possible conflict of laws research projects which are carried out in multiple Member States and which meet specific criteria for a legislative ability to reach harmonisation for the processing of health data in one research project in multiple Member States.

44

V. Colcelli

5 The Lack of Rules with Regard to the Issue of a Possible Intra-EU Conflict of Laws in the Scenario of the GDPR The former Directive 95/46/EC4 on the protection of individuals with regard to the processing of personal data and on the free movement of such data contained a specific rule regarding a possible conflict of laws because of the ‘nature’ of the Directive itself.5 According to the fact that the ‘General Data Protection Regulation8 (GDPR) was meant to harmonize data protection rules across the EU, one might assume that this would also render the regulatory context for personal data use in research more comprehensive and harmonized than it was under the data protection directive’ (Pormeister 2018, p. 706). However, it is not a rule which is expressly dedicated to resolving conflict of laws, despite the need for this in the field of research activity due to local implementation. The conflict of laws rules established in the international private law area should be used. International private law on jurisdiction would thereby be used to ensure that states do not assert jurisdiction over affairs that are the domain of another state. In the case of cross-border research, we cannot apply Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) because the treatment of personal data cannot be considered to be a contract (informative and consensus are not a contract), especially in the field of research activity; nor can Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II) be applied because its Article 1 expressly establishes that the Regulation does not apply to non-contractual obligations arising out of the violation of privacy rights and rights relating to personal. However, the GDPR apparently just does not provide for this hypothesis.

4

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (1995). OJ L 281, 23/11/1995, 31–50. 5 Ibid. Article 4 National law applicable: ‘1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable; (b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community. 2. In the circumstances referred to in paragraph 1(c), the controller must designate a representative established in the territory of that Member State without prejudice to legal actions which could be initiated against the controller him or herself’.

Applying National Law in Cross-Border Research Activity

45

The scale of collaboration for data sharing on a consortium research project could have one of three types of governance structures related to personal data management. The most common situation is for two or more controllers established in the EU to be able to determine the purposes and means of processing. In this situation, the arrangement established by Art. 26 GDPR will determine the respective responsibilities of the controllers for compliance with their obligations under the Regulation as well as ‘where, when and why’ the personal data for research purposes should be shared. The processing of personal data for research purposes in a project consortium could foresee that the personal data collected in the EU will be shared with one of the project partners (e.g., because of the management of a cloud/database). In this case, an agreement with the partner according to Art. 28 GDPR has to be formed by the consortium. The partners will act as processors. It is also possible that this agreement will be complemented by an agreement according to Art. 26 previously cited. Another situation that has to be taken into consideration, is the hypothesis in which one of the project partners has establishments in more than one Member State and is acting as controller or processor. This situation is very common when there is a company in the project consortium and the processing of personal data for research purposes takes place in the context of the activities of its establishments in more than one Member State. In this case, as well as the case in which the other partners act as autonomous controllers in the project, a possible conflict of laws may occur.

6 The One-Stop-Shop Mechanism Identifies the Lead Supervisory Authority for Cross-Border Processing The so-called one-stop-shop mechanism established by Articles 55–65 GDPR ensures cooperation among the Data Protection Authorities (DPAs) in the case of cross-border processing. The one-stop-shop mechanism is the GDPR’s way to choose DPAs called to apply the national law in the case of cross-border research activity in the case of the local implementation of the GDPR research exemption, also in the case of conflict of national law. As a matter of fact, given the primary objective of the GDPR to more effectively protect data subjects, the one-stop-shop mechanism is one of the many features of the GDPR that aims to make it easier for data subjects to exercise their rights over their personal data. Data subjects can rely on their local supervisory authority to protect their rights under the GDPR, regardless of where the EU headquarters of an affected organisation is located First of all, the GDPR defines the meaning of ‘Cross-Border Processing’ in Art. 4 point 23: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the

46

V. Colcelli

Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. The GDPR recalls Cross-Border Processing in Art. 60 Article 56(1) which relates to the competence of the lead supervisory authority, defining who this is and that they are the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor. A supervisory authority is competent to act as the lead supervisory authority for the Cross-Border Processing carried out by that controller or processor in accordance with the procedure provided in Article 60 if it is the supervisory authority for the main establishment or the single establishment of the controller or processor. The GDPR provides a central point of application through a system of cooperation and consistency procedures that have been coined as the one-stop-shop mechanism. The procedure does not exhaust our problem but offers a point of understanding because it highlights one or two aspects that the European legislator wanted to avoid within the system.

7 Is Using Recital 153 GDPR in an Analogic Manner a Potential Solution? Recital 153 GDPR related to freedom of expression and information and the right to the protection of personal data supports the idea that the national law of the Member State to which the controller or its main establishment is subject should apply to resolving the intra-EU conflict. Recital 153 affirms that Member States should adopt legislative measures which lay down the exemptions and derogations from certain provisions of GDPR if necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information and this is necessary for the purpose of balancing those fundamental rights. Recital 153 itself resolves the intra-EU conflict of laws by establishing: ‘Where such exemptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply’. In the case of a conflict of laws for research exemptions, the national law of the Member State to which the controller is subject should apply. Recital 153 offers a clear solution for a similar situation. Thus, the question could be: may the Recital 153 GDPR be applied in an analogic manner to solve the conflict of laws in the following possible situations that could arise in a consortium on a research project?

Applying National Law in Cross-Border Research Activity

47

In the application rights of data subjects in the context of the research exemptions of the GDPR, it is precisely the high level of protection to be granted to the data subjects to discourage the application in an analogic manner of Recital 153 to solve a possible conflict of law. It seems that the Recital 153 is a special rule, that in express manner ruled a specific case taking into consideration by the EU legislator. As special rule, it cannot be used as general regulation. As matter of fact, no one can transfer more rights than they have, and thus a data subject not living in a Member State where national privileges exist cannot: nemo plus iuris transferre potest quam ipse habet. When different national privileges exist, rights of access and usage of the data subject cannot be in jeopardy for huge consortia. Applying the rule for which in the case of conflict, the law of the Member State to which the controller is subject should apply, could realise a hypothesis of Forum shopping in the case of the supranational research consortia. In this sense, consideration be given to Article 26(1) and Recital 79: If two or more controllers established in the EU are able to determine the purposes and means of processing (. . .), ‘the controllers shall in a transparent manner determine their respective responsibilities for compliance with their obligations under the Regulation. In order, therefore, to benefit from the one-stop-shop principle, the joint controllers should designate (among the establishments where decisions are taken) which establishment of the joint controllers will have the power to implement decisions about the processing with respect to all joint controllers. This establishment will then be considered to be the main establishment for the processing carried out in the joint controller situation. The arrangement of the joint controllers is without prejudice to the liability rules provided in the GDPR, in particular in Article 82(4)’.6 The application of the Recital 153 in the case of Article 26(1) and Recital 79, could be a way to forum shop. Forum shopping have be avoided under Article 29 Working Party guidance for the GDPR.7

8 Conclusion The issue of the sharing of personal data also arises for research consortiums or for the development of the European Health Data Space (EHDS) and the reuse of health data for the research, innovation, policymaking and regulatory activities in which patient data will be shared and stored under secure federated cloud databases facing the problem of an existing regulatory framework that seems insufficient to deliver personal data or to deliver on the promises of the EHDS.

6 ‘Guidelines for identifying a controller or processor’s lead supervisory authority’ (wp244rev.01), p.8. https://ec.europa.eu/newsroom/article29/items/611235. 7 Ibid.

48

V. Colcelli

Health data governance remains fragmented at national and regional levels, hindering any effort to scale up research and healthcare solutions, and the coordination of national efforts, and harmonisation for the treatment of health personal data is also fragmented, even in light of the GDPR. This implies that choices made in national laws can have a considerable impact both on the legal basis (Article 6) and the exemption for processing of health data (Article 9) which must be relied on when processing personal (health) data for scientific research purposes. Dealing with these situations in a research consortium context opens up the classic private international law problem of conflict of laws. This situation could have an impact on the equal treatment of the participants/patients who decide to participate in a study/research activity. The potential lack of homogeneity cannot be solved in the EDPB guidelines or by means of codes of conduct, as underlined by the EDPB. While we wait for the forthcoming legislative proposal on the EHDS, we suggest the transitional solution described above which will enable the resolution of the possible conflict of laws for research projects carried out in multiple Member States which meet specific criteria for the legislative ability to reach a harmonisation for processing health data in one research project in multiple Member States. GDPR is a Regulation—that by its nature—wants to harmonise data protection rules across the EU; thus, it is possible to assume that this would also render the regulatory context for personal data use in research to be more comprehensive and harmonised than it was under the data protection directive. For this reason, it is not a rule expressly dedicated to resolving the conflict of laws, despite the need for this in the field of research activity because of local implementation. As we have explained, this is not true for research activities, primarily because of the vast discretion granted to the Member States in this regard in the GDPR. In the case of a conflict of laws related to the local implementation of the so-called research exemption in the GDPR, the national law which should be applied is not the law of the Member State to which the controller is subject. We cannot take into consideration an analogic application Recital 153 GDPR related to freedom of expression and information and the right to the protection of personal data, because using the rule that in the event of a disagreement, the legislation of the Member State to which the controller is subject shall apply, a hypothesis of forum shopping in the situation of supranational research consortia might be realized, for instance in the case of the application of the Article 26(1) and Recital 79. Although the GDPR indeed closes a large gap that would allow users to forum shop, that is, look for legislative differences, some of these inconsistencies are difficult to eliminate completely, even if this effect which is sought by many is seen as not being achieved. The research exemption is one of those situations in which inconsistencies will continue to exist. In any case, the respect of the fundamental rights of the data subject suggests the application of her/his national law by the judge or by the DPAs, as well as by the joint controllers in respect of the principle of nemo plus iuris transferre potest quam ipse habet and to avoid the Forum shopping by the supranational research consortium.

Applying National Law in Cross-Border Research Activity

49

References EDPB (2020) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. https://edpb.europa.eu/sites/ default/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf EDPB (2021) Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research. https://edpb. europa.eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf Molnár-Gábor F, Korbel JO (2020) Genomic data sharing in Europe is stumbling-could a code of conduct prevent its fall? EMBO Mol Med 12(3):e11421. https://doi.org/10.15252/emmm. 201911421 Pormeister K (2018) Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research. J Law Biosci 5(3):706–723. https://doi. org/10.1093/jlb/lsy023

Archived Tissue What Is the Potential Use for Research Under GDPR for Archived Tissue Specimens Obtained in a Diagnostic or Therapeutic Pattern? Antonella Mirabile

1 Introduction The use of biological material and the linked data, which is originally collected for diagnostic or therapeutic purposes, for research activity is central for research biobanks and more generally for research in the biomedical field. The general rule1 for the collection, storage and use of human biological material and related data for research purposes, which is at the basis of all legal sources, implies the existence of prior express consent to guarantee informed and voluntary participation in the research activities and to protect the personal data of the subjects involved (Borghi 2018; Bleassoe and Grizzle 2013; Cheung 2013; Häyry et al. 2007). However, in the case of biological materials collected in the past, when the General Data Protection Regulation (hereinafter named as GDPR)2 was not yet in force, or even when informed consent for medical treatment was not yet required, particular attention should be paid to the use of such archived materials containing personal data for research purposes.

1

See, for example, of Recommendation 4/2006 of the Council of Europe, Committee of Ministers Recommendation Rec(2006)4 of the Committee of Ministers to member states on research on biological materials of human origin and its Explanatory Memorandum, Article 21 entitled ‘General rule,’ with reference to the use of biological material in research projects. 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. A. Mirabile (✉) IEOS - Istituto per l’endocrinologia e l’oncologia sperimentale “G. Salvatore”, National Research Council of Italy (CNR), Napoli, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_6

51

52

A. Mirabile

In this context, and to identify the potential uses of archived tissue samples obtained in a diagnostic or therapeutic pattern, it is necessary to define the term ‘archive.’ This term has different meanings and, therefore, different juridical connotations linked to peculiar and complex aspects that it is necessary to tackle in this contribution.

2 The Possible Definitions of ‘Archive’ and, Consequently, of ‘Archived Tissues’ As mentioned in the introduction, to correctly frame the topic, it is necessary to firstly focus the attention on the meaning of the wording ‘archived tissue.’ The concepts ‘archive’ and therefore ‘archived tissue’ have multiple meanings that influence the potential uses of biological material obtained in a diagnostic or therapeutic pattern, as determined by the GDPR. Under the GDPR,3 the term ‘archive’ is defined only in some of its translated versions; for example, the Italian translation adopts the term ‘archivio’4 in Article 4(1)(6), while the English text uses the wording ‘filing system.’ Focusing on the definition of ‘archivio’, as in the Italian version, the ‘filing system’ in Article 4(1)(6) of the GDPR means ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.’5,6 However, it is worth underlining that this meaning is the result of a translation that is not entirely suited to the subject matter. Moreover, in the context of the GDPR, the term ‘archive’ always substantiates the wording ‘archiving purposes,’ which in turn is used to indicate certain exceptions to the general rules provided for by the GDPR. However, the GDPR does not specify what is meant by ‘archiving purposes.’ For this reason, to fully understand the meaning attributed to this wording, it is necessary

3

And even in the previous Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data O.J. 23.11.1995 L 281/31. 4 This term could literally be translated into the English term ‘archive’. 5 Also in the previous legislation, the concept of ‘personal data filing system’ was, for example, translated to “archivio di dati personali” (Article 2(1)(c) Directive 95/46/EC) in the Italian version. 6 On 10 July 2018, the Grand Chamber of the CJEU also ruled on the concept of ‘filing system’ in the Jehovan todistajat case, Case C- 25/17, Tietosuojavaltuutettu vs Jehovan todistajat — uskonnollinen yhdyskunta [2018] ECLI 551. The Grand Chamber ruled that there is a filing system: ‘if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods’.

Archived Tissue

53

to closely examine the use of the term ‘archive’ in the context of the European legislation. In the European legislation, ‘archive’ is generally used to refer to records or documentation generally produced in an administrative context. The regulations7 concerning the public opening of the historical archives of the European Economic Community and the European Atomic Energy Community define archival documents as records selected for permanent preservation. This type of archive collects and catalogues all data and documentation which have been selected for preservation because of their historical or administrative value, even though there is no longer an obligation to preserve them. In this sense, this type of archive is commonly defined as ‘historical archive.’ In addition to historical archives, both European legislation8 and doctrine9 (Carucci and Guercio 2021) also use the term ‘current archive’ when referring to all documents produced or otherwise acquired by an entity in the performance of its duties and relating to the proceedings in progress. In the European context, due to the importance of archives, the European Archives Group (EAG) was also established as a special body to ensure cooperation and coordination on general matters relating to archives.10 Archiving is an activity that not only concerns administration in the strict sense, but also in the medical field. Indeed, health records are also subject to archiving and the consequent obligation of retention. Particularly in the pathological field, archiving consists of the preservation and classification of diagnostic reports and related documents once the diagnostic report has been issued. More precisely, the diagnostic reports and documentations include both the documents necessary for the transformation process of tissue sample to report (e.g. request sheets of clinicians, x-rays, autopsies or fetopathological examination sheets, etc.) and the documents resulting from this process (e.g. fixed, frozen

7

See, for example, Council Regulation (EEC, Euratom) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community O.J. 15.2.1983 L 43/1, as last amended by the Council Regulation (EU) 2015/496 of 17 March 2015. 8 Article 7 of Council Regulation (EEC, Euratom) No 354/83, referring to the establishment of historical archives, indeed says that ‘Each institution shall transfer to its historical archives all documents contained in their current archives no later than 15 years after their date of creation. According to the criteria laid down by each institution pursuant to Article 9, there shall be an initial sorting process with the purpose of separating documents that are to be preserved from those that have no administrative or historical value’. 9 The authors actually make a tripartition of archives: current, deposit and historical. 10 The European Commission has established the European Archives Group (EAG) with Council Recommendation 2005/835/EC on priority actions to increase cooperation in the field of archives in Europe of 14 November 2005 O.J. 29.11.2005 L 312/55. The ECG is composed of experts designated by the Member States and the institutions of the Union with the mission to ensure cooperation and coordination on general matters relating to archives. Within its attributions, the EAG has also developed guidelines for the implementation of the GDPR by archives services. https://ec.europa.eu/info/sites/default/files/eag_draft_guidelines_1_11_0.pdf.

54

A. Mirabile

or paraffin-embedded tissues, slides for histology, cytology and complementary techniques, photographs, etc.). Thus, all the tissue specimens are considered and, therefore, treated as documents in themselves. Archiving is an activity of important medical interest since it allows the re-examination of the diagnosis in the event of a dispute and the re-examination of material to carry out additional investigations with a diagnostic, prognostic or predictive purpose, which may not have been available at the time of the initial examination. Indeed, in almost all European countries, it is not only paper records and patient data that is subject to a preservation obligation, but also biological material collected during diagnostic and/or therapeutic interventions, although the term ‘preservation obligation’ varies from country to country. Therefore, for the purposes of this study, ‘archival materials’ can be defined as all samples of biological material collected in the course of medical activity, archived and retained in fulfilment of the obligation of the retention of the health record. Archives of biological material, then, as well as documentary archives, may be qualified as current or as historical depending on whether or not the corresponding obligation of retention applies.

3 Consent Required for the Use of Biological Materials and Related Personal Data in Research Activities For the purposes of this analysis and in order to understand the potential uses of archival material, both historical and current, the main aspect to be addressed here is the consent of the person to use their biological material for research activities. Informed consent, in fact, is a fundamental element in the discipline of biobanks and research activity in general; it needs to guarantee the informed and voluntary participation of the individual and to protect the personal data of the subjects involved, whenever the research involves individuals, biological samples or, possibly, personal data (see also other chapters in this book: S. Brizioli ‘Residual material’; C. Barbosa & A. da Costa Andrade ‘Secondary use and dual use of biological samples’). From the perspective of a subject’s conscious and democratic participation in biomedical research and in biobanking, the informed consent of the donor represents an act of indispensable personal will and an expression of their freedom, selfdetermination and empowerment (Cippitani and Colcelli 2021).

Archived Tissue

55

However, it should be specified that consent to healthcare treatment (required as a general rule by Article 26 of the Helsinki Declaration11) and/or to any clinical trial12 cannot be fully assimilated with the notion of consent as a legal basis for the processing of personal data under the GDPR. Consent for research activity is a consent distinct from explicit consent to process personal data for research activity. These are two different disclosures with partially overlapping purposes; consent for the research activity often contains and invokes the lawfulness and security of the processing of the personal data of the subject participating in the activity. Informed consent for research activity is conceived, as mentioned previously, for the protection of the dignity and self-determination of the subject involved and not as a tool for guaranteeing the protection of personal data, as is the case for explicit consent under Article 7 of the GDPR. Therefore, the information and consent for the processing of personal data may be supported when relating to the research activity, but the latter consent must still be requested even when the legal basis of the data processing is different from consent. This occurs if the processing of health data for research purposes is based on legal grounds other than consent, namely Article 6(1)(e) or (f), for example, public interest or the legitimate interest of the data controller (Cippitani 2019). Depending on whether one is dealing with a historical archive or a current archive, it is possible to encounter various consent formulae: from the complete absence of any kind of consent whatsoever, to the need to balance consent to the use

The 1964 Declaration of Helsinki ‘Ethical Principles for Medical Research Involving Human Subjects’ of the World Medical Association—available at https://www.wma.net/policies-post/ wma-declaration-of-helsinki-ethical-principles-for-medical-research-involving-human-subjects/— as last amended in 2013, provides in Article 26 that: ‘In medical research involving human subjects capable of giving informed consent, each potential subject must be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail, post-study provisions and any other relevant aspects of the study. The potential subject must be informed of the right to refuse to participate in the study or to withdraw consent to participate at any time without reprisal. Special attention should be given to the specific information needs of individual potential subjects as well as to the methods used to deliver the information. After ensuring that the potential subject has understood the information, the physician or another appropriately qualified individual must then seek the potential subject’s freely-given informed consent, preferably in writing. If the consent cannot be expressed in writing, the non-written consent must be formally documented and witnessed. All medical research subjects should be given the option of being informed about the general outcome and results of the study.’ 12 Informed consent relating to clinical trials on medicinal products for human use is governed by Article 29 of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medical products for human use, and repealing Directive 2001/ 20/EC O.J. 27.5.2014 L 158/1. This Regulation, however, has as its scope that of clinical trials. In general, the establishment of biobanks does not imply any clinical trials as defined in Article 2 of the aforementioned Regulation, but the rules contained therein are applicable by analogy (where compatible) to this field. 11

56

A. Mirabile

of data and materials for research purposes with compliance with the obligation to preserve them. For this reason, Sect. 4 will analyse and address these hypotheses and the precautions that could be implemented in order to be able to use archival materials and associated data for research activities.

4 Historical Tissue Archives and the Absence of Express Consent As mentioned in Sect. 3, historical archives are archives of diagnostic documentation for which the preservation obligation has ended. The storage period varies from country to country, from a minimum of 5 years— as in Italy for cytological preparations13—to at least 30 years (Germany14). The historical archives of diagnostic documentation (Cippitani and Colcelli 2021) may have a long history. They may consist of samples, for which it is very difficult, if not impossible, to ascertain informed consent because of the context in which the collection took place, i.e. at a time when awareness of the need to ensure adequate information and to prepare informed consent was not yet widespread. If consent had been given, it would have concerned only the diagnostic or therapeutic treatment and 13 Article 9 of the Prime Ministerial Decree of 20 February 1984 stated that the minimum retention period for cytological and histological slides and paraffin inclusions was 5 years. However, the subsequent circular No. 61 of 19 December 1986 on the retention period of health documentation in public and private hospital and care institutions, stated a minimum period of 20 years for other diagnostic documentation, by analogy with the provisions on x-rays. To resolve this conflict, the opinion of 14 October 1987 intervened, highlighting the third section of the Superior Health Council. In that opinion, the Italian Superior Health Council observed that: ‘only the histological diagnostic material (consisting of the preparation and its inclusion), regardless of the positivity or negativity of the report, is to be considered an integral part of the remaining diagnostic documentation as set out in circular no. 61 of 19.12.86, concerning the period of conservation of health documentation in public and private institutions of hospitalisation and care and therefore conserved for 20 years; considers that the directives expressed in circular no. 61 are extended to the provisions contained in the D.P.C.M. of 10.2.84 only for histological preparations and relative inclusions, that the cytological preparations must be retained for a period of 5 years.’ 14 According to Section 630f BGB, entitled ‘Documentation of treatment’, ‘(1)... the practitioner is obliged to keep medical records in paper or electronic form in direct temporal connection with the treatment. [...](3) The curator must retain the medical record for a period of 10 years after the end of the treatment, unless other retention periods exist in accordance with other provisions.’ Longer retention periods exist, for example, for records of treatment with radiation or x-rays pursuant to § 72 (1) no. 2b) in conjunction with § 85 (2) no. 1 StrlSchG (30 years) or for the use of blood products pursuant to § 14 (3) TFG (15 years or 30 years for certain data specified in § 14 (2) TFG). If the doctor does retain keep the medical records until the end of the retention period, they may have to prove in a possible medical liability case that they have actually taken the medically necessary measures (cf. 4.1.a.E. of the recommendation on professional secrecy, etc. 3 BGB). In this regard, possible liability actions can be asserted up to 30 years (pursuant to §§ 197 para. 1, 199 para. 2, para. 3 no. 2 BGB).

Archived Tissue

57

would not have dealt with the possibility of conducting research on those samples or using the data associated with them. It should also be considered that these historical archives may present an additional logistical and practical problem: the difficult availability of informed consent for samples which, at least until the 1980s, was only available in paper form and, in any case, probably held by the individual department that had pre-cleared the sample as part of its diagnostic or therapeutic activity. In any case, the analysis of the most relevant legislation on the subject, including Recommendation no. 6/2016 of the Council of Europe,15 recital no. 62 and Article 89 of the GDPR, clarifies that it is always the responsibility of the researcher or institution, when intending to use biological materials for scientific research purposes, to obtain informed consent or new consent from the donor. Despite this, there are cases in which this rule is no longer applicable. The first exception occurs when data are anonymised, so that it is no longer possible to identify the person concerned. In particular, Article 11(3) of Recommendation No 6/2016 provides that biological material taken for purposes other than research may only be retained for future research, without the consent of the data subject, if it is no longer identifiable and a statutory authorisation has been obtained. However, it must be borne in mind that, in any case, biological material by its nature contains the genetic data of the person (and therefore also of their genetic group) from whom it was taken. Modern techniques and the easy availability of a wide range of data could, as has already occurred, allow a person to be identified from anonymous genetic data16 (Gymrek et al. 2013). Complete anonymisation, however, entails some serious consequences; both the person concerned and the researcher will lose important information and will not be able to produce follow-up results (Macilotti et al. 2008), which are often crucial for the optimal execution of a research project. Therefore, complete anonymisation should be considered as a last resort. Further derogation from the consent rule is contained in recital 62 and Article 14(5)(b) of the GDPR. These provisions consider cases where obtaining consent would be impossible or would involve a disproportionate effort that could make it impossible or seriously jeopardise the attainment of the purposes of the research. In such cases, ‘the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.’ On this point, individual States may provide for specific requirements. By way of example, in Italy, it is necessary to obtain not only a favourable opinion from the competent Ethics Committee, but also specific authorisation from

15

Council of Europe, Committee of Ministers Recommendation CM/Rec(2016)6 of the Committee of Ministers to member States on research on biological materials of human origin. 16 The ability to identify an individual using their anonymous genome sequence, using a clever algorithm and data from public databases, threatens the principle of subject confidentiality.

58

A. Mirabile

the Italian Data Protection Authority, as provided for in Article 110-bis of the Italian Data Protection Code (Legislative Decree 196/2003 updated to Legislative Decree 101/2018). In Finland, on the other hand, in addition to the opinion of the Ethics Committee, a generalised disclosure must be provided with the possibility for data subjects to exercise their right to opt-out.17 In any case, given the time span of historical records, it is very likely that most of the persons concerned are dead. As stated by recital 27, the GDPR does not apply to the personal data of deceased persons. For this reason, it could be presumed that materials and data from historical archives could be used, taking into consideration that recital 27 also states that ‘member States may provide for rules regarding the processing of personal data of deceased persons.’ In the Italian legal system, for example, article 2-terdecies of the Italian Data Protection Code provides that the rights established from articles 15 to 22 GDPR may be exercised by ‘those who have an interest of their own, or are acting on behalf of the data subject, as his representative, or for family reasons deserving protection’. Therefore, although this provision is not very clear, it can be assumed that such persons may express consent on behalf of the deceased person, or otherwise exercise the opt-out option for the use of biological materials and data for research purposes (Giesbertz et al. 2012).

5 Current Tissue Archives, Secondary Use and Conservation Obligation Current archives of tissue specimens also involve complex aspects, some similar to those of the historical archives mentioned in Sect. 4, and others of their own deriving from their characteristics. Current archives contain material and personal data for which the preservation obligation has not been fulfilled. As seen in Sect. 4, the preservation obligation varies according to the country and the type of sample. In these archives, one can find diagnostic samples collected in the present day (within the GDPR’s scope), as well as samples dating back 20 to 30 years ago. For older samples, the previously mentioned considerations related to historical archives apply. However, with regard to samples collected under the GDPR, a distinction must be made.

17

Pursuant to section 13 of Biobank Act (law 688/2012), clinical and research samples that have been collected before the Biobank Act comes into force (i.e., September 1, 2013) can be transferred to a biobank as a result of a specific notification procedure and subsequent opt-out principle. On this point, see J. Nergelius’s national report on Finland in this handbook.

Archived Tissue

59

Samples collected with consent for research activities either general or specific may be used if the type of research to be carried out is included among those permitted or is not expressly excluded, e.g. about samples collected with consent for diagnostic or therapeutic purposes only, the use for research purposes could be defined as secondary use, which is discussed in more detail in this handbook (see the chapter in this book: C. Barbosa & A. da Costa Andrade ‘Secondary use’). Article 6(4) of the GDPR allows ‘the processing for a purpose other than that for which the personal data have been collected’ even without the further consent of the data subject if the further use ‘is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards, which may include encryption or pseudonymization.’ Further processing for inter alia ‘scientific or historical research purposes should be considered to be compatible lawful processing operations’ (recital 50 GDPR). In this regard, in addition to the rules of the GDPR, one must also consider the provisions of Article 12 of Recommendation 4/2006 of the Council of Europe, concerning residual biological material: ‘biological materials removed for purposes other than storage for research should only be made available for research activities with appropriate consent or authorisation, or in accordance with the provisions of Article 22 paragraph 1.ii. /2. Whenever possible, information should be given and consent or authorisation requested before biological materials are removed.’ If consent or authorisation for the further use of biological samples cannot be obtained with reasonable effort, Article 22 paragraph 1.ii. states that ‘these biological materials should only be used in the research project subject to independent evaluation of the fulfilment of the following conditions: a. the research addresses an important scientific interest; b. the aims of the research could not reasonably be achieved using biological materials for which consent can be obtained; and c. there is no evidence that the person concerned has expressly opposed such research use.’ Whilst it would be preferable to re-contact the interested parties so as to provide the necessary information and obtain their consent for research activities, in cases in which this is not possible and despite the fact that every reasonable effort has been made to reach them, certain conditions must be met. This is not only required to comply with the GDPR, but in general terms it is essential from an ethical point of view.

60

A. Mirabile

It would be advisable to obtain a specific opinion from the competent ethics committee and, if the national legislation allows it, to request a specific authorisation from the National Data Protection Authority.18 The research activity and also the possible transfer of biological material contained in current archives to a research biobank is further limited by the obligation of healthcare facilities to preserve diagnostic documentation. As explored in this section, biological material and related data contained in current archives are subject to specific preservation obligations. The preservation obligation responds to diagnostic needs, on the one hand, and legal needs on the other, which are associated in particular with medical liability. The use of biological samples for research activities could lead to their destruction and/or exhaustion at any time. Researchers and biobanks, however, in order to fulfil their obligation to preserve and maintain the diagnostic usefulness of the samples, taking into account the interest and well-being of the individual over the sole interest of society or science (Oviedo Convention19), should take measures to use the samples sparingly and to avoid the risk of accidental destruction. It should also be stipulated that the last aliquot of a biological sample must be preserved, even to the detriment of possible research activities. The use and subsequent destruction and/or depletion of the sample could and should only be allowed if this is requested by the person concerned or by members of the same family group for reasons relating to their health condition either for diagnostic purposes or to be included in possible research projects.

6 Conclusion The GDPR has undoubtedly emphasised the role of consent and related rules, including in the context of research activities. Nevertheless, this does not necessarily imply that tissues can not absolutely be used for research purposes. Indeed, the GDPR and national and international standards provide for exceptions to the rule of consent and the principle of granularity in case the processing of biological data and materials is determined by research purposes.

18

It should be noted, however, that this framework could be modified if the EU directive, currently the subject of a proposal in the European Parliament for the establishment of the ‘European Health Data Space,’ were to be adopted. This proposal, among other things, aims to resolve the problems connected to the ‘secondary use of health data’ and to the fragmentation of the national policies on this point. The basic idea would seem to be that of ‘data altruism,’ which would allow health data to be used or re-used for research purposes in a more flexible manner. 19 Particular reference is made to Article 2, entitled ‘Primacy of the human being’, which states that ‘The interest and welfare of the human being shall prevail over the sole interest of society or science’.

Archived Tissue

61

Both in the case of the total absence of consent and in the case of secondary use, processing for research purposes may take place when the following conditions are met: (a) the samples and data are rendered completely anonymous; (b) contacting the data subjects would be impossible or would involve a disproportionate effort that could make the research objectives impossible or seriously jeopardise their attainment. In any event, the use of this type of sample should at least be subject to the opinion of the competent ethics committee and, where required, to authorisation by the national supervisory authority. In the future, it would be desirable for healthcare facilities to prepare their own information to ensure that tissues retrieved during diagnostic/therapeutic procedures can also be used for research purposes. In the context of current archives, consideration should also be given to the need to comply with the obligation to preserve diagnostic documentation and thus biological materials. In this regard, biobanks and researchers in general will have to take measures to avoid the destruction and/or exhaustion of the sample and, in any case, to preserve the last useful aliquot in the interest of the subject from whom the sample was taken or their family group.

References Bleassoe MJ, Grizzle WE (2013) Use of human specimens in research: the evolving United States regulatory, policy, and scientific landscape. Diagn Histopathol 19(9):322 Borghi M (2018) Individual rights and property rights in human genetic databases: a common-law perspective. In: Rainer A, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Universität Regensburg, Regensburg, p 120 Carucci P, Guercio M (2021) Manuale di Archivistica. Carocci Editore Cheung CC (2013) Issues with diagnostic tissue: a practical approach from a Canadian perspective. Diagn Histopathol 19(9):337–342 Cippitani R (2019) Finalità di ricerca scientifica ed eccezioni alla disciplina della protezione dei dati personali. Ciberspazio e diritto 20:161–176 Cippitani R, Colcelli V (2021) Bio-legal issues in the establishment of a historical collection of human tissues: the case of the Umbria biobank project. Medicina Historica 5:1–9 Giesbertz NAA, Bredenoord AL, van Delden JJM (2012) Inclusion of residual tissue in biobanks: opt-in or opt-out? PLoS Biol 10(8):1–6 Gymrek M, Mcguire A, Golan D, Haperin E, Erlich Y (2013) Identifying personal genomes by surname inference. Science 339:321–324 Häyry M, Chadwick R, Árnason V, Árnason G (2007) The ethics and governance of human genetic databases. Cambridge University Press, Eur Persp Macilotti M, Izzo U, Pascuzzi G, Barbareschi M (2008) La disciplina giuridica delle biobanche [the legal aspect of biobanks]. Pathologica 100:86–108

Blockchain and Dynamic Consent Can the Blockchain Realise Proper Support for Dynamic Consent? Filippo Zatti

1 Introduction Biobank data sharing is relevant during a pandemic, as Sars-CoV-2 showed. Even though legal issues still need to be sorted out, blockchain technology could help allow this. The pandemic actually revealed how the rules on personal data protection don’t fit well with the research context. At the same time, concerns emerged about how research needs could affect data collection, given the heightening of data security. Two issues are on the ground. First, to prevent the loss of intellectual property and personal data. Second, overcoming legal uncertainties and limiting the lack of commonly applied standards to favour innovative infrastructure adoption. Awareness has been growing that distributed ledger technology (DLT) and Blockchain could help maintain the security and integrity of patient data, thereby facilitating research and improving results. Promoting a new public engagement in the relevant definitions of broad consent (specific, meta or dynamic), data sharing, and residual risk for re-identification could also be done (Vlahou et al. 2021). Blockchain and DLT are particularly suited to securing personal identity due to their architecture based on cryptography and disintermediation, allowing participants to play a dynamic role in a network. Thanks to these features, dynamic consent can become a standard in biobanking when compliant with the General Data Protection Regulation (GDPR)1 (Nordberg 2021; Prictor et al. 2019). It can also

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. F. Zatti (✉) University of Florence - Department of Economics and Management and BABEL-Blockchains and Artificial Intelligence for Business, Economics and Law, Florence, Italy e-mail: filippo.zatti@unifi.it © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_7

63

64

F. Zatti

make consent more efficient and transparent if applied to DLT and blockchain (Rupasinghe et al. 2019). A recent investigation of public engagement models and processes in biomedical research has suggested that when forms are more general, or the purpose of the sample and data usage is less clear, trust in the “appropriateness” of research diminishes (Goisauf and Durnová 2019, p. 285). The public must maintain power over its own data based on dynamic consent because it aims to give individuals the opportunity to be better informed about their consent choices and the ongoing research process in general and to provide them with control over how their biospecimens and data are used (Mamo et al. 2020, p. 611). Dynamic consent can be qualified as ‘participant-centred, granular, flexible and adapted to changes in the legal and regulatory environment’ (Prictor et al. 2019, p. 101). At the same time, blockchain technology can allow individuals to ‘express and change their consent virtually immediately, at any time, and on a continuous or ongoing basis’ (Wee et al. 2013, p. 344). Our goal is to contribute to an understanding of the advantages and disadvantages of blockchain technology in biobanking from a legal perspective. It concerns whether it could be GDPR-compliant or what else would be needed from a legal point of view to facilitate the transition to a blockchain system for biobanking to ensure adequate support for dynamic consent. We need to put legal mechanisms into place so that regulatory obstacles cannot stifle these possible helpful technological advances.

2 The Blockchain for Biobanking: The Most Relevant Projects So Far Blockchain applications have a broad scope. Blockchain applications started with the payment system (see Nakamoto’s whitepaper) but have since been applied to fields other than the financial economy, such as healthcare and medical research (Digital Science and Rossum 2017, pp. 8–9). In these fields, ‘the use of Blockchains is for creating common databases of health information that clinicians could use regardless of the type of electronic health records (HER) they have, potentially improving patient care’ (Committee on Improving the Quality of Health Care Globally et al. 2018, pp. 91–92). A few years after the rise of bitcoin in Estonia, citizens, healthcare professionals and health insurance companies could use the blockchain to retrieve all information on medical treatments performed (Basu 2016). The scientific community has also started to think about using blockchain technology to encourage participation and transparency in biobank research (Spector-Bagdady et al. 2018). All transactions in the physical space can be tracked as a digital token by a DLT or a blockchain. Depending on the use of biological specimens or data that can be digitally recorded as unique data by blockchain, this could be used for lodging a DNA sequence or the publication of results. New

Blockchain and Dynamic Consent

65

patient-oriented research opportunities would be created, as these individual transactions would be traceable and immutable (Committee on Biological Collections: Their Past, Present, and Future Contributions and Options for Sustaining Them et al. 2020, p. 135). According to recent research by the University of Malta (Albalwy et al. 2021) at least two projects are already developing dynamic consent in biobanking using DLT: Dwarna (Mamo et al. 2020) and a design proposal from IBM Research (Choudhury et al. 2018). Both projects are set on a specific type of blockchain classified as permissioned, meaning decentralised but with the persistence of a kind of authority. The prototype Dwarna is based on Hyperledger Composer, while the IBM proposal is on Hyperledger Fabric. Both are open source and come under the umbrella started in 2015 by the Linux Foundation, receiving contributions from IBM, Intel and SAP. Another project has been set up that focuses on the interaction between two biological/bioinformatics commons, namely public biobanks and the free open source software (FLOSS) (Evangelatos et al. 2020). Blockchains have already been used for governance problems of data management and digital ‘toxicity’ (Özdemir 2018; Shabani 2019). The news here is that Ethereum is being used for this goal. Understanding an adequate blockchain solution for guaranteeing self-sovereign identity in storing and transferring digital data into a biobank is thus relevant. It is worthwhile to examine how a permissioned blockchain differs from a permissionless protocol before focusing on the legal issues concerning privacy and security.

3 Valuable Blockchain Functions for Dynamic Consent in Biobanking Understanding how a blockchain works at a fundamental level is critical to see how it could be used in biobanking and grasp the features of dynamic consent. Dynamic consent was first developed in biobanking a decade ago (Prictor et al. 2019, p. 101). Dynamic consent needs an explicit indication of agreement. The features of blockchain could meet the need for dynamic consent. However, the digital divide and insufficient empirical evidence of participant commitment could make it hard to adopt. Let us simply remind the blockchain basics. Technically, blockchain is a method of recording and storing electronic data based on algorithms that theoretically allow the data to be structured in the chronological order of their validation in the form of interlinked blocks. This method primarily originates from applying two quantitative disciplines: game theory and cryptography. They constitute an automated decentralised system that is selfexecuting. Cryptography is the key to expressing consensus by network participants. It allows transfers of digital data inside the network, guaranteeing the identity of the participants without revealing it to others. Some participants act as ‘nodes,’ verifying

66

F. Zatti

that transactions comply with the consensus mechanism. Nodes are copies of the transaction register. The more nodes there are, the more decentralised and secure the network is. Each validated block is once and for all ‘written in stone’ without any possibility of being modified by anyone. There are two main features at the core of blockchain technology: node distribution and the consensus algorithm. These features affect automated consensus, creating incentives that nudge participants into behaving constructively, transforming social relations and reducing transaction costs. The features vary with the level of decentralisation and the type of consensus algorithm. In a permissionless blockchain (such as Ethereum), all the peer-to-peers are nodes; anyone can enter and use it, and any peer has the same power as any other. In the case of the Hyperledger Fabric-based platform, the blockchain is permissioned: only some peer-to-peers can also act as nodes. Therefore, authorisation is requested to enter it, and the network operates in an environment of partial trust. This protocol allows centralised governance to work on a private network, and the administrator would modify the protocol as desired. Private blockchains can connect different information systems that do not speak well with each other within the same entity, such as in an intranet. Shared governance, as in the case of the consortium or federated and hybrid Blockchains, is the final option. The first type brings together different actors but is not public and open to all. The latter is a combination of private and public blockchains. The management of access, rights and data is flexible. Write and edit rights can be changed, and some nodes can be made public while others remain private. Most of the participants have certain rights, and decisions made on the blockchain are taken. The consortium is better suited to regulated contexts in which the identity of actors is required for regulatory compliance reasons. In any case, choosing a blockchain type concerns security, transaction volume and speed. In the case of biobanking, the first two features are so relevant that it is not entirely understood why private blockchains are currently considered the best choice (Kim et al. 2021, tbl. 3).

4 Blockchains for Biobanking Under the GDPR If a person gives dynamic consent in a blockchain-based biobank, they can change their consent to specimens and samples of any type at any time. Notarisation makes blockchain a suitable technical choice to enable patients to update their consent when needed and to rethink it to participate in various research phases. Blockchain speed is irrelevant to biobanking to ensure effective dynamic consent, considering how data is shared in healthcare and biobanking today through databases. However, suppose a blockchain, from a technical view, could help securely facilitate the transfer of personal health data with pseudonymisation. We must consider that this could probably not be used in many jurisdictions. Legal uncertainty remains the main obstacle to its application to date. However, agreements between biobanks can overcome legal uncertainties and set common standards for data sharing using blockchain following technical initiatives such as the Confidential

Blockchain and Dynamic Consent

67

Consortium Framework.2 As blockchain is not (yet) in the privacy-enhancing technology (PET) taxonomy (Royal Society (Great Britain) 2019, p. 12), they can be combined (Kaaniche et al. 2020, p. 26) to fit the privacy engineering schemes. Nonetheless, the process is computationally expensive and needs a trusted party to work (Royal Society (Great Britain) 2019, p. 48). This leads to the legal side, which requires adopting measures to overcome a case-by-case interpretation to adapt the GDPR to a decentralised framework (Giordano 2021, p. 794). In particular, this involves clarifying the concept of anonymous data, the definition of the data controller and the meaning of ‘erasure’ under article 17 GDPR.3 In the first review of the GDPR under Article 97, the European Data Protection Board was invited to issue guidelines on applying the GDPR in scientific research and blockchain. 4 The need for an adequate legal framework is growing, not only for the financial sector (the Markets in Cryptoassets EU Regulation proposal is at its final stage) but also for applying blockchain technology in the supply chain, which involves contractual and privacy issues. Cybersecurity is another necessary strength as blockchains are based on the need for key public–private infrastructure to prevent the loss of access to data. Biobanks have already been designed with perimeter and security pipelines to protect what is inside, but Blockchains are also generally intended to deal with encrypted communications. The permissionless Blockchains were designed to be constantly attacked by malicious actors. So far, there is no news that blockchains have been hacked to break this public-private key encryption that allows security in transaction recording. One-way public decentralised applications in the medical field could be through consortium-based blockchains such as Distributed Autonomous Organisations (DAO). This aspect could be crucial for dynamic consent as Dwarna aims to ‘further increase transparency’ (Mamo et al. 2020, p. 624). Dwarna’s data link is a front and back end. The first enables the communication between biobank managers, researchers and partners. The latter is divided into two components that store data: one is a permissioned Blockchain, and the other is a database. This separation of data makes it more difficult to access the data of research partners. The links between the real identities of research partners and their pseudonyms are physically stored in the biobank (Mamo et al. 2020, p. 617). Dwarna creates new pseudonyms to represent research partners in the Blockchain. Blockchain also has the task of recording only consent changes. Biobanks that use blockchains for back-end reconciliation could avoid many plagues that affect centralised biobanking, such as downtime, fraud or interference by third parties (Hazlegreaves 2019). 2

Confidential Consortium Framework. (n.d.). Microsoft Research. https://www.microsoft.com/enus/research/project/confidential-consortium-framework/. 3 European Parliament. Directorate General for Parliamentary Research Services (2019). Blockchain and the general data protection regulation: Can distributed ledgers be squared with European data protection law? Publications Office, p. 101. https://data.europa.eu/doi/10.2861/535. 4 Communication from the Commission to the European Parliament and the Council Data Protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition—2 years of application of the General Data Protection Regulation COM/2020/264 final.

68

F. Zatti

Distributed biobanks enable fascinating applications for cloud storage and patient data tracking for research. Blockchain technology makes it possible to incentivise research partners to contribute samples or specimens or even health organisations that collect them to allow others to use them for research or other purposes with the promise that if they are later used in specific ways, there might be some reward, financially or otherwise. This comes with the proposal for a European regulation on data governance. In fact, Blockchains were initially designed for this, not by chance. They have been successfully used for financial inclusion with micro-payments. Thanks to smart contracts, this technology helps when a significant amount of material and data must be appropriately managed, even if the data has different standards. Indeed, smart contracts are another valuable instrument to automate processes, connect data to AI and IoT or ease the creation of consortia in the architecture of DAO, thereby agreeing with a standard to share data and terms. Finally, Blockchain could be strategic for biobanking issues concerning consent and tracking under the EU legislation. Still, residual legal uncertainty requires a case-by-case analysis, but it is not an obstacle to creating common standards and easing the adoption of schemes that allow the use and sharing of this data more effectively for medical research and care.

5 Conclusion Dynamic consent could help to go beyond the limits of informed consent. The technology could now become an effective tool to persuade the public to trust that they are adequately protected by releasing their medical data for research purposes. The public becomes an active research partner. Researchers and clinicians would not be more at the centre of the stage for ensuring trust. As stated, dynamic ‘consent platforms provide researchers with robust technological and governance protections, often using novel solutions to protect the privacy and enhance security through access restriction, pseudonymisation, encryption, data separation, audit trails, and blockchain technology’ (Goncharov et al. 2022). So, can the blockchain realise proper support for dynamic consent? The answer is to date based on two issues. The first concerns the technological perspective and the security it guarantees. The second is the legal reasoning concerning the compliance of blockchain technology with the rules in force to protect privacy rights. We would not find a definitive position from any computer scientist or legal scholar on either of these two aspects. It is not only due to the technology level or legal uncertainties but also the very distinct opinions about the role of Blockchain in economics and society. Let us assume, however, that this technology can facilitate patient consensus management (as in the case of biobanking). In that case, it is pretty clear how helpful it would be to share medical data. We should encourage its development by removing legal uncertainties and establishing a standardised regulatory framework, at least at the EU level, focused on blockchain technology. We can confirm that ‘facilitating the exchange

Blockchain and Dynamic Consent

69

of genomic data through blockchain technology and smart contracts is promising’ (Albalwy et al. 2021). All that remains is to make this promise a reality.

References Albalwy F, Brass A, Davies A (2021) A blockchain-based dynamic consent architecture to support clinical genomic data sharing (consentchain): proof-of-concept study. JMIR Med Inform 9(11): e27816. https://doi.org/10.2196/27816 Basu M (2016, March 6) Estonia using blockchain to secure health records’. GovInsider (blog). https://perma.cc/EAF8-FRLQ Choudhury O, Sarker H, Rudolph N, Foreman M, Fay N, Dhuliawala M, Sylla I, Fairoza N, Das AK (2018) Enforcing human subject regulations using blockchain and smart contracts. Blockchain in Healthcare Today. https://doi.org/10.30953/bhty.v1.10 Committee on Biological Collections: Their Past, Present, and Future Contributions and Options for Sustaining Them, Board on Life Sciences, Division on Earth and Life Studies, & National Academies of Sciences, Engineering, and Medicine (2020) Biological collections: ensuring critical research and education for the 21st century. National Academies Press, https://doi.org/ 10.17226/25592 Committee on Improving the Quality of Health Care Globally, Board on Global Health, Board on Health Care Services, Health and Medicine Division, & National Academies of Sciences, Engineering, and Medicine (2018) Crossing the global quality chasm: improving health care worldwide. National Academies Press, p 25152. https://doi.org/10.17226/25152 Digital Science, Van Rossum J (2017) Blockchain for research. Digital Science. https://doi.org/10. 6084/M9.FIGSHARE.5607778 Evangelatos N, Upadya SP, Venne J, Satyamoorthy K, Brand H, Ramashesha CS, Brand A (2020) Digital transformation and governance innovation for public biobanks and free/libre open source software using a blockchain technology. OMICS: J Integr Biol 24(5):278–285. https:// doi.org/10.1089/omi.2019.0178 Giordano MT (2021) Blockchain and the GDPR: new challenges for privacy and security. In: Cappiello B, Carullo G (eds) Blockchain, law and governance. Springer International Publishing, pp 275–286. https://doi.org/10.1007/978-3-030-52722-8_20 Goisauf M, Durnová AP (2019) From engaging publics to engaging knowledges: enacting “appropriateness” in the Austrian biobank infrastructure. Public Underst Sci 28(3):275–289. https:// doi.org/10.1177/0963662518806451 Goncharov L, Suominen H, Cook M (2022) Dynamic consent and personalised medicine. Med J Aust 216(11):547–549. https://doi.org/10.5694/mja2.51555 Hazlegreaves S (2019, September 24) Distributive biobanking models: why biospecimens need blockchain. Open Access Government. https://www.openaccessgovernment.org/distributivebiobanking-models/73910/ Kaaniche N, Laurent M, Belguith S (2020) Privacy enhancing technologies for solving the privacypersonalization paradox: taxonomy and survey. J Netw Comput Appl 171:102807. https://doi. org/10.1016/j.jnca.2020.102807 Kim TM, Lee S-J, Chang D-J, Koo J, Kim T, Yoon K-H, Choi I-Y (2021) DynamiChain: development of medical blockchain ecosystem based on dynamic consent system. Appl Sci 11(4):1612. https://doi.org/10.3390/app11041612 Mamo N, Martin GM, Desira M, Ellul B, Ebejer J-P (2020) Dwarna: a blockchain solution for dynamic consent in biobanking. Eur J Hum Genet 28(5):609–626. https://doi.org/10.1038/ s41431-019-0560-9 Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU general data protection regulation. In: Slokenberga S, Tzortzatou O, Reichel J

70

F. Zatti

(eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 61–89. https://doi.org/10.1007/978-3-030-49388-2 Özdemir V (2018) The dark side of the moon: the internet of things, industry 4.0, and the quantified planet. OMICS J Integr Biol 22(10):637–641. https://doi.org/10.1089/omi.2018.0143 Prictor M, Teare HJA, Bell J, Taylor M, Kaye J (2019) Consent for data processing under the general data protection regulation: could ‘dynamic consent’ be a useful tool for researchers? J Data Protect Priv 3(1) https://ora.ox.ac.uk/objects/uuid:f74babfc-a8d6-4709-8049-6a0 756e97a71 Royal Society (Great Britain) (2019) Protecting privacy in practice: The current use, development and limits of privacy enhancing technologies in data analysis Rupasinghe T, Frada B, Carsten R (2019) Blockchain based dynamic patient consent: a privacypreserving data acquisition architecture for clinical data analytics. In: ICIS 2019 Proceedings, 2019. https://aisel.aisnet.org/icis2019/blockchain_fintech/ Shabani M (2019) Blockchain-based platforms for genomic data sharing: a de-centralized approach in response to the governance problems? J Am Med Inform Assoc 26(1):76–80. https://doi.org/ 10.1093/jamia/ocy149 Spector-Bagdady K, De Vries RG, Gornick MG, Shuman AG, Kardia S, Platt J (2018) Encouraging participation and transparency in biobank research. Health Aff 37(8):1313–1320. https://doi. org/10.1377/hlthaff.2018.0159 Vlahou A, Hallinan D, Apweiler R, Argiles A, Beige J, Benigni A, Bischoff R, Black PC, Boehm F, Céraline J, Chrousos GP, Delles C, Evenepoel P, Fridolin I, Glorieux G, van Gool AJ, Heidegger I, Ioannidis JPA, Jankowski J et al (2021) Data sharing under the general data protection regulation: time to harmonize law and research ethics? Hypertension 77(4): 1029–1035. https://doi.org/10.1161/HYPERTENSIONAHA.120.16340 Wee R, Henaghan M, Winship I (2013) Dynamic consent in the digital age of biology: online initiatives and regulatory considerations. J Prim Health Care 5(4):341–347. http://search. ebscohost.com/login.aspx?direct=true&db=ccm&AN=104169296&site=ehost-live&scope= site

Brexit Effects What Are the “Brexit Effects” on the Exchange of Data and Biological Samples with the UK? Hedley Christ

1 Introduction On 31 January 2020, the United Kingdom (UK) left the European Union (EU). However, for the remaining part of 2020, the UK was, in effect, still a Member State, albeit in a reduced capacity, until the transition period for exiting from the EU was completed by 31 December 2020. This transition period was to be occupied by the negotiation process; that is, the UK was to agree with the EU on the means of disentanglement from the EU and determine its future relationship with the EU. Part of this negotiation was to include the (pre-)conditions and safeguards for the crossborder data flows of information. The treaty settlement, however, left considerable room for digital services or how data transfer could occur between the UK and the EU now that the UK is a third country.1 The UK’s withdrawal agreement makes no explicit provisions for the UK’s continued participation in the European Data Protection Board.2 Within Section 2 Withdrawal Act 2018, the UK retains EU Law until repealed. However, EU Law is no longer part of the laws of the United Kingdom. This means that although the GDPR is still relevant, the UK is considered a third country as far as

1

The government did issue a technical note giving guidance on data protection post-Brexit; however, this guidance was withdrawn on 1 March 2019. 2 The European Data Protection Board’s note of February 2019 states that the UK will become a third country unless there is a negotiated settlement on the issue. European Data Protection Board, Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, on 12 February 2019 (updated on 4 October 2019). https://edpb.europa.eu/sites/default/files/files/ file1/edpb-2019-02-12-infonote-nodeal-brexit-october_en.pdf. H. Christ (✉) Law Department - Brighton Business School, Brighton, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_8

71

72

H. Christ

cross-border data flow is concerned. Thus, data flow can no longer be automatic and other means provided by the GDPR or international law must now be considered. The following sections provide a brief overview of the discipline for the crossborder flow of health data between the UK and the European Economic Area (EEA) and for the transfer of biological samples as a result of the Brexit effect. It first sets the changing relationship in data transfer within the UK’s health digitalising programmes and the increasing involvement of the private sector in health data by means of new technologies. Second, the requirements for the transfer of biological material between the UK and the EEA are scrutinised. Both these processes are complex areas of law with an ever-changing landscape.

2 The ‘Brexit Effect’ on Data and Biological Samples As of 2021, EU law no longer applies to the UK, and a process of de-regulation and re-regulation has changed the relationship between the UK and the EU, in particular related to the transfer of health data and biological samples. This changed relationship could be labelled as the ‘Brexit effect’ (Schwartz 2021, p. 129). The Data Protection, Privacy and Electronic Communications (EU exit) Regulations 20193 amended various parts of what is now referred to as the EU GDPR, reflecting the UK GDPR (Choromidou 2021). This regulatory change means that as far as data transfer is considered, the UK is a third country with regard to the transfer of data between the UK and the European Economic Area (EEA); that is, the EU plus Iceland, Norway and Liechtenstein. As a result, data transfer between the UK and the EU is now restricted. This has significant implications for organisations within the UK that are involved in the transfer of data and, in particular, regarding the transfer of personal data not only between the UK and the EEA but also between the UK and other countries. The importance of data flow is evident in modern societies as data may be useful to health services to enhance their own surveillance of public health. But there is a clear clash of philosophies; one looking to the public health as a state strategy and one looking to commercialisation as a corporate strategy. In whatever form, however, health data has now become big data with vast amounts of information being accessed and stored. There are thus vast amounts of personal data related to individual’s health that is being stored, processed and retrieved. And this, as the World Health Organisation has acknowledged, has become an increasing major issue.4

3

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. https://www.legislation.gov.uk/ukdsi/2019/9780111177594/contents. 4 In May 2017, a cyber-attack on the UK’s NHS locked many health service computers. This highlighted concerns regarding health data confidentiality, ownership and cyber-bulling.

Brexit Effects

73

Of course, health data is all about capturing, storing, sharing, evaluating and acting upon health information that both the health services and individuals can access via computer-based technologies and networks. And this cannot, and does not, relate to only one country. There is a globalisation of health information of increasing volume, variety, veracity and complexity. There is a clear gap between the GDPR and the practical reality of all of this generated health data.5 The emphasis is placed on organisations, both public and private, to show that they have thought about privacy issues and, especially, the principles of data protection, particularly when the mechanism of data transfer is considered and now that the UK is no longer a Member State of the EU. However, what is clear from the plethora of health data is that the idea of a straightforward transfer of data cannot easily be conceived. It is worth noting that biological samples and their use within research are governed similarly to that of data in many ways. The main relevant piece of legislation to consider when dealing with biological samples is the Human Tissue Act 2004.6 But there are other acts applied by the funding bodies, particularly related to reproductive material and its conditions. Many of these provisions and conditions have similar roots, such as the need for specific research purposes on biological samples and the requirement of the consent of individuals whose samples are to be used in the research. In light of the Brexit effect, the issue now for researchers is how may these samples be transferred between the various research bodies, even those falling outside of the UK.

3 The Flow of Health Data: Waiting for an Adequacy Decision The scope of big health data makes it very difficult to know who has what data and how it is being used. This is because we are in a world in which healthcare information is rapidly becoming digitalised within and beyond the medical context. The technology of tracking health and fitness, using pressure sensors to measure vital signs, such as heart rate, and counting of steps in mobile apps and wearables, such as watches and bracelets, or in smart fashion, such as glasses and clothing, means that the transfer of data should no longer be considered as just the transfer from one individual organisation to another. And this is even before considering the use of genomics in genealogy, research and ethnology, and population studies. Therefore, we cannot consider the transfer of data within the Brexit effect as just

5

There is not only the GDPR to consider here but also the Council of Europe’s modernisation convention for the protection of individuals with regard to the processing of personal data, known as modernised convention 108. This international convention also states that health data is a special category of data. 6 Human Tissue Act, 2004. https://www.legislation.gov.uk/ukpga/2004/30/contents.

74

H. Christ

within the terms of the UK/EU data protection laws. The transfer of data, including samples of biological materials, must be considered in wider contexts, and we need to be aware of this when examining the technical effect of data transfer, especially for the UK as it is no longer a Member State of the EU. Indeed, the Brexit effect has significantly affected data transfer between the UK and the EEA. One of the first things we need to be clear about regarding the Brexit effect is that the UK is now a third country with respect to the EU, and when we speak of the GDPR, we now need to consider the UK GDPR and the EU GDPR because the UK no longer has the EU GDPR as part of UK law. Data transfer could then no longer be seen as moving freely between the UK and the EEA. As a result, we need to consider the ways in which and how data transfer can lawfully occur within the GDPR’s restricted or restrictive transfers. There are four possibilities that are within both the UK GDPR and the EU GDPR for securing the lawfulness of data transfer. These include: (1) an adequacy decision, which is the best means possible; (2) the use of standard contractile clauses, known as SCCs; (3) the use of binding corporate rules, known as BCRs; and (4) codes of conduct. These are the principal means for the transfer of health data between the UK and the EEA as they make the transfer of health data possible.7 Under the EU GDPR, the Commission has the power to determine based on Article 45 GDPR8 whether a country outside of the EU offers an adequate level of data protection. If an adequacy decision is provided, then data transfer may freely occur, that is, without further appropriate safeguards as long as there is compliance with the EU GDPR. This process of providing an adequacy decision is also possible under the UK GDPR, and the UK has recognised the EEA as having adequate safeguards or, at least, that there is a transitional recognition of all EEA countries and Gibraltar as adequate. Furthermore, the Data Protection Privacy and Electronic Communications (EU Exit) Regulations 2019 gave the Secretary of State power to adopt adequacy decisions by Regulation and obliged the Secretary of State to keep such decisions under periodic review. The process by which the Secretary of State makes adequacy decisions9 is the same as the European Commission under Article 45(2) EU GDPR that was transferred into the UK’s Data Protection Act 2018 section

7

European Data Protection Board, Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, on 12 February 2019 (updated on 4 October 2019), see note 2, p. 2–4. 8 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J.4.5.2016 L 119/1, see art. 45 (1). 9 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, see note 3, Schedule 2, Part. 2 (general processing), 23: ‘17A Transfers based on adequacy regulation’, (3):‘Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations’; ‘17B Transfers based on adequacy regulations: revie etc’ ‘[. . .] the Secretary of Sate must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years’.

Brexit Effects

75

74A.10 With respect to the adoption of an adequacy decision, the European Board of Data Protection released its Opinion that the UK provides sufficient data protection, despite expressing some concerns. The adoption of an adequacy decision for the UK by the Commission essentially means that the other lawfulness approaches to data transfer will no longer need to be considered, as was feared. There is however, one final important aspect of data transfer that depends on whether an organisation has a branch, office or establishment within the country of data transfer. This is a relevant issue because if any organisation does not have a representative within the country of data transfer, then an organisation must appoint a representative within that country. If an organisation is then offering goods and services or is monitoring the behaviour of EU citizens, then a representative needs to be authorised to act on behalf of that organisation with a country’s supervisory authority and data subject within that country. The representative must also maintain local records. Only if that organisation is a public authority that transfers health data on an occasional basis and can be considered as low risk is there no need to have a representative. Furthermore, the understanding that any representative must facilitate the organisation’s communication with the lead supervisory authority no longer applies to the UK.11 UK organisations will need to be involved with all of the supervisory authorities in whose country data is being transferred.

4 The Transfer of Biological Samples In the UK, the transfer of human tissue is governed by the Human Tissue Act 2004.12 The Act provides for the lawfulness of various activities using human tissue and, in particular, the storage and use for specified purposes of material coming from a human body.13 This Act, which functions in a similar manner to the GDPR, states that the use of body material requires a specific purpose (i.e., the purposeful principle) and that the storage and use of body materials must have the consent of the individual, known as appropriate consent.14 If consent cannot be obtained, then there are powers under section 7 of the Human Tissue Act 2004 to dispense with the

Ibid., 74A ‘Transfers based on adequacy regulations’. The lead supervisory authority is a designated supervisory authority and means that an organisation need not deal with all of the supervisory authorities in countries in which data transfer occurs. The lead supervisory authority acts on behalf of all EEA supervisory authorities and is known as a one-stop shop. 12 This act excludes reproductive material which is governed by the Human Fertilisation and Embryology Act 2008 as amended. 13 See Human Tissue Act 2004, see note 6, Part.1, art.1. The Act handles material from a live person differently from material of a dead person. 14 Ibid., art. 2. For children, this depends on whether the child is considered as competent to deal with the issues. If they are not competent, then consent is required from an appropriate adult, usually the parents. 10 11

76

H. Christ

need for consent. The nature of consent is given in schedule 4 of the Act, which specifically states that analysis of DNA manufactured by the body of a person requires the consent of that individual. The purposes allowed for the use of biological samples are for the results of an analysis that includes medical diagnosis or treatment and research, inter alia. The Act also provides for the Human Tissue Authority to oversee the activities authorised by the Act.15 A licence is required from the Human Tissue Authority to undertake activities, such as the removal of material from the human body, the storage of specimens and their use for specific purposes, and the import and export of such material, to procure, test, process, store, distribute, import or export tissue and cells.16 The Authority may also issue codes of practice as practical guidance to persons carrying on activities within its remit, that is, the purposes of the activities.17 Beyond the Human Tissue Act is the requirement of the Medical Research Council (MRC) which considers the ethical use of human biological samples. Any research funded by the MRC is expected to reach ‘the highest ethical standards’ in medical research and to conform to requirements and guidance set out in its operational and ethical guidelines.18 These guidelines relate specifically to research using biological materials and not to clinical diagnosis. The researchers are expected to follow ten principles.19 These include that research on samples should be conducted with respect and transparency; the potential benefits should outweigh the potential risks; the research should benefit science and society; the research should benefit the individuals providing the samples; the use of samples should not give rise to financial gain; the individuals should provide consent for the use of their samples and know how their samples are used and disposed of, which includes providing information to donors about the degree of confidentiality; and, finally, researchers should keep themselves up to date regarding ethical issues, legislation, regulations and governance requirements related to their research. The MRC considers that researchers are custodians of the samples and are therefore ‘responsible for the safekeeping of samples, control of the use of samples, transferred to third parties, and eventual disposal’ of the samples. Importantly, the MRC recognises that ‘although researchers do not originally own the sample itself,

15

Ibid., Part. 2, art. 13. The Authority may provide directions and impose requirements in relation to the conduct of the activity that the licence authorises. These directions may be important if there are likely to be changes in the purposes of the activities licenced. 17 Ibid., art. 26. 18 Medical Research Council, MRC Ethics series, Using Information about People in Health Research, June 2018. https://www.ukri.org/wp-content/uploads/2021/08/MRC-0208212-Usinginformation-about-people-in-health-research-2018.pdf; Medical Research Council, MRC ethics series, Human Tissue and Biological Samples for Use in Research: Operational and Ethical Guidelines, November 2014. https://www.ukri.org/wp-content/uploads/2021/08/MRC-0208212Human-tissue-and-biological-samples-for-use-in-research.pdf. 19 Beyond these principles, the guidance also notes that researchers cannot own a human body or a sample from that human body once it has been removed from the donor. 16

Brexit Effects

77

they can come to “own” the product of work or skill applied to that sample. This may involve intellectual property (IP) rights generated from a sample’. In the light of the Brexit effect, any form of exchange of samples requires a Material Transfer Agreement (MTA), that is, a contract which sets out the rights and obligations with respect to the use of a biological sample. These samples may include cultures, cell lines, plasmids, nucleotides, protein, bacteria, transgenic animals and pharmaceuticals, inter alia.20 These agreements may cover a wide range of materials, including data and software. Once agreement has been reached on the MTA, then the sample must be packaged for transportation. Reference here is generally made to the UN Recommendation on the Transport of Dangerous Goods—Model Regulations, 19th Revised Edition. These recommendations allow for the appropriate labelling of samples under various classifications. Patient specimens, for example, are found at Division 2.6.3.1.4.21 Only samples that do not constitute a risk of infection are not subject to these rules. It is thus important to determine the types of samples being transported and which regulations thereby apply. As of 1 January 2021, the UK was no longer a Member State of the EU, and as a result, new third country customs controls came into existence. These controls must conform to the formalities required under EU law and, in particular, the Union Custom Code, including the entry and exit summary declarations. The trade cooperation agreement between the UK and the EU includes a zero tariff and zero quota agreement on all goods, subject to customs formalities. All imports into the EU meet the EU standards subject to checks on safety, health and other public policy measures. There is also a commitment, by the UK to implement the UN Globally Harmonised System of Classification and Labelling of Chemicals as well as any scientific and technological guidelines. Furthermore, there is a reciprocal recognition of equivalents between the EU and UK organic legislation and control systems. This should also follow sanitary and phytosanitary measures. Such measures need to be considered when producing an MTA. It is reported that exports from the UK into the EU have come up against many problems involving ‘additional bureaucracy and sometimes unexpected costs and taxes’. This has significantly reduced the number of exports leaving the UK for the EU. and some of the problem areas have been with biological material, particularly in relation to agriculture, food and fisheries and health care. There remains a continuing call to reach Mutual Recognition Agreements (MRAs) on inspections

20 There are three different types of MTAs: agreements between academic institutions/research institutions; agreements between academic institutions and industry; and agreements between industry. These agreements are primarily between academic/research institutions for use in research. The agreements set out a number of permitted uses and, therefore, need to cover such issues as confidentiality, ownership, access to the results of the research and liabilities, inter alia. Any commercial potential should also be written into the agreement. 21 These categories divide the types of samples into various groups; those which are infectious agents and those which are not infectious. Infectious biological material is given the number UN3373 biological substance category B.

78

H. Christ

and batch testing of biological samples and pharmaceuticals. The UK has unilaterally waved batch testing of medicines coming from the EU, but the EU is still imposing these tests coming from the UK. If a customs intermediary is not to be used to export from the UK, the declaration has to be made online through the National Export System (NES). This includes making sure that the EU importer has an EU EORI number, any relevant import licences and a complete import declaration with the importers countries declaration system. Once this is completed, it is important to determine whether an export licence or certificate is required. This will generally be the case for controlled goods such as chemicals and biological material. After this, it is necessary to determine whether the VAT rating is required. No tariffs will apply because of the UK withdrawal agreement. For many exporters and importers, therefore, the use of a customs intermediary, that is, a company set up to undertake the formalities of exporting and importing and deal with the transit of goods, is much preferred.

5 Conclusion The Brexit effect on the transfer of data and samples within a health care context is, of course, the result of the UK’s exit from membership in the EU, thereby placing the UK outside the EU and as a third country with respect to the EU. The Withdrawal Act incorporates EU law into UK law until the UK either de-regulates or re-regulates EU retained law. The principal concern is how data and samples will be transferred. Such concern led to the consideration of the use of standard contractual clauses as a means of lawful transfer. However, the EU has now recognised the UK legal framework as adequate to ensure protection for data transfer: the European Commission has issued adequacy decisions that embody a ‘sunset clause’ which limits the duration of adequacy to 4 years and has strong safeguards in case of future divergence (Stolton 2020). This adds a further issue for the UK, namely how it will consider data transfer to non-EEA countries since its supervisory body, the Information Commissioner’s Office (ICO), is now responsible for UK adequacy decisions.

References Choromidou A (2021) EU data protection under the TCA: the UK adequacy decision and the twin GDPRs. Int Data Priv Law 4:388–401 Schwartz PM (2021) The data privacy law of Brexit: theories of preference change. Theoret Inq Law 22:111–152 Stolton S (2020) UK to diverge from EU data protection rules, Johnson confirms. EURACTIV. https://www.euractiv.com/section/digital/news/uk-to-diverge-from-eu-data-protection-rulesjohnson-confirms/

Broad Consent Do Patients Have to Be Informed About the Concrete Research Projects for Which Their Data and Biosamples Are to Be Used? Is So-Called Broad Consent Adequate? Andrea Maierà

1 Introduction It is clear that consent is a communicative instrument that must constantly adapt to the contexts in which it is applied, as well as to clinical and scientific developments. The basics of informed consent are: (1) the information, which must be adequate, complete, exhaustive, and given in advance1; (2) the competence of the medical and scientific personnel who must explain what is stated in the informed consent; (3) the voluntariness of the subject who, on the basis of the information and of their own conscious, free, and informed decision, may decide whether or not to participate in the research activities. The very structure of informed consent may hinder its translation from conceptual tool to practice since these three pivotal elements, and thus the entire decisionmaking process, may be influenced by numerous variables, including cultural, socioeconomic, and educational ones (Krogstad et al. 2010, p. 743). Different types of informed consent, characterised by different strengths and extensions, have been proposed and used in biomedical research (Weinar 2014), and there remains some disagreement as to which model of consent is most appropriate and suitable for biobanks’ activities. Among the various types of informed consent, it is possible to consider two antithetical proposals, namely specific consent and broad consent (Grady et al. 2015, p. 34; Garrison et al. 2016). The former restricts the use of biological samples and associated data to a specific research project only, precluding current or future activities not originally planned (Hofmann 2009, p. 125); the latter (Sheehan 2011, p. 226; Steinsbekk and Solberg 2011, 1

Quite often, it is particularly complex to make generalisations about consent information, especially for complex scientific issues, because of the wide variety of issues it addresses, as well as low rates of scientific and health literacy.

A. Maierà (✉) Department of Medicine and Surgery, University of Perugia, Perugia, Italy © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_9

79

80

A. Maierà

p. 236) is one of the most liberal forms of consent, allowing the use of biological samples and related data for several types of research and therefore for several types of researchers, with protection of the interests of those involved by means of monitoring from independent third parties such as ethics committees or review boards and by means of specially developed governance (Solberg 2011, p. 236). However, broad consent sets limits, unlike the even more liberal blanket consent, which does not provide for any limitation on the future use of donated biological samples (Tomlinson 2013, p. 41). Although there are obvious differences between the various biobanks, countries, cultures, and regulatory backgrounds, broad consent is the most widespread form of informed consent in biobanking (Master et al. 2012, p. 885; Steinsbekk et al. 2013, p. 897). It is in fact commonly adopted in Europe, accepted and allowed by the GDPR (Hallinan 2020), and used to a much smaller extent in the USA, where the legal approach tends to require a specific and meticulous information obligation. This widespread use is easily explained considering the nature of the biobanking activity, which does not facilitate the concrete definition of the time of sample collection or the details of current and future research in which samples and data may be used (Kaye et al. 2011; Kaye et al. 2012, p. 371). Broad consent therefore aims to overcome these objective difficulties while seeking to guarantee the protection of participants. Until recently, broad consent was considered by many to be the most suitable form for the donation of samples to biobanks (Hofmann 2009, p. 125), but although this form is particularly convenient for the activities of biobanks and for scientific research, according to some it puts the donor’s right to self-determination at risk, and so the question arises as to whether this can really be defined as truly ‘informed’ consent and whether it is sufficient in the general intentions of ideal consent.

2 Advantages and Disadvantages of Broad Consent Supporters of broad consent assume that the individual donor is running a very small risk as a result of their participation, and in any case this is considerably less than the overall benefit that the research activity may bring. Others, on the other hand, argue that important ethical guarantees are provided by the possibility of participant withdrawal at any time and by monitoring activities by ethics committees, which may require re-consent if deemed necessary (Kaye et al. 2015, p. 141). In this connection, it is stressed that misuse of re-consent would lead to a routinisation of the process, which would debase the instrument of consent and place a burden on the donor, resulting in the tangible risk of affecting the number of participants in research activities (Cambon-Thomsen 2004; Ploug and Holm 2015a). Broad consent, although it certainly cannot be defined as a form of fully informed consent, is an instrument whose intention is to provide adequate and relevant information to the donor to enable them to make as informed and thoughtful a decision as possible. If the real intention is to provide the donor with clear and

Broad Consent

81

truthful information on the possible uses of their biological samples, then we certainly cannot speak of a poorly informed form of consent (Manson 2019, p. 291). Although it is not able to inform donors in detail about future studies, it does allow for autonomous decision-making on the basis of the information obtained. This emphasises transparency and honesty as key values in the biobank-donor relationship, values that can increase the confidence of the individual and allow the participation of an ever larger pool of society in biomedical research activities. Several authors (Hofmann 2009; Kaye et al. 2015; Budin-Ljøsne et al. 2016) argue that this form of consent does not guarantee the same level of protection as specific consent, and that it is supported by a number of assumptions that may appear weak, especially from certain points of view. First of all, the idea that the donor runs a minimal risk, although this may be considered true when comparing it with the potential benefits, tends to waver in the face of current advances. It has been amply demonstrated that it is possible to trace specific individuals on public databases even from anonymised information (Gymrek et al. 2013, p. 321). While it is true that the physical risk is certainly lower than in the case of participation in a clinical trial, since in this case the biobank sample is a physically autonomous entity with respect to the original body, the same cannot be said for the informational risk, which instead represents one of the major sources of concern, particularly in light of possible future risks that are currently unforeseeable and the amount of information that biobanks tend to collect. The information risk could be realised through the unintentional distribution or breach of the biobank with disclosure of sensitive information. However, it must be stressed that the likelihood of such risks materialising depends heavily on the policies and governance of individual biobanks. The possibility of revocation, which is considered by some to be a great strength, may actually lose its effectiveness if one considers that the donor may have doubts about a specific activity that could be carried out with their samples and data but of which they may not be aware. Considering the additional distribution of samples and data for different projects and for long or even indefinite periods of time, another significant risk could be that of violating donors’ personal values. A major risk of broad consent in biobanking is that of information, which, as previously mentioned, is one of the three constituent elements of consent. In practice, this form of consent is in fact unable to provide full information on future research, possible effects, and the expected risks and benefits of such activities, simply because these considerations depend on emerging technologies and knowledge that either exceeds our current understanding or may not even exist. Moreover, it seems likely that the amount and complexity of information that can be obtained from biological samples may increase significantly in the future, presenting substantial ethical challenges that we cannot foresee at present (Kutner et al. 2006). However, it must be emphasised that it is in any case possible to inform the donor of the possible future uses of which they are aware, and above all of the methods of managing and supervising biological samples and related data. In this regard,

82

A. Maierà

however, it must be emphasised that this type of consent may burden ethics committees or review committees in general, which may in any case have objective difficulties in assessing future effects and risks that are currently unknown and difficult to imagine (Hofmann 2009). This means that, although it cannot be defined as a form of fully informed consent, such a level of consent could still be sufficient to protect the autonomy of most donors. The donor, through their own values and considerations, may certainly be able to filter out the possibilities presented by this type of consent, without worrying in detail about specific future uses. Although at first glance the opposite may appear to be true, in reality broad consent may facilitate informed, well-understood, and autonomous decisions compared to other types of consent, such as specific consent, because, for example, from the point of view of the information, specific consent may become excessively long, detailed, and difficult to understand.

3 Donors’ Views on Broad Consent As mentioned previously, different authors are often at odds over the effectiveness of broad consent, with the generation of a particularly diverse audience (Brown et al. 2016; De Vries et al. 2016; Garrison et al. 2016; Kern 2010). Among them, some have argued that this type of consent does not provide sufficient information and protection to donors (Ploug and Holm 2015b). Although it is necessary to reflect from a theoretical point of view on the suitability of broad consent in biomedical research, it seems particularly relevant and necessary, as well as interesting, to reflect on the point of view of donors. In this regard, a recent study (Warner et al. 2018) assessed this very aspect, examining donors’ inclination to allow the use of their samples for a wide range of research types, their satisfaction with the degree of information received, and their doubts about potential future uses. The study ascertained that the majority of the population who gave broad consent were particularly positive, satisfied with the level of information, tended to be open to future use of their samples in a variety of studies, had few concerns about breaches of confidentiality, and were evenly distributed across gender, ethnicity, and class. The main concerns largely centred around the specific cases of use outside national borders, use for profit, and the possible return of clinically unhelpful results. Most donors also underlined the importance of supervision by ethics committees (Hoeyer et al. 2004). It is therefore clear that broad consent cannot be defined as an ethically unsuitable instrument for authorising the storage and use of biological samples for future research. However, there is a need for biobanks to assess and address the critical aspects of this form of consent, opening up to the concerns of donors, and improving

Broad Consent

83

the consent instrument itself.2 It is thus possible to conclude that through broad consent the donor is no longer the sole decision-maker on the specific details of the research carried out on their samples, but rather a subject, supported and protected by the supervision of ethics committees, who is asked to reflect on and decide on the governance of the biobank (Grady et al. 2015; Koenig 2014), a real structure aimed at protecting the rights and interests of all the stakeholders involved (O’Doherty et al. 2011). It is therefore clear that, compared to other forms of consent, there is an observable conceptual shift in focus from content to context. Since researchers, institutions, and ethics committees will be the faithful managers of donated biological samples, a fundamental element for broad consent is therefore the trust of the donors themselves, which could be protected by the involvement of patients’ associations in biobank governance itself, thus fostering the trust and the participation of the entire population in biobank research.

4 Consent for Governance The implementation of informed consent fully adapted to the activity of biobanks has therefore represented and indeed still represents a complex activity, for ethical, theoretical, and practical reasons, and it is precisely these difficulties that have imposed the need to seek alternative models or to adapt others to the changing needs of research, as demonstrated by trends in the literature (Elger and Caplan 2006; Hofmann 2009; Budin-Ljøsne et al. 2016). It is now clear that it has been difficult to define a perfect form of consent for biobanks, but rather attempts have been made to adapt, sometimes in a forced manner, varied forms of consent that are ill-suited to the basic principles of biobanking. In view of this conclusion, Mikkelsen et al., focusing on the forms of protection needed specifically for biobanks’ activities, identified the three main criteria that should be met by the consent used by the biobank, namely: (1) the information criterion, i.e., the need to fully inform donors about the risks and benefits of participating in biobanks’ activities; (2) the value criterion, i.e., the need to allow donors to assess the coherence of participation in research activities in accordance with donors’ personal values; (3) the criterion of duration, i.e., offering donors the possibility to continuously evaluate their participation over time, thus allowing a tangible withdrawal and guaranteeing ethical protection during the entire participation (Mikkelsen et al. 2019). Consequently, on the basis of these propositions, it is clear that broad consent, albeit with some criticalities, can satisfy the first two criteria but proves to be

2

Health and Human Services. (2017). Protection of human subjects. Retrieved from https://www. federalregister.gov/documents/2011/07/26/2011-18792/human-subjects-research-protec-tionsenhancing-protections-for-research-subjects-and-reduc-ing-burden.

84

A. Maierà

particularly deficient when it comes to respecting the criterion of durability and guaranteeing donor autonomy in the long term. Broad consent can be an effective model for biobanks as it can provide information on the most important risks of participation, which are largely dependent on the policies and governance of the biobank, and can thus guarantee donor autonomy. Ethical supervision and continuous information could certainly ensure deeper and more comprehensive consent. Although it is not a perfect solution, with a few adjustments it could still guarantee adequate protection for participants while allowing the objectives of biobanks’ research to be achieved. In particular, in order for broad consent to guarantee the fundamental objectives, it is necessary to ensure continuous ethical reviews. This means that any new study that intends to use samples and data from the biobank will require a prior ethical review to ensure that the project falls within the scope of what the patient has consented to. It is then necessary for the biobank to clearly define the conditions of access. The broad consent must therefore be clear on the aims, objectives, and activities of the biobank, as well as on the fundamental values that will guide the distribution of materials and data for research projects. Naturally, this will imply necessary restrictions on future research projects and at the same time a partial risk for the donor since committees’ ethical supervision processes will not be able to take into account the opinions of each participant. Broad consent might appear to be one of the least problematic alternatives for the operation of biobanks, provided, however, that there is continuous and regular communication with donors who are still alive, thus generating trust in the participants, which is fundamental to guaranteeing society’s willingness to participate (Hoeyer 2003), allowing donors to keep abreast of ethical evaluations and thus being able to assess that the activities involved meet their current values, as well as consolidating the guarantee of the possibility of withdrawing consent. However, this prospect carries the potential risk of fatigue for the donor, who may not be able to cope with the regular presentation of information, which could even become intrusive. One solution could be to limit contact to cases of major variations only, or to allow the donor to decide the degree of communication with the biobank.

5 Conclusion The management of data and biological samples is a particularly sensitive issue, raising important questions about the ethics of donor participation in biobanking activities and the possibility of using the collected samples for future research activities. In this context, the role of consent is central. It seems reasonable to pursue a form of consent that is optimal, and although broad consent may be among the most suitable to meet the objectives of biobanks and the protection of donors, especially when combined with profound aspects of protection, it is also worth considering that another form of consent is under scrutiny: dynamic consent (Kaye 2011; Stein and Terry 2013) (see the chapter in this book:

Broad Consent

85

S. Brizioli ‘Dynamic Consent’). Because of its combining of the broad channels of communication with strong interactions with donors, dynamic consent would allow a continuous relationship to exist between donor and researcher, and would thus be able to overcome the most important shortcomings of broad consent with regard to the criterion of duration.

References Brown KM, Drake BF, Gehlert S, Wolf LE, DuBois J, Seo J, Woodward K, Perkins H, Goodman MS, Kaphingst KA (2016) Differences in preferences for models of consent for biobanks between black and white women. J Community Genet 7:41–49 Budin-Ljøsne I, Teare HJ, Kaye J, Beck S, Bentzen H, Caenazzo L, Collett C, D’Abramo F, Felzmann H, Finlay T, Javaid MK, Jones E, Katić V, Simpson A, Mascalzoni D (2016) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18:4. https://doi.org/10.1186/s12910-016-0162-9 Cambon-Thomsen A (2004) The social and ethical issues of post-genomic human biobanks. Nat Rev Genet 5:866–873. https://doi.org/10.1038/nrg1473 De Vries RG, Tomlinson T, Kim HM, Krenz C, Haggerty D, Ryan KA, Kim SY (2016) Understanding the public’s reservations about broad consent and study-by-study consent for donations to a biobank: results of a national survey. PLoS One 11(7):e0159113. https://doi.org/10.1371/ journal.pone.0159113 Elger BS, Caplan AL (2006) Consent and anonymization in research involving biobanks. EMBO Rep 7:661–666 Garrison NA, Sathe NA, Antommaria AH, Holm IA, Sanderson SC, Smith ME, McPheeters ML, Clayton EW (2016) A systematic literature review of individuals’ perspectives on broad consent and data sharing in the United States. Genet Med 18:663–671. https://doi.org/10.1038/gim. 2015.138 Grady C, Eckstein L, Berkman B, Brock D, Cook-Deegan R, Fullerton SM, Greely H, Hansson MG, Hull S, Kim S, Lo B, Pentz R, Rodriguez C, Weil C, Wilfond B, Wendler D (2015) Broad consent for research with biological samples: workshop conclusions. Am J Bioeth 15:34–42 Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y (2013) Identifying personal genomes by surname inference. Science 339:321–324 Hallinan D (2020) Broad consent under the GDPR: an optimistic perspective on a bright future. Life Sci Soc Policy 16:1. https://doi.org/10.1186/s40504-019-0096-3 Hoeyer K (2003) Science is really needed—that’s all I know: informed consent and the non-verbal practices of collecting blood for genetic research in northern Sweden. New Genet Soc 22:229– 244 Hoeyer K, Olofsson B-O, Mjörndal T, Lynöe N (2004) Informed consent and biobanks: a population-based study of attitudes towards tissue donation for genetic research. Scand J Public Health 32:224–229 Hofmann B (2009) Broadening consent and diluting ethics? J Med Ethics 35:125–129. https://doi. org/10.1136/jme.2008.024851 Kaye J (2011) From single biobanks to international networks: developing e-governance. Hum Genet 130:377–382 Kaye J, Whitley EA, Kanellopoulou N, Creese S, Hunghes KJ, Lund D (2011) Dynamic consent: a solution to a perennial problem? BMJ 343:d6900–d6900 Kaye J, Curren L, Anderson N, Edwards K, Fullerton SM, Kanellopoulou N, Lund D, MacArthur DG, Mascalzoni D, Shepherd J, Taylor PL, Terry SF, Winter SF (2012) From patients to partners: participant-centric initiatives in biomedical research. Nat Rev Genet 13:371–376

86

A. Maierà

Kaye J, Whitley E, Lund D, Morrison M, Teare H, Melham K (2015) Dynamic consent: a patient interface for twenty-first century research networks. Eur J Hum Genet 23:141–146. https://doi. org/10.1038/ejhg.2014.71 Kern MH (2010) Clinician attitudes and intentions toward participation in a DNA biobank. Thesis, Case Western Reserve University Koenig BA (2014) Have we asked too much of consent? Hast Cent Rep 44:33–34 Krogstad DJ, Diop S, Diallo A, Mzayek F, Keating J, Koita OA, Touré YT (2010) Informed consent in international research: the rationale for different approaches. Am J Trop Med Hyg 83:743– 747 Kutner M, Greenberg E, Jin Y, Paulsen C (2006) The health literacy of America’s adults: results from the 2003 National Assessment of Adult Literacy (NCES 2006-483). Department of Education, National Center for Education Statistics, Washington, DC. http://nces.ed.gov/ pubs2006/2006483.pdf Manson NC (2019) The biobank consent debate: why ‘meta-consent’ is not the solution? J Med Ethics 45:291–294 Master Z, Nelson E, Murdoch B, Caulfield T (2012) Biobanks, consent and claims of consensus. Nat Methods 9:885–888 Mikkelsen RB, Gjerris M, Waldemar G, Sandøe P (2019) Broad consent for biobanks is best – provided it is also deep. BMC Med Ethics 20:71. https://doi.org/10.1186/s12910-019-0414-6 O’Doherty KC, Burgess MM, Edwards K, Gallagher RP, Hawkins AK, Kaye J, McCaffrey V, Winickoff DE (2011) From consent to institutions: designing adaptive governance for genomic biobanks. Soc Sci Med 73:367–374. https://doi.org/10.1016/j.socscimed.2011.05.046 Ploug T, Holm S (2015a) Meta consent: a flexible and autonomous way of obtaining informed consent for secondary research. BMJ. https://doi.org/10.1136/bmj.h2146 Ploug T, Holm S (2015b) Going beyond the false dichotomy of broad or specific consent: a metaperspective on participant choice in research using human tissue. Am J Bioeth 15:44–46 Sheehan M (2011) Can broad consent be informed consent? Public Health Ethics 4:226–235 Solberg B (2011) Biobanks--When is Re-consent Necessary? Public Health Ethics 4:236–250 Stein DT, Terry SF (2013) Reforming biobank consent policy: a necessary move away from broad consent toward dynamic consent. Genet Test Mol Biomarkers 17:855–856 Steinsbekk KS, Solberg B (2011) Biobanks--When is Re-consent Necessary? Public Health Ethics 4:236–250 Steinsbekk KS, Myskja BK, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Human Genet 21:897–902 Tomlinson T (2013) Respecting donors to biobank research. Hastings Cent Rep 43:41–47. https:// doi.org/10.1002/hast.11 Warner TD, Weil CJ, Andry C, Degenholtz HB, Parker L, Carithers LJ, Feige M, Wendler D, Pentz RD (2018) Broad consent for research on biospecimens: the views of actual donors at four U.S. medical centers. J Empir Res Hum Res Ethics 13:115–124. https://doi.org/10.1177/ 1556264617751204 Weinar M (2014) Introduction to biospecimens. J Clin Res Best Pract 10:1–4

Cloud How Is It Possible to Exchange Research and Personal Data Using the Cloud Without Being a Danger to Patients? Alessandra Langella

1 Introduction. The Use of the Cloud in Research Scientific findings need the widest possible dissemination. The cloud could be an efficient and cost-effective solution for the storage and virtually unlimited exchange of research information between universities, institutions, scientific societies, and other scholars. The cloud also has the potential to facilitate activities that would not otherwise be possible, such as sharing works and data from different locations using the same platform. An exchange of data between subjects involved in similar research activities, although in different geographical areas, would make it possible to operate on information relating to a broader audience, an essential factor in the perspective of the advancement of knowledge. In this sense, over the last few years, one of the EU’s strategies has been to guarantee sharing in the scientific world. This has been pursued through the cloud, a tool which easily allows the transfer and reuse of data between institutions and research disciplines1 within Europe, and the various stakeholders involved as research players. In this way, the enhancement of the cloud in scientific research, as well as social and industrial activities, is of strategic value for the European Union.2

1 COM (2016) 178, European Cloud Initiative - Building a competitive data and knowledge economy in Europe. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:5201 6DC0178&from=en, p. 2. 2 COM (2020) 66 final, A European strategy for data. https://eur-lex.europa.eu/legal-content/EN/ TXT/PDF/?uri=CELEX:52020DC0066&from=EN.

A. Langella (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_10

87

88

A. Langella

2 Risks of the Cloud As previously mentioned, the advantages of also using the cloud in the research sector could be numerous. Indeed, the cloud represents an ecosystem providing a range of activities and services in a scalable and flexible manner through integration with the internet, upon unilateral request of the user and without intervention from the provider. Otherwise, these services would have been performed by the customer using their own local hardware and software resources3 (Mell and Grance 2011; Badger et al. 2012).4 However, risks to the privacy of individuals whose data are exchanged through the cloud paradigm need to be carefully considered, as cloud inclusion implies a mitigation, albeit partial, of the ability to exercise user control over both unforeseeable and foreseeable risks of potential loss or unauthorised access.5 It is clear that the choice of temporarily archiving health data collected by an institution, university, or hospital on the cloud, in order to transfer information to a research partner or to share a common workspace, requires reflection on certain critical issues to protect the security, confidentiality, integrity, and availability of data outsourced to the cloud. Public, private, hybrid, and community clouds stand out between the deployment models. A private cloud is an infrastructure in which hardware and software resources are entirely dedicated to a single organisation or company. Services are offered to previously identified users only, and not to the general public, on a private internal

The National Institute for Standards and Technology defines Cloud computing as ‘a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’. 4 The five essential characteristics of the cloud are: (1) On-demand self-service: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider; (2) Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms; (3) Resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the resources provided but may be able to specify a location at a higher level of abstraction; (4) Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to rapidly scale outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time; (5) Measured service: cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. 5 Italian Privacy Authority. Cloud computing: indicazioni per l’utilizzo consapevole dei servizi, 16. https://www.garanteprivacy.it/documents/10160/10704/1819933.pdf/f3ab909e-1af8-4195-b6c36efce91ffdea?version=1.0. 3

Cloud

89

network hosting the resources locally, or on servers appropriately configured to separate the various users of the cloud. In a public deployment model, on the other hand, all cloud resources, such as servers and storage, are owned and managed by a third-party cloud service provider. The infrastructure is shared among several users, and services are provided by the supplier via the web. Hybrid clouds are composed of both public and private cloud infrastructures; while in the community model, the cloud infrastructure is provided for exclusive use by a specific community of consumers from organisations with shared concerns (e.g., mission, security requirements, policy, and compliance issues).6 The structure of the different cloud models suggests that the extent of the risks differ depending on whether the storage takes place in the internal IT environment of the university, research organisation, or institution holding the data, from the hypothesis in which researchers use an e-mail or public cloud storage to store and to exchange the personal information collected. Indeed, the private cloud can be compared to classic data centres and can exist outside or inside the premises. In the latter, the organisation has to bear some structural costs (rent, transfer device, storage and operation, IT staff, electricity, maintenance, and security). In the former, its private nature allows the environment to be customised to the specific needs of the institution. In this sense, the organisation controls the use of the cloud for its own purposes and, even if the private cloud is hosted and entrusted to a third party, the organisation can exercise accurate control over the latter. On the other hand, when personal data are outsourced, they pass to the remote systems of the provider; typically, a transfer of data occurs in favour of a third party, leading to the possibility of a subsequent ‘loss of control’. Relocation leads to a lack of information concerning the processing; the data controller may not have knowledge of the operations in the cloud services. They may remain unaware that multiple processors and subcontractors are involved, and personal data are processed in different geographic locations or transferred to third countries which may not even provide an adequate level of data protection, since they are outside the EEA.7 Since the data controller would not control the data transfers, they would not be able to fulfil their obligations under the principle of accountability, including the duty to provide the information to the data subject, pursuant to Articles 13.1.f and 14.1.f of the GDPR with violation of the transparency principle referred to in art. 5 (GDPR), and infringement of the rights of data owners. However, the lack of information relating to the processing of data, due to its assignment to the cloud service provider, does not exclude the liability of the controller. Indeed, pursuant to Art. 28 of the Regulation, where processing has to be carried out on behalf of the controller by a third party, the first “shall use only

6

National Institute for Standards and Technology. Cloud Computing Synopsis and Recommendations, 2. 7 Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud Computing, July 2012, paragraph 2, Data protection risks of cloud computing, p. 6.

90

A. Langella

processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Moreover, Art. 32 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services on a permanent basis (lett. (b)). In this way, the Italian Data Protection Authority stressed that “the adoption of outsourced services does not exempt companies, that use them for the management of their information assets, from the liabilities attributed to them by regulations on the protection of personal data8”.

3 Measures and Penalties Public cloud storage has considerable management advantages. However, sufficient security guarantees must be provided to store patients’ data. Indeed, the cloud user, as the data controller, must choose and ‘manage’ relations with the supplier, verifying how data are stored, and seriously paying attention to the protection measures, in addition to guaranteeing that data are transmitted in accordance with the rules. On these grounds, the Swedish Data Protection Authority has sanctioned the University of Umeå9 to store, through a cloud service of an American provider, special categories of personal data, concerning the sexual life and health of the individuals involved, and to have sent unencrypted e-mails through an open network. The authority concluded that ‘the cloud service, and the way the University uses it, does not provide sufficient protection for this type of personal data’. The Institution would not have sufficiently protected the aforementioned data as it would not have provided technical and organisational measures, as required by the GDPR (Art. 5, par. 1, lett. f; Art.32, par.1, 2). On that occasion, the Swedish Authority also referred to the danger when cloud repository service providers store data in a non-European country and/or plan to process them abroad. In particular, the Authority stated that the transfer of personal data to the US is high risk as data subjects are limited in the protection and implementation of their privacy rights.10

8

Italian Data Protection Authority. Cloud Computing: indicazioni per l’utilizzo consapevole dei servizi. https://www.garanteprivacy.it/documents/10160/10704/1819933.pdf/f3ab909e-1af8-4195b6c3-6efce91ffdea?version=1.0, p. 11. 9 Decision published on 11 December 2020. Swedish version.https://www.imy.se/en/news/ university-failed-to-sufficiently-protect-sensitive-personal-data/. 10 Ibid., p. 19.

Cloud

91

As recognised by the European framework, ‘transfer’ also includes remote access from a third country to personal data, as well as the mere storage of data on cloud platforms outside the Union.11 The transfer of personal data should not undermine the level of protection of individuals guaranteed by the GDPR pursuant to Article 44; however, the export of the data to a cloud service provider outside the EU may not guarantee that the processing is carried out in compliance with European rules. The same risk exists if cloud providers that also store data in Europe do not have a European nationality. In such cases, the foreign cloud provider could be forced by its own national law to allow the authorities of the country in which it has its registered office to access the data (also archived in Europe) of European citizens (Genna and Prosperetti 2020). This aspect is relevant as many of the most widely used public clouds are companies registered outside the EU, and they store data in non-European countries where adequate protection of personal data may also not be guaranteed.12 This issue has gained significance for data transfers between the EU and the USA after the judgment of the Court of Justice of the EU of 16 July 202013 (Schrems II), which invalidated the Decision of the European Commission 2016/1250 of 12 July 201614 on the adequacy of the protection of privacy provided by the EU-US Privacy Shield (the EU-US case is an example as the principle can be extended to any third country, for example the People’s Republic of China15) (Bolognini and Pelino 2020). After Schrems II, as it is known, on July 10, 2023 the European Commission adopted a Decision pursuant to Regulation (EU) 2016/679 on the adequate level of protection of personal data under the EU-US Data Privacy Framework. By doing so, the Commission decided that the US ensure an adequate level of protection for personal data transferred from the EU to american organisations that are included in the data privacy framework list (made publicly available by the U.S. Department of Commerce). However, despite this Commission’s subsequent adequacy decision, it remains the case that Shrems

11

Recommendations 01/2020 on measures that supplement transfers tools to ensure compliance with the EU level of protection of personal data, version 2.0, adopted on 18 June 2021, par. 13, p. 9. https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations012020-measures-supplement-transfer_en. 12 The Dropbox privacy policy states that ‘to provide you with the services, we may store, process and transmit data in the United States and locations around the world, including those outside your country. (. . .)’. https://www.dropbox.com/privacy); The Google Privacy policy https://policies. google.com/privacy/frameworks?hl=en-US states that ‘We maintain servers around the world and your information may be processed on servers located outside of the country where you live’. 13 16 July 2020, Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, C-311/18. 14 Decision of the European Commission 2016/1250 of 12 July 2016. https://eur-lex.europa.eu/ legal-content/EN/TXT/HTML/?uri=CELEX:32016D1250&from=EN. 15 COM (2020) 66, p. 10, confirms the concern about Chinese laws relating to cybersecurity and national intelligence.

92

A. Langella

II can be taken as a model for discussion to understand how the data controller must behave, according to the principle of accountability, to export the data to the cloud. Under those judgment, the Privacy Shield has been assessed as unsuitable in relation to guaranteeing the protection of the data if a local authority requires the disclosure. The reason for the invalidation was that persons subject to US law would be exposed to massive surveillance, disproportionate in light of Articles 47 and 52 of the Charter of Fundamental Rights of the European Union, by the US authorities, who could access and process the personal data transferred without restrictions. In fact, US-based Cloud Service Providers acting as Data Processors (or Sub-processors) would be, as ‘electronic communication service providers’,16 subject to the Foreign Intelligence Surveillance Act17 and the E.O. 12333.18 Consequently, they would be obliged to grant the US security authorities access to personal data of ‘non-Americans’, and to collect and store such data before they reach the US, as well as to allow access to data in transit. These surveillance measures were recognised by the Court as disproportionate, and the adequacy decision has been invalidated pursuant to Art. 45 GDPR.19 Subsequently, any transfer of personal data to the US should be assisted by one of the additional safeguards provided by Chapter V of the GDPR,20 to be carried out in a legitimate way. The transfer would be possible only in the presence of the tools provided for by Art. 46 (2) (and 3) of the GDPR; these would be able to ensure compliance with data protection requirements and effective legal remedies: the so-called standard data protection clauses, binding corporate rules, codes of conduct,21 certification mechanisms, and ad hoc contractual clauses.22 In this regard, in view of the uncertainty

50 U.S. Code § 1881. https://www.law.cornell.edu/uscode/text/50/1881. The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 to regulate US governmental electronic and physical surveillance of communications for foreign intelligence purposes. It has been amended, strengthened, and reformed a number of times, including by the USA Patriot Act of 2001, the FISA Amendments Act of 2008, and the USA FREEDOM Act of 2015. FISA was originally intended to govern surveillance activities targeting individuals inside the US. In 2008, however, s702 was enacted to authorise the acquisition of foreign intelligence information about non-US persons located outside the US. 18 https://www.archives.gov/federal-register/codification/executive-order/12333.html. 19 The European Commission publishes the list of its adequacy decisions on its website https://ec. europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacydecisions_en. 20 GDPR, Recital 108 ‘In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject’. 21 The EDPB approved two transnational Codes of Conduct (Codes) presented to the Board by the Belgian and French supervisory authorities (SAs), EU CLOUD COC and CISPE. 22 C-311/18 (Schrems II), paragraph 108. 16 17

Cloud

93

following the Schrems II judgment, the Commission repealed the previous standard data protection clauses23 and adopted two sets of new SCCs.24,25 In any case, as stated in the final Recommendations adopted by the EDPB,26 it is necessary that any instrument chosen for this purpose be effective in practice to concretely guarantee a level of protection in third countries that are substantially equivalent to those provided in the EEA.27,28 When one relies on adequate guarantees pursuant to Art. 46 of the GDPR to ensure a level of protection substantially equivalent to that provided for in the EU, it would be necessary to consider the requirements of the legislation of the third country. If that legislation does not comply with the requirements of the European essential guarantees,29 in order to secure a level of protection substantially equivalent to the measure guaranteed within the EU, the exporter and the importer would need to take on a duty to concretely take steps to ensure that such legislation does not affect the safeguards relating to the transfer. In this sense, the SHREMS II judgment pointed out that the adoption of the standard clauses on data protection, while not invalid per se, becomes invalid if the laws in force in the third country do not allow the guaranteeing of the necessary data protection. For this reason, the third step in the roadmap drawn up by the EU Commission Recommendations requires players who want to export the data to ‘assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied upon in the context of the specific transfer’, considering both (in subjective terms) the number of actors participating in the treatment, and the objective circumstances in which the transfer would take place (purpose, nature of the entities involved, categories of data, if the data will be stored in the third country or if there is only remote access to data that remain stored within the EU/EEA, data format to be

23

Decisions of the European Commission n. 2001/497 and n. 2010/87 available respectively at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32001D0497&from=IT and https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4468023. 24 Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. https://eur-lex.europa.eu/legal-content/EN/TXT/ HTML/?uri=CELEX:32021D0914&from=EN. 25 Standard contractual clauses combine general clauses with a modular approach to respond to different transfer scenarios. 26 Recommendations 01/2020 on measures that supplement transfers tools to ensure compliance with the EU level of protection of personal data, version 2.0, adopted on 18 June 2021, par. 13, p. 9. https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations012020-measures-supplement-transfer_en. 27 Court of Justice of the European Union July 2020, Data Protection Commissioner v. Facebook Ireland Limited e Maximillian Schrems, C-311/18 (Schrems II), paragraphs 105. 28 Ibid., Par. 28–29, p. 12. 29 EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. Adopted on 10 November 2020. https://edpb.europa.eu/sites/default/files/files/file1/edpb_ recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.

94

A. Langella

transferred, possibility that the data be transferred from the third country to another third country). Regardless, whenever the chosen instrument pursuant to Art. 46 for the transfer of data appears to be inadequate to offer protection equivalent to that guaranteed by the GDPR, additional measures are required30 (fourth step of the roadmap). Such measures can be of a contractual, technical, or organisational nature, and can also be used cumulatively.31 In this meaning, the case of the EDPB, concerning data transfer to a third country for research purposes, rightly explains an additional measure about pseudonymisation performed by the data exporter if the following conditions are fulfilled: – the additional information is held exclusively by the latter and stored separately in a Member State or in a third country, territory, or in one or more specific sectors within a third country, or in an international organisation for which the Commission has established, in accordance with Article 45 of the GDPR, so that an adequate level of protection is guaranteed; – the disclosure or unauthorised use of the additional information is prevented by technical and organisational security measures (it is ensured that the data exporter retains exclusive control of the algorithm or repository that allows identification using the additional information); – the data controller has established, through an in-depth analysis of the data, considering any information in the possession of the public authorities of the recipient country, that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person, even if cross-referenced with such information. If, despite these additional measures, it is still not possible to achieve an appropriate level of data protection, in accordance with the accountability principle pursuant to Art. 5.2 GDPR, the transfer should be avoided or stopped. In this way, within the meaning of the ECJ decision “Schrems II”, the Bavarian Data Protection Authority, while not imposing a fine, declared the extra-Eu data transfer carried out by a German company via a US cloud to be illegal, since the controller had failed to assess the risk and implement supplementary measures.32

4 Conclusion Considering the legislative framework, numerous issues are encountered when using the cloud to share or store research information.

30

CJEU C-311/18 (Schrems II), paragraph 134–135. GDPR, Recital 109. 32 The EDPB report on the case. https://edpb.europa.eu/news/national-news/2021/bavarian-dpabaylda-calls-german-company-cease-use-mailchimp-tool_en. 31

Cloud

95

In order to avoid the risk of compromising health data and the safety of the patients involved, the university/research institution/hospital must comply with several obligations. A fortiori, since the information being transferred is of a ‘sensitive’ nature (Article 9 GDPR). First of all, the data controller must concretely fulfil the duties of personal data protection, even and all the more so when an adequate level of protection has not been recognised by the European Commission. It would seem less dangerous to opt for the private cloud model of use, without prejudice for the data controller to put in place appropriate organisational and technical measures, in order to circumvent the risks to the rights and freedoms of the natural persons involved, ensuring compliance with the GDPR (Article 24). Thus, they would be able to (a) isolate various security zones using layers of firewalls; (b) opt for end-to-end transport level encryption to secure data in transit between applications deployed in the cloud as well as to the enterprise; (c) outsource authentication and authorisation to trusted security services; (d) employ data masking and encryption to avoid breaching security and the integrity of patient data in the private environment (Pullarao and Thirupathirao 2013, p. 222). If, on the other hand, the researcher uses a public cloud, efforts to concretely guarantee the privacy should increase. An important protection measure for patients would be the obligation of the university (as the data exporter) to identify and understand all transfers via the cloud, including the second level movement where the data will transit or be processed. This is not always easy, as privacy policy documents are often unclear and lack precise indications about service subcontractors. However, it is a prerequisite for the university/hospital to fulfil its obligations under the principle of accountability. Moreover, if the cloud has its registered office or server outside the EEA, the university shall verify that even with the transfer to the foreign provider the adequacy of the protection of patients’ personal data is ensured. The personal information of patients could only be transferred to service providers who are able to guarantee the essential equivalence of protection. As a result, for the safety of patients, attention should be paid to the measures foreseen by the provider, in order to be able to verify their validity, also considering the case where foreign legislation requires access to data by local public authorities. Indeed, the hospital or university exporting the data to third countries whose legislation does not guarantee the level of protection afforded by the GDPR, could be perpetrators of a breach punishable under Article 83 and, in more serious cases, of the offence of the unlawful processing of personal data. The institution should choose a provider who transfers data in a way that complies with European data protection standards; this is because the chosen tool guarantees an adequate level of security in practice and/or because, if necessary, technical (encryption or pseudonymisation), organisational (an internal policy on how to handle access requests from authorities), or contractual measures have been implemented to ensure the move to the cloud.

96

A. Langella

References Badger L, Grance T, Patt-Corner R, Voas J (2012) Cloud computing synopsis and recommendations. National institute for standards and technology, pp 800–146 Bolognini L, Pelino E (2020) Le tentazioni del cloud europeo e nazionale: tra semplificazione politica e critica giuridica. Istituto Italiano per la Privacy e la Valorizzazione dei Dati. https:// www.istitutoitalianoprivacy.it/wp-content/uploads/2020/10/2020_09_Paper-cloud_nazionale_ IIP_ITA-1.pdf Genna I, Prosperetti E (2020) La raggiungibilità giuridica dei dati. https://www.seeweb.it/files/La_ Raggiungibilit%C3%A0_Giuridica_dei_Dati.pdf Mell P, Grance T (2011) The NIST definition of cloud computing. Recommendations of the National Institute of Standards and Technology, pp 800-145 Pullarao K, Thirupathirao K (2013) A secure approach for storing and using health data in a private cloud environment. Int J Adv Res Comput Sci 4(9):222–229

Consent Requirements What Are the Terms and Conditions of Informed Consent? Roberto Cippitani

1 Introduction As observed in other chapters of this Handbook, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as ‘GDPR’)1 sets special rules for consent and rights in the context of research activities. However, the discipline of informed consent is not exclusive to the protection of a personal data framework and other legal sources provide for requirements to express will. The legal obligation to require the consent of a person who is involved in an activity that may affect his or her interests is relatively recent. From a legal perspective, it is only since the second post-war period that legal sources have begun to consider this issue, usually referring to informed consent in the case of health care treatment (see, for example, Article 32 of the Italian Constitution of 1948; Article 7 of the Constitution of Finland; Article 2, paragraph 2 of the German Constitution). Symbolically, the first document on research ethics was adopted by the medical scientific community in Nuremberg, the site of the trial of the Nazi criminals who also included scientists and doctors.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

R. Cippitani (✉) Institute CNR-IFAC, National Research Council of italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_11

97

98

R. Cippitani

The so-called ‘Nuremberg Code’ on medical experimentation makes the voluntary consent of the individual an absolutely essential requirement of medical research. However, the question of informed consent has been absorbed into that of medical practice, and over the following years, the legal sources did not give any relevance to the expression of will in scientific activity in hypotheses other than medical treatment. Recent constitutional charters, or those recently modified, deal with consent in the specific field of scientific research. Thus, the Swiss Constitution in article 118b, which came into force on 7 March 2010, tackles informed consent in the case of research on human beings. The 1991 Constitution of Bulgaria (Article 29), of Slovenia (Article 18), of Hungary (Article III, paragraph 2) and of Croatia (Article 23) also prohibit medical or scientific experimentation without the consent of the person concerned. At the national level, laws or other pieces of legislation regulate consent in the scientific field (see, in particular, Book I, Title I, Chapters 2, 3 and 4 of the French Civil Code, amended by the laws on bioethics). European Union law and the system of the European Convention on Human Rights (the ECHR) deal with consent across Europe. In particular, ‘bio-legal’ issues have already been framed in the Charter of Fundamental Rights of the European Union. Article 3, paragraph 2 of the Charter establishes the general rule that ‘In the fields of medicine and biology, the following must be respected in particular: (a) the free and informed consent of the person concerned, according to the procedures laid down by law’. The issue of informed consent is not directly addressed by the European Convention of Human Rights (the ‘ECHR’), but the European Court of Human Rights (the ‘ECtHR’) has found its rationale in health matters in Article 8 ECHR (Right to respect for private and family life). The Council of Europe promoted the adoption of a specific regional convention on the subject of biomedicine, namely the ‘Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine’, the so-called Convention on Human Rights and Biomedicine – Oviedo, 4 April 1997, and its Additional Protocols. The Oviedo Convention considers as a ‘general rule’ that ‘An intervention in the health field may only be carried out after the person concerned has given free and informed consent to it’ (Article 5). The need for consent is required in all matters regulated by the Convention on Biomedicine, such as scientific research (Article 15) and the donation of human organs or tissues (Article 19). In the discipline of personal data protection, the consent of the person concerned represents the fundamental condition for the legitimate processing of such data, as laid down by Article 8, paragraph 2 of the Charter of Fundamental Rights and by secondary EU law, such as the GDPR. In addition, other important EU legal sources, such as the Regulation (EU) 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, require informed consent to research in the biomedical field. The same occurs in

Consent Requirements

99

Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells (see, in particular, Article 13 of the Directive 2004/23/EC).

2 The Adequacy of the Information According to the above-mentioned legal framework at the national and European levels, consent to research activities must be obtained under certain conditions. Consent should be informed, that is, based on information allowing ‘an appreciation and understanding of the facts and implications of an action’. The data subject is entitled to receive in a clear and understandable manner accurate and full information on all relevant issues.2 To this end, the information must be provided in an ‘adequate’ manner (Article 13, paragraph 1, Convention of Oviedo Additional Protocol on Biomedical Research), both subjectively and objectively. From the subjective point of view, the information is adequate if it is provided by professionals qualified to carry out the medical treatment, research or other professional activities. For example, the Declaration of Helsinki (paragraph 26) states that information about the intervention should be communicated by a ‘physician or another appropriately qualified individual’.3 Article 29, paragraph 2(c) of Regulation (EU) no. 536/2014 specifies that the information will be provided ‘in a prior interview with a member of the investigating team who is appropriately qualified according to the law of the Member State concerned’. The information is subjectively appropriate if it is expressed in an understandable form (Article 13(1), Additional Protocol on Biomedical Research) considering the personal situation and context (especially social, cultural and economic) (European Group on Ethics in Science and New Technologies 2003, point 1.29). According to the ECtHR, in Csoma v. Romania,4 informed consent must be requested from the person concerned even if he or she is an experienced professional. In general, it is necessary to avoid both ‘information overload’ and generic and superficial communication. The researcher is tasked with communicating the necessary information to make the decision to consent or reject the activity under

2

Article 29 Working Party, Working Document on the processing of personal data relating to health in electronic health records, on 15 February 2007, paragraph 4, cc. 3 World Medical Association, Declaration of Helsinki, Ethical Principles for Medical Research Involving Human Subjects. www.wma.net. 4 Judgement of 15 January of 2013, case no. 8759/05.

100

R. Cippitani

consideration (European Commission 2010, p. 37; Comitato Nazionale per la bioetica 1992). Moreover, it is not only necessary to guarantee accessibility to information but also to ensure that it is clearly understandable (if, for example, when information is given in writing, it is necessary to use characters of appropriate type and size).5 Information is supposed to be adequate from an objective point of view, when ‘all the necessary information is given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise’.6 Even though information to be provided is that set out by Article 13 GDPR and by other legal sources, it depends ‘on when, and the circumstances in which, consent is requested’.

3 Information to Be Provided Adequacy of the information is also an objective requirement and information must address certain details, namely: a) relationships with the research group and research establishment; b) legal base, purpose and context of the research activity; c) risks and other consequences; d) information concerning storage, security and confidentially; e) categories of recipients and international transfer of data and materials; f) rights of the person involved in the research activities; g) additional information. These features deserve a thorough scrutiny.

3.1

Relationships with the Research Group and Research Establishment

The legal sources refer to the necessity of providing the persons involved in the research activities with information about the following: – The legal entity (e.g., university, centre of research, health research establishment) which is carrying out the research activities (see GDPR, Article 13 ff., which refers to the identification of the ‘controller’); in particular, the information sheet must provide ‘the identity and the contact details of the controller and, where applicable, of the controller’s representative’ as well as, if applicable, the contact details of the data protection officer (DPO; see Article 13, paragraph 1, let. [a] and [b]).

5 See paragraph III.A.1 of the Opinion 15/2011 on the definition of consent, issues by Article 29 Working Party on 13 July 2011. 6 Ibid.

Consent Requirements

101

– The contact details of the contact person of the research group (see, for example, paragraph 1.1.2.b, Annex IV, Directive 2006/17/EC). The contact details should refer to easy means for the persons involved in the research to use, such as email and phone numbers, to directly contact the research group.

3.2

Legal Base, Purpose and Context of the Research Activity

The individual is entitled to receive information on the purpose of the processing as well as the legal basis for the processing (see GDPR, Article 13, paragraph 1.c). In the case of research activities, it is necessary to provide information concerning the project or the field of research. According to the legal sources in the biomedical fields, which are also useful for all scientific disciplines, the information should explain the objectives and nature of the activity (see article 29, paragraph 2.a.i of Regulation 536/2014; article 5 Oviedo Convention); ‘the nature, extent and duration of the procedures involved, in particular, details of any burden imposed by the research project’ (see Article 13, paragraph 2.i, Additional Protocol to the Oviedo Convention on Biomedical Research); and ‘the source of funding of the research project’ (see Article 13, paragraph 2.viii, Additional Protocol on biomedical research).

3.3

Risks and Other Consequences

The information should refer to the possible risks, discomforts or other consequences arising from participation in the research activities. The necessity to provide this information is emphasised by the legal sources concerning biomedical activities, including the research (see Article 29, paragraph 2.1.i Regulation [EU] no. 536/2014; Article 5 Oviedo Convention). In addition, Article 13 of the Additional Protocol refers to specific biomedical research that needs to identify ‘(iii) measures to address adverse events that may affect the persons involved’ and ‘(vi) measures for adequate compensation in case of damage’.

3.4

Information Concerning Storage, Security and Confidentially

According to Article 13, paragraph 2.a GDPR, the data subject will receive information concerning ‘the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period’.

102

R. Cippitani

This kind of information may also concern the storage of the biological material together with personal data. It is advisable to provide the person with information concerning the measures put in place to ensure the security and confidentiality of the personal data and the biological material. This is in application of the dispositions concerning the duties of security charged on the controllers (see GDPR, Article 35) and in storing human cells and tissues (see Directive 2004/23/EC, Article 14). Both the GDPR and other legislation consider anonymisation or pseudonymisation as the main measures to be implemented in order to ensure security and confidentiality. However, this does not prevent the adoption of all other necessary technical and organisational measures (see GDPR, recital no. 28).

3.5

Categories of Recipients and International Transfer of Data and Materials

The GDPR establishes that the data subject be informed about the category(ies) of recipients of the personal data ‘if any’ (see Article 13, paragraph 1, let. d), if this is known at the moment of data collection. For example, this implies that the research group will inform the person if his/her data will be transferred to other partners of a research project. The transfer is subject to the measures to ensure the security and confidentiality, such as anonymisation and pseudonymisation. The data subject should be informed of such measures. The provisions mentioned seem to refer only to a case in which the transfer is put in place within the European Union. In the case of transfer towards a third country, the data subject must be specifically informed (see Article 13, paragraph 1, let. e), and the existence of an adequacy decision by the Commission or the application of other safeguards provided by Articles 46 and ff must be taken into account.

3.6

Rights of the Person Involved in the Research Activities

According to Article 16, point iv), of the Oviedo Convention ‘the persons undergoing research have been informed of their rights and the safeguards prescribed by law for their protection’. Among the rights established by the GDPR (see GDPR, Article 13, paragraph 2, let. b), is ‘the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability’ (see GDPR, Articles From 15 to 21). The person must be informed about the right to withdraw from the research at any time as provided by Article 16, v, Oviedo Convention. The GDPR tasks the

Consent Requirements

103

controller with the obligation to inform the data subject of the right to withdraw from the processing of personal data at any time ‘without affecting the lawfulness of processing based on consent before its withdrawal’ (see GDPR, Article 7, paragraph 3; Article 13, paragraph 2, let. c). Recital no. 33 of the GDPR should be taken into consideration with regard to the research activities, as it lays down that ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose’. Therefore, the persons involved in the research activity must be informed of the possibility to restrict the processing of his/her personal data (or biological material) to specific projects or research or to exclude the use of such data and material for specific fields of research. Otherwise, the data/material may be used in further research activities. For the specific case of clinical trials, Regulation no. 536/2014 puts the attention on the use of the data for ‘future scientific research (e.g., medical, natural or social sciences research purposes), and in this case, ‘it is necessary that the subject gives consent to use his or her data outside the protocol of the clinical trial and has the right to withdraw that consent at any time’ (see Regulation 536/2014, recital no. 29). Freedom of consent also includes the right to know and not to know (paragraph 6. C.18.3 Right to know - right not to know, from the Council of Europe’s Guide for Members of Research Ethics Committees) (Rodotà 1995; Santosuosso 2002, p. 27). Not wanting to know the outcome of treatment or research is an expression of freedom accorded to the individual and, therefore, does not conflict with the right to consent (Andorno 2004). This right is affirmed, for example, by Article 5(c) of the UNESCO Declaration on the Genome and by Article 10(2) of the Oviedo Convention.

3.7

Additional Information

The information sheet should provide any other insight necessary to allow the individual to have a complete view of the activity in which he/she is involved, the context of that activity, the consequences, the follow-up, etc. For example, the information sheets should make the persons aware of the approach to so-called ‘incidental findings’, that is, information which may arise from research activities which refers to a serious risk (physical, psychological, social) to the persons or fundamental interests but that is unrelated to the purpose and beyond the aims of the study (e.g., discovery of a serious illness during a study on the styles of life using wearable devices).

104

R. Cippitani

Another case may be information concerning the strategy of communication of the results of the research activities. It would be best practise to actively involve the person in the dissemination of the output of the research in which he/she was engaged. The persons may decide to be in touch with the staff to know the future developments of the project or research or to participate in dissemination events, to follow the social network concerning the research, to become a partner of the association that supports the research and so on.

4 Withdrawal and Freedom of Consent As stated in the previous sections, consent must be freely given. This means that the subject must effectively choose whether or not to be involved in the activities for which he or she receives the information.7 Free consent is ensured when there is no intimidation, coercion or threat of negative consequences in the event the person does not give consent.8 In addition, ‘any pressure that would lead individuals to accept a higher level of risk than would otherwise be acceptable to them’ is considered illegitimate coercion. Coercion and intimidation can be conveyed by acting on social, economic and financial factors.9 Manipulation should also be avoided; this more precisely implies, ‘to alter people’s behaviour by influencing them in ways that somehow bypass rational agency; rather than influencing them through reason and argument, we (typically through some ‘sleight of hand’) seek to change their mind by appealing (consciously or otherwise) to non-autonomous and/or non-rational parts of the person’ (European Commission 2010, p. 38). Furthermore, threats of sanctions or refusal of health treatment or other benefits are prohibited. Inappropriate influence may imply, for example, attempts to influence close relatives or veiled threats to deny access to services to which individuals would otherwise be entitled.10 The inappropriate influence may also be of an economic nature. In this view, all financial inducements or other kinds of incentives aimed at improving the economic or personal situation of the individual are not permitted (see Article 31, paragraph 1, lett. d Regulation 536/2014) (Nuffield Council on Bioethics 2002).

7

See Article 29 Working Party, Opinion 15/2011 on the definition of consent, ref. Ibid. 9 See Article 29 Working Party, Working Document on the processing of personal data relating to health in electronic health records, ref. 10 Council of Europe Steering Committee on Bioethics, Guide for Research Ethics Committee Members, January 2012. 8

Consent Requirements

105

In principle, giving compensation or other forms of economic benefit to the participant is acceptable in so far as the amount or entity is not so high as to exercise an undue pressure on him/her. This occurs when people are induced to accept a higher level of risk in comparison with what they would have accepted without any form of benefit or compensation. Let’s consider an employee’s consent: in this case, it could be difficult to consider consent as effectively free. Thus, special attention needs to be paid to consent acquired in the context of an employment relationship. In particular, consent should not be linked to gaining or losing work or career opportunities.11 The freedom to accept participation in research even implies the right to refuse to give consent or to subsequently revoke it. Giving consent for the aforementioned purposes differs from the manifestation of the will to conclude contracts or other agreements of a patrimonial nature as regulated by the civil codes. In fact, in the case of authorising interventions that may affect personal interests, consent may be freely revoked by the individual at any time (see article 5, Oviedo Convention; see also Article 13, paragraph 3, Additional Protocol on Biomedical Research; Article 9, paragraph 2, Additional Protocol to the Oviedo Convention on Genetic Testing for Health Purposes, 2008).12 The refusal or withdrawal of consent may not lead to any form of discrimination against the person, in particular regarding medical care (Article 14, paragraph 2, Additional Protocol on Biomedical Research; see also Article 28, paragraph 4, Regulation [EU] n. 536/2014).13 However, to protect the scientific research, it should be taken into account that ‘The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal’ (Article 7, paragraph 3, GDPR). An analogous provision is laid down by Article 28, paragraph 4, Regulation (EU) 536/2014 specifically for clinical studies. The person should be informed about this limitation concerning the effect of any withdrawal (see paragraph 3 of the Article 7 of the GDPR).

11

See Article 29 Working Party, Opinion n. 8/2001, on the processing of personal data in the employment context, of 13 September 2001 and Article 29 Working Party, Working document of the on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995. 12 An application of revocability can be found in the case of Evans v. United Kingdom of 10 April 2007, decided by the ECtHR. 13 According to the Recommendation of the Committee of Ministers of the Council of Europe Rec (2006)4 of 15 March 2006 (which concerns research on biological material of human origin), the person who withdraws or modifies his or her consent, apart from the fact that he or she must not be discriminated against, for example, in terms of health treatment, has the right to have the biological material destroyed or rendered anonymous (Article 15, paragraph 2).

106

R. Cippitani

5 Form of the Information and of Consent The GDPR and the other sources also provide formal requirements concerning informed consent. According to Article 12, paragraph 1 GDPR, ‘the information shall be provided in writing, or by other means, including, where appropriate, by electronic means’. The obligation of providing information in a written form also concerns the clinical study (see Regulation [EU] no. 536/2014, Article 29, paragraph 3). If requested by the data subject, the information may be provided orally. This may be useful to give further information or to clarify some points on the information sheet. Consent must also be an ‘unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ (GDPR, Article 4, no. 11). The statement may be expressed in several ways (see GDPR, recital no. 32), such as ‘ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data’. Meanwhile ‘silence, pre-ticked boxes or inactivity should not therefore constitute consent’. A simple omission of an action cannot be considered a valid expression of consent14 (e.g., the failure to reply to an e-mail15). Furthermore, the data controller must be sure that the person giving consent is indeed the data subject. This is especially the case when consent is requested through telematic instruments. In general, consent can be given in any form, including orally, provided that the other conditions are respected (the subject is free to express consent and has all the necessary information).16 In some cases, EU documents require unambiguous consent expressed through an explicit form,17 that is, a written form. This occurs when the collection of data or material carries a risk of deeply affecting the interests of the person involved in the research activities.18 In fact, the explicit form is used when collecting special

14

See the paragraph III.A.3 of the Opinion 15/2011 on the definition of consent, ref. Article 29 Working Party, Opinion 5/2004 on unsolicited communications for marketing purposes under Article 13 of Directive 2002/58/EC, of 27 February 2004. 16 See paragraph III.A.1, Opinion 15/2011 on the definition of consent, ref. 17 The two concepts should be considered to be different. See also Article 29 Working Party, Working Document on the processing of personal data relating to health in electronic health records (EHR), of 15 February 2007. 18 See paragraph III.A.3 de la Opinion 15/2011 on the definition of consent, ref. 15

Consent Requirements

107

categories of data (those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sexuality; see GDPR, Article 9, paragraph 2.a). The explicit form, or the written form, is also requested in biomedical research (see Article 16 (v) of the Oviedo Convention and Recital 30 of Regulation no. 536/2014) and in specific cases, such as the removal of human biological material.19 When the person is unable to write, the consent must be recorded ‘through appropriate alternative means, for instance through audio or video recorders’ (see Regulation [EU] no. 536/2014, recital no. 30). If the consent to the processing of personal data must be expressed in a written form, (GDPR, Article 7, paragraph 2) and if the declaration has to be given in a context which refers also to other matters (usually this is the case with informed consent in biomedical fields), ‘the request for consent shall be presented in a manner which is clearly distinguishable from’ the other issues (such as those concerning the medical intervention or the collection of biological samples). To conclude, it is advisable to use written forms to express consent, especially in research activities and even if the written form is not mandatory. This is also in view of the obligation of the controller to give evidence that the data subject has consented to the processing of his or her personal data (see GDPR, Article 7, paragraph 1).

6 Conclusion Informed consent is an important instrument to implement several types of mandatory international, EU and national legislation (e.g., those concerning the protection of personal data, the use of biological material and clinical trials) and, above all, to make biomedical activities consistent with fundamental ethical principles, such as dignity and self-determination. To comply with those principles and law, information has to be provided in a manner to meet the requirements of the various legal sources in a text which addresses the different topics. Therefore, not only should the requirements of a specific legal discipline be taken into consideration, such as Regulation (EU) 2016/679, but also the entire legal and ethical framework at the bases of the informed consent. That result should be achieved without sacrificing the necessary clarity and comprehensibility of the text by adopting adequate drafting strategies.

19

See Article 3, Appendix to the Resolution no. (78) 29 on harmonisation of legislations of member states relating to removal, grafting and transplantation of human substances, adoptato by the Committee of Ministers of the Council of Europe of 11 May 1978.

108

R. Cippitani

References Andorno R (2004) The right not to know: an autonomy based approach. J Med Ethics 30:435–440 Comitato Nazionale per la bioetica (1992) Informazione e consenso all'atto medico. https://bioetica. governo.it/media/1836/p10_1992_informazione-e-consenso_it.pdf European Commission (2010) European textbook on ethics in research. Publications Office of the European Union, Luxembourg European Group on Ethics in Science and New Technologies (2003) Ethical aspects of Clinical Research in Developing Countries, Opinion no. 17 Nuffield Council on Bioethics (2002) The ethics of research related to healthcare in developing countries, London. www.nuffieldbioethics.org Rodotà S (1995) Tecnologia e diritti. Il Mulino, Bologna Santosuosso A (2002) Genetica, diritto e giustizia: un futuro già in atto. In: Santosuosso A, Redi CA, Garagna S, Zuccotti M (coord.) I giudici davanti alla genetica. Como-Pavia

Consent and Assent by Children Management of Assent and Consent by Children. What Should Be Done When They Reach the Appropriate Age: Obligations and Recommendations? Alessandra Langella, Rocío Aguilar-Quesada, and Roberto Cippitani

1 Introduction Paediatric biobanks can create a virtuous circle because biomedical knowledge in the paediatric field can be improved through research on human samples. Research involving minors’ biological materials can contribute to developing personalised care and treatment for diseases of childhood and adolescence. This would not only have medical relevance but also social effects and economic implications. Furthermore, this means that healthcare can be enhanced. However, the inclusion of paediatric samples in biobanks entails several legal and ethical problems (Field and Behrman 2004), and specific precautions must be taken because ‘children are not small adults; they have an additional, unique set of interests’ (Royal College of Paediatrics and Child Health: Ethics Advisory Committee 2000). The chapter attempts to provide biobank operators with some instructions to guide the crucial issue of managing the consent and assent of minors.

A. Langella (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] R. Aguilar-Quesada Andalusian Public Health System Biobank, Coordination Node, Centre for Biomedical Research, Granada, Spain e-mail: [email protected] R. Cippitani Institute CNR-IFAC, National Research Council of italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_12

109

110

A. Langella et al.

2 Children’s Consent or Assent in Biobanks The European regulatory framework on biobanks is uneven. Moreover, the issue of the management of consent and assent by children involved in biobank activity raises many difficulties. This occurs because a reference to children in the context of biobanking does not exist at the European level, and the activity is regulated by civil and constitutional legal sources in the Member States. This is the case in Italy, where the requirement of consent for any treatment involving the human person is a constitutional norm (Article 32). However, the recent legislation on informed consent1 (Law No. 219 of 22 December 2017, Article 3) merely provides that consent to the health treatment of a minor must be given or refused by adults exercising parental responsibility. Even if there is a specific national law on biobanks, the aspect of the participation of minors may not be considered at all. For example, the Belgian New Royal Decree on biobanks of November 2018 does not contain any provision on children’s involvement. Similarly, Austrian law on the organisation of research regulates the systematic collection, storage and recording of material for research purposes (§ 2b Z 12) but does not provide a rule on the consent of minors. In Spain, the Royal Decree for Biobanks and Human Biological Samples 1716/ 2011 states (Article 23, 2 (n)) that in the case of samples from minors, the consent for collection, conservation, storage and use of biological samples of human origin for biomedical research purposes must contain a guarantee of access by the subjects to the information referred to in Article 32 only upon reaching adulthood. Those information are: (a) the specific purpose of the research for which the sample was used; (b) expected and achieved benefits; (c) identity of those responsible for the research; (d) genetic data relevant to health obtained from the analysis of the samples; (e) mechanisms to guarantee the confidentiality of the information obtained; and (f) identity of the persons who have had access to personal data not submitted to dissociation or anonymisation processes. The lack of a regulatory law on biobanking in the national framework implies that reference to EU and international sources (hard and soft) is essential. Furthermore, regulations for the involvement of minors can be found in laws that regulate cases that are close to biobanking (e.g., laws for biomedical research activities, organ donation for transplantation, medically assisted procreation, clinical trials, patients’ rights, public health and hospital policies, bioethics and data protection). However, these texts may refer to different age thresholds. This is the case in Spain, where the Royal Decree for Clinical Trials of 2015 states a child over the age of twelve attains the capacity to give consent (Article 5 (3)); and from this point onwards, his/her consent to continue participating in the clinical trial 1

See the official text Legge 22 dicembre 2017, n. 219. Norme in materia di consenso informato e di disposizioni anticipate di trattamento, GU Serie Generale n.12 16.01.2018. https://www. gazzettaufficiale.it/eli/id/2018/1/16/18G00006/sg

Consent and Assent by Children

111

must be sought (Art. 4 (3)). In contrast, the Patient Autonomy Act 41/2002 (Article 9, (3)) states that it is only from the age of sixteen onwards that the consent of minors who are neither incapable nor incapacitated must not be given by means of representation (final subparagraph). Lastly, the Law 3/2018 on the protection of personal data and guarantee of digital rights allows (Article 7) the consent of children over the age of fourteen, while the processing of data of minors under that age is only lawful with the consent of the holder of parental authority or guardianship, who also exercises related rights on behalf of the child (Article 12). The lack of a coherent regulatory framework leads to a discrepancy in the ages at which the child should be involved, and this implies serious complications for biobankers. It becomes essential to untangle the knot and figure out how to resolve the conflict of a biobanking law that only provides for the involvement of adults with the regulatory texts that involve minors at different ages in biobanking-related phenomena.

2.1

The Legal Context

The earliest legal sources in biomedicine excluded any participation of children in scientific research because they exclusively considered the child as an object of special protection.2 This scenario changed when the United Nations Convention on the Rights of the Child established that minors should be directly involved in activities that concern them in accordance with their age and maturity (Article 12 (1)) as long as the activities are in their best interests (Article 3 (1)).This means that children are not only receivers of special attention by law but become subjects of rights and duties. This approach is confirmed by the provision of Article 24 of the EU Charter of fundamental rights, which provides (in the first subparagraph) the freedom of expression of children and the principle that their opinion must be taken into consideration on matters that concern them (see the second subparagraph). The disposition of this constitutional legal source for the European system can be considered the pillar of the entire discipline concerning minors. The concept of the involvement of the child in activities that concern him/her, and the pursuit of his/her best interests has been introduced in the biomedical fields. The ‘best interest of the child’ is the rule requiring benefits for the minor instead of merely benefitting research purposes. It represents an ethical cornerstone of scientific activities involving minors as well as the expression of the broader principle of solidarity that requires any biomedical activity to take into account the interest, the wellbeing and the protection of people, especially vulnerable people, including children, for whom special safeguards and protection must be provided (e. g., the obligation to protect minors in the case of genetic testing is provided in Article 17 of the Portuguese law no. 12/2005 on personal genetic information and health

2

Nuremberg Code (1947) and the Declaration of Helsinki (1967).

112

A. Langella et al.

information; the Lithuanian law on ethics in biomedical research requires certain conditions for research with vulnerable subjects (Article 5), prescribing further measures to protect their interests (Articles 6 and 7)). This means that research must consider a child not only as a means but also as an end in itself (Williams 2012). Thus, many legal sources require that an intervention may only be carried out on a person who does not have the capacity to consent if it is for his or her direct benefit (Article 6, Oviedo Convention). In addition, two other conditions are requested: (i) research may be undertaken only if the results have the potential to produce a real and direct benefit to the person’s health; and (ii) research of comparable effectiveness cannot be carried out on individuals capable of giving consent (see Article 15 Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research). The latter rule requires that priority be given to research with persons capable of giving consent over research with subjects that are incapacitated. This is primarily an application of the principle of proportionality, which also must be taken into account in order to implement the precautionary principle. The precautionary principle in scientific research requires that the risks to the freedoms and integrity of the persons involved should be assessed. To this effect, ‘all necessary precautions must be taken to protect the privacy of research subjects and the confidentiality of their personal information and to minimise the impact of the study on their physical, mental and social integrity’ (Principle 23 Helsinki Declaration). Scientific activity must be conducted without excessive means in relation to the ends to be achieved and without burdens that are disproportionate to the benefits for the person involved (Langella 2019). It is necessary to examine whether the aim pursued can be achieved in a less invasive manner and that the sacrifices of those involved in the research should be kept to a minimum. The principle entails that the number of parties included in the research protocol should be as small as possible and that the amount of data collected and processed should be as little as possible (see Article 89(1) of Regulation 2016/679; see Cippitani 2018). Furthermore, the principle of proportionality implies that the categories of research participants for scientific research should not include minors when it is possible to involve adults. Indeed, proportionality has the principle of subsidiarity3 as a corollary. The subsidiarity principle requires that adults should relieve youth from the burden of research activity whenever possible, thus bringing to the research field the idea that society must protect and support childhood. The special regime for research activity involving vulnerable persons, such as children, would impose certain recommendations in practice: researchers should explain in the study protocol that activity does not impose a risk to the child or

3

See the Report of the Italian National Bioethics Committee, Presidenza del Consiglio dei Ministri, Comitato Nazionale per la Bioetica, Biobanche Pediatriche, 11 April 2014. https://bioetica. governo.it/media/1821/p116_2014_biobanche_pediatriche_it.pdf.

Consent and Assent by Children

113

should demonstrate a good reason upon which an invasive procedure can be justified; and the option must be for the least intrusive method possible. The protection also requires that a preference be given to older children (if possible) in the research; this also responds to the need to involve people who are more aware (principle of self-determination). Likewise, the principle of human primacy requires that the interest of science and society should never take precedence over the wellbeing of the subject.4 The practical application of this principle implies that researchers must prioritise the wellbeing of the young participants and not initiate or continue any activity that does not consider their best interests, taking into account present and future effects that the research could have on them. For this reason, an assessment of the risk of physical, psychological or social harm to subjects must be made as well as an evaluation of the impact of any cultural or gender issues that may pertain to persons involved and/or the dissemination of the research findings with the aim to understand the possible risks and take any useful measures. After all, the principle of the primacy of the human being is also a procedural rule (Różyńska 2021). This implies that researchers and sponsors should draw up a research protocol to assess the potential risks and benefits of the research. Research ethics committees must consider that the risk–benefit ratio be reasonable (Simonsens 2012), and subjects involved must be informed about the assessment of risk–benefit. To this end, the research must always be based on a written protocol in which not only the objectives, methodology and outcomes are clearly indicated but also the justification for the research and its risks. There should also be an assessment of how the balance between benefits and costs of research may change over time in relation to changes in the child. The risks that may be encountered by children involved in research may be relevant in both physical terms and data protection. Children may be less aware of the risks, consequences and safeguards for personal data and their rights in relation to data processing (see Recital 38 GDPR). It is up to researchers to also make these aspects known through appropriate and tailored information. After all, any participation, choice and opinion need to be informed in order for there to be awareness. This imposes the duty to prepare suitable instruments for listening to the child and to provide information appropriate to the subject’s ability to understand (see Recital 58 GDPR). If research activity on children can only be undertaken when the condition of taking his or her opinion into account as an increasingly decisive factor in proportion to age and degree of maturity is fulfilled (Article 15, Additional Protocol to the Oviedo Convention concerning Biomedical Research; Article 32, 2 (b), Regulation (EU) 534/2016), the involvement of the child should be encouraged (principle of 4

The human primacy principle is laid down in the WMA Declaration of Helsinki and in the Convention on Human Rights and Biomedicine (1997; Article 2) and its Additional Protocol concerning biomedical research (2005; Article 3) as well as in Article 3.2 UNESCO Universal Declaration of Bioethics and Human Rights (2005). It is also provided in Recital 1 of EU clinical trial Regulation No. 536/2014.

114

A. Langella et al.

self-determination; see Principle 24 of Helsinki Declaration); otherwise, the minor’s age as a legal protection institution would become an instrument of prevarication. In accordance with the principle of self-determination, which is related to human dignity (Article 1 EU Charter of Fundamental rights), children must be actively involved since they have a subjective right to express their opinions, including in the context of the use of biological samples of human origin for research purposes (Recommendation CM/Rec (2016) 4, see Articles 10, 12, 22). Any research, even research that occurs with biological samples, must be preceded by the consent of the participant. The involvement of minors is also functional to lasting research. The more the child is allowed to participate in the decision-making process from the outset, the more the risk is removed that he/she will withdraw the parental consent as soon as he/she acquires legal authority to do so. Based on this set of principles, valid solutions to gather the child’s will as soon as he/she has the cognitive capacity to understand his/her actions can be found. The child must be made an accomplice in the research activity through different procedures depending on his or her sensitivity. Thus, if parental or guardian consent is sought for the collection of child samples, then as the child’s cognitive faculties and capacity to have opinions increases, the research infrastructure must take steps to consider the child’s will. Therefore, paediatric biobanks should have a clearly articulated policy on whether, when and how the minor’s participation will be obtained and on what steps will be taken once such participants become legally competent to consent. Capacity can generally be presumed when dealing with minors who are subject to school obligations and, therefore, normally able to understand the object of their choices and to consciously express themselves. Therefore, since the primary school age (normally from 6 or 7 years, depending on the maturity of the child), the child’s opinion should be required. The legal consent is signed by parents, but the minor must be informed: it must be explained that material is being collected for research purposes and what will be done with it. With reference to the capacity of discernment, the 12-year-old child should have such awareness and understanding that his/her hearing results in assent, although the parents sign the legal consent. Finally, having reached the 14-year-old threshold, the ability of the child should justify the act of consent. The 14-year-old minor becomes an autonomous centre of legal imputation in the research that concerns him/her, as relevant rights and interests are implicated. His/her participation should not qualify as mere assent, with obvious consequences even if situations of conflict of interest arise with the parents.

2.2

Age to Be Considered

These mentioned fundamental principles should guide the activity of the researcher. Informed consent does not exhaustively guarantee the ethicality of a research project involving minors since research itself must also respect other values (subsidiarity,

Consent and Assent by Children

115

solidarity, precaution) to be ethical; nevertheless, to implement the legal requirements, the researcher must first ensure that the minor is listened to and his/her informed consent is obtained. If there are specific laws regulating research in biobanks and the consent of underage participants, biobankers are required to comply with them. However, it is possible that this special law only requires the consent of adults, and this may not be in line with the general right of the child to be heard. It follows that the researcher should still find a way to involve them. The same applies when there is not a national law on biobanking. Given that there is little unanimity on how the principle of self-determination can be applied in practice, then some guidance may be useful in the absence of a law. Some legal guidelines on obtaining consent for minors can be found in other national laws. Using the principle of analogy to fill a gap, the interpreter of the law applies the rules provided for similar issues or analogous cases, for example, scientific research, therapeutic treatment, clinical trials, organ donation or personal data. In these situations, if legislature has established a uniform age threshold, this could also be followed for the consent to biobanking. The Slovenian case can be considered. In Slovenia, there is no law on biobanking but rather laws that may be relevant because they regulate similar matters and set the same age threshold with respect to the involvement of minors. The age of 15 is fixed in the law on patient’s rights (Article 35, 2, ZPacP) and in Article 8 of the Data Protection Law as well as in the act on quality and safety of human tissues and cells intended for medical treatment (Article 31, 2).5 However, there may be a discrepancy—as in Spain—among the national laws on capacity to consent (i.e., in Spain, the Royal Decree on clinical trials requires the age of 12; the 16-year-old threshold is set by the Patients’ Autonomy Act; and the age of 14 is enacted by the law on data protection). This divergence could be resolved by following up with two criteria: the researcher could apply the criterion of the lowest age stipulated in the laws regulating phenomena that are close to biobanking. A second option would be to admit minors of 14 to consent. This might be a good age because it meets the adolescence phase in which the child’s cognitive abilities are well developed, which is why in some legislative texts and codes of ethics for research the threshold of 14 years of age is set for requesting consent (e.g., in Croatia, where the Code of Ethics for research with children prescribes that a child over the age of 14 gives informed consent to research on his/her own), and in other cases, it is assumed that from the age of 14 to 18, children have some capacity to act (see Lithuania Civil Code, Article 2.11). This would be a prudent choice since it is an intermediate age between 16 and 12. In addition, Article 8 of the European Regulation on the protection of natural persons

5

Human Tissue and Cells Quality for Treatment Act (Official Gazette of the Republic of Slovenia, No. 61/07 and 56/15 – ZPPDČT, ZKVČTC.

116

A. Langella et al.

with regard to the processing of personal data ((EU) 2016/679)6 (hereafter GDPR) on the conditions applicable to a child’s consent in relation to information society services makes the processing of the personal data of a child lawful once the child is at least 16 years old. However, the Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years: the threshold on average has been set at 14.7 Each decision on age should be formalised in a protocol or guidelines, which should be evaluated and approved by an Ethics Committee as an independent body in order to verify the ethical and legal sustainability of the involvement of the child. Following the procedures approved by an Ethics Committee allows a biobank to codify its commitment to the value of respect for the people involved in the research. The paediatric biobanks should have a clearly articulated policy on whether, when and how the minor’s assent will be obtained and on what steps will be taken once such participants become legally competent to consent.8 The mentioned provision of the GDPR would confirm the hypothesis that 12-year-olds could be asked for assent, and since the age of 14 years and onwards, their participation could take the form of consent. If the physician must seek assent of a participant who is 12 years old, this means that his/her potential dissent should be respected (WMA Declaration of Helsinki, Article 29). Even if the adult is in

6

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4. 5. 2016 L 119/1. 7 Belgium (Article 7, Act on the Protection of Individuals with regard to the Processing of Personal Data (2018), Norway (Ch. 3, § 5, Personal Data Act), Portugal (Article 16 Act No. 58/2019, of 8 August), Denmark (Article 6, Data Protection Act), Estonia (Article 8, Personal Data Protection Act), Finland (Ch. 2, sec. 5, Data Protection Act), Latvia (Sec. 33, Personal Data Processing Law), Malta (Article 33 Data Protection Act, CAP. 586; Article 4 S.L. 586.11) and Sweden (Data Protection Act, ch. 2, § 4) establish the age of 13. The Italian (Article 2-quinquies of the Privacy Code), Spanish (Article 7, 92 of the Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights), Austrian (Article 2, § 4, (4) of the Federal Act concerning the Protection of Personal Data (DSG)), Bulgarian (Article 25c, Personal Data Protection Act 2002 (last amended in 2019) New, SG No 17 OF 2019), Cypriot (Article 8 (1) LAW 125(I) of 2018), Lithuanian (Article 6, Republic of Lithuania Law on legal protection of personal data) Data Protection Laws set the age threshold at 14 years. Greece (Article 21, LAW NO. 4624/2019), the Czech Republic (Sec. 7, Act No. 110/2019 Coll. Act of 12 March 2019 on personal data processing), France (Article 45, Law n° 78-17 of 6 January 1978 on data processing, files and liberties), and Slovenia (Article 8 Data Protection Law) set the age at 15 years. Poland (Personal Data Protection Act of 10 May 2018), the Netherlands (Article 5 (UAVG) Uitvoeringswet Algemene verordening gegevensbescherming, General Data Protection Regulation Implementing Act), Luxembourg (Act of 1 August 2018 on the organisation of the National Data Protection Commission), Ireland (Article 31, Data Protection Act 2018), Germany (Federal Data Protection Act [BDSG]), Croatia (The Act on Implementation of the GDPR [Official Gazette no. 42/2018; ‘AIGDPR’]), Romania (Law no. 190 of 18 July 2018) and Slovakia (Sec. 15, Data Protection Act) establish the age of 16. The mathematical average marks the age of 14 years and 4 months. 8 OECD Guidelines on human biobanks and genetic research databases, 22 October 2009, p. 10. https://www.oecd.org/sti/emerging-tech/44054609.pdf.

Consent and Assent by Children

117

favour of enrolling the child in the research activity, the biobank staff must consider his/her refusal to prevail over the parental consent, which will never be valid if given against the child’s will. According to the ‘median criterion’ put forward, the child from the age of 14 has the right to express effective consent as provided for by the GDPR. It follows that a child could make autonomous choices, even in cases of conflict with the parents9 (Cippitani 2021; Massie et al. 2022). This determines that if he/she wants to participate in biobanking, the researcher can involve him or her even if the parents are opposed. However, if the minor is not at the age of consent, the parents’ refusal to allow the child to participate in biobanking means that the researcher needs a different permission. Either the child or the researcher—depending on national law—can appeal to the court to obtain authorisation.

3 What Should Be Done When They Reach the Age: Obligations and Recommendations In general legal terms, a minor is incapable of acting and performing legal acts by which to acquire rights or assume obligations; this implies that in paediatric biobanks, the authorisation to participate in research is reserved to the person exercising parental responsibility, and the child’s material is collected with the consent of a third party, parent or guardian. However, if a person who was not able to consent, and whose biological materials were stored for future research, attains or regains the capacity to consent, reasonable efforts should be made to seek the consent of that person for continued storage and research use of his or her biological materials.10 For this reason, the biobank must certainly introduce procedures for when the minor reaches the age of majority in order to continue to use the samples and consult the data already processed, otherwise the samples must be destroyed and data deleted. However, this is not only significant when the minor legally acquires the capacity to act. In situations involving the child’s personality choices and the exercise of fundamental rights, his/her involvement must be promoted as soon as he/she acquires capacity to participate and, thus, even before the age of majority is reached.

9 The courts have mostly focused on the conflict in clinical care and not on participation in research. A recent example concerns the hypothesis for the administration of the COVID-19 vaccination. 10 Article 12, Recommendation CM/Rec (2016)6 of the Committee of Ministers to Member States on research on biological materials of human origin (Adopted by the Committee of Ministers on 11 May 2016 at the 1256th meeting of the Ministers’ Deputies).

118

A. Langella et al.

In fact, the ethical and legal rules of a person’s involvement must be ensured during research and in relation to changes in capacity that affect the child during his or her growth. After all, the minor’s incapacity is special and different from other cases of incapacity (Dalpé et al. 2019). The competence of children and their degree of maturity are destined to develop over time, and this development corresponds to the need to gradually provide for different forms of participation. Researchers should start involving the child as early as school age, providing them with age-appropriate information, asking the 12-year-old to express their assent and, finally, for full consent from the 14-year-old. From the age of 14, the consent of the child should replace that of the parents or guardians. However, the chances of renewing the consent initially given by those exercising parental responsibility should be greater when a relationship of trust has been established with the research staff from the outset. For this purpose, researchers should ask the parents to remind the child over time that the donation has taken place and maintain contact to enable the child to give consent at the appropriate time.11 This is because in biomedical research, consent must remain in place for the duration of the study.12 In addition, the use of tools to support a child’s ‘ongoing’ participation should be enhanced in order to modulate the child’s participation in the research activity according to his/her growing capacity. In this sense, ‘dynamic consent’, that is, allowing participants to consent to research activities over time via computer interface, should make it possible to comply with circumstances and personalise participation according to the age and development of the child. In paediatric biobanking, this consent model could promote the minor’s right to reconsider, confirm, assent, approve or withdraw research participation upon reaching ‘the age’. After all, even though some controversial aspects have been highlighted (Steinsbekk et al. 2013), dynamic consent could lead to a process of democratic research (Prictor et al. 2018): through this tool, participation in research can be facilitated when it involves certain groups of subjects whose engagement might be hindered, including minors.

11

CNB, Italian Bioethics Committee, Paediatric biobanks. International Ethical Guidelines for Health-related Research Involving Humans Prepared by the Council for International Organizations of Medical Sciences (CIOMS) in collaboration with the World Health Organization (WHO), (guideline 17). https://cioms.ch/wp-content/uploads/2017/01/ WEB-CIOMS-EthicalGuidelines.pdf.

12

Consent and Assent by Children

119

4 Conclusion Since children are a vulnerable and, therefore, specially protected population, careful consideration must be given to balancing the benefits and risks of their participation in research as well as their rights. Consequently, paediatric biobanks should develop transparent and specific procedures to collect consent and assent from minors. However, legislature do not always provide clear instructions, laws are fragmented and related guidelines are necessary to revise how to act in compliance with legal considerations about children’s involvement in research. In this chapter, recommendations to manage consent and assent of minors have been provided.

References Cippitani R (2018) Il trattamento dei dati genetici a fini di ricerca scientifica. Diritto e processo:95–133 Cippitani R (2021) La participatión de los menores en la vacunación contra la Covid-19. Derecho de la Integración 18. Centro de Estudios Comunitarios y Comparados, 57–86 Dalpé G, Thorogood A, Knoppers BM (2019) A tale of two capacities: including children and decisionally vulnerable adults in biomedical research. Front Genet 10:289 Field MJ, Behrman RE (2004) Ethical conduct of clinical research involving children. In: Institute of Medicine (US) committee on clinical research involving children. National Academies Press (US), Washington (DC) Langella A (2019) Il principio di proporzionalità nella ricerca biomedica. Diritto e processo:137–172 Massie J, Paxton GA, Crawford N, Danchin MH (2022) Vaccination of young people from 12 years of age for COVID-19 against parents’ wishes. Med J Aust 216(9):455–457 Prictor M, Teare HJA, Kaye J (2018) Equitable participation in biobanks: the risks and benefits of a “dynamic consent” approach. Front Public Health 6:253. https://doi.org/10.3389/fpubh.2018. 00253 Royal College of Paediatrics and Child Health: Ethics Advisory Committee (2000) Guidelines for the ethical conduct of medical research involving children. Arch Dis Child 82:177–182. https:// adc.bmj.com/content/archdischild/82/2/177.full.pdf Różyńska J (2021) Taking the principle of the primacy of the human being seriously. Med Health Care Philos 24:547–562 Simonsens S (2012) Acceptable risk in biomedical research. Springer. https://doi.org/10.1007/97894-007-2678-9 Steinsbekk KS, Kare Myskja B, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Hum Genet 21:897–902 Williams G (2012) Children as means and ends in large-scale medical research. Bioethics 26(8): 422–430

Consent and Technology Is Dynamic Consent the Solution or Can an Interactive Website Solve the Problem of Consent? Andrea Maierà

1 Introduction The exponential evolution of biomedical research, knowledge, techniques, and applications of personalised medicine have led to a renewed paradigm in which data related to biological samples have assumed an increasingly important role (Shrager and Tenenbaum 2014). These advances, as one might expect, have been accompanied by the emergence of doubts and questions about not only scientific but also legal and ethical-social issues. Informed consent, and in particular its application in biobanking, is certainly one of the issues still associated with numerous doubts (Stoeklé et al. 2017). Admittedly, due to the absolute necessity of informed consent on the part of potential participants in research activities, as enshrined in various documents,1 it is necessary to consider the different forms of informed consent; thus, there have been numerous debates in literature on which is the best form applicable to biobanks’ activities. There are diametrically opposed assumptions between the more traditional clinical research and biobank activities, as it must be stressed that biological samples and related data stored in biobanks can potentially be used in a particularly large number of new projects and studies; these are generally stored for extremely long or even unlimited periods of time, i.e., at least in the order of years or decades. Moreover, the collection and preservation of biological samples and data takes place at a time when 1 World Medical Association Declaration of Helsinki: Ethical Principles for Medical Research Involving Human Subjects. World Medical Association 1964; http://www.wma.net/en/30 publications/10policies/b3/17c.pdf. UNESCO Universal Declaration on Bioethics and Human Rights, 2005. https://www.unesco.org/en/legal-affairs/universal-declaration-bioethics-and-humanrights.

A. Maierà (✉) Department of Medicine and Surgery, University of Perugia, Perugia, Italy © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_13

121

122

A. Maierà

most future research activities have not yet been planned or even conceived of. Moreover, these aspects that make specific consent difficult to apply are important strengths of biobanks in scientific research activities. Moreover, one of the advantages of biobanking is that it can collect and manage a large number of biological samples and data and thus exponentially increase the amount of information available for research activities, even more so if one considers the increasingly widespread and necessary sharing and networking activities. All this generates potentially enormous advantages for translational genomics research and for conducting studies of high statistical significance (Kaye 2012). The current context certainly poses major challenges, including the need to obtain an ever-increasing number of biological samples and therefore the need to recruit an ever-increasing number of donors (Johnsson et al. 2010; Fletcher et al. 2012), the need to keep donor participation alive in research and not reduce it to a passive activity, and the difficulties relating to informed consent (Budin-Ljøsne et al. 2016). The new forms of biomedical research and the greater ease of collecting and massively archiving biological samples and related data, as is typical of biobanks, have strongly challenged the traditional forms of informed consent. Amongst these, both specific consent and broad consent present critical points such that their adaptation and application to biobank activity presents challenges. It is therefore understandable to think, particularly in light of scientific, social, and contextual developments, that it is impossible to perfectly adapt one of the classic forms of informed consent to biobanking, but that it is necessary to rethink this instrument and instead adapt it to the renewed expectations and needs of donors, scientists, and all the stakeholders involved.

2 A New Model for Consent: Dynamic Consent It is precisely because of the problems that can be encountered with the classic forms of consent that some authors have proposed and advocated the use of new models or forms that have been adapted in order to better respond to the activities of biobanks. In particular, in the last few years, another form has appeared in the complex debate on perfect consent, namely that of so-called dynamic consent (Stein and Terry 2013), a tool with the aim of simultaneously facilitating research activities and protecting donors’ interests. According to some, dynamic consent is an evolution of specific consent. In reality, it would be more correct to define it as a form of consent that is able to assume the possibility of ‘shifting the concept of consent’ between different models, thus attempting to adapt to different contexts in the best possible way (Kaye et al. 2015), while at the same time inheriting the advantages and disadvantages of the different models. Dynamic consent is based on modern information technology and communication systems, aimed at refining and simplifying consent procedures for biobanking, as well as facilitating two-way communication between researchers and donors (Budin-Ljøsne et al. 2016). The term therefore refers to true personalised and interactive consent and communication platforms (Fletcher

Consent and Technology

123

et al. 2012) capable of engaging donors on an iterative basis (D’Abramo et al. 2015; Thiel et al. 2014). The core concept of this form of consent is to develop a digital platform that is accessible to the donor, who may thus be able to establish direct, continuous, and personalised contact with the biobank and the researchers, and thus indirectly with their biological samples and related data, in such a way as to allow the possibility of changing one’s preferences in this regard, in particular on the basis of constant observation of the biobank’s activities, while naturally maintaining the possibility of revoking consent (Budin-Ljøsne et al. 2016). Subjects can also decide how to be contacted for future activities or to obtain the results of studies using their samples (Wee et al. 2013). As previously mentioned, this form of consent may therefore be defined as a kind of evolution of specific consent, as it represents a simplified solution for obtaining specific consents for studies in a dynamic mode (Manson 2019). It can therefore be said that dynamic consent represents a consent framework that is strongly oriented towards the donor, who is no longer simply a passive source of biological material and data for study purposes, but who is valued, as is right and proper, and who represents an active partner in research activities. This is certainly a choice that promotes a culture of respect for those involved and simplifies the procedures for obtaining new consent. In practice, the application of such consent in biobanking could perfectly fit into long-term activities, as the donor could use the platform to provide new consents to activities not originally foreseen, or could change their preferences according to their changing views or circumstances (Fletcher et al. 2012). In addition, it should be noted that such platforms can be used to provide additional information, as well as regular updates on research activities throughout the life of the project. It is also possible for donors to decide how often they want to be contacted by researchers (Dixon et al. 2014). There is much debate in the literature on the possibilities that dynamic consent can strengthen donors’ right to autonomy by improving their understanding of the whole process and promoting their participation in research activities, and this could indeed have very good prospects (Williams et al. 2015; Kaye et al. 2015).

3 The Potential of a Dynamic Consent Interface The analysis of this tool is certainly able to highlight several advantages over more traditional forms of consent. First of all, continuous communication and information exchange give the donor refined and specific control of study activities that can be carried out using their samples and data, with relevant attention and enhancement of the donor’s wishes. In addition, new research needs not originally foreseen could be addressed in a much more cost-effective and simplified manner than with traditional forms of consent, which generally require face-to-face interaction with the subject and the exchange of sheet materials (Budin-Ljosne et al. 2015). In this respect, the attention and appreciation of the donor’s wishes is evident.

124

A. Maierà

Moreover, the continuous involvement of the donor in the course of the study activities conducted on their samples and data allows the participant to satisfy any doubts they may have surrounding their participation. It is also necessary to stress that the expression of individual autonomy is far from static, and therefore the potentially continuous interaction between participant and researcher permits the possibility of changing their preferences on the basis of changes in their ideals over time, manifesting itself as a tool that can adapt to the subject and evolve with them in unison.2 Moreover, the increased level of information that can be provided to participants could potentially be accessed from anywhere thanks to the Internet, making countless types of content available to the subjects, from texts to videos, from podcasts to actual applications, using different languages and different levels of detail, thus widening the audience. It should also be emphasised that the possibility of accessing progressively more detailed and broader information, according to the participant’s wishes, puts them in an advantageous position, so that dynamic consent has the potential to increase society’s scientific literacy rate. The strongly donor-oriented dynamic consent approach may be able to enhance recruitment by increasing society’s trust and respect for research and researchers, improving procedures and reducing recruitment costs (Kuehn 2013). On the other hand, it has been repeatedly shown that participants often believe that the altruistic benefits of sharing their data for research activities outweigh the potential risks, but they also expect transparency and respect from research institutions (Ludman et al. 2010; Burstein et al. 2014; Spencer et al. 2016; Trinidad et al. 2010). On the subject of communication, it is also important to stress that it is generally expected that it can be personalised in such a way as to allow the donor to choose how, when, and by what means they can be informed or contacted, thus avoiding subjecting participants to oppressive communication. Moreover, the aim of these platforms is not to force participants to communicate extensively, but rather to offer them the opportunity to do so. The provision of various tools for informative exposure has the potential to ensure that donors can better understand the objectives and risks of their participation, which would thus become more voluntary and conscious, so to speak, limiting the risks of misunderstanding associated with long and complex informed consent sheets (D’Abramo et al. 2015; Perry et al. 2016). Certainly, the difficulty of understanding on the part of the donor is one of the practical problems of traditional consent, which distances it from the theoretical ideal. However, it can be inferred that, if properly developed for a given context, the dynamic consent platform could also facilitate the understanding of information by cultures or groups that would have had difficulty with traditional forms of consent.

2

Institute of Medicine. Best care at lower cost: the path to continuously learning health care in America, 2012. http://www.iom.edu/reports/2012/best-care-at-lower-cost-the-path-to-continu ously-learning-health-care-in america.aspx.

Consent and Technology

125

The dynamic consent interface could also simplify the management of incidental findings by allowing researchers to better understand the wishes of participants, while at the same time allowing participants to be promptly informed and provide specific preferences. As one might expect, this form of consent also has its limits and concerns. First of all, it is clear that the implementation of such an innovative approach requires a significant cultural change both for the scientific community and for society itself. At the same time, from a practical and technical point of view, the design, implementation, and maintenance of such a platform is complex and can have a non-negligible cost. However, it can reasonably be expected that these costs will decrease in the future as procedures become easier and more standardised. At present, this is a cost that should be considered in the design of a new biobank. It is certainly possible to say that the investment of resources such as time, funds, expertise, and personal commitment is significant in any case. It should also be considered that ethics committees may find it difficult to interface with this type of consent, and for these reasons it is necessary to directly involve the reference committee in the design phases of the platform in order to guarantee support and ethical approval during all phases. Of course, dynamic consent may not be able to guarantee as high levels of participant autonomy as specific consent can. In particular, although this is a plausible problem for all forms of consent, possible external influence and the large amount of information may undermine the adequacy of decisions. Digital expression does not guarantee a controlled environment capable of guaranteeing autonomous choice, and this could be a risk especially for weaker groups that could be more influenced by different subjects. Moreover, given the very structure of dynamic consent, it is clear that not all potential donors may be willing to use these technological tools, and therefore some individuals, especially the disadvantaged, who may only be able to access technologies with difficulty or in a limited manner, or even cannot access them altogether, may in fact be excluded (Spencer et al. 2016; Kaye et al. 2015). This may be particularly true for the elderly, disabled, or disadvantaged individuals. However, it is true that with some measures it is possible to mitigate these limitations, e.g., by using technologies that are more widespread and accessible to disadvantaged groups, such as e-mail and SMS text messaging. Moreover, as set out in the literature by various authors (Kaye et al. 2015), including Kaye et al., on the basis of the shortcomings suffered by this type of consent it is possible to envisage traditional forms of consent as an alternative within the platform itself, such as that of broad consent and as, for example, already envisaged by some infrastructures.3 Finally, it is conceivable that the need to provide for multiple modalities may diminish over time as society becomes more familiar with technological tools.

3 The CHRIS Study (Cooperative Health Research In South Tyrol). In: EURAC Research. http:// www.eurac.edu/en/research/health/biomed/projects/Pages/default.

126

A. Maierà

Finally, as already mentioned, some studies have highlighted the risk that dynamic consent may lead the participant to a kind of “fatigue” and may therefore make their consent less meaningful and facilitate abandonment due to excessive interaction (Steinsbekk et al. 2013). In fact, this problem, which often emerges when comparing dynamic consent to broad consent, is a false problem since this instrument appears to be perfectly capable of meeting the needs of those who prefer more passive participation, so to speak. In fact, it is possible for this type of participant to limit interactions to a minimum or avoid them altogether, or to choose a form of broad consent, which is usually provided by dynamic platforms.

4 Conclusion Dynamic consent is an innovative form of consent, and because of its functioning it is more than a legal instrument useful to research activities. Indeed, it represents a real social agreement between researchers and participants (McCormack et al. 2016) that is able to allow relevant activities of communication, recruitment, and involvement. Its objective is to guarantee continuous and bidirectional information, and therefore a pivotal role is played by the donor, who takes on a renewed role, becoming a real active participant in the research (Mascalzoni et al. 2008). Dynamic consent could represent a particularly efficient and convenient solution for biobanks, capable of overcoming the shortcomings of broad consent. In addition, dynamic consent would be able to better support the flow of new knowledge and new questions usually introduced by research activities. From an informational point of view, although the potentially constant involvement of donors may create concerns for researchers (D’Abramo 2015), it would also mitigate the concerns associated with broad consent (Stein and Terry 2013). In today’s highly digitalised age, it is reasonable to assume that continuous communication and involvement of the participant in research activities may not hinder progress but, if utilised correctly, could even benefit all parties involved and thus ultimately benefit research and its results. On the basis of these conclusions, and considering the need to restructure some fundamental notions of informed consent that might currently be considered obsolete (Henderson 2011), it is believed that the shift from a broad consent perspective that is completely research-oriented to a dynamic donor-oriented consent perspective might be particularly suitable for biobanking, despite the inevitable questions and doubts that may arise.

References Budin-Ljosne I, Bentzen HB, Solbakk JH, Myklebost O (2015) Genome sequencing in research requires a new approach to consent. Tidsskr Nor Laegeforen 132:2031–2032

Consent and Technology

127

Budin-Ljøsne I, Teare HJ, Kaye J, Beck S, Bentzen H, Caenazzo L, Collett C, D’Abramo F, Felzmann H, Finlay T, Javaid MK, Jones E, Katić V, Simpson A, Mascalzoni D (2016) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18(1):4. https://doi.org/10.1186/s12910-016-0162-9 Burstein MD, Robinson JO, Hilsenbeck SG, McGuire AL, Lau CC (2014) Pediatric data sharing in genomic research: attitudes and preferences of parents. Pediatrics 133:690–697. https://doi.org/ 10.1542/peds.2013-1592 D’Abramo F (2015) Biobank research, informed consent and society. Towards a new alliance? J Epidemiol Community Health 69:1125–1128. https://doi.org/10.1136/jech-2014-205215 D’Abramo F, Schildmann J, Vollmann J (2015) Research participants' perceptions and views on consent for biobank research: a review of empirical data and ethical analysis. BMC Med Ethics 16:60. https://doi.org/10.1186/s12910-015-0053-5 Dixon WG, Spencer K, Williams H, Sanders C, Lund D, Whitley EA, Kaye J (2014) A dynamic model of patient consent to sharing of medical record data. BMJ 348:g1294. https://doi.org/10. 1136/bmj.g1294 Fletcher B, Gheorghe A, Moore D, Wilson S, Damery S (2012) Improving the recruitment activity of clinicians in randomised controlled trials: a systematic review. BMJ Open 2(1):e000496. https://doi.org/10.1136/bmjopen-2011-000496 Henderson GE (2011) Is informed consent broken? Am J Med Sci 342:267–272. https://doi.org/10. 1097/MAJ.0b013e31822a6c47 Johnsson L, Helgesson G, Rafnar T, Halldorsdottir I, Chia KS, Eriksson S, Hansson MG (2010) Hypothetical and factual willingness to participate in biobank research. Eur J Hum Genet 18: 1261–1264. https://doi.org/10.1038/ejhg.2010.106 Kaye J (2012) Embedding biobanks as tools for personalised medicine. Norsk Epidemiol 21(2) Kaye J, Whitley EA, Lund D, Morrison M, Teare H, Melham K (2015) Dynamic consent: a patient interface for twenty-first century research networks. Eur J Hum Genet 23:141–146. https://doi. org/10.1038/ejhg.2014.71 Kuehn BM (2013) Groups experiment with digital tools for patient consent. JAMA 310:678–680. https://doi.org/10.1001/jama.2013.194643 Ludman EJ, Fullerton SM, Spangler L, Trinidad SB, Fujii MM, Jarvik GP, Larson EB, Burke W (2010) Glad you asked: participants' opinions of re-consent for dbGap data submission. J Empir Res Hum Res Ethics 5(9–16):9–16. https://doi.org/10.1525/jer.2010.5.3.9 Manson NC (2019) The biobank consent debate: why ‘meta consent’ is not the solution? J Med Ethics Epub. https://doi.org/10.1136/medethics-2018-105007 Mascalzoni D, Hicks A, Pramstaller P, Wjst M (2008) Informed consent in the genomics era. PLoS Med 5(9):e192. https://doi.org/10.1371/journal.pmed.0050192 McCormack P, Kole A, Gainotti S, Mascalzoni D, Molster C, Lochmuller H, Woods S (2016) ‘You should at least ask’. The expectations, hopes and fears of rare disease patients on large-scale data and biomaterial sharing for genomics research. Eur J Hum Genet 24:1403–1408. https://doi.org/ 10.1038/ejhg.2016.30 Perry J, Wöhlke S, Hessling AC, Schicktanz S (2016) Why take part in personalised cancer research? Patients' genetic misconception, genetic responsibility and incomprehension of stratification-an empirical-ethical examination. Eur J Cancer Care (Engl) 26. https://doi.org/ 10.1111/ecc.12563 Shrager J, Tenenbaum JM (2014) Rapid learning for precision oncology. Nat Rev Clin Oncol 11: 109–118. https://doi.org/10.1038/nrclinonc.2013.244 Spencer K, Sanders C, Whitley EA, Lund D, Kaye J, Dixon WG (2016) Patient perspectives on sharing anonymized personal health data using a digital system for dynamic consent and research feedback: a qualitative study. J Med Internet Res 18(4):e66. https://doi.org/10.2196/ jmir.5011 Stein DT, Terry SF (2013) Reforming biobank consent policy: a necessary move away from broad consent toward dynamic consent. Genet Test Mol Biomarkers 17(12):855–856. https://doi.org/ 10.1089/gtmb.2013.1550

128

A. Maierà

Steinsbekk KS, Myskja BK, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Hum Genet 21:897–902. https://doi. org/10.1038/ejhg.2012.282 Stoeklé H-C, Deleuze J-F, Vogt G, Hervé C (2017) Vers un consentement éclairé dynamique. Médecine/Sciences 33(2):188–192. https://doi.org/10.1051/medsci/20173302015 Thiel DB, Platt J, Platt T, King SB, Fisher N, Shelton R, Kardia SL (2014) Testing an online, dynamic consent portal for large population biobank research. Public Health Genomics 18:26– 39. https://doi.org/10.1159/000366128 Trinidad SB, Fullerton SM, Bares JM, Jarvik GP, Larson EB, Burke W (2010) Genomic research and wide data sharing: views of prospective participants. Genet Med 12:486–495. https://doi. org/10.1097/GIM.0b013e3181e38f9e Wee R, Henaghan M, Winship I (2013) Dynamic consent in the digital age of biology: online initiatives and regulatory considerations. J Prim Health Care 5:341–347 Williams H, Spencer K, Sanders C, Lund D, Whitley EA, Kaye J, Dixon WG (2015) Dynamic consent: a possible solution to improve patient confidence and trust in how electronic patient records are used in medical research. IMIR Med Inform 3(1):e3. https://doi.org/10.2196/ medinform.3525

Consent from Children and Vulnerable People What Protection Is Provided to People Who Are Not Able to Give Consent or Are Restricted in Their Ability to Give Consent, for Example, Children or People with Disabilities? Casimiro Benito Navarro Ojeda

1 Introduction Issues on how to obtain consent from minors or vulnerable people1 have drastically increased in the last few years, and the recent COVID-19 pandemic has significantly worsened their participation in medical activities, for example, in organ transplants or surgery. Thus, the question of how to protect the rights and interests of these vulnerable individuals has become of great relevance in the health context. The free expression of consent by children or persons with disabilities to medical or scientific experimentation is required by international2 and European Union legal instruments that recognise the freedom, responsibility and self-determination of these individuals as well as their rights to have access to age-appropriate and comprehensive information. As far as people with disabilities are concerned, health professionals are required to provide care of the same quality as provided to others, including the expression of free and informed consent, and to ensure that awareness is raised of their human rights, dignity, autonomy and needs through training and promulgation of ethical standards for public and private health care.3

For the purposes of this contribution, the expression ‘vulnerable people’ indicates people with intellectual disabilities or cognitive deficits threatening their capacity to understand, make decisions or plan activities. 2 UN convention on the Rights of Persons with Disabilities, New York 13 December 2006, 2515 UNTS 3, art. 15; art 23 b). 3 UN Convention on the Rights of Persons with Disabilities, cit. art. 25 d). 1

C. B. Navarro Ojeda (✉) Universidad de Las Palmas de Gran Canaria (ULPGC), Las Palmas de Gran Canaria, Spain e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_14

129

130

C. B. Navarro Ojeda

With reference to minors, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC—General Data Protection Regulation (hereinafter referred to as GDPR)4 expressly states that ‘Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’.5 Moreover, a joint reading of art. 6 a) and art. 8 GDPR seems to indicate that in the case of a child below the age of 16, the processing of personal data for specific purposes is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Another relevant provision within the wording of the GDPR that addresses vulnerabilities is art 9 c). This article deals with the processing of special categories and states that among the many exemptions, the processing of genetic data is allowed when ‘it is necessary to protect the vital interests of the data subject or of another natural person if the data subject is physically and legally incapable of giving consent.6 Against this background, the rise of medical–legal practise and the introduction of guidelines and international protocols have contributed to standardising the way consent must be obtained and, particularly, how potential risks to privacy should be tackled. When it comes to minors or people with disabilities, the need for protection enters the design of the clinical projects: the involvement of these vulnerable individuals not only requires appropriate competence and responsibility from health professionals but also demands social awareness through solidarity and legal safeguards (Simón 2000; Revnal Reíllo 2017). When minors and vulnerable people are involved in medical investigations and treatments, it is always necessary to ensure the maximum benefits and to limit the risks in view of their best interests. Depending on their age, physical and psychological maturity, minors should participate in decision-making processes (consent/ assent) and have the possibility to make choices. Children may lack the capacity to consent when they are affected by chronic diseases, or otherwise they may be competent irrespective of the maturity age (Revnal Reíllo 2017). When parents act on behalf of their children, they may be emotionally influenced in consenting to medical treatments or surgery: this emotional involvement may

4

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 5 GDPR, Preamble, Recital 38. 6 Ibid., art 9 c). Emphasis added.

Consent from Children and Vulnerable People

131

hamper effective awareness and engage minors and family caregivers in research projects that they probably do not really understand. Such difficulties may be overcome by framing informed consent into dynamic strategies that ensure dialogue and continuous two-way communication. Indeed, dynamic consent options may have the potential to increase parents and children’s awareness and educate patients about personalised medicine. From an ethical point of view, the more engaged procedures would result in a fairer relationship between doctors and patients, introducing dignity and human rights into medical practices. For this to happen, health professionals should combine knowledge and ethical values while considering consent as an interactive communication process that includes shared decisions and responsibilities between doctors and patients (Revnal Reíllo 2017; Kritko 2009).

2 Consent as an Ongoing Process for Medical Assistance Consent as an ongoing process begins when the doctor–patient relationship is established (Blake 2012) and continues throughout the monitoring of the pathology (Kvitko 2009). Informed consent does not only substantiate a legal and ethical obligation for the health professionals but also supports a person-centred care process involving patients’ understanding and willingness. Furthermore, each patient is unique, and data related to his/her health conditions increase in terms of quality and quantity during the disease journey (Simón 2000; Revnal Reíllo 2017). This implies that it is important to provide a constant dialogue with and access to information by the patient to guarantee his/her engagement. Healthcare providers have a duty to inform patients about healthcare treatments (not just operations) and the benefits and risks of procedures, and informed consent may be requested at different stages over the course of the treatments/diseases. Both parties of the informed consent process are required to act ethically: Healthcare providers must effectively communicate with the person to whom they are providing care, and patients must ensure that they fully understand and agree to treatments, procedures and interventions. When doctors enter into relationship with vulnerable individuals, their conduct is particularly scrutinised because of the fact that health conditions, the gravity of the disease or immaturity may considerably affect the self-determination and autonomy of these patients (Simón 2000; Kvitko 2009). Despite this, minors and people with an intellectual disability have the same rights to be asked for consent and to be involved in making decisions about their health. Moreover, impairment of the functioning of mind and brain as well as adolescence do not mean that people with disabilities or minors are unable to make decision. Thus, it remains essential to verify whether persons are mental capable to use information that is given and make communicable decisions. The specific

132

C. B. Navarro Ojeda

parameters to assess this capacity should be age, behaviours and cognitive development. Certain strategies must be applied to ensure and safeguard the participation of these patients in making health decisions, even when emergencies occur, including the use of accessible language and the provision of support in understanding the risks and benefits of decisions; giving consideration to patient opinions and attitudes; allowing the exercise of patient freedom (Simón 2000; Kvitko 2009). Considering informed consent as a process is even more relevant when tackling distant long-term consequences of health interventions or treatments. In this case, best interest decisions must be taken even with the support of family members.

3 The Legal Representative and Best Interest Decisions In principle, voluntary informed consent is essential when individuals have the legal capacity and are in a condition to freely make choices, without any constriction, fraud or violence. Informed consent also implies that the information provided is sufficient and understandable to allow responsible choices (Kvitko 2009; Revnal Reíllo 2017) to be made. In this context, the legal representative, whose involvement is mainly required by law, is a key figure in taking decisions on behalf of those children or persons who are legally incapable, mentally deficient or severely injured. When a patient cannot independently make decisions and there is no designation of a decision maker, laws may establish parameters to be followed to determine the legal surrogate decision maker. Sometimes a legal guardian may also be appointed by a court decision. Often parents and caregivers must be informed and taken into consideration when decisions will be made in the best interest of someone who lacks capacity or is legally incapable to consent. In this context, other people to be consulted or informed may be relatives or friends in a close relationship with the person involved, people who act or care for the person’s welfare and anyone previously indicated by the person to make decisions. When best interest decisions risk a restriction on the freedom of the person who lacks capacity, health professionals must ensure that such limitations are necessary to prevent the likelihood of harm or pain and that the restraints are proportionate in response to the disease. Respect for privacy and dignity must always be balanced with the necessity to act on behalf of the patients. A minor’s or other individual’s ability to make decisions may also be unclear or questionable. In this case, an assessment and evaluation by a psychiatrist may be requested to determine attitudes and competences.

Consent from Children and Vulnerable People

133

4 The Spanish Example in Tackling Health and Disability The aforementioned strategies and features to safeguard protection for minors or people with disabilities may be contextualised by taking the Spanish legal framework as an example. In Spain, it is established that any action in the health area generally requires the patient’s and user’s prior consent. Such consent must be obtained after appropriate information has been provided to patients; in fact, this ensures the patient’s right to access to information. In case of minors or patients with disabilities, it is mandatory to inform the legal representative. Informed consent is the result of a free, voluntary and intended decision of a patient. It is consciously expressed after the patient has received adequate information about the effects on health. Issues may arise in cases of denial or absence of consent or when patient consent is waived for medical treatments that negatively affect them or third parties. There are some circumstances in which consent cannot be given by the patient. These include: (a) he/she lacks the legal capacity to make decisions; (b) health professionals verify the physical or mental conditions that influence the cognitive abilities of the patients; (c) a final judgement or a competent Administration’s decision determines the mental inability or evaluates the degree of disability (Revnal Reíllo 2017; Cadenas Osuna 2018). In these cases, consent is provided by family members, and the same occurs if the patient is not assisted by a legal representative. Clinical trials and assisted human reproduction techniques are generally realised when individuals reach the legal age. When minors or people with judicially modified capacity undergo voluntary termination of pregnancy, a manifestation of willingness is required jointly with the expression of consent by the legal representative. When consent is granted by the legal representative or family members, the decision must be taken to ensure the greatest benefit for the life or health of the patient. Decisions that are contrary to the best interest must be reviewed by judicial authorities, directly or through the public prosecutor. Health professionals adopt all necessary measures to safeguard the life or health of the patient in cases of emergencies when there is not enough time to obtain judicial authorisation. People with disabilities must be supported by measures that ensure accessible and understandable information in order to encourage their participation and engagement in health decision making (Simón 2000; Kvitko 2009; Revnal Reíllo 2017). The first additional provision of the Organic Law 1/2015 of 30 November 2015, which modified the Organic Law 10/1995 of 23 November 1995, established that the sterilisation referenced in the second paragraph of art. 156 of the Criminal Code must be authorised by the judge who determines the disability degree or in a subsequent contradictory process. The request is made by the legal representative of the person who will undergo sterilisation, and the decision is taken after having heard the

134

C. B. Navarro Ojeda

opinion of two specialists and the public prosecutor and on the basis of the examination by the judge (Revnal Reíllo 2017; Cadenas Osuna 2018). The Royal Decree 1090/2015 of 4 December 2015, which adapts the Spanish legislation to the Regulation of the European Union for clinical trials of medicine for human use, establishes that in the case of disabled persons, the information will be shown in appropriate formats in the same way as for others in order to be accessible and understandable. Adequate supporting measures shall be taken to make it easier for that person to give his/her own consent (Cadenas Osuna 2018; Revnal Reíllo 2017). Pursuant to art. 4 b) of the Law 30/1979 of 27 October 1979 on the extraction and transplanting of organs (as reformed by Law 26/2011 of 1 August 2011 of normative adaption to the International Convention of the Human with Disabilities Rights), ‘the donor must have full mental faculties and must be previously advised about the consequences of his decision’ (Revnal Reíllo 2017; Cadenas Osuna 2018). Regarding cell and human tissue donation, it is Law-Royal Decree 9/2014 of 4 July 2014 that regulates the quality and security of the donation rules as well as the obtaining, evaluation, processing, preservation, storage and distribution of the human cells and tissues.

5 Conclusion Informed consent remains a key feature to ensure protection of vulnerable individuals, that is, minors and people with disabilities when making decisions about health. In the patient–doctor relationship, informed consent represents both a legal and ethical requirement of the due diligence of health professionals and the main element of patient self-determination and autonomy. The analysis has shown that many requirements of informed consent as established by international and European Union law instruments are introduced at the national level. Spanish laws, for example, provide evidence of the necessity of informed consent and require the presence of a decision-maker surrogate or legal representative in cases of incapacity. To answer the burning question, it would also be necessary to set up conditions for an active collaboration between health practitioners and patients by means of appropriate information tools and adequate explanations. This is to allow people with disabilities and minors to understand the consequences of their choices and have enough time to ask for support. However, it is necessary to be conscious of the existing contradictions in the law when it requires full capacity to act, and it is important to promote the awareness of programmes on intellectual disability in the health sector. This is not only to spread solidarity towards vulnerable individuals but also to support health professionals who care for patients with cognitive deficiencies.

Consent from Children and Vulnerable People

135

References Blake V (2012) When is a patient-physician relationship established? Virtual Mentor 14(5): 403–406. https://doi.org/10.1001/virtualmentor.2012.14.5.hlaw1-1205 Cadenas Osuna D (2018) El consentimiento informado y la responsabilidad médica. Agencia Estatal Boletín Oficial del Estado, Madrid Kvitko LA (2009) Consentimiento informado. Dosyuna, Buenos Aires Reíllo ER (2017) Consentimiento Informado y Responsabilidad en el Ámbito Sanitario. Aranzadi, Pamplona Simón P (2000) El consentimiento informado [Informed consent]. Triacastela, Madrid

Consent Withdrawal What Is the Procedure If Consent Will Later Be Withdrawn Valentina Colcelli

1 Introduction To answer the question about the consequences of withdrawing consent, we must recall the analysis about the consent applied to research, because of a distinction between the processing of health data for purely scientific research purposes and in the case of clinical trials. This distinction has an effect also when—and if—the data subject decides to withdraw her/his consent. On this point, the conclusion of the chapter R. Cippitani ‘Consent Requirements’ in this book must be evoked. We also must take into consideration the difference between informed consent according to art. 28 of Regulation (EU) n. 536/2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal products for human use, and repealing Directive 2001/20/EC (hereinafter Regulation of Clinical Trial) from the explicit consent established in the art. 7 Reg. (EU) n. 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR).1 Moreover, the legal basis grounding the treatment of personal data has an impact on how to manage the withdrawal of consent. In Sect. 2 of this chapter, we analyse some items to correctly define withdrawal. In Sect. 3, we study the effect of the withdrawal of consent in the case of purely

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

V. Colcelli (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_15

137

138

V. Colcelli

scientific research purposes and in the case of clinical trials. Section 4 examines the interaction between consent and other lawful grounds in Article 6 GDPR, in the case of the withdrawal of consent. Section 5 concludes by trying to directly answer the main question.

2 Some Elements to Focus the Meaning of Withdrawal in Light of the GDPR According to Article 7 (3) of the GDPR, ‘The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.’ This statement shows how the withdrawal influences the explicit consent: if the withdrawal does not have the requirements dictated by the law, the mechanism of consent does not comply with the GDPR. Therefore, to acquire consent, the controller must inform the data subject about her/his right to withdraw and how to exercise that right.2 Moreover, the data subject may, without any resulting detriment and without having to provide any justification, withdraw from the purely research activities or from the clinical trial at any time by revoking her/his informed consent. Among the requirements mentioned above, the flexibility to withdraw is one of the most important: to withdraw has to be as easy as to give consent. The action for the exercise of the right of withdraw to be easy, it could be realised in the same way the data subject provided the consent. Actually, the GDPR does not require the same action, but it could be important in the case of consent for research activities in which the consent is obtained by technological instruments, as it could be in the case of using dynamic consent through a website in a biobank. The Work Group n art. 29 analysed such a situation as a general case: When consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily. Where consent is obtained through use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort.3

GDPR, Recital 39, which refers to Articles 13 and 14 of that regulation, states that ‘natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing’. 3 Guideline on consent under Regulation 2016/679, Article 29 Working Party published 28 November 2017, WP259, p. 21. https://ec.europa.eu/newsroom/article29/item-detail.cfm? item_id=623051. 2

Consent Withdrawal

139

The cases described will be common in the near future with the development of instruments to implement dynamic consent (see the chapter in this book: S. Brizioli ‘Dynamic Consent’) or the meaning of blockchain in biobanking activities (see the chapter in this book F. Zatti ‘Blockchain and Dynamic Consent’). Using technological instruments, such as an app or website, to obtain the consent of patients or participants in research means adopting an easy way to withdraw by the same actions used for giving consent. This easy approach seems usable when the consent is given in the context of a written declaration on paper. The consent form should always specify how to withdraw, such as by email. In light of the Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (hereinafter Guidelines) adopted by the European Data Protection Board (hereinafter EDPB) on 21 April 2020,4 which aim to shed light on legal questions concerning the use of health data for the purpose of scientific research and to analyse the application of the GDPR for the processing of health data for the purpose of scientific research in the context of the COVID-19 pandemic (see the chapter in this book: V. Colcelli ‘Covid-19’), withdrawal of consent is one of the data subject’s rights that cannot be limited. Although the jurisprudence from the European Union Court of Justice5 notes that any restriction of rights of the data subjects must be applied only to the extent necessary, the Guidelines underline that Article 89(2) of the GDPR allows the national legislator to limit (some of) the data subject’s rights set out in Chapter 3 of that regulation. However, the restrictions of data subjects’ rights may vary depending on the legislative provisions enacted in each member state. In this situation, the current COVID-19 outbreak does not suspend or restrict the possibility for data subjects to exercise their rights under Articles 12 to 22 of the GDPR, and the right to withdraw cannot be limited.

3 The Impact of the Withdrawal on the Purely Research Activity and/or Clinical Trial The EDPB considers that the withdrawal of informed consent under Article 28(3) of the Clinical Trials Regulation should not be confused with the withdrawal of consent under the General Data Protection Regulation (EDPB 2019) because in the context of clinical trials, the consent of the data subject is limited to processing exclusively related to research activities. If consent is used as a legal basis for processing

4

Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted by the European Data Protection Board on 21 April 2020. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_ healthdatascientificresearchcovid19_en.pdf. 5 CJUE 14.02.2019 C-345/17 (Buivids), recital 64.

140

V. Colcelli

health-related data for research purposes, the data subject is always entitled to withdraw her/his consent at any time, pursuant to Article 7(3) of the GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before the withdrawal. This a general rule that does not provide for any exception for scientific research.6 If consent is used as a legal basis for processing health-related data for research purposes, the data subject must have the opportunity to withdraw the consent at any time, pursuant to Article 7(3) of the GDPR. If consent is withdrawn, all processing operations that were based on consent remain lawful, in accordance with the GDPR, but Article 17(1)(b) and (3) of the GDPR reminds us that the controller must cease the processing activities in question and, in the absence of any other legal basis justifying retention for further processing (e.g., further storage), the data should be deleted. In the context of a clinical trial, the data subject may, without any resulting detriment and without having to provide any justification, withdraw from the clinical trial at any time by revoking her/his informed consent. Otherwise, as mentioned above, if in the context of clinical trials, the consent of the data subject is limited to processing exclusively related to research activities. This implies that in the event of withdrawal of consent by the data subject, all research activities carried out with the clinical trial data relating to that person must cease. Thus, withdrawal of consent shall not affect processing operations that are based on other legal grounds, in particular legal obligations to which the sponsor/experiencer is the subject, such as those related to security purposes (EDPB 2019). For clinical trial activity grounded on consent, according to art. 28 (3) of the Regulation on Clinical Trial, ‘the withdrawal of the informed consent shall not affect the activities already carried out and the use of data obtained based on informed consent before its withdrawal’.

4 The Case of Withdrawal of Consent and Other Legal Bases for Personal Data ‘Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, assuming that there is no other purpose justifying the continued retention. Besides this situation, covered in Article 17 (1)(b), an individual data subject may request erasure of other data concerning him that is processed on another lawful basis, e.g. on the basis of Article 6(1)(b).’7 This provision must also take into account the Clinical Trials Regulation and the different nature of the consent underlying the research activity.

6

Guideline on consent under Regulation 2016/679, Article 29 Working Party published 28 November 2017, WP259. p. 21. https://ec.europa.eu/newsroom/article29/item-detail.cfm? item_id=623051. 7 Ibid.

Consent Withdrawal

141

In the case of a clinical trial, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health, while setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety related purposes). These two main categories of processing activities fall under different legal bases distinguished from consent. So, the withdrawal of consent does not affect the processing operations related to the purposes of protection of health. Therefore, in the processing of personal data in the context of the Clinical Trials Regulation, (1) a safety communication or inspection by the competent national authority, or (2) the retention of clinical trial data in accordance with the archiving obligations established by a clinical trial regulation or by the relevant national legislation, must be considered necessary to comply with the legal obligations to which the sponsor and/or the investigator (EDPB 2019, p. 5) are subject, whose legal basis for the treatment is not consent. At the same time, the processing of personal data by data controllers could be considered as ‘necessary for the performance of a task carried out in the public interest’ pursuant to Article 6(1)(e) GDPR also if the conduct of the clinical trial directly falls within the mandate, mission, and task vested in a public or private body by national law (European Commission-DG Health and Food Safety 2019). The legal basis shall be laid down by Union or member state law (Article 6(3) GDPR). In this case, as in the case of purely research activity, out of the application of the consent as a legal basis, Article 6 lays down the conditions for lawful processing of personal data and describes six legal bases on which a controller may rely: The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose. (. . . .) In cases where the data subject withdraws his/her consent and the controller wishes to continue to process the personal data on another lawful basis, they cannot silently migrate from consent (which is withdrawn) to this other lawful basis. Any change in the lawful basis for processing must be notified to a data subject in accordance with the information requirements in Articles 13 and 14 and under the general principle of transparency.8

5 Conclusion Consent in the context of the Clinical Trials Regulation should not be confused with the notion of consent as a legal basis for the processing of personal data under the GDPR. The difference will also have an impact in the case of withdrawal of consent: in the context of clinical trials, the data subject’s consent is limited to processing related exclusively to research activities. Without prejudice to the GDPR, the withdrawal of informed consent shall not affect the activities already carried out and the use of data obtained based on informed consent before the withdrawal. In the

8

Ibid.

142

V. Colcelli

case of withdrawal of consent by the data subject, all research activities carried out with the clinical trial data relating to that person must cease. Withdrawal of consent shall not affect processing based on other legal grounds, such as legal obligations to which the sponsor/experiencer is subject (e.g., those related to security purposes). When consent is used as a legal basis for processing health data for research purposes, if consent is withdrawn, all processing operations that were based on consent remain lawful, in accordance with the GDPR. However, the controller will cease the processing activities in question and the data will be deleted in the absence of any other legal basis justifying their retention for further processing.

References EDPB (2019) Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1. b)). Adopted on 23 January 2019. https://edpb.europa.eu/sites/default/files/files/file1/edpb_ opinionctrq_a_final_en.pdf European Commission-DG Health and Food Safety (2019) Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation. https://ec. europa.eu/health/sites/health/files/files/documents/qa_clinicaltrials_gdpr_en.pdf Guideline on consent under Regulation 2016/679, Article 29 Working Party published 28 November 2017, WP259. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_ id=623051 Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted by the European Data protection Board on 21 April 2020. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guide lines_202003_healthdatascientificresearchcovid19_en.pdf

Covid-19 Are the Rules of the GDPR on Scientific Research—If Correctly Applied: Able to Guarantee Personal Health Data in the Context of Covid-19 Research Activities? Valentina Colcelli

1 Introduction The pandemic crisis currently sweeping the world provides the European Union’s personal data protection system with a test case to verify its ability to support scientific research by tackling the health emergency. Guidelines 03/2020 in the context of the COVID-19 outbreak (hereinafter Guidelines) adopted by the European Data Protection Board (hereinafter EDPB) on the 21st of April 20201 aim to shed light on legal questions concerning the use of health data in the context of scientific research and to analyse the application of the GDPR2 for the processing of health data for scientific research purposes against the background of the COVID-19 pandemic. In the Guidelines, the EDPB affirms that GDPR rules for the processing of health data for scientific research purposes are also fully applicable in the context of the COVID-19 pandemic, and thus are sufficient to secure associated research and data, then they—a fortiori—can be more usefully applied to research activity beyond this particular period.

1

Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted by the European Data protection Board on the 21st of April 2020, in https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guide lines_202003_healthdatascientificresearchcovid19_en.pdf. 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. V. Colcelli (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_16

143

144

V. Colcelli

The Guidelines do not revolve around the processing of personal data for epidemiological surveillance, and in any case developing further and more detailed guidance for the processing of health data for the purpose of scientific research is part of the annual work plan of the EDPB. Thus, the Guidelines aim to shed light on the most urgent questions related to research activity related to the pandemic crisis, including its legal basis, implementation of adequate safeguards for such processing of health data and exercise of subject rights, and the application of GDPR for the processing of health data for scientific research purposes in the context of the COVID-19 pandemic. No special rules for such research activity processing under the pandemic crisis are required, nor are they applicable for scientific research efforts in the fight against SARS-CoV-2 in order to produce research results as fast as possible; this is because the GDPR foresees a specific derogation to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for these purposes of scientific research (art. 9 (2) (j) GDPR and art. 89 (2) GDPR). As a matter of fact, while it is true that Regulation (EU) 2016/679 is a wideranging piece of legislation and includes several provisions related to scientific research that favour it—or rather favour an understanding of its specific needs—its application is not always easy in the context of research, or at least not well understood by researchers themselves. On the issue of processing health data for scientific research purposes, in the hypothesis of clinical trials, the GDPR should be applied simultaneously with the Clinical Trials Regulation in the European Union, which provides for specific relevant provisions but not derogations from the GDPR. The guidelines use the definition of personal health data denied in art. 4 point 15 of the GDPR, but it emphasises that the broad interpretation of the notion of data concerning health, as referred to in the case law of the Court of Justice of the European Union and also supplemented by the notion of mixed data as set out in Regulation (EU) 2018/1807 (datasets composed of both personal data and non-personal data whose former are inextricably linked to the latter), must be taken into account. Thus, starting from the aforementioned affirmation, this chapter will analyse the main questions derived from Guidelines 03/2020. The last paragraph concludes the key question, also in the light of the international data transfers because of COVID19 research.

2 Alternative Legal Basis to Consent: Public Interest or Legitimate Interest of the Data Controller The legal basis for processing changes depending on the purposes both when data of a health nature are processed for scientific research ‘or/as well as’ for scientific research related to clinical trials, on the assumption that they are connected to a

Covid-19

145

research project, has been drawn up in accordance with the methodological standards of the relevant disciplinary field. The legal basis for processing is not consent in the context of the Clinical Trials Regulation if the processing of personal data of a health nature is considered necessary in order to comply with the legal obligations to which the sponsor and/or the investigator are subject (such as in the case of a safety communication or inspection by the national competent authority, the storage of clinical trial data in accordance with the archiving obligations set out in the Clinical Trials Regulation, or as the case may be in the relevant national legislation). Thus, for reasons of reliability and safety in the case of clinical trials the legal basis is then art. 6(1)(c), i.e., the fulfilment of a legal obligation to which the data controller is subject (see the chapter in this book: V. Colcelli ‘Consent Withdrawal’). In contrast, research-related processing in the context of a clinical trial may fall under three different legal bases: consent (art. 6(1)(a), read in conjunction with art. 9(2)(a)); public interest (art. 6(1)(e)); or a basis that is necessary to pursue the legitimate interest of the controller (art. 6(1)(f), read in conjunction with art. 9(2) (i) or (j)). Additionally, the Guidelines state that in the COVID-19 context—if there was a need to do so with regard to the general approach underlying the GDPR—that the processing of health data for scientific research purposes must fall within one of the legal bases referred to in art. 6(1) of the GDPR, without prejudice to national law. Furthermore, the consent of the data subject, collected pursuant to art. 6(1)(a) and art. 9(2)(a) GDPR, may provide a legal basis for the processing of data concerning health in the COVID-19 context. Regardless, the processing of health data for research purposes may therefore be based on other legal bases than consent, i.e., on the conditions laid down in art. 6(1)(e) or (f): public interest or legitimate interest of the data controller. The Guidelines consider that, depending on the specific circumstances of the clinical trial, the appropriate condition in Article 9 for all processing of health personal data for exclusively research purposes could be: (a) ‘reasons of public interest in the field of public health [. . .] based on the law [. . .] of the Member States’ (art. 9(2)(i)) or, (b) ‘purposes of [. . .] scientific research [. . .] in accordance with art. 89(1), on the basis of Union or national law’ (art. 9(2)(j)). Moreover, art. 168 of the Treaty on the Functioning of the European Union (hereinafter EU) identifies a ‘high level of human health protection’ as one of the most important EU objectives that ‘shall be ensured in the definition and implementation of all Union policies and activities’. Union action shall cover the fight against the major health scourges by promoting research into their causes, their transmission and their prevention, and monitoring, providing early warning of and combating serious cross-border threats to health. On this basis, in the context of a clinical trial, as well as the COVID-19 outbreak, processing personal data ‘is necessary for reasons of public interest in the area of public health’. Consequently, an appropriate condition for the lawfulness of the

146

V. Colcelli

processing of special categories of data in the context of such obligations is art. 9(2) (i)—if it assures ‘[. . .] high standards of quality and safety of health care and of medicinal products and medical devices, on the basis of Union or Member State law providing for appropriate and specific measures to protect the rights and freedoms of data subjects, notably professional secrecy’ (EDPB 2019, p. 5). It is understood that the two aforementioned public interest hypotheses must find their basis in Union or Member State law, and thus be based on rules providing for appropriate and specific measures to protect the rights and freedoms of data subjects. A legal basis qualifying as public interest or legitimate interest of the data controller is applicable because of art. 9 GDPR, which provides for a specific derogation to the general prohibition to process special categories of data. This is indeed a foreseen possibility, with the indication that the derogating rules, be they European or enacted at Member State level, will have to pay special attention to professional secrecy with regard to the hypothesis referred to in letter (i) of Article 9, and apply only to the extent strictly necessary (in art. 89(2) GDPR) with regard to the necessary processing for archiving for public interest, scientific or historical research, or statistical purposes. Recital 45 of the GDPR clarifies that the Regulation does not require there to be a specific legislative act for each individual processing operation (i.e., for each clinical trial). A legislative act serving as a basis for several processing operations based on the performance of a task in the public interest may be sufficient (EDPB 2019, p. 8).3 In any event, all laws enacted based on art. (9)(2)(i) and (j) of the GDPR must be interpreted in light of the principles under Article 5 of the GDPR and in consideration of the case law of the ECJ. In particular, the exemptions and limitations in relation to data protection provided for in art. 9(2)(j) and art. 89(2) of the GDPR should only apply to the extent strictly necessary. So, for instance, a large population-based study conducted on COVID-19 patient records established by national rule certainly falls within the legal basis of public interest (EDPB 2019, p. 8). ‘For all other situations where the conduct of clinical trials cannot be regarded as necessary for the performance of public interest tasks conferred on the controller by law, the Committee considers that the processing of personal data could be ‘necessary for the purposes of pursuing the legitimate interests of the controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject are not overridden’ under art. 6(1)(f) of the General Data Protection Regulation’ (EDPB 2019, p. 8) (concerning the definition on legitimate interests of the controller or a third party, see the chapter in this book: T. Petrašević & R. Ćosić ‘Legitimate Interests’).

3

See also Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted 9April 2014, WG29, p. 22.

Covid-19

147

3 Management of Personal Data for Scientific Research Purposes Related to the COVID-19 Pandemic: Transparency, Information, Retention Period In the context of the COVID-19 outbreak, one must pay particular attention to measures for safeguards and the security of personal health data. The Guidelines stressed specific focus on these elements. According to art. 89(1) of the GDPR, data processing for research ‘shall be subject to appropriate safeguards’ since safeguards shall ensure that technical and organisational measures are put in place, in particular to ensure that the principle of data minimisation is respected. The requirements of art. 89(1) of the GDPR emphasise the importance of the principle of data minimisation and the principle of integrity and confidentiality, as well as the principle of data protection both by design and by default. Data must be anonymised wherever possible to carry out scientific research, otherwise appropriate safeguards for the data subject are ensured by compliance with the principle of minimisation. In most cases in scientific research, it is possible to comply with the principle of minimisation by specifying the research questions and assessing the type and amount of information needed to adequately answer those questions. Such measures may include pseudonymisation, provided these purposes can be met in that way, or the use of encryption, non-disclosure agreements and strict authorisation, and restriction and record-keeping provisions. Considering the sensitive nature of health data and the risks when reusing such data for scientific research purposes, rigorous measurements must be carried out in order to ensure an appropriate level of security as required by art. 32(1) of the GDPR. There must also be an appreciation of whether or not a personal data protection impact assessment (DPIA) must be carried out pursuant to art. 35 GDPR when the processing ‘is likely to present a high risk to the rights and freedoms of natural persons’ (Recital 75 GDPR). International data transfers may be a risk factor to be considered in the context of a DPIA under art. 35 GDPR (see chapter in this book: R. Cippitani ‘Transfer of the Personal Data for Research Purposes Towards Non-EU Countries’). The Guidelines remind us that the main innovation introduced by the GDPR is the principle of accountability, which aims to ensure compliance with data protection principles and implies a cultural change that endorses transparent data protection, privacy policies and user control, internal clarity and procedures for privacy operations, and high-level, demonstrable accountability to external stakeholders and data protection authorities. The GDPR requires that the data controller is responsible for ensuring that all privacy principles are respected. In addition, the GDPR requires the organisation and body to demonstrate compliance with all the principles of the Regulation; namely, the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. The appointment of a Data Protection Officer (DPO) is one way of incorporating the principle of accountability.

148

V. Colcelli

The principles of both accountability and minimisation bring with them respect for the principle of proportionate storage periods. Proportionate retention periods (terms) must be established. In order to define such retention periods, criteria such as the duration of the research and its purpose must be taken into account. National provisions can also establish rules on the storage period and, therefore, must be considered. In the current pandemic situation, researchers may process health-related data that they have not obtained directly from the data subject, for example because they use data from medical records or from abroad. According to the GDPR, when data is collected from the data subject, information must be provided at the time the personal data is obtained and when the information is updated, in accordance with the general principles of fair and transparent processing (arts. 13 and 14). When data is collected through third parties and/or used for secondary purposes, information must be provided ‘within a reasonable period after obtaining the personal data, but at the latest within one month’ (art. 14 GDPR). In general, the obligation to provide information does not apply where and to the extent that the data subject has already received information about the processing. Where personal data have been obtained not from the data subject but from another source, there is an exemption from the obligation to provide information to the person if: – the provision of such information proves impossible, – the provision of such information would involve a disproportionate effort, and/or – the obligation is likely to render impossible or seriously prejudice the attainment of the research objectives of the processing of personal data. In the context of the emergency caused by COVID-19, to guarantee the rights and freedoms of data subjects, the Guidelines expressly call for consultations with ‘data protection officers regarding the processing of health data for scientific research purposes’.

4 Conclusion According to the Guidelines, the GDPR provides special rules for the processing of health data for scientific research purposes that are also applicable in the context of the COVID-19 pandemic.4 Following the logic of the EDPB, it can be argued that if the GDPR rules for the processing of health data for scientific research purposes are

4

No further legislation is needed for the EU to address the pandemic, and so in each Member State the national legislator may adopt specific legislative provisions in accordance with Article 9(2) (i) and (j) of the GPRS to allow the processing of health data for scientific research purposes. Guidelines 03/2020, cited p. 14.

Covid-19

149

sufficient to ensure research and data in the face of the current pandemic, these rules can be more meaningfully applied to research activities beyond this exceptional period. Therefore, we conclude by summarising how much of the Guidelines under consideration can be extended as a more general reflection on the issue of scientific research in the field of health data. The Guidelines do not apply to the processing of personal data for epidemiological surveillance. As a result, it is possible to answer the main question, namely whether the GDPR on scientific research—if correctly applied—is able to guarantee personal health data in the context of COVID 19 research activities, with the following specificities regarding its application. The Guidelines use the definition of personal health data in art. 4 point 15 of the GDPR, but it emphasises how the broad interpretation of the notion of data concerning health must be taken into consideration, as recalled by the jurisprudence of the Court of Justice of the European Union and integrated with the notion of mixed data as per Regulation (EU) 2018/1807 (sets of data composed of both personal data and non-personal data, the former of which are inextricably linked to the latter). The Guidelines analyse the legal basis of processing of health data and scientific research. The GDPR, the starting point in the hypothesis of clinical trials, must be applied simultaneously with the Regulation on clinical trials, which provides for specific provisions relevant to but not derogations from the general regulation on data protection. The legal basis for the processing of health data could change according to the purposes, both in the hypothesis in which the health data are processed for scientific research as well as for scientific research related to clinical trials (see chapter in this book: V. Colcelli ‘Consent Withdrawal’). The consent of the data subject, collected pursuant to art. 6 (1) (a) and art. 9 (2) (a) GDPR, may provide a legal basis for the processing of data concerning health in the COVID-19 context. It has to be noted that all the conditions for explicit consent, particularly those found in art. 4(11), art. 6(1)(a), art. 7 and art. 9(2) (a) GDPR, must be fulfilled. Notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement or ‘clear affirmative action’.5 Additionally, in light of the fight against COVID-19 the processing of health data for research purposes may, therefore, be based on legal grounds other than consent: public interest or legitimate interest of the data controller (art. 6(1)(e) or (f)). In the context of both a clinical trial and the COVID-19 outbreak, ‘processing is necessary for reasons of public interest in the area of public health’, meaning high standards of quality and safety of health care and of medicinal products and medical devices, if Union or Member State laws provide appropriate and specific measures to protect the rights and freedoms of data subjects. Indeed, Member States may

5

Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak.

150

V. Colcelli

maintain or introduce more specific provisions adapting the application of the rules of the Regulation with regard to processing when such processing is necessary for compliance with a legal obligation to which the controller is subject or when such processing is necessary in order to protect the vital interests of the data subject or of another natural person, by determining more specific requirements for processing and other measures to ensure it is lawful and accurate. Taking into account the risks posed by data processing in the context of the COVID-19 outbreak, it is necessary to claim compliance with art. 5, paragraph 1, letter (f), art. 32, paragraph 1, and art. 89, section 1 of the GDPR. Moreover, the relevance of carrying out an impact assessment related to data protection in accordance with article 35 of the GDPR must be strongly considered. In the framework of the research activity for Covid-19, data retention periods should be proportionate. In this context, criteria such as the duration and purpose of the research should be examined. National provisions may also regulate the retention period, and this should be reviewed. More generally, all systems can be strongly influenced by legislation enacted at Member State level, given the constant reference to this possibility by the GDPR in art. 9(2)(i) and (j). In the field of pandemic control, international cooperation cannot be disregarded, involving international transfers of health data for scientific research purposes outside the EU (e.g., to identify treatments and/or develop vaccines); The international data transfers because of COVID-19 research, in the absence of a decision on adequacy under art. 45(3) of the GDPR or of adequate safeguards under Article 46 of the GDPR, could be realized according to the art. 49 GDPR. The above mentioned article: envisages certain specific situations under which transfers of personal data can take place as an exception. The derogations enshrined in art. 49 GDPR are thus exemptions from the general rule and, therefore, must be interpreted restrictively, and on a case-by-case basis. Applied to the current COVID-19 crisis, those addressed in art. 49 (1) (d) (“transfer necessary for important reasons of public interest”) and (a) (“explicit consent”) may apply.

References EDPB (2019) Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1. b)). Adopted on 23 January 2019. https://edpb.europa.eu/sites/default/files/files/file1/edpb_ opinionctrq_a_final_en.pdf Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted by the European Data Protection Board on the 21st of April 2020. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_ guidelines_202003_healthdatascientificresearchcovid19_en.pdf Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. Adopted on 9 April 2014, WG29 Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020

Dynamic Consent According to Sentence Three of Recital 33, Persons Whose Data Are to be Stored for Future Research Projects Should be Given the Opportunity to Provide Their Consent to Only Certain Areas of Research or Parts of Research Projects to the Extent Permitted by the Purpose Pursued. How Can This Be Realised? Sabrina Brizioli

1 Introduction To answer the question, a brief overview of dynamic consent is necessary. New ethical and regulatory concerns have arisen in the context of research activities because the ability of researchers to gather, store and analyse data has increased, but the involvement of participants has not kept pace with information technologies and digital networks (Kohane et al. 2007). The challenge for consent comes when further research activities and projects, or parts thereof, entail the use of data that were collected for previous specific research projects to which the participants had consented (Boddington et al. 2011). To meet the needs of the twenty-first century, the expression ‘meaningful informed consent’ (Mascalzoni et al. 2008) was coined and a more flexible way to give assent or approval emerged: dynamic consent. Looking closely at biomedical research developments, some scholars refer to dynamic consent as ‘both a specific project and a wider concept that offers a new approach to consent [. . .]’ and they put at its core ‘a personalised, digital communication interface that connects researchers and participants, placing participants at the heart of decision making’ (Kaye et al. 2015). The ongoing expression of donor consent across time implies subsequent proposals or interviews after the initial ‘broad’ consent was given; through the renewal of consent, the data donor gives a ‘social licence’ to the research activity, that is, the social and acceptable (and ideal) ‘permit to use’ that has the features of the promotion of the active participation of individuals and their awareness (Starkbaum and

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_17

151

152

S. Brizioli

Felt 2019). In this sense, dynamic consent enriches and makes research more impactful by emphasising the importance of autonomy of choice and the value of individual knowledge. The increased participation of the data giver through dynamic consent satisfies both the legal and regulatory requirements for research consent and aims to transform participants into partners in the research process (Kaye et al. 2012).

2 Setting the Scene for Dynamic Consent To clarify the potentiality of the dynamic formula of consent, it is worth underlying its peculiarities while comparing it to the models of consent envisaged by the legal framework of the General Data Protection Regulation (hereinafter referred to as GDPR).1 Specific consent is generally required by the GDPR (art. 4 par. 11), but it also allows certain kinds of derogations in the name of scientific research that could challenge ethical requirements and the protection of participants. Recital 33 of the GDPR is crucial in this sense since it indicates that potential exceptions and broader manifestations of consent could occur for certain areas of scientific research, although the latter are not precisely defined. 2 The sole indication provided by the wording of the GDPR is that ‘data subjects should have the opportunity to give their consent only to projects to the extent allowed by the intended purpose’. The GDPR’ s legitimation of research based on dynamic consent relies on the assumption that all processing, storing and collection activities require justification. According to art. 9, there are at least three rationales for such an assumption: (a) explicit consent for one or more specified purposes; (b) substantial public interest; (c) archiving purposes in the public interest for scientific or historical research purposes. For these reasons, consent should be sought whenever possible and in relation to research relevance and its specificities. While specificity could be seen to be in direct conflict with broad consent, the reference to it in sentence 3 of recital 33 of the GDPR seems to offer support for dynamic consent, especially since the article recognises ‘the possibility to express consent’ for ‘certain areas of scientific research or parts of research projects to the extent allowed by the intended purpose’. The joint reading of these two short phrases signifies that scientific research projects can include personal data when they have well-described purposes, and subsequent granular consent should be expressed following the ex ante broad

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 GDPR, Recital 33, sentence 3.

Dynamic Consent

153

consent. In other words, as research advances, subsequent steps of the project need to be validated by the manifestation of consent before the next stage begins. That said, one should be aware of the peculiarities of dynamic consent compared to general and broad consent. Dynamic consent is not an alternative form of consent but is instead an approach to informed consent that aims to (re-)use and to enable on-going engagement of data subjects (Kaye et al. 2015). Its scope is to enhance communication between individuals, researchers and custodians of data to give or re-consider the manifestation of consent. But dynamic consent could also enable data subjects to enrol in a new study, to tailor the way they receive information or change their preferences. This could lead to ease of contact when individuals’ opinions are needed or new consent is required. Such involvement is particularly fruitful when considering at least two ‘delicate situations’: (a) results or research become available many years after sampling or after initial consent was expressed; (b) consent evolves alongside the project and should be more specific. Considering the interplay between dynamic consent and broad consent, it is possible to ascertain that both schemes of consent can be seen as means to respect the willingness of individuals to take part (or not) in research, but as said by its proponents, the main benefit of dynamic consent is that individuals give consent for research in real time rather than being asked to give broad consent at the beginning of the research (Steinsbekk et al. 2013). While the broad consent scheme requires a fit-for all and ‘monolithic’ decision at the initial steps of the research without further specificities or insights into the research stages, the dynamic consent formula gives participants the possibility of glimpsing preferences in manifesting consent for both primary and secondary use of data and in cases in which the new project is slightly different from the initial one. In fact, the broad consent model bases the re-consent process on the rational justification that new research projects and activities are essentially different, and for this, there is a need to ask participants something new that matters; on the contrary, dynamic consent asks participants to re-consent or opt-into decisions simply because the project is a new one.

3 Dynamic Consent in Practice Once the meaning of dynamic consent and its implications are clarified, the question posed requires scrutiny of how it can be implemented because research asks a sort of ‘particularisation’ of consent over time to make this latter one suitable for processing. Dynamic consent as an approach to consent enables patients to express granular decisions about their ongoing engagement in research activities through interactive digital participation. It has been explored in the fields of biobanking and genomics, in which frequent and close contact with patients is required (Prictor et al. 2020). The arranging of a system for dynamic consent requires attention to the awareness of data subjects and their willingness to the governance of their data over time.

154

S. Brizioli

Van Veen explored the downsides of dynamic consent in the context of clinical trials and observational research in cases in which patients provided dynamic consent but then stopped responding to notifications (Van Veen 2018, p. 76). When this occurs, researchers lie in a ‘limbo’, not knowing whether to continue because of the uncertainty of an enduringly broad consent. Moreover, even if technically possible, dynamic consent would be psychologically too demanding and stressful if individuals were consistently asked to renew their consent to the use of data in a large variety of ways or are ‘obsessively’ regularly updated. Negative aspects also arise when it comes to a consideration of the way information is conveyed, especially in those cases in which communication relies heavily on electronic devices that will risk excluding individuals or groups who do not have access to modern information and communication technology. The technological and digital divide issues surrounding dynamic consent could risk hampering the dialogue between researchers and donors of the information leading to a lack of confidence and lower recruitment as consequences. Despite these complexities, others have suggested instruments to both implement dynamic consent and assist the GDPR’s provisions dealing with transparency and revocability of consent to allow its granularity and maintain its requirements with respect to patients’ rights and faculties.

4 The Information Conveyed and How to Express Dynamic Consent Unlike the static and traditional ways to record consent, which have generally relied upon written limited options and single form documentation, dynamic consent uses e-consent methods and asks for a model that provides subjects with a digital platform that enables them to tailor their preferences and to receive information that is updated as progress in research develops. As stated by scholars, dynamic consent ‘focuses on using IT and engaging individuals as active participants, so that they can be informed, and re-consent can subsequently be obtained more easily’ (Mostert et al. 2016, p. 957). Looking closely at the kind of information transmitted, it should be clear, communicated in an understandable way to the participants and it should gather both the insights of the research and the relevant aspects in which the participants are involved. This is because more information in and of itself does not necessarily mean more informed consent; rather, information needs to be relevant and unambiguous to really qualify the informed consent. Moreover, only individualised information generates the reciprocity of dynamic consent that allows the fostering of trust and promotes personalised medicine, which is the strongest strategy in today’s biomedicine. Given the tools to express dynamic consent, there have been efforts to develop electronic, digital and web solutions to make the consent process interactive, and various means using information technologies have been proposed over the past

Dynamic Consent

155

decade to tackle dynamic consent. The discrepancies among these platforms depend on the issues of re-contact, opt-in or re-consent. The digital communication could employ multiple electronic media, web sites, card readers to convey information related to studies and devices such as graphics, audio, video, podcasts or passive and interactive channels to even simply obtain document informed consent (Spencer et al. 2016). Some scholars have developed a dynamic consent platform to provide relevant information about a research project in a user-friendly manner; the platform uses as many languages as necessary for subtitles, soundtracks and translated text to provide details that satisfy participant’s need for awareness. Websites, platforms or mobile applications provide information to explain how patients may register and to acknowledge that they will eventually be contacted by phone after registration to complete the consent process (Javaid et al. 2016). The use of dynamic consent platforms may be accompanied with local information meetings or leaflets. The consulting step is then the most challenging. Some studies have developed research by telephone consultations, and the participants may choose to download the informed consent sheet from the website, sign it and send it to the research team by postal mail or email (Budin-Ljøsne et al. 2017). They may also give their electronic sign off. Another form of dynamic consent could rely on interactive methods asking the participants to correctly answer before providing their consent (Spencer et al. 2016). It is also possible to refine consent and offer a fragmented consent, which is actually more useful than the all or nothing approach of broad consent. For instance, participants could consent to some aspect of the research depending on and according to their preferences or beliefs (Ja Teare et al. 2016). A dynamic consent platform could also ask about the type and modalities to access data and whether participants accept or not. Researchers could ask individuals to consent to other activities over time, for example, depositing data in public databases, the use of biological samples and data sharing with drug companies (Budin-Ljøsne et al. 2017). Some dynamic consent platforms also provide feedback to participants who decide to be contacted when the research results are final. This kind of dynamic consent is particularly useful when applied to the achievement of new therapies or preventive practices; participants could consent to receive feedback on their genetic research or may be recruited later for follow-up studies based on their genotype or disease (Budin-Ljøsne et al. 2013). Recent studies have proposed a novel mechanism for trusted and decentralised management of dynamic consent based on blockchain technology. As highlighted by its proponents, the use of blockchain avoids the need for a centralised and dedicated trusted third party by providing a self-contained infrastructure which interacts with external services (Albanese et al. 2020).

156

S. Brizioli

5 Conclusion Dynamic consent aims to reinforce the informational relationship between researchers and patients, and it changes the engagement of patients from passive ‘subject’ to active ‘participant’. Dynamic consent could be expressed through platforms, interactive tools and responsive formats that facilitate the consent process and two-way ongoing communication between researchers and participants. Patients can consent to new projects, alter their consent preferences in real time, change contact information and personal data and set preferences as to how often they receive information and in what format (e.g., text messages, emails, letters). On the other hand, researchers should replace the stand-alone online communication interface with other information systems to seek patient consent. Such strategies safeguard patient autonomy by enabling information and consent preferences to be exercised; in turn, they benefit research by facilitating the participation of populations, improving public trust and streamlining recruitment.

References Albanese G, Calbimonte J-P, Schumacher M, Calvaresi D (2020) Dynamic consent management for clinical trials via private blockchain technology. J Ambient Intell Human Comput 11:4909– 4926. https://doi.org/10.1007/s12652-020-01761-1 Boddington P, Curren L, Kaye J, Kanellopoulou N, Melham K, Gowans H, Hawkins N (2011) Consent forms in genomics: the difference between law and practice. Eur J Health Law 18:491– 519. https://doi.org/10.1163/157180911x598744 Budin-Ljøsne I, Soye JK, Tassé AM, Knoppers BM, Harris JR (2013) Genotype-driven recruitment: strategy whose time has come? BMC Med Genom 6(19). https://doi.org/10.1186/17558794-6-19 Budin-Ljøsne I, Teare HJA, Kaye J, Beck S, Bentzen HB, Caenazzo L, Collet C, D’Abramo F, Felzmann H, Finlay T, Javaid MK, Jones E, Katić V, Simpson A, Mascalzoni D (2017) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18(4). https://doi.org/10.1186/s12910-016-0162-9 Ja Teare H, Morrison M, Whitley EA, Kaye J (2016) Towards ‘Engagement 2.0’: Insights from a study of dynamic consent with biobank participants. Digit Health. https://doi.org/10.1177/ 2055207616628802 Javaid MK, Forestier-Zhang L, Watts L, Turner A, Ponte C, Teare H, Gray D, Gray N, Popert J, Hogg J, Barrett J, Pinedo-Villanueva R, Cooper C, Eastell R, Bishop N, Luqmani R, Wordsworth P, Kaye J (2016) The Rudy study platforms – a novel approach to patient driven research in rare musculoskeletal diseases. Orphanet J Rare Dis 11:150. https://doi.org/10.1186/s13023016-0528-6 Kaye J, Curren L, Anderson N, Edwards K, Fullerton SM, Kanellopoulou N, Lund D, Mac Arthur DG, Mascalzoni D, Shepherd J, Taylor PL, Terry SE, Winter SF (2012) From patients to partners: participant-centric initiatives in biomedical research. Nat Rev Genet 13:371–376. https://doi.org/10.1038/nrg3218 Kaye J, Whitley EA, Lund D, Morrison M, Melham K (2015) Dynamic consent: a patient interface for twenty-first century research networks. Eur J Human Genet 23:141–146. https://doi.org/10. 1038/ejhg.2014.71

Dynamic Consent

157

Kohane IS, Mandl KD, Taylor PL, Holm PL, Nigrin DJ, Kunkel LM (2007) Reestablishing the researcher-patient compact. Science 316(5826):836–837. https://doi.org/10.1126/science. 1135489 Mascalzoni D, Hicks A, Pramstaller P, Wjst M (2008) Informed consent in the genomics era. PLoS Med 5(9):e192. https://doi.org/10.1371/journal.pmed.0050192 Mostert, M., Bredenoord, L.A., Biesaart, M.C, & van Delden, J.J. (2016). Big Data in medical research and EU data protection law: challenges to the consent or anonymise approach. Eur J Human Genet, 24, 956–960. doi:https://doi.org/10.1038/ejhg.2015.239 Prictor M, Lewis MA, Newson AJ, Haas M, Baba S, Kim H, Kokado M, Minari J, Molnár-Gábor F, Yamamoto B, Kaye J, Teare HJA (2020) Dynamic consent: an evaluation and reporting framework. J Empir Res Human Res Ethics 15:175–186. https://doi.org/10.1177/ 1556264619887073 Spencer K, Sanders C, Whitley EA, Lund D, Kaye J, Dixon GW (2016) Patient perspectives on sharing anonymized personal health data using a digital system for dynamic consent and research feedback: a qualitative study. J Med Inter Res 18(4):e66. https://doi.org/10.2196/ jmir.5011 Starkbaum J, Felt U (2019) Negotiating the reuse of health-data: research, big data, and the European general data protection regulation. Big Data Soc 1–12. https://doi.org/10.1177/ 2053951719862594 Steinsbekk SK, Myskja KB, Solberg B (2013) Broad consent versus dynamic consent in biobank research: Is passive participation an ethical problem. Eur J Human Genet 21:897–902. https:// doi.org/10.1038/ejhg.2012.282 van Veen EB (2018) Observational health research in Europe: Understanding the general data protection regulation and underlying debate. Eur J Cancer 104:70–80. https://doi.org/10.1016/j. ejca.2018.09.032

Ethics Committees To What Extent Are Ethics Committees Relevant for the Activities of the Biobank? Roberto Cippitani

1 Introduction Research1 plays an important role in the European integration process (Molina del Pozo 2009). One of the main objectives of the EU is to establish the European Research Area (ERA), which is defined by Article 179, paragraph 1 of the Treaty of Functioning of the European Union (TFEU) as an area in which ‘researchers, scientific knowledge and technology circulate freely, and encouraging it to become more competitive, including in its industry’. To build a true European Research Area,2 the Union must encourage the free circulation of researchers and cooperation between undertakings, research centres and universities, removing obstacles (particularly legal and fiscal ones) to this circulation and cooperation. The EU strategies underline the need to increase investment at a European level as the main instrument for both economic and social development.3

When ‘Research and experimental development (R&D) comprise creative work undertaken on a systematic basis in order to increase the stock of knowledge, including knowledge of man, culture and society, and the use of this stock of knowledge to devise new applications’. See OECD, ‘Frascati Manual’, 2002, paragraph 6. 2 Communication of the Commission, ‘Towards a European Research Area’, COM (2000) 6 final, 18 January 2000. 3 See Communication of the Commission to the Spring European Council, ‘Working together for growth and jobs – A new start for the Lisbon Strategy’, n. 2. 1

R. Cippitani (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_18

159

160

R. Cippitani

Furthermore, according to EU law, freedom of research is considered as a fundamental right (Article 13 Charter of Fundamental Rights of the European Union, hereinafter referred to as the EU Charter) (Cippitani 2015). However, to achieve the objective of building the European Research Area, it is necessary to face the risks arising from scientific research and innovation. As far as safeguards are concerned, the EU Charter affirms that ‘it is necessary to strengthen the protection of fundamental rights in the light of changes in society, social progress and scientific and technological developments’.4 Therefore, to reinforce the protection of fundamental rights in a ‘knowledgebased’ society, Europe must develop a system of shared values through debate at various levels.5 The European Union has committed itself in recent years to identifying and elaborating ‘ethical fundamental principles’, that is, legal provisions as well as other kinds of rules that have as their scope the protection of fundamental interests that may be affected by techno-science. This concern is expressed in the EU Charter; this is the first constitutional text to provide bioethical rules that establish rights to and limits on research and innovation activities (Bertrand 2009). The EU takes into consideration the need to respect ethical rules, especially within the funding of the Framework Programmes. These are the main instruments that implement the European policy on research and technological development.6 The Framework Programmes, such as ‘Horizon 2020’ (for the period 2014–2020), ‘Horizon Europe’ (2021–2027) and the other EU programmes, provide rules in order to ensure that projects funded by the European Union will comply with its ethical rules. Because of the relevance of ethical issues for research programmes, the European Commission has developed several documents on practice in order to ensure that research activities comply with fundamental ethical principles; these documents include: Guidance—How to complete your ethics self-assessment (European Commission 2021, p. 1); Roles and functions of ethics advisors/ethics advisory boards in EC-funded projects (European Commission 2012, p. 3); European textbook on ethics in research (European Commission 2010a); Syllabus on ethics in research; and Addendum to the European textbook on ethics in research (European Commission 2010b). These documents refer to the EU legislation and to the case law of the Court of Justice as well as to opinions and advice prepared by committees of experts, such as the European Group on Ethics in Science and New Technologies (EGE), the Article 29 Working Party and, today, the European Data Protection Board (on the protection of personal data).

4

See the Preamble of the EU Charter. Communication of the Commission, ‘Towards a European Research Area’, n. 4, paragraph 7.2. 6 See Article 180 TFEU. 5

Ethics Committees

161

2 Ethics Committees It is important to highlight the role played by ethics committees as a technique to deal with the ethical issues of research activities, including identification and application of ethical principles and rules. Ethics committees derive from experience with bioethics committees, particularly for clinical studies (Monnier 2009). Due to the fact that ethical issues may arise from any kind of research activity, such an experience may be generalised and used for ethics committees acting in several research fields. The UNESCO 2005 Guide No. 1, Establishing bioethics committees (UNESCO 2005), is built on the idea that an ethics committee ‘systematically and continually addresses the ethical dimensions of (a) the health sciences, (b) the life sciences and (c) innovative health policies’ (UNESCO 2005, p. 9). According to the UNESCO Guide, ‘A bioethics committee is typically composed of a range of experts, is usually multidisciplinary and its members employ a variety of approaches to work toward the resolution of bioethical issues and problems, especially moral or bioethical dilemmas’ (UNESCO 2005, p. 9). Article 2 no. 11 of Regulation (EU) no. 536/2014 on clinical trials adds that the committees have to take ‘into account the views of laypersons, in particular patients or patients' organisations’.7 The multidisciplinary composition of ethics committees mirrors the idea that the elaboration of ethical principles to regulate scientific activity cannot take place only through the legislative power, especially through the national legislature. The issue of the ethical limits of science seeks to strike a balance between constitutionally protected fundamental rights (on the one hand, the freedom of research and, on the other hand, dignity and other fundamental rights). The balance is difficult to achieve as this is a sector in which philosophical, ideological and political perspectives have an enormous impact, including on the application of legal norms. This allows the many perspectives arising from the ethical issues to be taken into consideration (Hunter 2007). In a democratic and pluralistic society, a single vision cannot be imposed (Rodotà 1996); rather, a continuous dialogue between different perspectives is necessary, even on bioethical issues, albeit in light of fundamental values (Scarpelli 1996). The dialogue concerns a constantly changing technical and scientific field. Therefore, it is not possible to develop permanent, or at least lasting, solutions to ethical dilemmas.

7

Regulation (EU) no. 536/2014 of the Europea Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, 2014 O.J. (L 158).

162

R. Cippitani

3 Mandatory and Non-Mandatory Ethics Committees According to Article 2, paragraph 2, No. 11 of Regulation (EU) No. 536/2014 concerning clinical trials on medicinal products for human use, an ‘ethics committee’ under EU law is ‘an independent body established in a Member State in accordance with the law of that Member State and empowered to give opinions for the purposes of this Regulation’. Therefore, ethics committees are usually established in clinical studies, as provided by the relevant legislation. Ethics committees may also be voluntarily established by the legal entities carrying out research activities, such as universities, public research bodies and undertakings. A biobank may have its own committee dealing with ethical issues if its governance does not use the ethics committee of the establishment where the biobank acts, that is, the healthcare establishment or the university. In addition, the documents of the European Commission strongly recommend the use of ethics committees for the ethical assessment of research projects. Such ethics committees may be established ad hoc within a specific research project or research activity. The non-mandatory ethics committees have similar functions to ethics committees in clinical studies. However, the distinction between these types of committees cannot be too strict. The ethics committee of a legal entity may deal with issues other than clinical studies, and a local ethics committee may be appointed for the ethical assessment of a research project. In addition, the ethics committee established for a specific project or activity may be institutionalised.

4 Composition and Functions of the Ethics Committees Ethical committees are composed of experts who have different approaches to the ethical issues arising from medical treatments and research activities (also outside of the medical sector): practitioners, scientists, lawyers, philosophers, sociologists, psychologists, etc. The members of the ethics committees should have expertise in law, data protection/privacy and research ethics along with experience in the assessment of ethical issues in the specific area of the topics relevant to the research activities (European Commission 2012, p. 3). The documents of the Commission underline that it is easier to find experts in some fields, such as medical research and animal welfare, than in other areas (e.g., dual use, biosecurity, privacy or the societal implications of research). (European Commission 2012). The ethics committees are expected to be independent and free from any conflict of interest. (European Commission 2012, p. 38). In order to make the independence

Ethics Committees

163

of the ethics advisor effective, the EU sources recommend that the appointment is not gratuitous. Those recommendations may be in contrast to the praxis to establish committees involving the staff members of the legal entity on honorary bases. The activities and the role of the ethics advisor must be outlined in regulations adopted by the legal entity and within agreements (e.g., in a Memorandum of Understanding) drawn up with the members of the ethics committees. (European Commission 2012, p. 5). Ethics committees provide an independent and multidisciplinary review of the research activities, supporting the researchers and research establishments; applying in practice the ethical standards established by laws, guidelines and other related documents; and maintaining some form of institutional memory for decisions taken and permission given. In particular, ethics committees have the following main responsibilities: (a) Approving authorisations to use documents (i.e., the informed consent templates or guidelines) or protocols; (b) Providing advice and opinions; (c) Carrying out ethical audits (in itinere or ex post) of research projects. It is rarer to attribute to such committees other responsibilities, such as adopting disciplinary sanctions.

5 Ethics Advisors Within EU Programmes According to the documents of the European Commission, the consortium of beneficiaries of a research programme should be supported by experts to ensure that the programme appropriately complies with ethical requirements. In particular, the consortium is requested to appoint one or more ‘ethics advisors’ (Cippitani 2019; European Commission 2021). A group of advisors with varied expertise (forming an ‘advisory board’) is suggested when there are several ethical issues or the issues are particularly sensitive. The role of an ethics advisor is to provide to the consortium, its bodies (steering committees, general assembly, etc.) and each beneficiary advice on specific issues or general opinions about the ethical aspects of the research activities, including the regulations adopted by the body of the consortium. Therefore, the ethics advisor usually plays a consultancy role and does not have a decision-making function. The ethics advisor carries out a continuous ethical assessment of the project in cooperation with the governance body for the project, taking into account the dynamicity of the research activities, and gives support with the writing of a report for the funding authorities. Nevertheless, it is possible to attribute to the ethics advisor the power to authorise the beneficiaries to carry out particular activities (e.g., to transfer data or material), to

164

R. Cippitani

draw up a template (e.g., an informed consent form or information sheet) and to adopt specific regulations that are relevant from an ethical viewpoint. Other functions or powers can be attributed to the ethics advisor, depending on the ‘rules of engagement’ agreed upon by the partnership carrying out the research project. An ethics advisor can act as a ‘research regulator’. This implies ‘monitoring research, which can be carried out in a variety of ways such as requiring reports at regular intervals or at the end of a project, or even in some cases by carrying out ad hoc inspections or audits of research’ (European Commission 2005, p. 32). An ethics advisor might also be responsible for applying sanctions, such as the suspension or termination of research or the exclusion of researchers in cases of misconduct. In any case, as stated in the Commission documents, ‘An Ethics Advisor must not simply become a symbolic cipher without any effective power to influence the direction of the research activities or the methodology that will be used. The advisory role is a proactive one. The cultivation of mutual understanding between advisors and partners can see differences resolved through diplomacy and clear communications. Problems can be forestalled through cooperative endeavour and a culture of collaborative working’. (European Commission 2012, p.5). Therefore, the difference between an ethics advisor and ethics committee is that the first one has a consultive and professional function while the second is requested to carry out an external review of the research activity. Both functions are complementary and necessary for a complete ethical assessment of the research. In some cases, the two kinds of ‘ethical bodies’ may carry out similar functions, such as when the ethics advisor acts without the control of an ethics committee or when the advisor is appointed to provide an ethics audit of the project. Due to his or her professional role, the ethics advisor is expected to be independent in many more cases than the members of the ethics committees. However, if it is possible, the two roles should be kept separate.

6 Conclusion By means of discussion and the adoption of multidisciplinary viewpoints, ethics committees ensure a balance between interests and fundamental rights, such as the freedom of research and the individual rights of the persons involved in the scientific activities. Finding a balance is useful in those cases in which the interplay of interests is not ruled by the regulatory framework or when the law provides derogations to the individual rights for the benefit of the research activities. This may occur in many situations that are typical in biomedical research, including those related to biobanks. For example, the legislation on the protection of personal data provides the individual’s right to consent (see Article 8 Charter of Fundamental Rights of EU; Article 6, paragraph 1.a Regulation (EU) no. 2016/679), especially to medical

Ethics Committees

165

treatments and for medical research (Article 28 Regulation (EU) no. 536/2014; Articles 5, 14 and 16 of the Convention of Oviedo). However, the individual’s consent and the related rights on personal data may be subject to several exceptions to safeguard other interests recognised by constitutional norms. Privacy should be coordinated with these other important freedoms or rights recognised by constitutional norms. In particular, legal sources provide an important set of exceptions if personal information is used in scientific activities (European Commission 2016). Regulation (EU) no. 2016/679 establishes several derogations when ‘personal data are processed for scientific or historical research purposes or statistical purposes’, European and national laws may provide derogations from the rights normally belonging to the data subjects, such as the right of access (Article 15); right to rectification (Article 16); right to restriction of processing (Article 18); and the right to object (Article 21). Laws may also establish a derogation from the right to erasure (the right to be forgotten) established by Article 17, paragraph 1 of Regulation (EU) 2016/679. On the ground of recital no. 50 of the GDPR, it is possible to use personal data for research purposes even if such data were collected for other purposes, apparently without a new consent. Within research activities, consent is not expected to be as strict, such as in the frame of other activities, but may be broad on the ground of the recital no. 33 of the Regulation (EU) no. 2016/679 because ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection’. Furthermore, Regulation no. 2016/679 is not applicable to deceased persons, and this is the case, for example, with data contained in biological materials collected in the past when informed consent and the legislation concerning the protection of personal data did not exist. Consent is not sufficient because of the vulnerability of the individual in respect to professionals and/or institutions carrying out research or other activities concerning personal data or because it is necessary to access the research activities to make them consistent with the ethical principles and with legal rules. In those cases, consent is not sufficient to ensure proper protection of individual interests (Otlowski 2009, p. 79) and, therefore, further tools are needed to integrate its effectiveness. In the aforementioned cases and in other specific situations, an important instrument to face the ethical problems arising with the use of both personal data and biological material is the control carried out by ethics committees or other third parties. The role of the ethics committee is affirmed by many documents of the Council of Europe in critical situations, such as when health data cannot be anonymised for technical reasons (see paragraph 12.2, Appendix to Recommendation (97), mentioned above), which normally is the case for genetic data; or if it is not possible with a reasonable effort to contact the person who has not given her/his consent to carry out research activities concerning biological material (see Article 21.2,

166

R. Cippitani

Recommendation (CM/Rec(2016)6). In those cases, the scientific purposes together with an external and independent evaluation carried out by an ethics committee allow for the research institution to overcome the lack of consent. At the national level, for example the Italian Authority of Privacy in its General Authorisation No. 8/2014 for the Processing of Genetic Data allows the processing of research for scientific purposes ‘directly linked’ to the original one. Otherwise, processing is authorised only if samples are anonymised or there is new consent, but in the absence of the latter, consent can be authorised by the relevant ethics committee and authority. However, it may not be simple to identify either the meaning of the ‘link’ or who has control over compliance.

References Bertrand M (2009) La bioéthique. Dalloz, Paris Cippitani R (2015) Academic freedom as a fundamental right. Paper presented at the 1st International Conference on Higher Education Advances, HEAd’15, Universitat Politècnica de València Cippitani R (2019) Ethics advisor on research projects. In: Bartolini A, Cippitani R, Colcelli V (eds) Dictionary of statuses within EU law (the individual statuses as pillars of European Union integration). Springer Nature, pp 193–200 European Commission (2010a) European textbook on ethics in research. Publications Office of the European Union, Luxembourg European Commission (2010b) Syllabus on Ethics in Research. Addendum to the European Textbook on Ethics in Research, https://op.europa.eu/en/publication-detail/-/publication/b38f1 fd1-994d-45bb-b765-bf24391b549e/language-en European Commission (2012) Roles and functions of ethics advisors/ethics advisory boards in EC-funded projects. https://ec.europa.eu/info/funding-tenders/opportunities/docs/2021-2027/ horizon/guidance/roles-and-functions-of-ethics-advisory-ethics-advisory-boards-in-ec-fundedprojects_he_en.pdf European Commission (2016) Open innovation, open science, open to the world – A vision for Europe. Brussels. https://op.europa.eu/en/publication-detail/-/publication/3213b335-1cbc-11 e6-ba9a-01aa75ed71a1 European Commission (2021) Guidance – How to complete your ethics self-assessment. https://ec. europa.eu/info/funding-tenders/opportunities/docs/2021-2027/common/guidance/how-to-com plete-your-ethics-self-assessment_en.pdf Hunter D (2007) Proportional ethical review and the identification of ethical issues. J Med Ethics 33:241–245. https://doi.org/10.1136/jme.2006.016782 Molina del Pozo CF (2009) El Derecho comunitario y la I+D+T. Hacia el diseño de un perfil para el futuro. UAH, Madrid Monnier S (2009) Les comités d’éthique et le droit: Eléments d’analyse sur le système normatif de la bioéthique. PUF, Paris Rodotà S (1996) Legiferare in bioetica, en Le scienze - Quaderni, n. 88. Bioetica, Milano Scarpelli, U. (1996). Bioetica: alla ricerca dei principi. Biblioteca della libertà, n. 99, ottobredicembre 1987 UNESCO (2005) Guide N.1 Establishing Bioethics Committes. UNESCO, Paris. https://unesdoc. unesco.org/ark:/48223/pf0000139309

Ethic and Biobanks What Are the Steps Needed to Implement Bioethical Issues in a Population-Based and Disease-Based Biobank? Daniela Capello and Antonio Rimedio

1 Introduction In order to answer this burning question,1 the following sections describe the design and equipment of bioethical issues in a regulatory framework, taking the experience of an Institutional Biobank as a case study. A biobank facility is one of the most valuable means that academic scientific organisations have to improve the competitiveness of their biomedical research, generate research collaborations and develop funding strategies (Zika et al. 2010). We present the model of a multispecialistic biobank with both a population- and disease-oriented commitment, with the aim of promoting studies finalised at exploiting knowledge on human health and encourage multidisciplinary scientific research. The Biobank will also encourage scientific research basing its activity on an inclusive model of the scientific community in which citizens, researchers, and institutions will actively participate. The analysis of this type of biobank might be useful to cast a light on the issue of bioethics in research activities involving biobanks and foster their role as both institutional and societal infrastructures, as

1

The chapter takes the experience of UPO Biobank as a case study, in particular the efforts focused on the design and equipment of bioethical and regulatory issues: UPO Biobank—Centro di Ricerca Traslazionale sulle Malattie Autoimmuni e Allergiche (CAAD) Corso Trieste, 15/A 28100 NOVARA (NO) contacts: [email protected].

D. Capello (✉) UPO Biobank, Department of Translational Medicine & CAAD, University of Eastern Piedmont, Novara, Italy e-mail: [email protected] A. Rimedio Ethics Committee of the University Hospital “Major of Charity” in Novara and local health Authorities Biella, Novara, Verbano Cusio Ossola, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_19

167

168

D. Capello and A. Rimedio

well as plots a way forward to implement bioethical issues in a population- and disease-oriented biobank (Jacobs et al. 2018). A typical multispecialistic research biobank is designed to collect biological samples from both individuals from the general population as well as patients involved in case-control and cohort studies. The facility is structured to house hundreds of thousands of different biological samples, including blood, urine, saliva, tissues, cells and their derivatives. Samples will be preferentially processed in a laboratory pertaining to the biobank and stored in vapour phase liquid nitrogen or in mechanical cryogenic freezers. The software Laboratory Information Management System (LIMS) is designed to support standard biobank operations and thus warrants the traceability of samples and data collection in agreement with the General Data Protection Regulation (EU) 2016/679 (GDPR) guidelines. Operating in a setting that often differs from that of hospital and healthcare facilities, a multispecialistic biobank benefits from having a dedicated consulting room for anthropometric and functional parameter evaluation, sample collection and questionnaire administration. Biobanks adopt strategies to enhance and maintain the quality of biological samples, from their handling to their final preservation, as well as to ensure data protection. Additionally, working in accordance with the biobanking-specific International Organization for Standardization (ISO) 20387:2019 certification will better guarantee a quality management system with documented standard operating procedures (SOP) and informed consent, in agreement with national and international indications.2 We start the analysis of the need to implement the aforementioned biobanking strategies, taking into consideration both the general classification in population and disease-oriented biobanks defined by the pan-European Biobanking and Biomolecular Resources Research Infrastructure (BBMRI), which has outlined two work packages on biobanks entitled WP2 (population-based biobanks) and WP3 (disease-oriented biobanks). At the end of this process, the biobank examined in this study will join the national node of the BBMRI network.3 As it is oriented towards disease4 (Parodi 2015) this biobank will promote research on human disease pathogenesis to improve diagnosis and therapy within specific areas of interest, such as autoimmune disorders and high-impact, chronic age-associated diseases. As it is also population-oriented, this biobank is engaged in

International Organization for Standardization (ISO 2018). UNI/ISO 20387 Biotechnology – Biobanking – General requirements for biobanking standard, published in August 2018, specifies the general requirements for the competence, impartiality and consistent operation of biobanks including quality control requirements to ensure biological material and data collections of appropriate quality. https://www.iso.org/standard/67888.html. In Italy, the accreditation of biobanks in accordance with the requirements of this standard will be operated by ACCREDIA. 3 BBMRI. https://www.bbmri.it. 4 Disease-oriented biobanks (which may also be referred to as clinical biobanks) are placed at the interface between clinical practice and research. They collect biological samples from patients, and aim to discover and validate genetic and non-genetic risk factors of diseases. 2

Ethic and Biobanks

169

prospective and cross-sectional epidemiological cohort studies involving citizens with specific characteristics or those that are representative of a geographical area, and is designed to address unmet social and scientific needs concerning human health. To achieve the goal of illustrating a path to implement bioethical issues in a population- and disease-oriented biobank, Sect. 2 will analyse the function of the Data Protection Impact Assessment (DPIA); in Sects. 3 and 4, the Code of Ethics and informed consent will be treated as institutional documents. Using the logical themes of broad consent, the research areas and purposes of the biobank will be clearly illustrated in both the regulation and in the informed consent. Section 5 concludes.

2 Data Protection Impact Assessment The nature of the processing of the data associated with and obtainable from the biobanked samples, from both patients and subjects of the general population, is a significant risk in relation to the rights and freedoms of subjects, particularly certain categories of data being processed, such as genetic data.5 For this reason, before starting biobank activities and, therefore, the processing, the DPIA is carried out or at least an alternative impact assessment on data protection, as provided by Articles 35 and 36 of the GDPR. Indeed, an assessment represents the mandatory tool for identifying and minimising the risks inherent in samples and associated data processing. In fact, the DPIA is a process designed to describe the processing, assess the necessity and proportionality of processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.6 The DPIA should be started as early as is practical in the design of the biobank activity, even if some data collection and processing operations are still in progress. Furthermore, updating the DPIA throughout the lifecycle of the biobank will ensure that data protection and privacy are considered and promote the creation of solutions and compliance.

5

See Garante per la protezione dei dati personali (2019). Provvedimento recante le prescrizioni relative al trattamento di categorie particolari di dati, ai sensi dell’art. 21, comma 1 del d.lgs. 10 agosto 2018, n. 101. Roma, Registro provv. n. 146 del 05 giugno 2019. Allegato 1 (4, 5). https:// www.garanteprivacy.it. 6 Data Protection Working Party (2017). Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679 (WP 248 rev.01). Adopted on 4 April 2017. As last revised and adopted on 4 October 2017. https://ec.europa.eu/newsroom/article29/items/611236/en.

170

D. Capello and A. Rimedio

3 The Population Biobank Code of Ethics The need for a Code of Ethics emerged from the initial reflection on the mission of this type of biobank, in order to provide an ethical and at the same time regulatory framework for the budding biobank. As known in general terms, the fundamental activities of a biobank7 are the collection, processing, organised storage and distribution of biological materials and associated personal data for research and diagnosis purposes (Kinkorová 2016). This biobank will be qualified as a ‘population biobank’, whose prospects and potential are well outlined in the recent Organisation for Economic Co-operation and Development (OECD) document (March, 2021): ‘Population-based biobanks monitor the health status of participants over time to assess the natural occurrence and progression of common diseases. These biobanks, combined with genomic and health data, can enable a more personalised approach to medicine by locating the genetic component of human disease. Moreover, [the] growth of genomics markets and associated health sectors offers wider societal benefits including the potential to increase investment in innovation, generate new economic activity and create new jobs’.8 Moreover, this biobank is a ‘non-profit public institution’, a ‘service unit’,9 whose mission is characterised by two main purposes: (1) to encourage and increase a network of relations on the territory between bodies and associations dealing with public health, in particular with hospitals and the territorially competent local health services; and (2) to encourage the training of university students, so that they are initiated into rigorous research on a scientific level and respectful of ethical principles. In the historical time we are currently living in, characterised by the SARS-CoV-2 pandemic, the urgent implementation of territorial medicine has been advocated by many, a future in which population biobanks will play an ever greater role. The Code of Ethics is inspired by the model of ‘participatory governance’, which, if fully implemented, requires the involvement of all the actors involved: citizens who ‘entrust’ the biobank with their biological samples and associated data (settlors), and researchers and stakeholders who support the biobank and have expectations of its activities. By adopting this organisational model, the biobank can achieve the virtuous circularity that transforms individual contributions into ‘public benefit’.10

The Organisation for Economic Co-operation and Development (2006) defines a biobank as ‘a collection of biological material and the associated data and information stored in an organized system, for a population or a large subset of a population’ (OECD Creation and Governance of Human Genetic Research Databases. Glossary of Statistical Terms. http://stats.oecd.org. 8 Organisation for Economic Co-operation and Development (2021). Building and sustaining collaborative platforms in genomics and biobanks for health innovation. March 2021, No. 102, 1. Introduction. https://www.oecd-ilibrary.org. 9 BBMRI.IT, Biobanche. Cos’è una biobanca. https://www.bbmri.it. 10 UNIUPO (2021). UPO Biobank. https://www.uniupo.it/upobiobank. 7

Ethic and Biobanks

171

‘Trust’ remains the core value in the relationship between a public biobank and settlors, because ‘residual biological materials’ are transformed by research into important information resources, up to and including the mapping of the biological-informational identity of the person from which they originate. Moreover, it is essential to consider that population surveys might extend to previous pathologies, lifestyles, eating habits and in some cases even to the sexual activity of settlors, whose health is monitored over time. From the widely discussed and now outdated paradigm of ‘property rights’ on biological materials, the literature has progressed to enhancing the ‘personality rights’ of privacy. This entails highly complex issues because genomic information is detailed and inherently identifiable in nature. Moreover, this kind of information relates not only to the person from whom it was obtained, but also to their family members. For all of these reasons, a population biobank must match the ‘trust’ of citizens with the ‘trustworthiness’ of its governance: ‘It has long been recognised that public trust is crucial if the promises of personalised, genomics-based medicine are to be realised. [. . .] Trustworthiness, the quality of being deserving of trust, is an intrinsic ethical value, and is also instrumental in increasing research participation and improving the perception of research by the public’ (OECD 2021, p. 33). Trust and trustworthiness have already gained positive results in clinical trials; ‘evidencebased medicine’, traditionally linked to ‘objective’ data, has improved its results by listening to and allowing the active participation of patients and their associations, which today partially fund the research itself (Hamerlijnck 2017; Calvert et al. 2018). Analogous results can be obtained by a biobank which in its supervisory and governance structures integrates11 the values of the settlors, the expectations of the stakeholders and the needs of a research study to which the clinic proposes challenges of increasing complexity (Winickoff and Winickoff 2003). In the case of the population biobank, the research ethics review is carried out by the territorially competent Ethics Committee.12 The Ethics Committee, after having read the Regulations and approved the Code of Ethics,13 plays an active role in the independent review of individual research projects and provides advice on information/consent models. It is a work in progress, fuelled by its awareness that it matures as the activities progress. It is hoped that, at full capacity, the population biobank will have its own ‘ethics advisors’, whose fundamental task will be to evaluate the impact of the research activities and procedures on the declared ethical principles in order to increase the trustworthiness of the public facility (Cippitani 2019, p. 193).

We consider the model of ‘participatory governance’ as more appropriate for European regulatory principles, although the ‘charitable trust model’ or ‘biotrust,’ proposed by common law jurists, can be taken into account when defining the organisation of a biobank. 12 European Commission (2010). European Textbook on Ethics in Research. Chap. 1. Locating ethics in research, pp. 11 ff. https://ec.europa.eu. 13 Council of Europe (2006). cit., art. 18. 11

172

D. Capello and A. Rimedio

4 Towards a Model of ‘Mixed’ (Specific and Broad) Informed Consent The need for free consent for the purpose of biobanking biological material and related personal data is undisputed. However, a consensus has not been reached regarding the type of consent to be adopted. There is no problem with regard to the ‘specific informed consent’, which concerns the use of samples and data in the context of a specific and single research study. But this consent does not correspond to the purposes of a biobank, which collects biological materials and personal data especially for future research. A comparison of the logic of ‘informed consent’ linked to clinical trials allows us to better identify these specificities. For the purposes of a clinical trial, the logic of ‘informed consent’ is linked to the therapeutic interventions and the risk/benefit ratio, in terms of efficacy and proportionality of the treatment: the primary objective is treatment, while the processing of personal data is needed by the care relationship. The logic of research on biological samples, on the other hand, is entirely focused on the processing of data which, as highlighted previously, would be able to reveal the biological-informational identity of the person if put through a laboratory analysis. In this circumstance, the benefit to one’s individual health is indirect or even remote, while the risks associated with a lack of protection of personal data assume primary importance. These risks can create distrust and lead to a person declining to give their consent or even withdrawing it after it has been given. For the purposes of the conservation of biological samples, and according to the literature, broad informed consent is indicated as appropriate (Hallinan 2020; Mikkelsen et al. 2019). As stated by the Council for International Organizations of Medical Sciences: ‘Broad informed consent encompasses the range of future uses in research for which consent is given. Broad informed consent is not blanket consent that would allow future use of bodily material without any restriction. On the contrary, broad informed consent places certain limitations on the future use of bodily materials. Broad informed consent forms should specify: the purpose of the biobank; the conditions and duration of storage; the rules of access to the biobank; the ways in which the donor can contact the biobank custodian and remain informed about future use; the foreseeable uses of the materials, whether limited to an already fully defined study or extending to a number of wholly or partially undefined studies; the intended goal of such use, whether only for basic or applied research, or also for commercial purposes; and the possibility of unsolicited findings and how they will be dealt with. The research ethics committee must ensure that the proposed collections, the storage protocol, and the consent procedure meet these specifications’.14

14

Council for International Organizations of Medical Sciences (2016). International Ethical Guidelines for Health-related Research Involving Humans. Guideline 11: Collection, Storage and Use of biological materials and related data, pp. 41 ff. https://cioms.ch.

Ethic and Biobanks

173

Similarly, within the GDPR15 is a direct reference to the broad informed consent in Recital No. 33: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.” This opening was compared with the Guidelines on consent under Regulation 2016/679—Article 29 Working Party,16 in which the ‘granularity’ of consent is reiterated (§ 3.1.3). This general rule remains valid. But with reference to scientific research, the principle of ‘purpose limitation’ states that the further processing of personal data already collected for specific purposes “shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes” (GDPR, art. 5, 1 b), provided that the principle of data minimisation is applied, which may include measures of pseudonymisation (GDPR, art. 89, 1). From this perspective, the Italian Node of BBMRI observes, for instance: “When the purpose can be described only in general terms, BBMRI.it agrees on the fairness [of distinguishing] [. . .] the purpose of [the] research and on the research process, in order to inform [. . .] the area of research in general term[s], but specifically on the process”.17 The fundamental problem for a population biobank is to guarantee the settlors that their data are protected. Consequently, for the purposes of biobanking, the fulfilments of informed consent can be considered respected if the information illustrates the purposes that the biobank pursues, which are ‘general’ but not ‘generic’, within which the objectives of individual future research projects are inserted. At the same time, the information must be highly precise and rigorous on the processing of the samples, on the types of analyses that are carried out and on the processing and protection of personal data. From these considerations emerge the intrinsically ‘mixed’ nature of informed consent for biobanking. It is the responsibility of the competent research ethics committee to approve the individual research projects and monitor compliance with the conditions set out in the international guidelines and applicable legislation. The ‘mixed’ model can also be seen as convenient on an operational level. In fact, in current practice, consent is required, starting from specific research, the objectives of which are clearly indicated. Therefore, the information/consent form can be combined or kept separate, with the ‘specific’ informed consent for the single

15

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J.4.5.2016 L 119/1. 16 The European Data Protection Board (EDPB 2020). Guidelines 05/2020 on consent under Regulation 2016/679. Version 1.1 adopted on 4 May 2020, § 3.1.3 Granularity. https://edpb. europa.eu. 17 BBMRI-ERIC (2018). BBMRI-ERIC joint comments to the Article 29 Working Party Guidelines on Consent under Regulation 2016/679 (wp259) and Transparency under Regulation 2016/679 (wp260). January, 2018. National Node - Italy. p. 24. https://www.bbmri-eric.eu/wp-content/ uploads/WP29_consent-joint-comments_BBMRI-ERIC_as-submitted.pdf.

174

D. Capello and A. Rimedio

research and the ‘broad’ informed consent with reference to the general purposes of the biobank. However, both consents provide detailed information on the processing of personal data. This simplification is intended to facilitate the request for biobanking by clinicians and the reading of information by the patients interviewed. The discussion surrounding the consent template acquires meaningful significance and is closely linked to the theme of trust and trustworthiness. In fact, the request for consent to biobanking should not be seen as a final act, but as the beginning of a collaboration path that will last over time. From the perspective of ‘participatory governance’, we can with good reason speak of an ‘interactive and dynamic consent’, which also presupposes the use of information technologies, in order to ensure direct and constant interaction between the biobank’s settlors, researchers and governance. Information technologies contribute to making settlors feel part of a community that is committed to achieving the objectives of public health, an objective that is sorely needed in the current SARS-CoV-2 pandemic.

5 Conclusion From the earliest stages of its development, this multispeciality biobank model should be inspired by the indications of BBMRI-ERIC, the European Research Infrastructure for biobanking, in order to better achieve its original institutional goals. As a ‘service unit’, this biobank aspires to become the vital junction between: (1) the objectives of research in the university sphere, both for the training of young doctors and researchers and for excellence in research, which can offer appreciable results on an international level; (2) support for the translational research of a large hospital-university structure; (3) attention to the health needs of the territory through population studies, particularly on aging, and pathology studies; and (4) the involvement of the population, local government authorities and stakeholders. By progressively involving the population, the biobank will be considered the ‘beating heart’ of biomedical research in its area. Indeed, as a result of the enduring experience of COVID-19, citizens have understood the importance of research for the protection of collective health.

References Calvert M, Kyte D, Mercieca-Bebber R, Slade A, Chan A-W, King MT, SPIRIT-PRO Group, Hunn A, Bottomley A, Regnault A, Ells C, O’Connor D, Revicki D, Patrick D, Altman D, Bash E, Velikova G, Price G, Draper H, Blazeby J, Scott J, Groves T (2018) Guidelines for inclusion of patient-reported outcomes in clinical trial protocols: the SPIRIT-PRO extension. JAMA 6:483–494. https://doi.org/10.1001/jama.2017.21903 Cippitani R (2019) Ethics advisor on research projects. In: Bartolini A, Cippitani R, Colcelli V (eds) Dictionary of statuses within EU law (the individual statuses as pillar of European Union integration). Springer Nature, Cham, pp 193–200

Ethic and Biobanks

175

Hallinan D (2020) Broad consent under the GDPR: an optimistic perspective on a bright future. Life Sci Soc Policy 16:1. https://doi.org/10.1186/s40504-019-0096-3 Hamerlijnck D (2017) The importance of patient involvement in clinical trials. ERS – Respiratory Equipment and Devices Exhibition Magazine. https://3qksc436bu713cqimwcfglyj-wpengine. netdna-ssl.com Jacobs G, Wolf A, Krawczak M, Lieb W (2018) Biobanks in the era of digital medicine. Clin Pharmacol Ther 103(5):761–762. https://doi.org/10.1002/cpt.968 Kinkorová J (2016) Biobanks in the era of personalized medicine: objectives, challenges, and innovation: overview. EPMA J 7:4. https://doi.org/10.1186/s13167-016-0053-7 Mikkelsen RB, Gjerris M, Waldemar G, Sandøe P (2019) Broad consent for biobanks is best provided it is also deep. BMC Med Ethics 15:71. https://doi.org/10.1186/s12910-019-0414-6 Organisation for Economic Co-operation and Development (2021) Building and sustaining collaborative platforms in genomics and biobanks for health innovation. March 2021, No. 102, 1. Introduction. https://www.oecd-ilibrary.org Parodi B (2015) Biobanks: a definition. In: Mascalzoni D (ed) Ethics, law and governance of biobanking: the international library of ethics, law and technology. Springer, Dordrecht, p 14. https://doi.org/10.1007/978-94-017-9573-9_2 Winickoff DE, Winickoff RN (2003) The charitable trust as a model for genomic biobanks. N Engl J Med 18:1180–1184. https://doi.org/10.1056/NEJMsb030036 Zika E, Paci D, Schulte In Den Bäumen T, Braun A, Rijkers-Defrasne S, Deschênes M, Fortier I, Laage-Hellman J, Scerri C, Ibarreta Ruiz D (2010) Biobanks in Europe: prospects for harmonisation and networking. JRC57831, EUR 24361 EN. Publications Office of the European Union, Luxembourg. https://op.europa.eu

Ethical Principles and Legal Provisions What Ethical Principles Apply to Biobanking Activities? Roberto Cippitani

1 Ethical Principles Within EU Law Many legal sources are applicable to biobanking activities, particularly sources within EU law that are referred to in the present book. These include the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU), and the Charter of Fundamental Rights, as well as various Regulations, Directives and measures adopted by the supranational institutions, such as: Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells and the other related dispositions at EU and national levels; Commission Directive 2006/ 17/EC of 8 February 2006 implementing Directive 2004/23/EC; Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use; and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (GDPR).1 Additionally, legal provisions of the Council of Europe and other international organisations are applicable. EU, international and national legal provisions applicable to biobanking activities contain some ‘ethical principles’ which are briefly addressed in the present paper. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

R. Cippitani (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_20

177

178

R. Cippitani

A general principle is defined as a concept which runs across an entire legal system, and which can be expressed in other provisions (see, for example, Betti 1971, p. 312). General principles ensure the coherence of the entire legal system, and therefore they constitute an important guide in the interpretation and application of norms. This is true, in particular, in fields such as ethics, which are subject to many legal provisions at different levels (i.e. international, EU, national and local) but also to various ideological approaches as well as deontological and professional rules. For these reasons, in the field of ethics so-called ‘principlism’ is very popular; this is the use of principles to solve ethical issues, particularly when there is a conflict between different interests (European Commission 2010, p. 28). This approach was initially developed, with respect to the biomedical sector, in the North American scientific environment during the 1970s, through the so-called Belmont Report of 19782 and the work by Tom L. Beauchamp and James F. Childress entitled Principles of biomedical ethics. According to these works, the main principles for tackling ethical issues in biomedicine are: respect for autonomy (the obligation to respect the decision-making capacities of autonomous persons); non-maleficence (the obligation to avoid causing harm); beneficence (the obligation to provide benefits and to balance benefits against risks); and justice (the obligation of fairness in the distribution of benefits and risks). However, the above-mentioned principles are not necessarily relevant in other cultural contexts (Ladikas et al. 2015), legislative frameworks, or fields of research different from biomedicine. Within the European Union’s legislative system, one can observe the tendency to prefer ethical principles such as: (i) dignity; (ii) self-determination; (iii) solidarity; (iv) the precautionary principle; and (v) necessity and proportionality. The next paragraphs are focused on the application of those principles in research and, in particular, in the research activities of biobanks.

2 Dignity Dignity is the cornerstone of the international sources protecting human rights (see UN Charter of 1945)3 and within national legislation (see, for example, Article 2 of the Italian Constitution and Article 1 of the German Grundgesetz; see also Article 16 French Civil Code). 2

National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research (1978). http://www.hhs.gov/ohrp/humansubjects/guidance/belmont.html. 3 The UN Charter states: ‘To save succeeding generations from the scourge of war, which twice in our lifetime has brought untold sorrow to mankind’ it is necessary ‘to reaffirm faith in fundamental human rights, in the dignity and worth of the human person, in the equal rights of men and women’, ‘to promote social progress and better standards of life in larger freedom’.

Ethical Principles and Legal Provisions

179

In addition, dignity is a founding value of the European Union (together with freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities: see Article 2 TEU). Dignity can be defined as the unassailable and non-negotiable core of any human right arising from the ‘primacy’ of the individual in modern legal systems. It is considered a ‘concept-matrix’ that protects humanity and especially vulnerable people (Mislawski 2010). As mentioned above, dignity is also an ethical principle that must be respected in research and in other projects and activities involving individuals (Andorno 2009; see also the preambles of both the Charter of Fundamental Rights and the Oviedo Convention). The persons involved in such activities must therefore not be subject to any degrading treatment from a physical or psychological point of view, and they must not suffer any unnecessary stress or pain. In addition, dignity implies the prohibition of the economic exploitation of a person, and of his/her body and any part of it (see Charter of Fundamental Rights, Article 3; French Civil Code, Article 16-1). This means that the acquisition of biological material from natural persons is forbidden, and people are only able to donate their tissues or cells. A person can be reimbursed only for the expenses ultimately incurred as a result of participating in a medical study or donating his/her biological material (see Directive 2004/23/EC, Article 12). The principle of dignity does not prevent biological material being acquired from a biobank or other provider in compliance with the requirements of EU legislation and the national authorities (see, in particular, Directive 2006/17/EC).

3 Self-Determination Research activities must respect the self-determination (or ‘autonomy’) of people involved in a project. This principle implies that a person has the right to agree or to refuse to be subject to an investigation or to participate in research, after having been informed about its nature, purposes, benefits and risks. European Union law and the system of the European Convention on Human Rights (the ECHR) deal with consent across Europe. In particular, ‘bio-legal’ issues are framed within the Charter of Fundamental Rights. Article 3, paragraph 2 of the Charter establishes the general rule that: ‘In the fields of medicine and biology, the following must be respected in particular: (a) the free and informed consent of the person concerned, according to the procedures laid down by law’. The issue of informed consent is not directly addressed by the ECHR, but the European Court of Human Rights has found a requirement for it in health matters in Article 8 ECHR (Right to respect for private and family life). The Council of Europe promoted the adoption of a specific regional convention on the subject of biomedicine, namely the Convention of Oviedo and its Additional Protocols.

180

R. Cippitani

In the discipline of personal data protection, the consent of the person concerned represents the fundamental condition for the legitimate processing of data and materials, as laid down in Article 8, paragraph 2 of the Charter of Fundamental Rights and in secondary EU law, as well as in the GDPR, Regulation (EU) 536/2014 and Directive 2004/23/EC (see, in particular, Article 13 of this Directive). The content and characteristics of informed consent are addressed in other chapters of the present book (e.g. see ‘Terms and conditions of informed consent’). Although informed consent is normally the condition required for the processing of personal data and biological material, this condition may be not sufficient, because the law or the reason for the activity could require the authorisation of, or an opinion issued by, an authority or ethics committee (see the chapter entitled ‘Ethics Committees and Ethics Advisors’ in this book). On the other hand, informed consent may not be necessary if giving information or gathering consent would be impossible (which is the case, for example, for deceased persons or in the case of historical biobanks; see Cippitani and Colcelli 2021) or would imply a disproportionate effort (see GDPR, recital 62). In those cases, the controller is requested to show that providing the information is ‘likely to render impossible or seriously impair the achievement of the objectives of . . . processing’ in cases when the processing of personal data is carried out for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1)’ (see GDPR, Article 14, paragraph 5). In addition, ‘the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available’ (see GDPR, Article 14, paragraph 5, as above). Furthermore, in those cases it is advisable to justify the derogation from the principles of self-determination and to assess that derogation from an ethical viewpoint (e.g. by the opinion of an ethics committee).

4 Solidarity Constitutional systems are based on the protection of fundamental rights in the context of the duty of solidarity (Cippitani 2010): see, for example, Article 2 of the Italian Constitution of 1948; Article 10, paragraph 2, Constitution of Spain; and the French Constitution of 1946, referred to in the Preamble of the Constitution of the Fifth Republic. Solidarity in its modern meaning (Peces-Barba Martinez et al. 2001) can be defined as the duty to protect the interests of other people, particularly vulnerable people. From the ethical viewpoint, the solidarity principle means that the researcher or other professional must also take into consideration interests that are different from those of their activities, and especially the interests of the persons involved in those activities. As is provided by Article 2 of the Convention of Oviedo, ‘Primacy of the

Ethical Principles and Legal Provisions

181

human being: The interests and welfare of the human being shall prevail over the sole interest of society or science’. According to international, European and national legal sources, particular protection within research activities must be ensured for ‘vulnerable people’, that is children or, more generally, ‘those who are relatively (or absolutely) incapable of protecting their own interests’ (see the International ethical guidelines for biomedical research involving human subjects (2002)).4 Children and other vulnerable people need special protection (Goodin 1985; Macklin 2003; Schroeder and Gefenas 2009) because of their state of ‘dependency’. Dependency is defined by the Committee of Ministers of the Council of Europe as the state of those who are in need of help or assistance to perform activities of daily living and who lack autonomy.5 Dependency can be caused by various factors, such as those ‘arising from age, illness or disability, and linked to a lack or loss of physical, mental, intellectual or sensory autonomy’.6 Vulnerable people deserve particular protection to avoid their exploitation. For this reason, the involvement of vulnerable people in research activities should be allowed only if participation is necessary because similar results could not possibly be obtained otherwise, and the risks and burden to such participants must be minimal.7 In addition, the European system of protection for human rights provides that such persons must be guaranteed the highest possible level of autonomy,8 and that any restrictions upon autonomy must be strictly necessary9 and respect the principle

4

Council for International Organizations of Medical Sciences. http://www.cioms.ch/publications/ layout_guide2002.pdf. 5 Committee of the Ministers of Council of Europe, Recommendation n° R 98(9) concerning dependency, Annex of 18 September 1998. https://wcd.coe.int/com.instranet.InstraServlet? command=com.instranet.CmdBlobGet&InstranetImage=532369&SecMode=1&DocId=4 86242&Usage=2. 6 See Article 2 (2) of Spanish Law no. 39/2006, of December 14 of the Promotion of Personal Autonomy and Care (Ley 39/2006, de 14 de diciembre, de Promoción de la Autonomía Personal y Atención a las personas en situación de dependencia). http://www.boe.es/buscar/doc.php?id=BOEA-2006-21990. 7 See. for example. Regulation (EU) 536/2014, Article 32, paragraph 1, letters e), f), g), which provide that the involvement of children in a clinical trial is allowed if, among other conditions: ‘(e) the clinical trial is intended to investigate treatments for a medical condition that only occurs in minors or the clinical trial is essential with respect to minors to validate data obtained in clinical trials on persons able to give informed consent or by other research methods; (f) the clinical trial either relates directly to a medical condition from which the minor concerned suffers or is of such a nature that it can only be carried out on minors; (g) there are scientific grounds for expecting that participation in the clinical trial will produce: (i) a direct benefit for the minor concerned outweighing the risks and burdens involved; or (ii) some benefit for the population represented by the minor concerned and such a clinical trial will pose only minimal risk to, and will impose minimal burden on, the minor concerned in comparison with the standard treatment of the minor’s condition’. 8 ECtHR (Grand Chamber), Stanev v Bulgaria, 17 January 2012. 9 ECtHR, Shtukaturov v Russia, 27 March 2008, paragraphs 90, 93–95.

182

R. Cippitani

of proportionality.10 As a matter of fact, if vulnerable people need special protection, this does not mean that they are not able to exercise their fundamental rights (see UN Convention on the Rights of Persons with Disabilities, Article 12(2), which provides that ‘persons with disabilities enjoy legal capacity on an equal basis with others in all aspects of life’). In particular, the right to autonomy of vulnerable people is affirmed by the Charter of Fundamental Rights: Article 24, paragraph 1, provides that a minor has the right to express their opinion and that there is a duty to take this opinion into consideration in accordance with their maturity; and Articles 25 and 26 affirm the right to independence of elderly people and persons with disabilities. In this context, European sources prefer, instead of a formal definition of capacity, an objective approach based upon a substantial and dynamic understanding, represented by ‘competence’ (see among others: Beauchamp and Childress 2009; Buchanan and Brock 1990; Culver and Gert 1990; Drane 1985; Jonas 2007). Competence can be defined as the ability ‘to understand relevant information, to evaluate that information and make a reasoned decision, to decide without undue influence, and to communicate consent or refusal’ (European Commission 2010, p. 55). Competence may be ‘contextually relative’ (when it relates to types of interests) or ‘complexity relative,’ (Buller 2001) when, for example, a person may have competence in respect of decisions on their health, yet still be unable to take care of their property interests. It may also be considered ‘risk-relative’ according to the type of risk which might arise as a result of an intervention (Wilks 1997). The legal sources applicable to biobanking address the issue of competence accordingly, in particular with respect to minors (see the chapter of this book entitled ‘Consent and Assent by Children’). Regulation (EU) 536/2014, Article 32, paragraph 1, requires that, in the case of clinical trials, the informed consent of the legally designated representative of a minor must be obtained. However, the same article provides that: (b) the minors have received the information referred to in Article 29(2) in a way adapted to their age and mental maturity and from investigators or members of the investigating team who are trained or experienced in working with children; (c) the explicit wish of a minor who is capable of forming an opinion and assessing the information referred to in Article 29(2) to refuse participation in, or to withdraw from, the clinical trial at any time, is respected by the investigator.

In addition, paragraph 2 of the above-mentioned Article 32 lays down that: ‘The minor shall take part in the informed consent procedure in a way adapted to his or her age and mental maturity’. Furthermore, Article 8 GDPR provides that minors who are at least 16 years old are entitled to give their consent; Member States can reduce the age at which lawful consent can be give to 13 years.

10

ECtHR, Salontaji-Drobnjak v Serbia, 13 October 2009.

Ethical Principles and Legal Provisions

183

5 Prevention of Risks and the Precautionary Principle The beneficiaries, like anybody else, are subject to the duty to not harm their counterpart or third parties. The consequence of a breach of this duty is the application of the civil law sanctions (e.g. compensation by way of damages) or other sanctions provided by the law and by the contract. To avoid causing harm, everyone has the duty to take every ‘reasonable’ precaution to prevent the harmful consequences of their conduct. This duty to act with caution is particularly important in activities such as science and technology which may put at risk the integrity of persons and their other fundamental interests. In general, when complying with the duties at issue, the beneficiaries are required to act carefully to prevent any damage to staff or to any other third party who could be affected by their participation in the project. In particular, EU legal sources consider the case when potentially dangerous effects deriving from an activity have been identified but the scientific evaluation does not allow the risk to be determined with sufficient certainty (see the Communication of the Commission on the Precautionary Principle COM (2000) 1 final). In this case, it is necessary to act in compliance with the ‘precautionary’ principle. This principle has been developed within the EU and international public policies concerning the protection of the environment (see Article 191(2) TFEU and the 1992 Rio Declaration on Environment and Development). On the other hand, it has to be implemented in other areas, such as health,11 the protection of consumers, research and technological development, and it can be extended to other activities which could be dangerous.12 The implementation of the precautionary principle ‘should start with a scientific evaluation, as complete as possible, and where possible, identifying at each stage the degree of scientific uncertainty’ (European Commission, 2000, COM (2000) 1 final, paragraph 4). Therefore, the precautionary principle is the basis of a decision-making process for the assessment of risk.13 This process has to identify the degree of uncertainty

11

This principle concerning the protection of human health is recognised, for example, in the judgment of the Court of First Instance of 11 September 2002, T-13/99, Pfizer Animal Health SA v Council of the European Union, ECLI:EU:T:2002:209, paragraph 114 and in the abundant case law (see, for example, the judgment referred to in paragraph 115 of the decision at issue). 12 European Commission, Future Brief: The precautionary principle: Decision-making under uncertainty, September 2017, Issue 18 Science for Environment Policy, DOI 10.2779/709033, p. 4. In the case law, see, for example, Court of Justice, 16 June 2022, joined Cases C-65/21 P and C-73/21 P to C-75/21 P, SGL Carbon SE and Others v European Commission, ECLI:EU:C:2022:470, paragraph 95: ‘that principle is also applicable in the context of other EU policies, in particular the policy on the protection of public health and where the EU institutions adopt, under the common agricultural policy or the policy on the internal market, measures for the protection of human health’. 13 On the risk assessment to be put in place by the EU institution see the judgment in Pfizer Animal Health SA v Council of 2002, as mentioned above, paragraphs 151–161.

184

R. Cippitani

attached to the evaluation of the scientific information, and then it is necessary to establish the ‘acceptable’ level of risk for society which, in any case, cannot affect the dignity and the integrity of persons. The risk must be present (not merely hypothetical)14 and not such as can be ruled out, even if it is not certain.15 To avoid unacceptable risks, adequate measures must be put in place, depending on the typologies of activities to be carried out. In the case of clinical trials, Regulation (EU) 536/2014, Article 28, paragraph 1, states that the research activities must be conducted only if ‘the anticipated benefits to the subjects or to public health justify the foreseeable risks and inconveniences and compliance with this condition is constantly monitored’ (letter a) and ‘the clinical trial has been designed to involve as little pain, discomfort, fear and any other foreseeable risk as possible for the subjects and both the risk threshold and the degree of distress are specifically defined in the protocol and constantly monitored’ (letter e). According to Directive 2004/23/EC, tissue establishments ‘shall include in their standard operating procedures special provisions for the handling of tissues and cells to be discarded, in order to prevent the contamination of other tissues or cells, the processing environment or personnel’ (Article 20, paragraph 3) and ‘shall establish and apply procedures for the control of packaging and storage areas, in order to prevent any situation arising that might adversely affect the functioning or integrity of tissues and cells’ (article 21, paragraph 3). With respect to the protection of personal data, the controller must adopt security measures in accordance with Article 32 GDPR, such as pseudonymisation. In addition, the controller has other obligations concerning security, such as the communication of any data breach to the supervisory authorities and to the data subjects (see Articles 33 and 34), as well as the creation of the Data Protection Impact Assessment (DPIA) document if the processing is likely to result in a high risk to the rights and freedoms of natural persons (this is the case for health and genetic data; see, for example, Annex 1 to Provision no. 467 of 11 October 2018 [web doc. No. 9058979]: List of types of treatment subject to impact assessment by the Italian Supervisory Authority).

14

According to the Court of Justice (Court of First Instance, order 28 September 2007, T-257/07 R, French Republic v European Commission, ECLI:EU:T:2007:300, paragraph 79), ‘since a “zero risk” cannot actually exist, the precautionary principle can therefore apply only in situations in which there is a risk, in particular to human health, which, although it is not founded on mere hypotheses that have not been scientifically confirmed, has not yet been fully demonstrated’. 15 Court of Justice, 9 September 2020, C-254/19, Friends of the Irish Environment Ltd v An Bord Pleanála, ECLI:EU:C:2020:680, 51.

Ethical Principles and Legal Provisions

185

6 Proportionality A principle of special importance within EU law is the principle of ‘proportionality’, which today constitutes a pillar in the equilibrium between fundamental interests (see, in particular, the Charter of Fundamental Rights, Article 52). The principle of proportionality requires the activity of public authorities, in particular, and moreover that of EU institutions, not to exceed what is appropriate and necessary for attaining the objective pursued,16 with the minimum possible sacrifice for citizens. In addition, the principle of proportionality has to be observed in other activities and relationships regulated by EU law, such as research activities. As argued by the European Data Protection Supervisor (hereinafter referred to as the ‘EDPS’) in its toolkit on the assessment of necessity,17 proportionality in a broad sense refers to ‘both the necessity and the appropriateness of a measure, that is, the extent to which there is a logical link between the measure and the (legitimate) objective pursued’ (paragraph 2). In a strict sense, the proportionality principle means that ‘the advantages resulting from the measure should not be outweighed by the disadvantages the measure causes with respect to the exercise of the fundamental rights’. References to the principles of necessity and proportionality can be found in many EU legal sources, and in particular, in the discipline concerning the protection of personal data, that is to say in Article 8 of the Charter of Fundamental Rights and in the GDPR. According to the GDPR, personal data can be processed in compliance with certain ‘principles’ (see GDPR, Article 5, paragraph 1), among them ‘purpose specification’ (i.e. only for explicit and legitimate purposes and without being further processed in a manner that is incompatible with those purposes); ‘data minimisation’ (i.e. in a manner ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’); and ‘storage limitation’ (i.e. ‘for no longer than is necessary for the purposes for which the personal data are processed’). These principles of processing are expressions of necessity and proportionality, because they establish a link between the activities and the objectives and imply a minimum impact on other interests. In any case, the principles at issues are implicitly implemented in other legal sources relevant to compliance with ethical standards (such as in biomedical fields, animal experimentation, use of technologies, protection of the environment, and security issues).

16

Court of Justice, 17 May 1984, 15/83 Denkavit Nederland, ECLI:EU:C:1984:183, paragraph 25; and Court of First Instance, 12 October 1999, T-216/96, Conserve Italia v Commission, ECLI:EU: T:1999:252 paragraph 101. 17 See the document of the European Data Protection Supervisor, Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit, of 11 April 2017.

186

R. Cippitani

7 Proportionality and Research Biobanks Biobanks do not seem to comply with principle of proportionality: the scientific importance of biobanks is associated with the availability of a massive quantity of data and materials, stored for an undefined period, and which may be used for research activities that are not known at the moment of the collection. It is possible to reply to this issue with at least two arguments. The first one is the more general, and takes into account the fact that proportionality is not an absolute but a relative principle. According to the GDPR, data must be relevant and limited to what is necessary in relation to the purposes allowed by the law (cf. Article 5, paragraph 1, c). One may argue that the collection of a large quantity of materials and data is necessary to achieve the objective of modern science, as mentioned above and as recognised by the GDPR itself. As is explained in recital 157 of the Regulation: By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.18

However, in the interpretation of the EDPS (EDPS 2020, p. 22) on the basis of the wording of Article 8(2) of the Charter of Fundamental Rights, specification and lawfulness have to be seen as two separate and cumulative requirements. Therefore, the use of personal data from a biobank for research should not be considered a specific purpose. The second argument is that some specific provisions are applicable when the above-mentioned principles have to be applied in research activities. According to the rule of storage limitation, data must ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’ (GDPR, Article 5, paragraph 1, e). This provision itself recognises that use for research is considered as a legitimate reason for maintaining health-linked personal data, including genetic data, for a longer period (see also article 4(1)(f) draft Recommendation on the protection of health-related data). According to a document issued by the EU Agency for Fundamental Rights and the Council of Europe, ‘keeping data for future scientific, historical or statistical use 18

In the case of historical research purposes, the value of archiving is underlined by recital 158 which states that ‘Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes’.

Ethical Principles and Legal Provisions

187

is explicitly exempt from the principle of limited data retention’. (European Union Agency for Fundamental Rights, Council of Europe 2014, p. 73). However, the arguments above are not without their drawbacks. The EDPS, which is an important interpreter (see the ‘Preliminary Opinion on data protection and scientific research’), has continually affirmed that the derogations for research activities should not be considered as a general authorisation to infringe the principles and the provisions of the GDPR. For example, it underlines that the research exception to the principle of storage limitation is applicable only when the data are stored ‘solely’ for research purposes (which is a problem for biobanks in biomedical fields when the data may also be used for other purposes, including therapeutic activities, epidemiological surveillance, etc.). In addition, the EDPS affirms that ‘the intention of the lawmaker appears to have been to dissuade unlimited storage even in this special regime, and guards against scientific research as a pretext for longer storage for other, private, purposes. If in doubt, the controller should consider whether a new legal basis is appropriate’ (pp. 23–24 of the Preliminary Opinion). Other problems derive from the fact that the GDPR provides that the special rules for research activities are to be applied in conjunction with article 89 which, in turn, refers to more detailed provisions to be adopted by the EU and national lawmakers. (European Union Agency for Fundamental Rights, Council of Europe 2014, p. 31). When those specific rules are absent, it is not clear if the controller may implement the special rules for research purposes.

References Andorno R (2009) Human dignity and human rights as a common ground for a global bioethics. J Med Philos 34:223–240. https://doi.org/10.1093/jmp/jhp023 Beauchamp TL, Childress JF (2009) Principles of biomedical ethics, 6th edn. University Press, Oxford Betti E (1971) L’interpretazione della legge e degli atti giuridici. Giuffrè, Milano Buchanan AE, Brock DW (1990) Deciding for others: the ethics of surrogate decision making. Cambridge University Press, Cambridge Buller T (2001) Competence and risk-relativity. Bioethics 15:93–109 Cippitani R (2010) La solidarietà giuridica tra pubblico e privato. ISEG Cippitani R, Colcelli V (2021) Bio-legal issues in the establishment of a historical collection of human tissues: the case of the Umbria Biobank Project. Med Hist 5(1):1–9 Culver CM, Gert B (1990) The inadequacy of incompetence. Milbank Q 68:619–643 Drane JF (1985) The many faces of competency. Hastings Centre Rep 15(2):17–21 EDPS (2020) A preliminary opinion on data protection and scientific research. https://edps.europa. eu/data-protection/our-work/publications/opinions/preliminary-opinion-data-protection-and-sci entific_en European Commission, Directorate-General for Research and Innovation (2010) European textbook on ethics in research. Publications Office. https://data.europa.eu/doi/10.2777/51536 European Union Agency for Fundamental Rights, Council of Europe (2014) Handbook on European data protection law. Publications Office of the European Union, Luxembourg

188

R. Cippitani

Goodin RE (1985) Protecting the vulnerable: a re-analysis of our social responsibilities. The University of Chicago Press Jonas MF (2007) Competence to consent. In: Ashcroft RE, Dawson A, Draper H, McMillan JR (eds) Principles of health care ethics. John Wiley & Sons, pp 255–262 Ladikas M, Chaturvedi S, Zhao Y, Stemerding D (2015) Science and technology governance and ethics: a global perspective from Europe, India and China. Springer Macklin R (2003) Bioethics, vulnerability and protection. Bioethics 17:472–486 Mislawski R (2010) Dignité, autonomie, vulnérabilité: approche juridique. In: Hirsch E (ed) Traité de bioétique (Vol. I, Fondements, principles, repères). Érès, pp 262–280 Peces-Barba Martinez G, Fernández García E, De Asís Roig R (2001) Historia de los Derechos fundamentales (t. II, Siglo XVII, vol. I, El contexto social y cultural de los derechos. Los rasgos generales de evolución). Dykinson, S.L. Schroeder D, Gefenas E (2009) Vulnerability: too vague and too broad. Camb Q Healthc Ethics 18: 113–121 Wilks I (1997) The debate over risk-related standards of competence. Bioethics 11:413–426. https:// doi.org/10.1111/1467-8519.00081

EU Legislation and Health Data Protection For the Processing of Medical Personal Data in Biobanking Activities, is the GDPR the Sole Reference Legislation in the EU? Nataliia Mushak

1 Introduction The new data protection rules brought in by the GDPR give back to citizens control over their data, in particular by granting them rights such as the right to be forgotten, the right to data portability and the right to be informed about personal data breaches. The GDPR provides for the strengthening of the rights and obligations of those responsible for the processing of personal data, and gives appropriate powers to monitor and enforce the rules on the protection of personal data and to apply sanctions to violators in EU Member States. However, there are other legal sources containing requirements for personal data protection in the EU legal framework. The area of personal data is governed by primary law and by the secondary legislation of the European Union, where the EU institutions play an important role. Because of the EU institutional mechanism, it has gradually become possible to ensure a fairly high level of personal data protection.

2 Personal Data Protection and the EU Treaties: Are There Articles of the EU Founding Treaties that Regulate Personal Data Protection? The legal mechanisms of the European Union with regard to personal data protection are contained in the EU’s founding treaties, the EU Charter of Fundamental Rights and the EU secondary legislation. In particular, the TFEU provides that everyone has

N. Mushak (✉) Department of International and Comparative Law - Faculty of International Relations, Kyiv National Aviation University, Kyiv, Ukraine © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_21

189

190

N. Mushak

the right to the protection of personal data relating to him or her (Article 16).1 The rules for the protection of persons in relation to the processing of personal data by institutions, bodies, and agencies, as well as by the EU Member States in the implementation of activities within the scope of EU law, are established by the European Parliament and the Council of the EU, acting in accordance with their ordinary legislative procedure (Article 16(2)). In addition to the TEU and the TFEU, the protection of information is currently the subject of regulation and is subject to the EU Charter of Fundamental Rights. Just like the TFEU, the EU Charter guarantees every person the right to the protection of their personal information (Article 8).2 This right must be respected and guaranteed by the EU institutions and the EU Member States (Article 51 of the EU Charter). In the practice of the EU Court of Justice, the right to the protection of personal data is to some extent opposed to the right to freedom of expression enshrined in Article 11 of the EU Charter. The content of the right to freedom of expression is revealed through the freedom to respect for one’s views, and the right to obtain and disseminate information without interference by public authorities and regardless of state borders.

3 The Bridge Between the EU Treaties and the GDPR: What Is the Role of the GDPR in the Legal Mechanism for Personal Data Protection? The GDPR is based on Article 16 of the TFEU, which sets out a new legal basis for the introduction of data protection rules and provides for the establishment of updated rules for the protection of individuals in the processing of personal data by the EU Member States in the conduct of activities subject to EU law, as well as the introduction of rules for the free movement of personal data, including personal data processed by the EU Member States or private organizations (Melnyk 2013). The GDPR is one of the most significant pieces of legislation applying to the regulation of personal data,3 and it came into force on May 25, 2018. The GDPR is an important component of EU privacy law and human rights law, which is set out, in particular, in Article 8(1) of the EU Charter of Fundamental Rights. The right to privacy is an integral part of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which states that

1

Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community. 2 Charter of Fundamental Rights of the European Union (2000/C364/01). 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

EU Legislation and Health Data Protection

191

‘Everyone has the right to respect for his private and family life, his home and his correspondence’ (Article 8). The European Union has sought to ensure the protection of this right through legislation. The GDPR is a Regulation, not a Directive, and as such it is directly applicable. At the same time, it provides flexibility to allow certain aspects of the Regulation to be adjusted by individual EU Member States (Dalrymple 2021). The GDPR defines the basic principles of the right to the protection of personal data, and these principles are implemented through the following legal provisions: the information should be used in accordance with the established rules for a certain purpose and on the basis of the permission of the person concerned or on other legal grounds provided for by law; every person has the right to access and correct the information collected about him or her; and compliance with these rules is subject to control by independent bodies. The primary aim of the GDPR is to enhance individuals’ control and rights over their personal data. Although it was drafted and passed by the European Union, it imposes obligations on organisations located anywhere if they target or collect data related to people in the EU. Special attention is paid in the GDPR to the so-called special categories of personal data. Such data by their nature may pose a threat to the subjects whose personal data are processed and, accordingly, require enhanced protection in order to avoid the improper application of the data. Therefore, the permission to process this category of data should be granted only with special guarantees. The GDPR defines the following ‘special categories of personal data’: (1) personal data that reveal racial or ethnic origin; (2) personal data that reveal political, religious or other beliefs; and (3) personal data relating to health or sexual life. For example, in Criminal proceedings against Bodil Lindqvist (Case C101/01), the EU Court of Justice stated that a reference to the fact that a person has injured his leg and works part-time for medical reasons constitutes personal data relating to health.4 The Regulation also added trade union membership to the list of the special categories of personal data, as this information can be a significant identifier of political beliefs or party membership. The GDPR also defines categories of users of personal data whose status is clearly regulated. These include owners, processors, controllers, recipients and third parties (Kolah and Foss 2015). In accordance with Article 4 of the GDPR there are definitions in regard to the above mentioned categories of users of personal data. For instance, the controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (para 8 Article 4). Controllers are responsible for taking all necessary measures to ensure the correctness of personal data. The processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (para 8 Article 4).

4 Judgment of the ECJ of 6 November 2003. Criminal proceedings against Bodil Lindqvist. Case C-101/01. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62001CJ0101.

192

N. Mushak

In its turn, the recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. The processing of the data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. Finally, the third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. The owner of personal data means a person or a team who makes the decisions such as who has the right to access and edit data and how it’s used. Article 89 of the GDPR is the critical provision for a discussion on biological samples (Davey et al. 2022); it creates an exception that eases the GDPR requirements on data processing. According to the Regulation, exceptions can be stipulated in national law concerning data processing for scientific research purposes that limit the right of access (GDPR art. 15), the right to be informed, the right to restriction of processing (GDPR art. 18), and the right to object (GDPR art. 21). These exceptions may result in differences emerging between the Member States in their data processing principles. It should be highlighted that the exceptions stipulated in GDPR art. 89(2) are acceptable only if they are based on national laws and not on established codes of conduct.

4 The Key Principles of Personal Data Protection in the European Union: Which Principles Apply to Personal Data Protection in the European Union? The key principles of personal data protection in the European Union are the following: the principle of legality, the principle of the specification and limitation of purpose, the principle of the limited storage of personal data, the principle of data compliance, the principle of data accuracy, the principle of thoroughness of data processing, the principle of transparency, and the principle of accountability. Under the principle of the legality of data processing, the processing of personal data is legal if it complies with the law, has a legitimate purpose and is necessary in a democratic society to achieve a legitimate goal. The principle of the specification and limitation of purpose means that the legality of the processing of personal data depends on the purpose of processing, which must be clearly defined. The principle of the limited storage of personal data implies that data must be deleted as soon as it is not necessary for the purpose for which it was collected. The principle of data compliance means that only those data that are adequate and relevant with respect to the purpose for which they are collected and/or processed are subject to processing.

EU Legislation and Health Data Protection

193

The principle of data accuracy stipulates that the owner of personal data should not use the information provided without making sure that it is accurate and up-todate. The principle of thorough processing means that the processing should be transparent and careful, especially with respect to personal data subjects. The principle of transparency obliges the owner of personal data constantly to inform the subjects of the personal data about how the data are used. The principle of accountability requires owners to implement active measures in order to maintain and protect personal data while it is being processed. There are also important innovations in the GDPR that apply to the rights of personal data subjects. Thus, art. 15 of the GDPR obliges personal data controllers to inform personal data subjects about the retention period as well as about their rights to correct and delete personal data, and to inform them of the mechanism for filing a complaint with an authorised body (Phillips 2018). Article 17 gives further details, clarifying the right to delete data and defining the conditions for the use of the right to be forgotten, including the obligation of the owner who published the personal data to notify third parties of the data subject’s request to eliminate any references to the relevant personal data, as well as to delete any copies of such personal data. It also provides for the right to limit the volume of processing in certain cases, while avoiding the use of the ambiguous term ‘data blocking’.

5 Conclusions: How Efficient Is the Legal Mechanism that Regulates the Protection of Personal Data? Recent decades have seen a dynamic development of biobanks (which, according to the International Organization of Standardization’s definition, are legal entities driving the process of the acquisition and storage of, together with some or all of the activities related to the collection, preparation, preservation, testing, analysing and distributing of, defined biological material as well as related information and data) (Hallinan and Friedewald 2015) In the contemporary world, biobanks have become vital instruments for research and practical uses (Nordberg 2021, p. 61) The collection of human biological material and data broadens knowledge about the genetic, behavioural and environmental determinants of many diseases, supports the development of new biomarkers and drugs, and improves medical care in the move towards more personalised medicine (Tzortzatou et al. 2021). Another term— biobanking—is also widely used alongside the term biobank. Biobanking often refers to the collection, processing and storage of a specimen and associated data. In both cases, therefore, biobanks and biobanking are closely associated with information and data. From the processed data it can sometimes be possible to identify the natural person who submitted their material to the biobank, and so data protection in this respect poses a particular concern. This is why respecting privacy, confidentiality and data protection are among the most significant ethical

194

N. Mushak

and legal challenges for this activity. The risks of a breach of privacy are among the most common and significant problems (Mondschein and Monda 2019). The legal mechanism for the protection of personal data is a comprehensive system of legal acts, which is formed, on the one hand, by the founding treaties of the EU and the EU Charter of Fundamental Rights, and, on the other, by the secondary legislation of the European Union adopted by the EU institutions in the form of directives, regulations, decisions, notifications, and so on, which regulate in detail the rules for data processing, the methods for data storage, and so on. Despite the fact that the legal mechanism for the protection of personal data is a comprehensive system of legal acts, the various problems and challenges in regard to the application of the protection of fundamental rights to biobanking activities can be faced only by taking into consideration the different rules in the EU legal framework as set out above.

References Dalrymple HW (2021) The general data protection regulation, the clinical trial regulation and some complex interplay in paediatric clinical trials. Eur J Pediatr 180:1371–1379. https://doi.org/10. 1007/s00431-021-03933-3 Davey MG, O’Donnell JP, Maher E, McMenamin C, McAnena PF, Kerin MJ, Miller N, Lowery AJ (2022) General data protection regulations (2018) and clinical research: perspectives of patients and doctors in an Irish university teaching hospital. Ir J Med Sci 191(4):1513–1519. https://doi. org/10.1007/s11845-021-02789-8 Hallinan D, Friedewald M (2015) Open consent, biobanking and data protection law: Can open consent be ‘informed’ under the forthcoming data protection regulation? Life Sci Soc Policy 11: 1. https://doi.org/10.1186/s40504-014-0020-9 Kolah A, Foss B (2015) Unlocking the power of data under the new EU General Data Protection Regulation. J Direct Data Digit Mark Pract 16:270–274 Melnyk K (2013) Legal mechanisms for the protection of personal data in the European Union. Leg Inform 4(40):55–62 Mondschein CF, Monda C (2019) The EU’s General Data Protection Regulation (GDPR) in a research context. In: Kubben P, Dumontier M, Dekker A (eds) Fundamentals of clinical data science. Springer, pp 55–71. https://doi.org/10.1007/978-3-319-99713-1 Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU General Data Protection Regulation. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 61–89. https://doi.org/10.1007/978-3-030-49388-2 Phillips M (2018) International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Hum Genet 137:575–582 Tzortzatou O, Slokenberga S, Reichel J, Andrade A, Barbosa C, Bekaert C, Veen E, Carlos M, Romeo-Casabona C, Cathaoir K, Chassang G, Debucquoy A, Derèze J-J, Dollé L, Fält S, Halouzka R, Hartlev M, Hisbergues M, Hoppe N et al (2021) Biobanking across Europe postGDPR: a deliberately fragmented landscape. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 397–419. https://doi.org/10.1007/978-3-030-49388-2

Forensic Databases (Part I) Forensic Use of Research Biobanks: How Does the GDPR Regulate the Issue?’ Francesca Aime, Noemi Argirò, Miriam Merli, Lisa Lonetti, and Francesca Scarpone

1 Introduction Forensic DNA databases, which constitute an important investigative instrument in criminal justice systems all over the world (Santos et al. 2013), allow for the ‘conservation of resources’ and aim to both solve crimes more quickly and accelerate the judicial proceedings through the consolidation of evidence (Asplen 2004). Most EU Member States are enacting legislation to set rules for national forensic DNA databases and criteria for the inclusion and retention of genetic profiles with data also deriving from research biobanks, though this is not thoroughly regulated at present. Once identified, the DNA is selected and quantified in the laboratory while the biological material is collected, stored, and characterised. The genetic data obtained from the sample is called ‘profile’—an encrypted set of values of a group of genetic markers identified in an individual’s DNA by DNA profiling (also known as DNA fingerprint, DNA type, or genetic fingerprint)—and must be considered as sensitive; this is because once processed, it could provide personal information about the donor and their identification, potentially leading to psychological and social consequences (Machado and Silva 2015). The peculiarity of forensic databanks is that they are both databases and biobanks, collecting genetic data, as well as the biological material from which it is extracted (Grasso et al. 2014).1 This implies that specific protocols of confidentiality, traceability, monitoring, and limitations of access to data must be followed to protect and safeguard the scope of this tool.

1

This implies that specific protocols of confidentiality, traceability, monitoring, and limitations of access to data must be followed to protect and safeguard the scope of this tool.

F. Aime (✉) · N. Argirò · M. Merli · L. Lonetti · F. Scarpone Department of Medicine and Surgery, University of Perugia, Perugia, Italy © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_22

195

196

F. Aime et al.

Genetic databases and biobanks are generally considered as separated entities for many reasons: firstly, they are supposed to have different fields of application, forensic and biomedical, respectively; secondly, they have different objectives as genetic databases are related to legal aspects, while biobanks have research purposes. Lastly, while medical biobanks are grounded on personal choices and consent due to their reliance on voluntary participation, forensic databases are established to serve public interests (namely criminal investigations) and contain the genetic data obtained from samples collected at the crime scene (Machado and Silva 2015). On the other hand, there are certain continuities between biobanks and forensic databases; the genetic data comes from biological samples, but the information acquired could also be used in biomedical research (Elger et al. 2009). This opens controversies about the secondary uses of samples, considering that forensic access to non-forensic biobanks is on the rise. It is, however, true that both medical biobanks and forensic DNA databases provide great social benefits; whereas medical biobanks are seen as one of the most promising instruments for fighting disease and improving public health, forensic DNA databases are tools that can improve public safety and security. This said, those EU states presenting more expansive legislation (Austria, Denmark, Estonia, Finland, Latvia, Lithuania, Scotland, Slovakia, England, and Wales) may allow for biological samples, together with personal information, to be retained for the same period of time as the DNA profiles; in this situation, the forensic DNA databases are equivalent to biobanks. Thus, DNA profiles can be obtained from these samples and compared with those from a crime scene; in turn, one can easily imagine the potential value of these biospecimens to aid criminal investigation and prosecution purposes. Typically, the analysis performed on the samples to be processed for forensic purposes involves the use of the Restriction Fragment Length Polymorphism (RFLP) technology, consisting of the extraction and segmenting of the analysed DNA in small sections (Parven 2013). This type of analysis does not focus on gene mutations or markers for diseases as it is only able to identify Single Nucleotide Polymorphisms (SNPs), leading to the differentiation between two samples by establishing unique patterns necessary for comparisons (Parven 2013). Various types of genetic profiles converge in forensic databases, including those derived from traces found at the crime scene, those of convicted criminals, in addition to those of suspects and people involved in the investigation, but several criteria must be taken into account (ENFSI 2012). According to the ENFSI DNA Working Group, two types of DNA profiles are almost always present in a DNA database: persons and crime-related stains, which are the DNA profiles that are assumed to originate from the crime’s perpetrators (ENFSI 2012). Among these, it is possible to find DNA profiles of: • Convicts: persons who have been found guilty of a criminal offense by a court of law and may be sentenced to imprisonment, a fine, a work sentence, hospitalisation, or a combination of these. In some countries, it is possible to include persons in the national DNA database who have been convicted in the

Forensic Databases (Part I)

• • • • •

197

past and who have already completed their prison sentence; this is called retrospective sampling. Suspects: persons who have not yet been found guilty, but who are officially the subject of investigation and/or prosecution. Arrestees: persons who have been taken into custody by the police but who are not yet considered as suspects, as previously defined. Volunteers: persons outside the aforementioned categories who have agreed to give a DNA sample for investigative purposes. Victims of both ongoing investigations and unsolved crimes. Missing persons if foul play is suspected.

If the trace is of unclear origin, the reference samples (i.e., from the victim or witnesses) should be collected and the DNA profiles compared with those of the crime-related samples to prevent DNA profiles of innocent persons from being included in the DNA database. The organisation of the main European databases follows the template set by the US’s Combined DNA Index System (CODIS) (Grasso et al. 2014) concerning the individuation of the genetic data subjected to the archiving and its cataloguing. The differences amongst Member States are regulated by each State’s legislation and are to be found in the object itself of the cataloguing, in the conservation of the material, and in the retention of the associated data (Santos et al. 2013). All currently existing European DNA databases use Short Tandem Repeat (STRs) sequences for identification purposes (Parson et al. 2009) but according to Grasso et al. and due to the lack of a generally agreed upon model, European DNA databanks can be schematically reduced to three styles: the English model, the French model, and the German model.2 It is, however, possible that the DNA profile uploaded does not match any other profile on the database. When this happens, investigators resort to “familial

2

The English model, following a conservative approach, allows for the collection of DNA profiles in a coercive way following an arrest (Schneider 1998). The genetic profile is uploaded to a sole databank—namely the United Kingdom’s National DNA Database (NDNAD)—and compared to existing profiles derived from casework, as well as from reference DNA of suspects or volunteers, and that of convicted offenders Grasso et al. 2014). Data Retention: Le biobanche forensi. Il, 50. The ownership of the data held on the NDNAD is of the submitting authority; however, biological material such as skin, blood, etc., is kept permanently while linked to the database and stored by the companies that analyse it for an annual fee (National Dna Database Strategy Board Biennial Report 2018–2020, 2020). The French or “crisis” model, pursuant to Article 706–55 of the Code de procédure pénale, allows the conservation in the Fichier National Automatisé des Empreintes Génétiques (FNAEG)—the French national DNA database—of genetic fingerprints gathered from biological traces, those of persons found guilty of, or suspected of, and/or of persons against which there are serious or concordant indications making it probable that the person is guilty of, one of the offences mentioned in Article 706–55 (Code de procédure pénale, 2021). The German model is considered to be at an intermediate level between the English and the French ones. The entry of a DNA profile obtained from routine casework analysis is automatic but must be ordered by a judge. Moreover, a judging based on the likelihood of the person becoming a repeat offender is needed for the inclusion in the database when dealing with serious crimes in which no DNA analysis was performed but it is possible to separately obtain the DNA profile of a suspect or convicted felon.

198

F. Aime et al.

searching” to generate new leads: the DNA profile is reanalysed in order to find close, partial matches usually belonging to siblings, parents, or children of the person whose DNA is being processed (Granja and Machado 2019). If all else fails, in some cases authorities have sparked controversy by covertly turning to recreational DNA databases for long-range familial searches (Guerrini et al. 2018), which use SNPs, significantly expanding the subject pool. These recreational DNA databases also present significant differences for what concerns their regulation, in particular, the lack of governance and oversight of the latter even after the adjustments made by private companies in February 2019; this refers to FamilyTreeDNA admitting to allowing the FBI to upload genetic profiles from ongoing investigations to the platform without informing their users (Kennett 2019).

2 Legislation Applicable and Standards of Conduct Depending on the legislation of the country concerned, samples and profiles may be stored permanently or for a limited time, routinely examined for matches with crime scene samples, used for familial searching, and for research relevant to crime detection. Concerning Europe, the protection of personal data has been regulated within the framework of the General Data Protection Regulation (‘GDPR’) since 2018. In addition, the European Data Convention no. 108 of the Council of Europe and the European Convention of Human Rights (ECHR), assists States in the establishment of safeguards while providing fundamental general principles. While the Council of Europe (CoE) implemented Convention 108 to clarify this margin in their domestic law, EU law demands a stricter set of rules to harmonise the level of data protection among Member States. This coordination is provided by Regulation (EU) 2016/679, which entered into force on 25th May 2018: the GDPR. In the context of protection of natural persons, regarding the processing of personal data by competent authorities for the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, Directive (EU) 2016/680, along with Regulation (EU) 2016/679, set out a common framework for the protection of personal data for all EU Member States. Indeed, Directive (EU) 2016/680 mirrors the GDPR as many of the rules contained therein are similar, if not identical, but are specific to the processing carried out by the competent authorities for the purposes of the prevention, investigation, detection, and prosecution of crimes, the execution of criminal sanctions, safeguarding and preventing threats to public security (Recital (3) Directive (EU) 2016/680), as well as the free circulation of such data (Recital (4) Directive (EU) 2016/680).3

3

Nonetheless, Member States should grant the right to information, access to, and rectification or erasure of said data and restriction of processing must be carried out in accordance with the national rules on judicial proceedings.

Forensic Databases (Part I)

199

Although the ECHR does not recognise a right to data protection, the storing and retention of personal data by police or national security authorities constitutes an interference with its Article 8 concerning the right to respect for private life, family life, home, and correspondence. However, many European Court of Human Rights (ECtHR) judgments deal with such interference, as in the S. and Marper v. the United Kingdom case regarding the retention of biometric data of persons charged with, but not convicted of, criminal offences. The case claimed that the retention of their DNA samples and profiles violated their right to respect for private life, as this sensitive information was linked to their personal identity, thus violating Article 8, as the retention of biometric data must be proportionate to the purpose of collection and limited in time, especially in the police sector. Furthermore, in accordance with Article 4 of GDPR and similarly as per Article 5 of Convention 108, Member States must ensure that personal data is kept in a form that permits the identification of data subjects for no longer than necessary for the purposes for which the data was collected or for which they are further processed and erased thereafter, meaning this data could therefore be lawfully stored as pseudonymised (Regulation (EU) 2016/679 Art. 4(5)). The European Parliament and the Council, pursuant to Article16 paragraph 2 of the Treaty on the Functioning of the European Union (‘TFEU’), have the power to establish regulations relating to the protection of individuals concerning the processing of personal data and its free movement in the Union. Furthermore, Directive (EU) 2016/680 in its Recital (4), (5), (53), and (64) stresses the importance of international cooperation and the necessity to protect the data when it is being sent to third countries. An important example of institutionalised cross-border cooperation is Council Decision 2008/615/JHA, which in 2008 subsumed the Prüm Convention (or Treaty)4 into EU law under the name the “Prüm Decisions”. This document presents Member States’ aim to achieve an improved sharing of information in the fight against transnational crime, especially concerning terrorism. For this purpose, the Prüm Decisions set out provisions concerning the automated access to DNA profiles and establishes the compulsory exchange of biometric data and genetic profiles amongst Member States, while retaining ownership of the uploaded data. The databases made available under the Prüm Decisions are entirely subject to national law, but the exchange of data falls under Articles 44, 45, 46, and 49 of Regulation (EU) 2016/67. The competent bodies for the supervision of such data flows are the national data protection supervisory authorities, as per Article 4(22) of Regulation 2016/679. These supervising organs combine to form the European Data Protection Board (EDPB), which ensures the coordination of action and correct interpretation of the GDPR by the supervising national authorities and approves several documents for the interpretation and improvement of the rules therein implied; its tasks are

4 An international police cooperation agreement signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands, and Spain.

200

F. Aime et al.

outlined in Art. 57 and its corrective power defined in Art. 59 of Regulation (EU) 2016/679. The application of the aforementioned European legal framework to forensics data may lead to some issues that will be subsequently addressed. It is important to note that the outlined legislation is the same as that regulating the use of medical biobanks in the European Union and thus highlights the importance of providing accurate and timely information to data subjects, in particular about the purpose and objectives of the biobank and its governance structures, the possible and inadmissible uses of the samples, the variables to be registered in the database, the retention time and availability of the samples, the type of samples stored, the procedures associated with the recovery of samples and data, the terms under which samples and data can be accessed, the rights of individuals, and a list of the foreseeable risks and benefits regarding the functioning of biobanks and forensic DNA databases. Moreover, it calls for adjustment between the expectations and responsibilities of all players involved in the reality of medical research and to the use of genetic databases to support criminal investigation and prosecution activities.

3 Data and Material Retention The European Commission has identified population (or genetic) biobanks as a population-based collection of biomaterials created or transformed to yield related personal data and associated genealogical, medical, and lifestyle information, which may be periodically updated. In its processing, biobanks need to consider and uphold the individual rights under the GDPR. Council Decision 2008/615/JHA and the GDPR set very broad rules regarding DNA databases, especially for judicial purposes, so it is up to each Member State to establish and enforce the appropriate regulation. Moreover, the rules for data retention concerning criminal investigations are outlined in Recital (26) and (49) and Artt. 5, 18 of Directive (EU) 2016/680. Indeed, Member States do not share the same criteria for the inclusion of the DNA profiles, their management, retention, and deletion, and nor is there common ground as for which authorities—either judicial authorities, police forces, or agents of the judicial system—can or cannot access the genetic data. This dissensus results in a geographically varied normative, making it harder to ensure harmonious compliance with legal and ethics principles throughout Europe (Machado and Granja 2020). Concerning the European scenario on genetic databases, four major discrepancies can be encountered in relation to the criteria for entering individual profiles, the rules for the destruction of the sample, the retention time of the DNA profile of a convicted offender, and the circumstances requiring the deletion of the DNA profile (Westermark et al. 2020).

Forensic Databases (Part I)

3.1

201

Criteria for Entering Individual Profiles

The act of taking a DNA sample must always be performed in accordance with standard medical guidelines. Furthermore, this must follow the ethics of the subject’s right to information concerning the foreseeable risks and uncertainties posed by the sample’s collection and resulting DNA profiling, as well as the regulations outlining their storage and retention period. Moreover, special attention must be paid to their processing and free movement, as the procedures associated with their recovery and the authorised access are to be thoroughly detailed. Countries’ rulings on which profiles are to be included into the DNA database and under which circumstances vary. Generally, the profiles inserted are of suspects or convicted felons, depending on the severity of the offence in question and the country’s policy: Austria and Germany require a statutory term of imprisonment of at least 1 year (Abs. 5 StPO§ 124Rz. 29; 75 Abs. 2 Bundesdatenschutzgesetz (BDSG)); in Denmark, the threshold is 1 year and 6 months (Act on the Central DNA Profile Register, Sect. 2). In Sweden, it is sufficient that the offence led to imprisonment of any length (Act on the Processing of Personal Data by the Police, Chap. 5, Sect. 4, 2003). A unique case is that of the UK, allowing the retention of DNA profiles from suspects and convicts independently from the offence at play (Protection of Freedoms Act, 2012). Higher thresholds can be observed in countries such as France, where the offences leading to the retention of DNA profiles are listed in Article 706–55 of the Code de procédure pénale and primarily concern crimes against the person. Similarly, Dutch law allows for the storage of DNA profiles when sentences exceed 4 years in length, if they entail a pre-trial detention, or if they are pursuant with Sect. 67 of the Dutch Code of Criminal Procedure (Westermark et al. 2020). Likewise, 5-year sentences or above are general practice in Spain, with specific felonies not meeting this time criteria listed in a special directory (L.O. 10/2007). Transcending from the criteria outlined in these regulations, Belgium and Italy have other requirements rather than a minimum term of imprisonment for the upload of DNA profiles in their national database (Loi du 7 nov. 2011;5 Decreto Min. Int. 12 mag. 20176). As a matter of fact, Belgium entries solely depend on an extensive list of offences, mainly concerning crimes against the person.

5

Loi du 7 nov. 2011 mod. le Code d’instruction criminelle et Loi du 22 mars 1999 relative à la procédure d’identification par analyse ADN en matière pénale. 6 Allegato C del Decreto del Ministero dell’Interno 12 mag. 2017, G.U., 16 giu. 2017 n. 137, Art. 5.1.

202

3.2

F. Aime et al.

Rules for the Destruction of the Sample Used for the Creation of the DNA Profile

In countries such as the Netherlands and Spain, destruction of the sample corresponds to the deletion of the DNA profile (Art. 13 Abs. 2 lit. a BeDNA-U; Art. 5 L. O), whereas in others—like France and Italy—it takes place immediately after the positive identification (Art.R53–14-1 du Code de procédure pénale; Decreto Min. Int. 12 mag. 2017) (Asplen 2004). By contrast, others destroy the sample within a fixed period of time, as in the case of Sweden, which proceeds with its destruction within 6 months from the date of collection (Act on the Processing of Personal Data by the Police, Chap. 5, Sect. 9, 2003). Be that as it may, most countries resort to a mixture of these rules, in particular when concerning the retention of convicts’ profiles rather than suspects. Indeed, Belgian law states that samples taken from suspects must be destroyed within 6 months, whereas those obtained from convicts must be destroyed immediately (Art. 44quinquies § 9 C. instr. crim.). Moreover, in Germany it is mandatory for the sample to be destroyed following the final judging on the case (§ 81a Abs. 3 in Verbindung mit § 81e Strafprozessordnung (StPO)), and for the UK it must be destroyed as soon as the profile is obtained from the sample and, regardless, within 6 months of the date of collection (Protection of Freedoms Act, 2012).

3.3

Retention Time of the DNA Profile of a Convicted Person

The most common regulatory approach is to set a fixed time limit and, generally, the retention period varies according to the severity of the crime in question. Indeed, Dutch law provides for retention periods varying from 20 to 80 years (Art. 17 Abs. 3 BeDNA-U); in Spain, the retention period shadows that of the deletion of the criminal record for the offence at issue or, alternatively, the time period for the prescription of that offence (Art. 9 L.O.). German law, on the other hand, provides no specific time limit for the retention and leaves the evaluation on the necessity of retaining the data within a certain time frame—within 10 years for adults and 5 years for juveniles—to the police (§ 77Abs. 1S. 2Bundeskriminalamtgesetz (BKAG)); others, like Belgium, leave its establishment at the discretion of the courts (Westermark et al. 2020). While most countries apply retention periods of more than 20 years, there are instances of more restrictive legislations: in Sweden, for example, DNA profiles must be deleted 10 years after the subject’s release from prison (Act on Criminal Records, Sect. 17). Lastly, indefinite retention is only allowed by UK law and usually for more serious offences.

Forensic Databases (Part I)

3.4

203

Circumstances Requiring the Deletion of the DNA Profile

In some jurisdictions, a DNA profile must be deleted upon acquittal or if prosecution is not pursued, whereas others allow for continuous retention. Certain countries, such as Sweden, require immediate deletion without considering the reason for acquittal or non-pursuance of the prosecution (Act on the Processing of Personal Data by the Police, Chap. 5, Sect. 7), while in Austria and Germany continuous storage—in cases of acquittal and non-pursued prosecution—is allowed following a risk assessment, which should be carried out by law enforcement authorities (§ 75 StOP; §77Abs. 3S. 2 Bundeskriminalamtgesetz (BKAG)). It is also possible to encounter retention even in cases of acquittal or non-pursued prosecution. This is true of Denmark—where the DNA profile is retained for 10 years in case of acquittal or the prosecution is not pursued, unless another person is subsequently charged and convicted of the offence, or the charge is declared unfounded (Act on the Central DNA Profile Register, Sect. 3–4)—and similarly in Spain (Art. 5 L.O.) and in the UK. In the latter, retention depends on whether one is charged with an offence and subsequently not convicted or if one is arrested but then not charged (Prevention of Freedoms Act, Sect. 64, 2012).

4 Conclusion DNA profiling brings into collaboration the disciplines of science and law. Despite the legal sources previously analysed, however, there remains a lack of uniformity in the European Union regarding the regulation of forensic applications of biomedical biobanks. In spite of the GDPR’s attempt, a certain margin of Member State discretion persists as the Regulation merely expresses general concepts to which to abide. An endeavour to provide more specific guidance for criminal investigations and judicial proceedings is found in Directive (EU) 2016/680, but this essentially mirrors the GDPR, adding little to no guidance for the resolution of the issues addressed. Critical points of rupture relate to the use and regulation of the profiles collected in the biobank. Despite the general indication stating that personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’ (Art. 5 par. 1 Regulation 2016/679), each State establishes its own criteria for the profiles’ inclusion in its national databases, different periods of retention for data, and different retention periods for the sample and data extracted from it, giving rise to a highly diverse regulatory landscape, producing widespread cohesion. While it is not feasible to thoroughly regulate each and every possible use of research biobanks, considerable effort has been made concerning the dissemination of the results to individuals, the scientific community, and the justice and healthcare systems.

204

F. Aime et al.

References Asplen CH (2004) The application of DNA technology in England and Wales. Database, p 31. https://www.ncjrs.gov/pdffiles1/nij/grants/203971.pdf Elger BS, Hofner MC, Mangin P (2009) Research involving biological material from forensic autopsies: legal and ethical issues. Pathobiology 76(1):1–10. https://doi.org/10.1159/ 000178150 ENFSI (2012) DNA database management. Review and reccommendation. pp 1–85. https://enfsi. eu/wp-content/uploads/2016/09/final_version_enfsi_2016_document_on_dna-database_ management_0.pdf Granja R, Machado H (2019) Ethical controversies of familial searching: the views of stakeholders in the United Kingdom and in Poland. Sci Technol Hum Values 44(6):1068–1092. https://doi. org/10.1177/0162243919828219 Grasso P, Mango R, Giardina E, Novelli G (2014) Data retention: Le biobanche forensi. SicurezzaeGiustizia:50–52 Guerrini CJ, Robinson JO, Petersen D, McGuire AL (2018) Should police have access to genetic genealogy databases? Capturing the Golden State Killer and other criminals using a controversial new forensic technique. PLoS Biol 16(10):1–9. https://doi.org/10.1371/journal.pbio. 2006906 Kennett D (2019) Using genetic genealogy databases in missing persons cases and to develop suspect leads in violent crimes. Forensic Sci Int 301:107–117. https://doi.org/10.1016/j. forsciint.2019.05.016 Machado H, Granja R (2020) Forensic genetics in the governance of crime. In: Forensic genetics in the governance of crime. https://doi.org/10.1007/978-981-15-2429-5 Machado H, Silva S (2015) Public participation in genetic databases: crossing the boundaries between biobanks and forensic DNA databases through the principle of solidarity. J Med Ethics 41(10):820–824. https://doi.org/10.1136/medethics-2014-102126 Parson W, Steinlechner M, Scheithauer R, Schneider PM (2009) National DNA intelligence databases in Europe – report on the current situation. Promega Corporation, pp 2–4 Parven K (2013) Forensic use of DNA information V. Human rights and privacy challenges. Univ West Sydney Law Rev 17(2009):41 Schneider PM (1998) DNA databases for offender identification in Europe – The need for technical, legal and political harmonization. 2nd European Symposium on Human Identification, pp 40–44. Retrieved from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle: DNA+databases+for+offender+identification+in+Europe+?+The+need+for+technical+,+legal +and+political+harmonization#0 Santos F, Machado H, Silva S (2013) Forensic DNA databases in European countries: is size linked to performance? Life Sci Soc Policy 9(1):1–13. https://doi.org/10.1186/2195-7819-9-12 Westermark H, Aronovitz A, Curran J, Fausch I, Fournier J, Hohenecker L, Kleczewski A, Pretelli I, Polanco Lazo R, Topaz Druckman K, Viennet C, Went F, Zheng J (2020) The regulation of the use of DNA in law enforcement. E-Avis ISDC. https://www.isdc.ch/media/1 953/e-2020-02-20-016-use-of-dna.pdf

Forensic Databases (Part II) How Does EU Law Address Issues Concerning Access for Forensic Purposes to Research Biobanks? Francesca Aime, Noemi Argirò, Miriam Merli, Lisa Lonetti, and Francesca Scarpone

1 Introduction: Issues Regarding the Circulation of DNA Profiles Within the EU and Non-EU Countries Though differing legislations can slow down and hinder the cross-border transfer of personal data, biobanks are often involved in collaborative research projects that call for the international harmonisation of the legal framework or the development of global governance of biobanks based on key principles and norms; indeed, an attempt at this can be identified in the GDPR,1 which seeks to harmonise data protection legislation across the EU, while also facilitating the free movement of personal data across Member States (as per Art. 1), thus aiding in the support of collaborative transnational research. The importance of international cooperation in the fight against transnational criminality (ENFSI 2012) is highlighted in Declaration 21 of the Treaty of Lisbon, which also acknowledges the need for specific rules concerning judicial and law enforcement cooperation for the protection and free movement of personal data in matters of criminal investigations due to the sensitive and complex nature of these fields.2 The need for the free exchange of data in settings of judicial and police cooperation is also underlined in the GDPR, in particular in Recital (19): The protection of natural persons with regard to the processing of personal data by competent 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Following Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Recital (10) of Directive 2016/680. F. Aime (✉) · N. Argirò · M. Merli · L. Lonetti · F. Scarpone Department of Medicine and Surgery, University of Perugia, Perugia, Italy © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_23

205

206

F. Aime et al.

authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. DNA profile comparisons within the EU are possible using the following databases: The Prüm Data Exchange Network Following the Prüm Decisions, each Member State can search other countries’ DNA databases in an automated manner thanks to the implementation of a standardised table structure carrying a copy of each DNA database. This system, which only compares DNA profiles, can be accessed by the common data exchange and DNA matching software available in each country. If a match is found, countries obtain the personal and/or case-related information associated with the matching DNA profile through existing police or judicial channels.3 Europol and Eurojust Europol4 set up the Europol Information System (EIS),5 which processes DNA profiles and provides Member States with a database for the exchange of intelligence and crime-related information through the Europol Nation Units (ENUs). While the data protection system used by Europol is strict, it still operates on the principles of Convention 108+ and of the General Data Protection Regulation and is subject to the control of the European Data Protection Supervisor. Together with Europol, Eurojust can process personal data to the extent necessary to achieve its objectives, but limited to specific information on persons suspected or convicted of a criminal offence within its competence and, if required, can extend the processing of data and broaden the exchange of information to several EU institutions and bodies (EU Agency for Fundamental Rights, Council of Europe, and European Data Protection Supervisor 2018). The European Commission participates in outlining the rules for the protection of personal data of EU citizens outside Europe; in particular, Arts. 44–50 of Regulation 2016/679 concerning the transfer of personal data to third countries or international organisations and the definition of different levels of protection and eligibility criteria for the transfer. In light of these databases, exchanges between biobanks of the same nature are extensively regulated, whereas the contours of a legislative scenario exists for cooperation between databases with different purposes.

3

Ibid. The law enforcement agency assisting Member States in the prevention and investigation of European organised crime and terrorism. 5 Council Decision 2009/371/JHA. 4

Forensic Databases (Part II)

207

2 Challenges Surrounding the Prüm Decisions The development of the Prüm system gave rise to several lines of enquiry, mostly concerning the lack of a generally agreed upon model regarding the organisational structure of national DNA databases and the ethical issues arising from the profiling consequential to the transnational automated processing of personal data. Firstly, there is no clear definition of ‘DNA profile’, nor which of these can be inserted in national or supranational databases. Furthermore, the creation of such databases calls attention to concerns regarding data protection, the breach of fundamental rights, and the need for supervising authorities; the latter merged in the European Data Protection Board (EDPB)—an independent body replacing the Article 29 Working Party—with the purpose of ensuring the consistent application of the General Data Protection Regulation and the promotion of cooperation among the EU’s data protection authorities. Building on this, the ethical implications of the transnational exchange of forensic DNA data under the Prüm regime are paramount, challenging data protection, the excessive surveillance of citizens, and the potential threats to civil rights (McCartney et al. 2011). Additionally, such issues are compounded by the lack of systems ensuring cohesion, transparency, accountability, and trust, as well as ethical oversight of the transnational flow of law enforcement information (McCartney and Hufnagel 2014; McCartney et al. 2011; McCartney 2013; McCartney 2014; Prainsack and Toom 2010; Prainsack and Toom 2013). In terms of data protection, while the Prüm Decisions might render a wide group of people subject to surveillance, it might also lead to a more targeted exchange of personal data, and thus reduce the amount of transborder information sharing as this is only sent after a match has been confirmed. Another crucial topic concerns the technical complications encountered during the practical implementation of this system due to the major disparities in national legislation across EU Member States. As it became mandatory for Member States to store data in national databases that are available to other countries on a hit/no hit basis, the Decisions highlighted the need for such databases to exist at the national level, which was not always the case. In addition to technical implementation, Member States must fulfil numerous formal requirements: firstly, Art. 25(2) of Decision 2008/615/JHA foresees the implementation of data protection provisions in national law prior to the supply of personal data; secondly, according to Article 20, before any operational automated searching, each Member State should pass an evaluation procedure submitted to the Council and, after unanimous decision, to the Parliament that rules on their conformity. The tardiness of the implementation of the system can be attributed to various factors, primarily linked to financial and technical difficulties. For example, neither Greece, Italy, nor Ireland had DNA databases or dedicated legislation when the Prüm Decisions were adopted and later failed to comply with them, leading to formal

208

F. Aime et al.

notices being sent out by the Commission; however, the infringement remains open regarding Italy and Greece. The binding of diverse regulations regarding the collection and retention of forensic bioinformation resulted in inherent heterogeneities of the Prüm regime (Prainsack and Toom 2013) as, even though most Member States are operational and enable automated processing, the degree of connectivity with other members’ databases varies considerably. Furthermore, forensic practitioners actively involved in transnational DNA data exchanges under the Prüm system at National Contact Points (NCPs) highlighted problems related to good laboratory practices such as receiving contaminated samples, the reporting of false positives to other countries, and those concerning accountability due to the decentralised network for information exchange. Lastly, relating to the free mobility of citizens within the EU, the Prüm system entails both cooperation and coordination, though it enforces the assumptions about deterritorialised criminality linked to the movements of suspect communities across the EU, stigmatising specific populations from certain regions (Machado and Granja 2020).

3 Controversies Around Secondary Uses As previously analysed, recommendations and laws do not always explicitly address the ethical issues related to research on material obtained during forensic autopsies. A distinction exists between biomedical research and forensics: someone giving broad consent to future biomedical research has a basic understanding that materials will likely be used to produce generalisable medical knowledge, even if the exact details are unclear at the time; by contrast, a person could be surprised to see their genealogical data used in criminal investigations as this would be far from the original scope for which the information was given. Indeed, more than 30 million people worldwide have taken a commercial at-home DNA test provided by private companies and not directly under government control; nevertheless, they may be surprised to find themselves part of the latter category concerning criminal investigations (Berkman et al. 2018). The rapid expansion of such “recreational databases”, which try to determine biogeographical ancestry and/or predisposition towards certain health conditions from a DNA sample, question the existing regulatory frameworks and set forth concerns on ethical issues. Furthermore, these direct-to-consumer (DTC) genetic databases are also open to broader applications concerning forensic investigation techniques; they could thus aid law enforcement agencies in the identification of a suspect, in missing person cases, and when encountering unidentified remains. In the aftermath of the Golden State Killer investigation, long-range familial searches in recreational DNA databases are increasingly being used for investigative purposes by law enforcement agencies. Although the use of these databases is mainly restricted to the US, in recent years they have faced a worldwide expansion.

Forensic Databases (Part II)

209

Indeed, investigative genetic genealogy (IGG) was employed in a 2020 Swedish crime investigation, leading to the arrest and confession of a double-murder suspect. Additionally, following the identification of unknown human remains in Sweden through GEDmatch, the Netherlands are currently setting up a similar protocol (de Groot et al. 2021). Among the ethical concerns raised by IGG are those of privacy and informed consent, which are in turn complicated by the international, transgenerational, and commercial nature of this practice. On the one hand, the data uploaded can result in the arrest of guilty relatives; on the other, false positives could also create burdens for those who are later deemed innocent. For what concerns consent, the genetic relatedness complicates the issue as it can be argued that people related to the person uploading the sample do not have the possibility to opt out. In addition, it is occasionally reported that in some countries—including Norway, the UK, and Sweden—biological samples collected for scientific research, healthrelated practices, and other non-forensic purposes are sometimes used for criminal investigations, disaster victim identification, or paternity establishment (Bowman and Studdert 2011; Hansson and Björkman 2006; Kaye 2006; Mccartney 2004). This notwithstanding, forensic access to non-forensic biobanks is limited to reports on individual cases. This is the case with the Huddinge University Hospital’s biobank in Sweden—set up for hereditary disease screening in newborns—which granted authorities access to its collection of blood samples for the investigation of the murder of Swedish foreign minister Anna Lindh in 2003 and for the identification of victims of the 2004 Indian Ocean tsunami (Hansson and Björkman 2006). The tension between medical confidentiality and the solving of crime can be recognised in some case examples of Forensic Use of Biobanks (FUB). In particular, in the US’s “Bind Torture Kill (BTK)” case—concerning the murder of at least 10 people between 1974 and 1991—law enforcement obtained a partial DNA match by turning decades later to the university clinic in which the suspect’s daughter’s cervical cell material was stored; following this discovery, the original suspect was arrested and convicted. Though reaching a conviction, the issue of confidentiality was raised due to the involvement of the bodily material of a family member of a suspect and not of the suspect himself. Indeed, it can be argued that the privacy of the daughter’s medical conditions was violated, as the kind of tissue sample collected already discloses a (plausible) condition. The fact that the bodily material that is stored in biobanks constitutes highly sensitive information is a major issue when considering FUB as it entails access to both phenotypical profiling, genetic ancestry, parental links, and predisposition to hereditary diseases. In contrast with the aforementioned cases, law enforcement authorities unsuccessfully attempted FUB, though were not granted access on the grounds of medical confidentiality. For instance, in 2004, a police officer was killed during a bank robbery in Norway. A thorough investigation ensued and led to the identification of some persons of interest; unfortunately, one of the main suspects had died of cancer a few months after the robbery. The police requested access to the deceased’s tissue samples stored at Aker University Hospital in order to compare them to DNA samples found at the crime scene; however, the hospital refused to provide the

210

F. Aime et al.

samples due to confidentiality concerns. The Norwegian Supreme Court eventually ruled in favour of the hospital’s decision, and, in its ruling, the Court emphasised the importance of the right to privacy both before and after death, as human bodily material can provide information about one’s genes, diseases, and other data ‘now and in the future’. Arguably, the various types of forensic access and risks associated with such uses are likely to be perceived differently, therefore it is important to address the different endowed solutions. The first solution would be to ignore it and the second—as drastic as the former— would be to ban it. Examples of this approach can be found in some northern European legislations such as the Estonian Human Genes Research Act—which specifically states that the Estonian Genebank cannot be accessed by the police (Parliament of Estonia 2000)—a policy implemented at a high level of the legal system that puts privacy and confidentiality before societal interests (Laurie et al. 2013; Rothstein and Talbott 2006). The third solution considers that forensic access is not well received when it becomes routine rather than an exceptional procedure. Accordingly, it proposes its limitation by means of legal instruments ensuring confidentiality and data protection that, though circumstantially defeasible, should achieve the expected outcome. A more fine-grained approach to consent is called for if the reasons backing the grant of forensic access are variable. The 2009 Organisation for Economic Cooperation and Development’s (OECD 2009) Recommendation on Human Biobanks and Genetic Research Databases (HBGRD)—intended to be applied as broadly as possible—aims to provide guidance for the establishment, governance, management, operation, access, use, and discontinuation of human biobanks and genetic research databases. In particular, it states that, except when required by the law, operators should not share participants’ biological materials or data with third parties for non-research purposes. The limits of DNA evidence also suggest that restrictions should be placed on its use as the regulatory landscape is wholly different between forensic genetic databases and IGG. For the former, somewhat of a legal framework is already present and includes guidelines for familial searching, while for the latter, the regulatory structure is often opaque and lacks directives on privacy protection. Moreover, in light of an opt-in policy to aid law enforcement searches and due to these systems being a novelty in Europe, specific legislation is often absent, thus making it possible to sidestep stricter regulations by resorting to DTC servers. Indeed, most European guidelines apply to material obtained from donors in general and do not always contain specific and clear provisions on the research use of forensic material. The 2006 Recommendation of the Committee of Ministers to Member States regarding research on biological materials of human origin states, in its Art. 13, that biological materials should not be removed from the body of a deceased person for research activities without appropriate consent or authorisation. However, it is not better defined to which extent these procedures are appropriate; nonetheless, if the deceased person is known to have objected to research activities, any procedure will be invalidated.

Forensic Databases (Part II)

211

The CoE, through Art. 14 of Regulation 2016/679, allows exceptions for consent to research involving so-called ‘residual material’ when the proposed use is not within the scope of prior consent if, despite reasonable efforts and in compliance with the safeguards and conditions referred to in Art. 89(1), it is not possible to contact the data subject, or when the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing. Moreover, Regulation 2016/679 does not apply if the data subject is deceased, as outlined in Recital (27). The controller must thus take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. Nevertheless, these exceptions should not become routine practice as families must be approached and give their informed consent, unless the deceased person left written directives on the matter. The problem of research involving stored biological material is that the details of future research projects are unknown. The Swiss federal law project provides an interesting consent waiver, limited to cadaveric tissue, foreseeing the possibility for research without the consent of the deceased or of their relatives if three conditions are fulfilled simultaneously: the samples are anonymised, the quantity of material used is minimal, and there is no document attesting the refusal of the deceased person (Law Project: Loi fédérale relative à la recherche sur l’être humain (loi relative à la recherche sur l’être humain, LRH).6 This would permit research at the histological or microscopic level relieving forensic pathologists from the obligation of contacting the deceased’s relatives if permission was obtained from the judicial authorities who allowed tissue removal in the first place. However, any objections to storage on the part of close relatives must be taken into account.

4 Ethical Questions Associated with the Use of Forensic DNA Databases The features of genetic data give rise to ethical issues deriving from the type of information that can be obtained from DNA analysis. While fingerprints only reveal a person’s identity, samples used for DNA profiles may reveal much more information (Machado and Granja 2020). Indeed, both the Declaration of UNESCO and Art.9(1) of Regulation 2016/679 recognise genetic information with having a ‘particular status’ as it differs from other types of information. Specifically, it identifies a specific individual in a permanent way (‘immutability’), it includes information about present and future medical conditions (‘predictability’), and it refers to people sharing the same genetic patrimony also establishing known and unknown kinship ties (‘familiarity’).

6

See https://www.fedlex.admin.ch/eli/cc/2013/617/it.

212

F. Aime et al.

Since genetic information is considered a special category of personal data, the main legal instrument for its protection is represented by the discipline of privacy, recognised in the GDPR; however, it cannot only be brought back to this. The seemingly wide derogations from this regulation, justified by investigative purposes, must be implemented in accordance with ethics principles—aimed at making the processing of data consistent with the protection of other fundamental rights—such as that of dignity, necessity, proportionality, and precaution, which are becoming increasingly relevant due to the progressively growing use of forensic DNA databases. Firstly, genetic information is an important component of individuality, and its use must therefore respect the dignity and rights of the data subject. In particular, the protection of dignity is essential in avoiding discrimination based on genetic characteristics like those arising from the implications of forensic DNA phenotyping and forensic DNA databases. In addition, revealing racial or ethnic profiles of suspects or felons might further compound discriminatory practices against already vulnerable groups. Furthermore, with regards to FUB, access to hospital biobanks—in which the proportion of ill individuals is over-represented when compared to healthy individuals—by law enforcement poses a greater threat for prosecution to said vulnerable groups and raises the issue of inequality when considering the discrimination implied by bodily material being stored. Due to the ethical and legal issues, it is of the utmost importance not to decontextualise the information provided by DNA evidence and be aware that perceiving science and technology as immune to social bias—especially when directly compared with eyewitnesses’ accounts—could result in severe miscarriages of justice. Secondly, in the application of the principle of necessity, the processing of genetic data is allowed only when its protection is guaranteed, the appropriate safeguards are in place, and its use is justified as part of ongoing criminal investigations (Recital (52) Regulation (EU) 2016/679). Moreover, Article 52, par. 1, EU Charter allows the limitation of privacy, subject to the respect of proportionality imposing a minimisation of the quantity of gathered and processed data (Art. 89, par. 1, Regulation 2016/679). Furthermore, the myth of the infallibility of DNA profiling and the creation of forensic DNA databases allows for ‘reconstructive surveillance’, a system containing information that could be applied retrospectively, leading to the inferential reconstruction and monitoring of people and their actions, guided by the idea of the relative superiority of the interests of the community and its safety, thus justifying the constraints on individual rights on the basis that all individuals may be guilty (the enthusiastic model of the use of DNA databases) (Beyleveld 1997). On the other hand, special attention should be paid to the harmful consequences potentially brought upon defendants arising when the extension of the inclusion criteria in a DNA database are disproportionate to the potential benefits and second to public safety (the pessimistic model of the use of DNA databases) (Beyleveld 1997).

Forensic Databases (Part II)

213

Lastly, the application of the principle of precaution implies a risk assessment of the processing of personal data and a comparison with the direct or indirect benefits brought upon the data subject, always considering the respect of fundamental human rights, including freedom, autonomy, privacy, and the presumption of innocence and equality.

5 Conclusion The balance between individual and collective rights, the state–citizen relationship, the notions of human nature, and social commitments to what is worth protecting, as well as the reasons thereof, involves complex values and normativity, both of which are under the constant review of public scrutiny. Indeed, the work of biobanks and forensic DNA databases, along with the dissemination of the results to individuals, the scientific community, and the justice and healthcare systems is often left to interpretation. This notwithstanding, the act of taking a DNA sample is always expected to be performed in accordance with standard medical guidelines, and the right to information of data subjects on the foreseeable risks and uncertainties posed by DNA sample collection and DNA profiling—specifically concerning the possible and inadmissible uses of the samples, as well as their storage time and availability, and the movement of the associated data—is paramount. Vital concerns arise around secondary uses as very little legislation is present for any use other than biomedical research; this makes it difficult to use the material for other purposes that could serve the public interest. For what concerns access, the risk of forensic access to non-forensic biobanks is not one to underestimate. Indeed, it poses a great threat to major ethic principles such as the right to privacy. Being a special category of data as defined by the GDPR and other legal sources, when processed, such genetic data implies the rising occurrence of many ethical concerns; these must be addressed in order for the processing to not affect the freedom and dignity of the data subjects. A one-size-fits-all solution is not available as the differences in the European landscape are significant. In order to overcome these issues, it must be accepted that, rather than aspiring to be identical, it is more advisable to achieve a high level of similarity. A possible solution would be to draft a new regulation defining more specific guidelines, evening out the regulatory landscape for what concerns retention periods, inclusion in the analysed databases, and the growing use of recreational and privately-owned databases by police forces in their fight against criminality. Above all, it is important to always act following the highest ethical standards: the processing must be carried out while respecting the principle of dignity—the intrinsic value of a human being that can be affirmed when one’s worth is recognised, validated, and honoured—by always obtaining consent and consent to data processing. Moreover, it is necessary to foresee the implementation of the principle of accountability outlined in art. 24(1) of Regulation 2016/679, for which the controller shall implement appropriate technical and organisational

214

F. Aime et al.

measures, which must be periodically reviewed and adjourned, to ensure and demonstrate that processing occurs in accordance with current regulations. The principle of accountability is expressed, as per arts. 25(1), (2), by the concept of privacy by design—stating that any action undertaken by a company must be carried out with data protection at mind—and privacy by default—by which the strictest privacy settings must be applied—which are a precautionary and safety measure, and as such they must be implemented. To conclude, it is vital to keep in mind that the achievement of the purpose of social security is always secondary to treating its members with dignity.

References Berkman BE, Miller WK, Grady C (2018) Is it ethical to use genealogy data to solve crimes? Ann Intern Med 169(5):333–334. https://doi.org/10.7326/M18-1348 Beyleveld D (1997) Ethical issues in the forensic applications of DNA analysis. Forensic Sci Int 88(1):3–15. https://doi.org/10.1016/S0379-0738(97)00078-0 Bowman DM, Studdert DM (2011) Newborn screening cards: a legal quagmire. Med J Aust 194(6): 319–322. https://doi.org/10.5694/J.1326-5377.2011.TB02985.X de Groot NF, van Beers BC, Meynen G (2021) Commercial DNA tests and police investigations: a broad bioethical perspective. J Med Ethics 47(12):788–795. https://doi.org/10.1136/medethics2021-107568 ENFSI (2012) DNA database management. Review and reccommendation, pp 1–85. https://enfsi. eu/wp-content/uploads/2016/09/final_version_enfsi_2016_document_on_dna-database_ management_0.pdf EU Agency for Fundamental Rights, Council of Europe, & European Data Protection Supervisor (2018) Handbook on European data protection law. Publications Office of the European Union, Luxembourg. https://doi.org/10.2811/69915 Hansson SO, Björkman B (2006) Bioethics in Sweden. Camb Q Healthc Ethics 15(3):285–293. https://doi.org/10.1017/S0963180106060361 Kaye J (2006) Do we need a uniform regulatory system for biobanks across Europe?. Eur J Hum Genet 14(2):245–248. https://doi.org/10.1038/sj.ejhg.5201530 Laurie, G., Hunter, K., & Cunningham-Burley, S. (2013). Storage, use and access to the Scottish Guthrie card collection: Ethical, legal and social issues. https://www.gov.scot/publications/ guthrie-cards-scotland-ethical-legal-social-issues/pages/2/ Machado H, Granja R (2020) Forensic genetics in the governance of crime. In: Forensic genetics in the governance of crime. https://doi.org/10.1007/978-981-15-2429-5 McCartney C (2004) Forensic DNA sampling and the England and Wales national DNA database: a sceptical approach. Crit Criminol 12(2):157–178. https://doi.org/10.1023/b:crit.0000040255. 29101.7a McCartney C (2013) Opting in and opting out: doing the hokey cokey with EU policing and judicial cooperation. J Crim Law 77(6):543–561. https://doi.org/10.1350/JCLA.2013.77.6.879 McCartney C (2014) Transnational exchange of forensic evidence. In: Encyclopedia of criminology and criminal justice, pp 5302–5313. https://doi.org/10.1007/978-1-4614-5690-2_234 McCartney C, Hufnagel S (2014) Police cooperation against transnational criminals. In: Boister N, Currie RJ (eds) Routledge handbook of transnational crime. Taylor & Francis, pp 107–121 McCartney CI, Wilson TJ, Williams R (2011) Transnational exchange of forensic DNA: viability, legitimacy, and acceptability. Eur J Crim Policy Res 17(4):305–322. https://doi.org/10.1007/ s10610-011-9154-y

Forensic Databases (Part II)

215

OECD (2009) Guidelines on human biobanks and genetic research databases. https://www.oecd. org/sti/emerging-tech/44054609.pdf Prainsack B, Toom V (2010) The Prüm Regime: situated dis/empowerment in transnational DNA profile exchange. Br J Criminol 50(6):1117–1135. https://doi.org/10.1093/BJC/AZQ055 Prainsack B, Toom V (2013) Performing the union: the Prüm Decision and the European dream. Stud Hist Philos Sci C: Stud Hist Philos Biol Biomed Sci 44(1):71–79. https://doi.org/10.1016/ J.SHPSC.2012.09.009 Rothstein MA, Talbott MK (2006) The expanding use of DNA in law enforcement: what role for privacy? J Law Med Ethics 34(2):153–164. https://doi.org/10.1111/J.1748-720X.2006.00024.X

Future Research How to Deal with the Problem that Future Research May Often Not Be Able to Be Defined in Narrow and Specific Terms, as It Depends on the Current State of Research? Valentina Colcelli

1 Introduction Answering the question that opens the present chapter refers to the notion of ‘scientific research’, specifically to the notion of ‘genuine scientific research’. The word ‘genuine’ is the key point to understand the focus of Regulation (UE) 2016/ 679, called General Data Protection Regulation (hereinafter GDPR),1 on ‘future research’. To reach our goal, the chapter will be organised as follows: Sect. 2 aims to define the meaning of scientific research to apply the GDPR to the treatment of personal data of scientific purpose. As a matter of fact, the GDPR links the notion of scientific research as technological development and demonstration, fundamental research, applied research and privately funded research, taking into account the Union’s objective under Article 179(1) TEU of achieving a European Research Area. Recital 159 GDPR explains that ‘Scientific research purposes should also include studies conducted in the public interest in the area of public health’; it also states that specific conditions for processing personal data for scientific research purposes should particularly apply as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. Furthermore, the meaning of ‘scientific research’ has to be clarified. Section 3 is a short commentary on the ethical dimensions of research activity because particular attention to ethical standards is required by genuine research projects as standard to qualify ‘future research’. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

V. Colcelli (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_24

217

218

V. Colcelli

Section 4 describes Recital 33, the general framework of the GDPR, Regulation (EU) 2014/536 on clinical trials and Recommendation n. 1762 (2006) of the Parliamentary Assembly of the Council of Europe concerning the protection of academic freedom of expression and how it could support us in dealing with the problem of future research. Section 5 fully describes how the notion of future research is closely linked to the use of broad consent. Finally, Sect. 6 concludes and answers the main question.

2 Defining ‘Scientific Research’ Despite freedom of research being considered a fundamental right (art. 13 Charter of Fundamental Rights of the European Union, hereinafter referred to as the ‘EU Charter’) (Cippitani 2015) in the European Union (hereinafter EU) legal system, there is no universally agreed definition. The current meaning of research and scientific research therefore must be clarified. Typically, the aim of the advancement of knowledge is the core aspect of research: ‘Pure basic research is research carried out for the advancement of knowledge, without working for long-term economic or social benefits and with no positive efforts being made to apply the results to practical problems or to transfer the results to sectors responsible for its application’;2 ‘Research and experimental development (R&D) comprise creative work undertaken on a systematic basis in order to increase the stock of knowledge, including knowledge of man, culture and society, and the use of this stock of knowledge to devise new applications’.3 The EU documents are commonly focused on freedom of research and free circulation of researchers according to art. 179(1) of the Treaty on the Functioning of the European Union (hereinafter TFEU), the EU Charter, the European Charter for Researchers and Code of Conduct,4 as well as—in recent years—on shaping data according to the EU strategy on data.5 Thus, from the definition of ‘scientific research’ arises the definition of researchers, 6 research organisations across the

2

https://stats.oecd.org/glossary/detail.asp?ID=2206. OECD, ‘Frascati Manual’, 2002, para. 63. 4 Commission Recommendation of 11 March 2005 on the European Charter for Researchers and on a Code of Conduct for the Recruitment of Researchers https://euraxess.ec.europa.eu/sites/default/ files/am509774cee_en_e4.pdf. 5 A European strategy for data Brussels, 19.2.2020 COM(2020) 66 final: https://eur-lex.europa.eu/ legal-content/EN/TXT/?qid=1593073685620&uri=CELEX%3A52020DC0066 and European Commission, ‘A Digital Single Market Strategy for Europe’ COM(2015) 192 final, 15. 6 Council Resolution of 10 November 2003 on the profession and the career of researchers within the European Research Area (ERA) OJ C 282, 25.11.2003, pp. 1–2. 3

Future Research

219

Union7 (public or private8), and infrastructures9 (also cloud10) to support researchers sharing knowledge. Starting from this framework, research is work on the conception or creation of knowledge, products, processes, methods and systems of a novel nature and in the management of corresponding projects (Molina del Pozo and Balaur 2019). Thus, ‘the conduct of research must allow testing of hypotheses, with both the conclusion and the reasoning transparent and open to criticism. Openness and transparency help distinguish between science and pseudo-science’.11

3 Ethical Dimensions of Research Activity ‘To achieve the objective of building the European Research Area it is necessary to face the risks arising from scientific research and innovation. As [a] matter of fact, the EU Charter affirms that ‘it is necessary to strengthen the protection of fundamental rights in the light of changes in society, social progress and scientific and technological developments’ (see the Preamble of the EU Charter) (. . .). The EU takes into consideration the need to respect ethical rules, especially within the funding of the Framework Programmes. These are the main instruments that implement the European policy on research and technological development (see art. 180 TFEU) (Cippitani 2019). EU law contains many provisions dealing with ethical issues;12 it is also possible to identify several bioethical principles recognised by international law (Andorno 2013). 7 According to art. 3, point 1, of 2019 Copyright Directive (Directive (EU) 2019/790), ‘research organisation’ means a university, including its libraries, a research institute or any other entity, the primary goal of which is to conduct scientific research or to carry out educational activities involving also the conduct of scientific research: a) on a not-for-profit basis or by reinvesting all the profits in its scientific research; or b) pursuant to a public interest mission recognised by a Member State; in such a way that the access to the results generated by such scientific research cannot be enjoyed on a preferential basis by an undertaking that exercises a decisive influence upon such an organisation. 8 ‘The term “public research organization” as it is used here includes both specialized technology research organizations (TROs), and higher education institutions (HEIs) that engage in research and development and research training (RDT) activities with substantial funding support from public and quasi-public (e.g., charitable and non-profit foundation) sources’, see David and Metcalfe (n. d.). 9 OpenAIRE, in https://www.openaire.eu/. 10 European Commission’s press release, ‘European Cloud Initiative to give Europe a global lead in the data-driven economy’ (19 April 2016). 11 European Data Protection Supervisor, A Preliminary Opinion on data protection and scientific research: https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en. pdf, p. 11. 12 Cippitani R., Ethics Advisor on Research Projects, remenbers us: ‘EU law protects several fundamental interests that might be affected by research activities, such as: (a) human rights (Art. 6 Treaty of Functioning of the European Union, hereinafter referred to as ‘TEU’; Art. 1 EU Charter; including the protection of personal data, see Art. 8 EU Charter and Art. 16 FEU), not only within

220

V. Colcelli

There are normally two basic components of these ethical standards: – informed consent; and – independent ethical review. These represent the essential safeguards against researchers determining the admissibility of an experiment on their own. The first component requires researchers to obtain the informed consent of all human participants in any research project. (. . .) Researchers should disclose information about the purpose, risks, procedures and measures of a study in the event of harm arising from participation. The second component requires that research involving human participants be reviewed by independent ethics committees or institutional review boards that assess whether the research is ethical, legal and provides adequate safeguards’.13

4 ‘Academic Expression’ and Scientific Research in Light of the GDPR According to the main constitutions of the Member States, as well as several international and European documents, f.i the Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe,14 the academic freedom of researchers, scholars and teachers and the institutional autonomy of universities are recognised and guaranteed. Academic expression has always resulted in intellectual relapse as a fundamental requirement of any democratic society. The GDPR takes ‘academic expression’ into

Europe but also in research activities carried out in and in collaboration with third countries; (b) respect for the beginning of human life (Article 18, para. 1, Convention of Oviedo); (c) the rights of vulnerable persons (Articles 24, 25, 26 EU Charter); (d) the integrity of genetic patrimony (Article 3 EU Charter); (e) Security; (f) the environment (Article 37 EU Charter); and (g) the wellbeing of animals (Article 13 TEU). In order to protect these fundamental interests and to achieve an equilibrium with freedom of research, some ethical principles arising from the European legal system should be implemented: (i) dignity (Article 2 TEU; Preamble of EU Charter), which represents a pivotal principle of the European ethical system; (ii) self-determination (Article 3, para. 2, EU Charter; Article 5 Convention of Oviedo); (iii) precaution (Article 191 TFEU); (iv) proportionality (Article 12 Convention of Oviedo); and (v) solidarity (Article 2 TEU). Furthermore, (it is) required to apply EU law in specific fields that are relevant in the protection of fundamental interests, such as laws relating to the protection of personal data (Regulation (EU) No. 2016/679), clinical experimentation (Regulation (EU) No. 536/2014) and human tissues (Directive 2004/23/EC), animals in experimental activities (Directive 2010/63/EU), ‘double-use’ technologies (Council Regulation (EC) no, 428/2009), the use of the genetic resources of third countries (Regulation (EU) No. 511/2014), etc.’ 13 A Preliminary Opinion on data protection and scientific research cit., p. 11. 14 Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe. https:// pace.coe.int/en/files/17469/html.

Future Research

221

consideration and invites Member States by law to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. ‘Academic expression’ is protected through the freedom of expression clause (art. 85 (2)) GDPR on an equal basis to journalism but is not listed in the art. 89 GDPR provision. As a result, these provisions only provide possible derogations as regards very limited aspects of general data protection and in any case subject their use to peremptory and restrictive tests, thus ‘academic expression’ in light of the GDPR does not fall within the provisions of data protection law, including the special ‘research and ‘archiving’ provisions set down in art. 89 and in domestic implementation of the GDPR, ‘because research in areas such as politics and history is unlikely to be compatible with the research model set out in art. 83 [now art. 89] and may not be permitted otherwise’.15 Furthermore, ‘the research provisions have their origins in thinking about the needs of biomedical research and continue to focus on situations where data must be especially safeguarded due, for example, to the researcher having a fiduciary relationship to those under study’.16

5 Current State of Knowledge and Future Research Starting from the aforementioned framework, dealing with the problem of future research depends on the current state of knowledge. As such, our reference area is Recital 33, the general framework of the GDPR, Regulation (EU) 2014/536 on clinical trials and Recommendation n. 1762 (2006) of the Parliamentary Assembly of the Council of Europe concerning the protection of academic freedom of expression. The proper meaning of ‘future research’ arises from Recital n. 33 of the GDPR, because it recognises that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Additionally, Recital n. 33 states that the EU legal system could use so-called “broad consent” to collect personal data for processing in the context of scientific research purposes.

15

Welcome Trust, Academic research perspective on the European Commission, Parliament and Council texts of the proposal for a General Data Protection Regulation – 2012/0011 (COD) (2015), p. 10. https://wellcome.ac.uk/sites/default/files/research-perspective-data-protecton-regulation-pro posal-wellcome-jul15.pdf. 16 See British Academy and Economic & Social Research Council submission to the Department of Culture, Media and Sport (DCMS) call for views on the General Data Protection Regulation derogations. https://www.thebritishacademy.ac.uk/documents/104/2017-05-10_DCMS_GDPR_ Derogations_submission.pdf.

222

V. Colcelli

So-called “broad consent”—before the entrance into force of the GDPR—was not taken into immediate consideration by EU laws, despite the international ethical and legal frameworks in the health and clinical fields always pushing for the use of broad consent and approving its use in 2016, f.i. the World Medical Association as well as the Council for International Organizations of Medical Sciences/World Health Organization (CIOMS/WHO). In the EU, its regulation was only implemented in 2018 with the GDPR. Recital n. 33 remembers that ‘Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose’, if—and only if—the research project is ‘in keeping with recognized ethical standards for scientific research. When research purposes cannot be fully specified, the controller must seek other ways to ensure the essence of the consent requirements, for example, to allow data subjects to consent to a research purpose in more general terms and for specific stages of a research project that are already known to take place at the outset. As the research advances, consent for subsequent steps in the project can be obtained before the next stage begins or for the scientific area. Despite this, such consent should still be in line with the applicable ethical standards for scientific research. Taking into consideration the last affirmation and the meaning of scientific research in the EU framework, we can identify the possibility of dealing with the problem of future research. The GDPR covers broad areas of scientific research, provided that they are genuine scientific studies. As stated by the European Data Protection Supervisor, genuine scientific research does not equal ethical scientific research.17 The Guidelines on Consent under Regulation 2016/679 realised by the Art. 29 Work Group define the notion of scientific research in the framework of GDPR as a research project established by relevant sector-related methodological and ethical standards, in conformity with good practice.18 This means, firstly, that personal data could be treated only if connected with a research project developed in the framework of the activities of public or private research organisations. The project has to define and adopt the property measures according to the GDPR and indicate the data treatment controllers. If article 3 of the Attachment 1 of Provision N. 515 (19.12.2018) of the Italian Data Protection Authority19 requires them to do so, all members of a research project must sign a declaration in respect of the deontological requirements arising from the GDPR.

17 European Data Protection Supervisor -04-12_fifth_world_congress_freedom_scientific_research_en. 18 Guidelines on Consent under Regulation 2016/679 (wp259rev.01), adopted on 28 November 2017 and revised an Adopted on 10 April 2018, pp. 27–31. https://ec.europa.eu/newsroom/article2 9/item-detail.cfm?item_id=623051. 19 Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica pubblicate ai sensi dell’art. 20, comma 4, del d.lgs. 10 agosto 2018, n. 101–19 dicembre 2018, Gazzetta Ufficiale n. 11 del 14 gennaio 2019).

Future Research

223

According to these suggestions from the Guidelines, during its activities a research study should (art. 5 GDPR) (a) collect, process and store the data in a way that is lawful, fair and transparent to the data subject (‘lawfulness, fairness and transparency’) (b) the data shall be collected for specified, explicit and legitimate purposes and shall not thereafter be processed in a way incompatible with those purposes (‘justification’) (c) the data must be collected in a way that is adequate, relevant and limited to the extent necessary in relation to the purposes for which they are processed (‘data minimisation’) (d) the data must always be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) (e) data must then be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (‘storage limitation’); and (f) the data must be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). Furthermore, the Guidelines analyse the notion of personal health data according to Article 4 (15) GDPR and emphasise that the broad interpretation of the notion of health data, derived for instance from the case law of the Court of Justice of the European Union, can also be taken into account. According to Article 4 (15) GDPR: ‘data concerning health’ means ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’, thus these data could include the definition arising from the European Court of Justice’s (‘ECJ’) wide interpretation of ‘data concerning health’ derived from different sources, for example C-101/01 (Lindqvist) paragraph 50:20 1. Information collected by a health care provider in a patient record (such as medical history and results of examinations and treatments). 2. Information that becomes health data by cross referencing with other data, thus revealing the state of health or health risks (such as the assumption that a person has a higher risk of suffering heart attacks based on high blood pressure measured over a certain period of time). 3. Information from a ‘self check’ survey, where data subjects answer questions related to their health (such as stating symptoms).

20

TJUE 6.11.2003, C-101/01 (Lindqvist), p. 50.

224

V. Colcelli

4. Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected by COVID-19 processed by a medical professional to obtain a diagnosis). Health data also include genetic information (art. 4 point 11 GDPR) ‘kept for diagnostic and health purposes and for medical and other scientific research purposes’ (International Declaration on Human Genetic Data) (Cippitani 2018), as well as information on people’s lifestyle and environment if linked to health information, clinical data and genealogical data (McHale 2004, p. 72). The guidelines specify that information collected by a healthcare professional in a patient’s medical record (such as medical history and results of examinations and treatments) becomes health data by cross-referencing it with other data, thus revealing health status or health risks (such as the hypothesis that a person has an increased risk of suffering heart attacks based on high blood pressure measured over a certain period of time); information from a ‘self-monitoring’ survey, where data subjects answer questions related to their health (such as a declaration of symptoms); and information that becomes health data because of its use in a specific context (such as information about a recent trip or presence in a region affected by COVID-19 processed by a doctor to make a diagnosis).

6 Conclusion The issue of the identification of future research—that can often not be defined in narrow and specific terms to obtain consent from patients for lawful personal data treatment—depends on the current state of research and could be answered by saying that there exist several small relationships between future research and the current state of research. In other words, the qualification of future research in the framework of the GDPR—or better still in the framework of its rules about consent—does not link just to the current state of research, but also to the general notion of scientific research. In the framework of GDPR, the final one coincides with the concept of research project set up by relevant sector-related methodological and ethical standards, in conformity with good practice. Thus, especially in relation to biobanking activities and building a research database, it is possible to talk about future research having lawful broad consent for the use and re-use of personal data, only if further activity/future research could qualify as a ‘genuine research project’ developed in the framework of the activities of public or private research organisations: • This is true if the future research is set up by relevant sector-related methodological and ethical standards, in conformity with good practice, and with the proper application by an ethics committee if necessary; • if the project will treat personal data based on lawful consent with the purpose correctly described. For the cases where purposes for data processing within a

Future Research

225

scientific research project cannot be specified at the outset, we could have its purpose described at a more general level: – just related to specific areas of research, – for specific stages of a research project that are already known, – or as the research advances, consent can be obtained for subsequent steps before that next stage begins. • The ‘academic expression’ as defined in Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe concerning the protection of academic freedom of expression does not fall under the definition of ‘scientific research’ by Art. 29 WG and Recital 33, so it fails to sustain the qualification of ‘future research’ in the meaning of GDPR.

References Andorno R (2013) Principles of international biolaw: seeking common ground at the intersection of bioethics and human rights. Bruylant, Brussels Cippitani R (2015) Academic freedom as a fundamental right. Paper presented at the 1st International Conference on Higher Education Advances, HEAd’15, Universitat Politècnica de València Cippitani R (2018) Genetic research and exceptions to the protection of personal data. In: Rainer A, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Series “Law & Science”, vol 1. Universität Regensburg, Regensburg, pp 54–79 Cippitani R (2019) Ethics advisor on research projects. In: Bartolini A, Cippitani R, Colcelli V (eds) Dictionary of statuses within EU law. Springer, Cham, pp 193–200. https://doi.org/10.1007/ 978-3-030-00554-2_25 David PA, Metcalfe S (n.d.) Universities and public research organisations in the ERA fulfilling universities’ critical societal roles in the advancement of knowledge and the support of sustained innovation-driven economic growth in Europe EC (DG-Research) Expert Group on “Knowledge and Growth”, in http://www.eurosfaire.prd.fr/7pc/doc/1236265408_david_metcalfe_ report5.pdf McHale JV (2004) Regulating genetic databases: some legal and ethical issues. Med Law Rev 12: 70–96 Molina del Pozo CF, Balaur R (2019) Researcher. In: Bartolini A, Cippitani R, Colcelli V (eds) Dictionary of statuses within EU law. Springer, Cham. https://doi.org/10.1007/978-3-03000554-2_64

Genetic Data What Are the Ethical–Legal Consequences Entailed in the Exceptional Nature of Genetic Information?’ Roberto Cippitani

1 Introduction The General Data Protection Regulation (hereinafter referred to as the ‘GDPR’), 1 unlike the previous Directive 96/95/EC, deals explicitly with ‘genetic data’ (see GDPR, Article 4, no. 13,) and defines them as ‘special categories’ of data (see GDPR, Article 9, paragraph 1). Although this is an important recognition, the GDPR does not take sufficient account of the ‘genetic exception’, that is, of the fact that genetic information is very different from other personal data. As a matter of fact, particular genetic information is held in common by many individuals and contains information (on several characteristics of the data subject) that may be developed during future years as a consequence of the evolution of technology. Although genetic information is protected by the legislation concerning personal data, the UNESCO Declaration, as well as other documents (see ‘Working document on genetic data’ 2004, paragraph 2),2 recognises them as having a ‘particular status’. Starting from the aforementioned genetic exception, this chapter analyses the presumed particular nature of genetic information from the ethical and legal viewpoints (Cippitani 2018).

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Article 29 Data Protection Working Party, Working Document on Genetic Data, adopted on 17 March 2004. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/ index_en.htm. R. Cippitani (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_25

227

228

R. Cippitani

2 The Special Status of Genetic Data The above-mentioned special status of genetic data may be observed in relation to several cases. As a matter of fact, genetic information is different from other typologies of information, because it identifies a specific individual in a permanent way (‘immutability’) and is predictive of predispositions to diseases (‘predictability’). Furthermore, genetic information belongs not only to the concerned person but also to people sharing the same genetic patrimony (‘familiarity’) (Taylor 2006, p. 51). For example, with respect to the use of genetic data in criminal investigations, it has been argued that ‘DNA samples or profiles are intrinsically “more private” objects or their collection involves greater infringement of bodily integrity than, for example, fingerprints or photographs’ (Williams et al. 2004, paragraph 6.2.2, p. 78). DNA is akin to a ‘future diary’ of a person (since it contains information about their present and future medical conditions), and the right of protection from unwanted ‘readership’ must be imposed in order to maintain autonomous control of personal and sensitive information (Annas 2004). The above-mentioned features of genetic information should lead to specific regulation, which should also take into account the great risks of misuse and/or re-use for various purposes and the risk of discrimination and stigmatization which may affect the individual. Moreover, some authors underline the point that the discipline of privacy can cover only some aspects of the protection of genetic information and the related rights (Taylor 2012).

3 The Use of Genetic Information in the Context of Research Activities in Particular: The Specific Issues Certain issues may arise from the use of genetic information, especially in the context of research activities, such as the information to be given to the data subject, and the rights of other subjects. A first problem arises if the new development of a technique may give more information in comparison with what was possible in the past. With reference to biomedical research, this hypothesis seems to be covered by article 24 of the Additional Protocol to the Convention of Oviedo on Biomedical Research, which provides for the re-examination of a research project, in the ‘light of scientific developments or events arising in the course of the research’, when the ‘research participants, or if applicable their representatives, need to be informed of the developments or events’ (paragraph 2.ii). When information does not refer to the health of persons, it does not seem to be mandatory to inform the data subjects.

Genetic Data

229

Another problematic aspect is constituted by so-called ‘incidental findings’, which means those ‘findings’ (findings) that concern a specific research participant, but which are not directly related to the primary or secondary objectives of the project in question (incidental). This includes information which there was no plan to find during the research or diagnostic practices, such as information on on-going diseases or predispositions to diseases, or information concerning biological parentage and so on. For example, the General authorization no. 8/2012 of the Italian Garante imposes a requirement that an individual, before genetic testing, also has to be informed of the possible results of such testing, especially ‘with regard to unexpected findings’ (paragraph 5.b). That caution should not be necessary for the processing of other kinds of personal data (such as an individual’s political opinion or health situation). It is not clear what happens if information on someone’s health situation, or other information (for example concerning parentage), arises from research activities. It is probable that, in this case, that data subject should have been requested to give her or his authorisation to be informed, including of any unexpected findings. However, if such authorisation was not requested or could not be acquired (on the grounds of some of the rules mentioned above), the problem remains as to whether the researchers have an obligation to inform the concerned persons. No obligation in this respect seems to be provided by the legislation, even if the importance of health would suggest that the persons concerned should be informed at least about the existence of findings concerning diseases, particularly if those diseases may be treated.

4 Information Shared Between Persons of the Same Genetic Group From the ‘proprietary’ viewpoint on which the discipline of the GDPR is also based, the personal data are owned by the data subject and, therefore, the disclosure of the information to his/her relatives is subject to his/her consent (Godard et al. 2006). However the genetic information is not only the ‘property’ of the data subject, but is also common to his/her biological family members, who may have important interests, particularly the protection of their health. However, the GDPR considers genetic information to be personal information concerning only a specific person. According to the GDPR, Article 14, a data subject also has a right to receive information from the controller (or his representative) when the data has not been obtained from that data subject. In consequence of this aspect of genetic information, a physician or other health professional who found a risk of a genetic disease when examining a person’s biological material might be confronted with the following dilemma: on one hand, he/she could be bound by the obligation of secrecy, as well as the right of the person concerned not to know; on the other hand, he/she could be obliged, under article

230

R. Cippitani

11, to provide information to data subjects who are relatives sharing the same genetic line. There is no clear answer to that question within the discipline concerning privacy, nor in the supranational and international legal sources. According to article 18 of the Additional Protocol to the Convention of Oviedo on genetic testing, ‘Where the results of a genetic test undertaken on a person can be relevant to the health of other family members, the person tested shall be informed’. In any event, the consequences and the conditions of that information are not clear. According to paragraph IV of the ‘Working document on genetic data’ of the Article 29 Working Group of 2004, at least two scenarios may be imagined. ‘One is that other family members could also be considered as “data subjects” with all the rights that follow from this. Another option is that other family members would have a right of information of a different character, based on the fact that their personal interests may be directly affected’. Within Europe, an interesting solution is provided by French law, even if this does not directly refer to scientific activities. In the Code de la santé publique, Article L.1131-1-1 provides a specific duty for a physician to inform a person of the risks, if those family members were not properly informed, to their family members in the case of a diagnosis of a serious disease (Sect. 1). This provision also lays down a duty of the person concerned to prevent the consequences of genetic abnormalities for their relatives, when preventative measures could be adopted (Sect. 3). The person may also decide not to be informed about the results of the diagnosis. In this case, as in the case where the persons concerned do not feel they are able to make the communication, the physician is requested to inform the relatives (Sect. 4). In any case, the doctor will not reveal the name of the patient, nor the genetic abnormality, or the risk associated with it. Basically, the physician has to invite family members to take a genetic test, envisaging the existence of a potential risk.

5 Conclusions Some scholars do not agree with the presumed particularity of genetic information, feeling that it is overestimated and increases the resistance of public opinion towards genetic technologies (Richards 2001). Indeed, the so-called ‘genetic exceptionalism’ has been criticised because of the exaggerated view of the significance of genetic information in people’s lives, based on unacceptable genetic determinism and genetic reductionism (Murray 1997). It is necessary, however, to take into account certain specific features of genetic information that—by their nature—have an impact on its use in research activities, because genetic information differs from other types of information in that it permanently identifies a specific individual and is predictive of predispositions to

Genetic Data

231

disease, as well being owned not just by the individual concerned but also by their relatives who have the same genetic make-up. Thus, this means that certain caution must be applied when using genetic information in research activity. The use of genetic information, in the light of constant technical developments, may mean that more information can be inferred from that information, and thus more information can be provided to the data subject and can affect the rights of others. In this, the action to be taken may be suggested by article 24 of the Additional Protocol to the Oviedo Convention on Biomedical Research, which provides precisely for the possibility of reviewing a research project if ‘in the light of scientific developments or events arising in the course of the research’, ‘the participants in the research, or their representatives as the case may be, need to be informed of the developments or events’ (paragraph 2.ii). Thus, in this case there is an obligation to inform the research participant, but only if the information relates to people’s health. With respect to so-called ‘incidental findings’, there is no unified approach at EU level; from a comparative reading of some national rules, and in the light of ethical guidelines, the person concerned must be required to give his or her authorisation to be informed, including about any unforeseen findings. If such authorisation has not been requested, or cannot be acquired (on the basis of some of the rules mentioned above), researchers seem to have no obligation to inform those concerned. Consent should certainly be sought, although the importance of health would suggest that the persons concerned should at least be informed of the existence of findings concerning diseases, in particular when the disease can be cured. As mentioned above, genetic information does not only belong to a specific person, but is shared among people of the same genetic group, and the question concerns the risk of a genetic disease that may affect not only the research participant, but also his or her family members. There is no clear answer to this question within the privacy regulations (Article 11 and 14 GDPR) or in supranational or international legal sources. One guideline is offered in Article 18 of the Additional Protocol to the Oviedo Convention on Genetic Testing, which requires the person tested to be informed if the results of a genetic test performed on them may be relevant to the health of other family members. Account must be taken of the fact that other family members may be considered ‘interested parties’, with all the rights that this entails, even if the rights are of a different nature from those of the person who took part in the activity, as set out in the Working Paper on Privacy referred to above.

References Annas GJ (2004) Genetic privacy. In: Lazer D (ed) DNA and the criminal justice system: the technology of justice. MIT Press, Cambridge, pp 337–366 Cippitani R (2018) Genetic research and exceptions to the protection of personal data. In: Arnold R, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Universität Regensburg, Regensburg, pp 54–79. https://doi.org/10.5283/epub.36785

232

R. Cippitani

Godard B, Hurlimann T, Letendre M, Égalité N (2006) INHERIT BRCAs, guidelines for disclosing genetic information to family members: from development to use. Familial Cancer 5:103–116 Murray TH (1997) Genetic exceptionalism and future diaries: is genetic information different from other medical information. In: Rothstein MA (ed) Genetic secrets: protecting privacy and confidentiality in the genetic era. Yale University Press, pp 60–73 Richards M (2001) How distinctive is genetic information? Stud Hist Philos Biol Biomed Sci 32: 663–687 Taylor MJ (2006) Data protection, shared (genetic) data and genetic discrimination. Med Law Int 8(1):51–77 Taylor MJ (2012) Genetic data and the law: a critical perspective on privacy protection. Cambridge University Press Williams R, Johnson P, Martin P (2004) Genetic information and crime investigation: social, ethical and public policy aspects of the establishment, expansion and police use of the National DNA Database. Durham University, School of Applied Social Sciences

Granularity When Processing Personal Data and Biological Material in Research Activities, Is It Possible to Derogate from the General Rules and, in Particular the Rule of Granularity of Consent? Roberto Cippitani

1 Introduction Biobanking activities use not only samples explicitly given by voluntary donors, but also samples collected for other reasons (in particular samples derived from medical treatment) and also, in some cases, biological materials from ‘historical’ collections collected in periods (such as the last century) when legislation and practice were very different from what they are now and, in particular, when there was neither an obligation to acquire informed consent from individuals nor a culture of doing so (see Cippitani and Colcelli 2021). In brief, research and other activities carried out within biobanks of human tissues may not be consistent with the right of the individual to give his/her consent to the processing of personal data. Understanding the nature of the consent required in the light of the research activities and the biobank activities means understanding the broad consent model. The emergence of biobanks as a vital research tool in the medical sciences has led to widespread debate in the literature about how best to handle the consent procedures governing the enrolment of participants in research and the subsequent use of participant samples and data in other studies. When the broad consent model is applied, general consent is gathered at the time of enrolment (subject to a set of limitations and restrictions that are formulated by the biobank and/or a regulatory authority and stated in the consent form). Subsequently, samples stored in the biobank can be used for new studies that fall within the scope of the consent, without consent having to be reobtained from the participants. Medical researchers defend the broad model by arguing that it is the best way to make large-scale biobank research feasible. The truth is that, at the time of enrolment, the ways in which samples deposited in a biobank may be used in future research are not normally R. Cippitani (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_26

233

234

R. Cippitani

known, and it would seem that, for consent to be informed, this kind of knowledge is required. This chapter addresses the problem of the best type of consent to support research activities in a biobank.

2 ‘Granularity’ of Consent and Special Rules for Consent in Research Activities Because stored materials and data can be processed for different projects in the future, biobanks may contravene the rule that consent should be ‘granular’,1 that is to say, that consent should be given for limited aims and for specific situations. When the purposes of the processing or the situation of the data subject changes, the person should be requested to provide a new consent. Within EU law, this rule is laid down by Article 8(2) of the EU Charter of Fundamental Rights and by several provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (hereinafter referred to as the ‘GDPR’), 2 particularly Article 6(1)a. The granularity of consent is also required in other legal sources, such as, in Europe, Article 16(1)(v) of the European Convention on Human Rights and Biomedicine of the Council of Europe (the Oviedo Convention 1997), and the Recommendations of the Committee of Ministers of the Council of Europe (see, for example, Recommendation of the Committee of Ministers of the Council of Europe Rec(2006)4 of 15 March 2006, which states, in Article 10(2), that ‘information and consent or authorisation to obtain such materials should be as specific as possible with regard to any foreseen research uses and the choices available in that respect’). This granularity rule for consent may constitute an obstacle to research activities. As a matter of fact, the collection of data is normally carried out in the framework of other activities, such as diagnostic analysis, and the data are then processed for scientific purposes. These purposes are not specific at the moment of data collection, and they can change over time. Furthermore, the same database may be useful for many types of research, and even for research in different fields (genetic data can be processed in the medical, biological, anthropological and sociological fields, for example). Therefore, there can be difficulties if consent is acquired concerning a

1

Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent 13 July 2011, paragraph III.A.1. 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

Granularity

235

specific programme of research, and it can be problematic and expensive to require consent for each specific scientific activity. This is especially true for the activities of biobanks. The GDPR addresses these issues, establishing specific rules for research activities (see Cippitani 2018, 2019). First, recital 33 of the GDPR affirms that it may not be possible to identify fully the purpose of the processing of personal data for scientific research at the time of collection. In such a case, the data subjects should be allowed to give their consent within certain areas of scientific research, provided that recognised ethical standards for scientific research are observed. The same approach is followed by the Council of Europe in its Recommendation on the protection of health-related data of 2019, 3 which has replaced the Recommendation of 1997 (see Article 4(1)(b)); this also seems to consider that it may be difficult to provide detailed information to the data subject about the use of healthrelated data at the time of collection (see Article 11(2)). Secondly, the GDPR and other European sources extend the effectiveness of consent. If the principle of the limitation of purpose prescribes that ‘the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected’ (recital 50), nevertheless ‘further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes’ (Article 5(1) (b) GDPR). In an analogous way, Article 12(1) of the Recommendation of the Committee of Ministers of the Council of Europe of 2006 concerning research on biological material of human origin requires that biological material collected for purposes other than scientific research (i.e. for therapeutic purposes) should not be used without consent or authorisation. Thus, when subsequent activity is ‘substantially different’ from that authorised by the individual,4 new consent should be given. Thirdly, the GDPR, according to recital 62 and Article 14(5)(b), allows derogations from the consent rule when obtaining consent is impossible or would involve a disproportionate effort that could make the attainment of the research objectives impossible or seriously jeopardise them. In such cases the number of data subjects, the age of the data and any appropriate safeguards in place may be taken into account. The 2016 Recommendation of the Committee of Ministers follows a similar approach in the case of the collection of biological material. According to Article

3

Recommendation CM/Rec(2019)2 of the Committee of Ministers to Member States on the protection of health-related data (Adopted by the Committee of Ministers on 27 March 2019 at the 1342nd meeting of the Ministers’ Deputies). 4 Council of Europe, Explanatory report to the convention on human rights and biomedicine, 1997, paragraph 214.

236

R. Cippitani

21, if the proposed use is not within the scope of the prior consent or authorisation, if any, given by the person concerned, reasonable efforts should be made to contact the person concerned (paragraph 2(a)), and the process must be subject to an independent evaluation (paragraph 2(b)).

3 Issues Concerning the Exceptions to the Requirement for Specific Consent The exceptions to the granularity of consent within research activities, as mentioned above, are not without problems (Cippitani et al. 2022). The first issue is that these exceptions are not always phrased in a clear manner. Leaving aside the frequent choice to place the special rules for research in the preamble of the GDPR (this may increase the confusion, but should not exclude the prescriptiveness of the ‘recitals’), the wording used by the GDPR may be ambiguous. For example, recital 33 may be interpreted as allowing for ‘broad consent’ for research activities, but this is just an interpolation which derives from the ‘observation’ contained in recital 33 that: ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection’. From the substantive viewpoint, the special rules provided by the GDPR are interpreted in a very strict manner by the authorities when dealing with the protection of personal data. In the Preliminary Opinion referred to above, the European Data Protection Supervisor (EDPS) argues that recital 33 does not, however, take precedence over the conditions for consent (see Articles 4(11), 6(1)(a), 7 and 9(2)(a) of the GDPR), and the controller is required to carefully evaluate the rights of the data subject, the sensitivity of the data, the nature and purpose of the research and the relevant ethical standards. Therefore, the EDPS continues, when research purposes cannot be fully specified, a controller would be expected to do more to ensure that the essence of the data subject’s rights to give valid consent is preserved, including through as much transparency as possible and other safeguards. With respect to biobanks, in addition to the necessary respect for ethical standards and the confidentiality of the personal data, it can be difficult, according to the EDPS, to use ‘broad’ consent because of the obligation to comply with the ordinary rules to acquire the consent (i.e. the ‘specific’ consent foreseen by Articles 4(11) and 9(2)(a)). However, with that interpretation, the specificity of recital 33 is downgraded. With respect to the rule of the ‘presumption of compatibility’ of recital 50 of the GDPR, the EDPS (paragraph 6.7 of the Preliminary Opinion) affirms that ‘in principle personal data collected in the commercial or healthcare context, for example, may be further used for scientific research purposes, by the original or a new controller, if appropriate safeguards are in place’, while on the other hand pointing

Granularity

237

out that: ‘The presumption is not a general authorisation to further process data in all cases for historical, statistical or scientific purposes’. In addition, the EDPS holds that since the ‘recital is not accompanied by a specific provision in the main body of the GDPR, this appears not so much a blanket exemption to the separate steps set out in the Charter, Article 8(2)—applicable to all circumstances—but rather advisory’. Therefore, the supervisory authority recommends, following the opinion already expressed by the Article 29 Working Party (see paragraph III.2.3 Opinion 03/2013 on purpose limitation, adopted on 2 April 2013), that respect for the rights of the data subject should be ensured and that the ‘compatibility test under Article 6(4) should still be considered prior to the reuse of data for the purposes of scientific research, particularly where the data was originally collected for very different purposes or outside the area of scientific research’. The ‘test of compatibility’ according to Article 6(4) refers to cases in which the personal data are processed (on a lawful basis but) without the consent of the data subject, and provides that the controller is requested to check on certain conditions, such as those in Article 6(4) GDPR (‘any link between the purposes for which the personal data have been collected and the purposes of the intended further processing’ (Article 6(4)(a)), or ‘the context in which personal data have been collected’ (Article 6(4)(b))). However, if such a test seems to be necessary to identify the ‘compatibility’ in general, under recital 50 this evaluation of compatibility seems to be made by the GDPR itself. Otherwise, the difference between research activities and other activities would not be clear, but on the contrary this difference is pointed out by recital 50 GDPR. Outlining this difference is necessary precisely because the processing of personal data is normally not ‘compatible’ in the meaning of the first part of recital 50. The difference is understandable from the viewpoint of the favourable legal framework for research. With respect to the derogation to the duty of information involving the ‘disproportionate effort’ referred to in recital 62 and Article 14(5), the EDPS does not affirm specific restrictions (see the Preliminary Opinion, paragraph 6.4), but instead recalls the opinion of the Article 29 Working Party, which requires the controller to find a balance between the effort involved in providing the information to data subjects and the impact and effects on the data subjects if they are not provided with the information (Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260, adopted on 29 November 2017 and last revised on 11 April 2018, pp. 28–31). In this case, in consequence of the reference to Article 89 GDPR, it is possible to observe different interpretations among the EU Member States,5 and it is likely that

5 For example, Article 110(1) of the Italian Code of Privacy (as amended in consequence of the entry into force of the GDPR) provides that, in the above-mentioned case, the biomedical research must be assessed by the local Ethics Committee and by the Italian Data Protection Supervisory Authority (the Garante).

238

R. Cippitani

this is also because the data/materials can refer to deceased persons and, in this case, the GDPR is not applicable (see recital 27 GDPR) and therefore national provisions may be in force (or they might not exist). In any case, the demonstration of what is a ‘disproportionate effort’ as well as the ‘impossibility’ or ‘serious impairment to the achievement of the objectives of research’ is not very easy and is the responsibility of the controller.

4 Conclusions The GDPR considers the situation in which it is not possible to fully identify the purposes of the processing of personal data for scientific research at the time of data collection. The derogation from the principle of ‘granularity’ is allowed in research by recital 33 of the GDPR. In addition, the GDPR and other European sources extend the effectiveness of consent. The principle of the limitation of purpose prescribes that ‘the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected’ (recital 50), but, nevertheless, ‘further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) GDPR, not be considered to be incompatible with the initial purposes’ (Article 5(1)(b) GDPR). For purposes of this type, there is a sort of presumed consent. The same approach was chosen by the Council of Europe in its Recommendation on the protection of health-related data of 2019, which replaced the Recommendation of 1997 (see article 4(1)(b)); this recommendation also seems to consider that it may be difficult to provide detailed information to the data subject about the use of health-related data at the time of collection (see Article 11(2)). Starting from this framework, the problem of future research is dealt with in accordance with the current state of knowledge. For this reason, our reference points are recital 33, the general framework of the GDPR, Regulation (EU) 2014/536 on clinical trials, and Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe concerning the protection of academic freedom of expression. The proper meaning of ‘future research’ arises from recital 33 of the GDPR because this recognises that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Additionally, recital 33 states that the EU legal system could use so-called ‘broad consent’ to collect personal data for processing in the context of scientific research purposes. Recital 33 indicates that ‘Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose’ if—and only if—the research project is ‘in keeping with recognised ethical standards for scientific research’. When the research purposes cannot be fully specified, the controller must seek other ways to ensure that

Granularity

239

the essence of the consent requirements are fulfilled by, for example, allowing data subjects to consent to a research purpose in more general terms and to specific stages of a research project that it is known at the outset will take place. As the research advances, consent for subsequent steps in the project or other scientific areas can be obtained before that next stage begins. Despite this, such consent should still be in line with the applicable ethical standards (see the chapter in this book R. Cippitani: ‘Ethical Principles and Legal Provisions’).

References Cippitani R (2018) Genetic research and exceptions to the protection of personal data. In: Arnold R, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Universität Regensburg, Regensburg, pp 54–79. https://doi.org/10.5283/epub.36785 Cippitani R (2019) Finalità di ricerca scientifica ed eccezioni alla disciplina della protezione dei dati personali. Ciberspazio e diritto 20(62):161–176 Cippitani R, Colcelli V (2021) Bio-legal issues in the establishment of a historical collection of human tissues: the case of the Umbria Biobank Project. Med Hist 5(1):1–9. https://www. mattioli1885journals.com/index.php/MedHistor/article/view/11535 Cippitani R, Mandarano M, Pelliccia C, Colcelli V, Sidoni A (2022) Biobanking-related bioethical and legal unresolved issues. Virchows Arch. https://doi.org/10.1007/s00428-022-03450-0

Imaging Biobank What Are the Areas of the GDPR Bearing on an Image Biobank? Andrea Barucci, Valentina Colcelli, and Anna Gottard

1 Introduction In this chapter, we try to answer this burning question through a reflection on some legal and ethical aspects addressed in the creation of the imaging biobanks and the application of artificial intelligence (AI) techniques and statistical models to explore the data, predict a diagnosis and evaluate treatments. We also define imaging biomarkers. Regulation EU 2016/679 on protecting personal data (EU General Data Protection Regulation or GDPR)1 is also applied to medical imaging biobanks and images of clinical examinations. These images are commonly qualified as personal data as they can be associated with the patient’s data, albeit indirectly. At the same time, the use of AI is strongly linked to imaging biobanks, with AI techniques used in such biobanks to transform the old qualitative or semi-

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. A. Barucci (✉) National Research Council, IFAC Institute, Florence, Italy Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected]; [email protected] V. Colcelli Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] A. Gottard Department of Statistics, Informatics, Applications ‘G. Parenti’ (DiSIA), University of Firenze, Florence, Italy e-mail: anna.gottard@unifi.it © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_27

241

242

A. Barucci et al.

quantitative clinical imaging into a fully quantitative and data-driven perspective. This approach is known today as radiomics (Barucci and Neri 2020; Scapicchio et al. 2021), and it represents the first real effort to achieve this goal, starting from clinical images, such as computer tomography (CT) or magnetic resonance imaging (MRI), to developing mathematical models to classify diseases and/or predict their development, such as for the case of Prostate tumour classification using MRI (Bertelli et al. 2022). In this framework, the correct application of the GDPR is a way to face the problems of the application of the principle of fairness under AI for imaging biobanks. During the collection and preparation of imaging databases for the development and testing of AI algorithms, standardised metadata and key variables (e.g., sex/gender, ethnicity, gender, age, gender identity and geography) are used for the purpose of data collection (enriching the number of variables to be analysed by algorithms) that allows group identification and AI verification. This is all personal data that can be necessary for algorithm training. Thus, GDPR and its principles, such as pseudonymisation, should be applied. All the elements that define the fairness of AI, such as metadata that allows for measuring the similarity of medical conditions to verify the equal treatment of all similar cases (e.g., clinical information) should be considered in the labelling process. To reach this goal, we analyse the relationship between the GDPR and clinical imaging in the light of imaging biobanks and imaging biomarkers (Sect. 3), after first defining an imaging biobank (Sect. 2). In Sect. 4, we analyse the use of AI in imaging biobanks and the necessary interference with the GDPR with specific attention to the case of data fairness for AI system training. Paragraph 5 concludes.

2 Imaging Biobanks A collection of biological material, which usually and initially consists of tissues, is at the core of the ‘infrastructure’ for scientific research qualified as a biobank (see the OECD notion of a biological resources centre2 and the European Union law idea of research infrastructure).3 A biobank may be defined as ‘any collection of biological materials, whether the source be human, plant, or animal, fungi, bacteria, microorganisms or other living families, as well as bioinformatic data on such organic materials’ (Perry 2013, p. 267) as well as ‘a non-profit service unit for the collection, processing, storage and distribution of human biological samples and related data for

2

See OECD, Best practice guidelines for biological resource centres, 2007. See, in Europe, the ESFRI (European Strategy Forum for Research Infrastructures) roadmap for research infrastructures, which lists research infrastructure for biobanks and biomolecular resources (BBMRI).

3

Imaging Biobank

243

research and diagnosis, (. . .) officially recognised by the competent health authorities, [that] applies a quality system and guarantees the rights of those involved’.4 In recent years, imaging data have been included in the notion of biobanks; thus, it is possible to talk about imaging biobanks. According to the definition established by the Imaging Biobanks Working Group (WG) of the European Society of Radiology (ESR) in 2014 (ESR 2015), we can describe an imaging biobank as: ‘organised databases of medical images and associated imaging biomarkers, shared among multiple researchers, linked to other biorepositories’. Starting from this definition, an imaging biobank is not just an archiving and transmission system for clinical images similar to the PACS (Picture Archiving and Communication System) used in hospitals nor is it just a platform that allows the storage and retrieval of medical images and associated metadata. In an imaging biobank, the data are linked to imaging biomarkers, extracted through radiomic analysis of imaging data (typically radiological imaging data), and to clinical, molecular, biological and genomic data from a typical tissue biobank. The great potential of imaging biobanks is the ability to provide multi-omics data for the study of advanced imaging techniques on imaging pools with a sufficient sample size. This availability of data is necessary for researchers to find an association between phenotype and genotype, to design and validate new imaging biomarkers, as well as to understand their biological significance, which can be a crucial point in precision medicine. Once large, high-quality and well-curated datasets are available within the Biobank, they can be used for data mining and data analysis, respectively referring to the process of discovering patterns and developing models in large datasets, potentially leading to new biomarkers (Berti et al. 2022). With the advent of the fourth wave of AI in the past 15 years, biobanks have entered into a new phase in which the historical role of data archive is today inevitably linked to data analysis through techniques such as machine learning and deep learning (subfields of AI that are really responsible for the great success of its applications). Thanks to such techniques, biobanks are mainly used today to transform the old qualitative or semi-quantitative clinical imaging into a full data-driven, quantitative and automatic (or semi-automatic) data analysis process. In order to give the reader some clues about what can be done with AI, let us delve into some details about radiomics.5 The first question that arises is: ‘What can we do with radiomics and AI?’ The answer is ‘many different things’, such as developing mathematical/statistical models (for example, using machine learning) in order to perform:

4

See BBMRI-IT definition at https://www.bbmri.it/en/nodo-nazionale/biobanche/. Radiomics essentially means the extraction of a high number of quantitative features (descriptors of an image) from medical images, aiming to develop a diagnostic/predictive/prognostic model in the framework of precision medicine (supporting personalised clinical decisions and improving individualised treatment selection).

5

244

A. Barucci et al.

• Classification: characterising tissue/disease/phenotype in images • Segmentation: that is, identification of the pixels in images corresponding to lesions/tissues/organs • Other things, such as creating images with super resolution, data generation and simulations. The idea behind radiomics is to discover previously unseen image patterns using mathematical algorithms, defining what are called ‘features’. These features represent salience information extracted from images. However, it must be kept in mind that radiomics is a hypothesis-free approach; that is, there is no a priori hypothesis on the clinical relevance (and biological meaning) of the features extracted. There are two approaches to radiomics, classical and deep: • Classic Radiomics – predefined or hand-crafted features, created by ‘human image processing experts’. – data analysis process performed in two steps: features extraction and model development. • Deep Radiomics – features are learned by the AI algorithm in the training process, without the need for any human intervention. – Based on deep learning. – Analysis of the images done in a single step, with images given as input to the algorithm.6 Given this brief introduction to radiomics, we come back to the general view of AI in clinical imaging. The use of AI to understand medical imaging (especially in radiology) is still very baffling in several aspects due to issues related to: (i) data acquisition and pre-processing (uniform protocols across clinical sites, and dependence on the device and operators); (ii) data quality (curation, annotation, segmentation); (iii) data protection for both image data/metadata and associated health records; (iv) known and unknown biases management; (v) continuous monitoring of model/concept/performance drift; and (vi) reproducibility, accountability, explainability, and interpretability. Moreover, even if strategies exist for balancing and augmenting a dataset or detecting and managing biases, not all of these strategies could be applied in the medical/clinical setting. Well-known phenomena, such as model overfitting and inappropriate model assumptions (rarely verified), could negatively affect the

6 This view is an oversimplified view; in reality, the difference between classic and deep radiomics can be fuzzier, with a plethora of mixed methods/approaches available.

Imaging Biobank

245

knowledge extraction from radiological images (Borgheresi et al. 2022; Scapicchio et al. 2021). Another interesting application of AI in the context of clinical imaging is in radiotherapy treatment planning development (Siddique and Chow 2020) in which three broad approaches can be found, namely the classical approach, a so-called modern approach and an AI-based approach. In the first approach, medical physicists and radiotherapists design the treatment plan using medical experience; in the second approach, the physics-based algorithm designs the treatment plan using equations checked by medical physicists and radiotherapists; and in the last approach, an AI-based algorithm designs the treatment plan, which is checked by medical physicists and radiotherapists. The treatment plan can be checked by performing experimental measurements on phantoms or in vivo. In conclusion, AI approaches are widespread in the field of clinical imaging (diagnosis/therapy/treatment), with many types of software already used in clinical practice. Imaging biobanks are at the core of the development of such algorithms and software, thanks to the availability of a large amount of quality standardised data. This paper aims to perform a reflection on the legal and ethical aspects that should be addressed in the creation of image biobanks (Aghakhanyan et al. 2022; Borgheresi et al. 2022; Berti et al. 2022) and the application of AI to develop imaging biomarkers.

3 The Relationship Between GDPR and Images in the Light of Imaging Biobanks and Imaging Biomarkers Because of the nature of an imaging biobank and imaging biomarkers created by integrating and collecting digital content from hospitals involved in a biobank, the relationship between the GDPR and the images must first be understood. Since our focus is on biobanks for medical imaging, the relationship must logically be discussed before a discussion of the legal nature of clinical images as defined by the GDPR. The processing of special categories of data is subject to additional protections. According to the GDPR, biometric data constitutes a ‘special’ category of personal data. The GDPR states that the processing of biometric data for identification purposes is prohibited. Processing is only justified if the explicit consent of the relevant person exists, specific legal obligations apply or the processing is required for reasons of public interest. The GDPR (art. 4) defines biometric data as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images’. To understand clinical images—a part of the patient’s medical record—we can treat them as photographs, also as special photographs. According to the Recital n. 51 to the GDPR:

246

A. Barucci et al.

The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

Therefore, the processing of images should not be systematically considered to be the processing of special categories of personal data. Clinical images only fall within the definition of biometric data if they are processed by a specific technical means that allows for the unambiguous identification or authentication of a natural person. Biobanks for medical imaging pseudo-anonymise or anonymise the personal data of the patient. In the context of biobanking for research, it is necessary to consider the possible reidentification of a pseudonymised or anonymised biospecimen. Especially in the case of research projects,7 image anonymisation is used. The difficulty in carrying out and guaranteeing anonymisation is not analysed here; it is just mentioned as an introduction to some problematic issues affecting the fairness of AI in biobanks of images. Recital 26 of the GDPR defines the conditions of anonymisation which must be fulfilled: The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Anonymisation is a process applied to personal data to achieve irreversible reidentification of the data subject. Consequently, the basic prerequisite is that personal data must have been collected and processed in compliance with the applicable legislation on the retention of data in an identifiable manner. The notion of reasonable effort on the part of the data controller or a third party necessitates an account of: (a) The technical tools at hand, bearing in mind possible changes in the development of information and communication technologies (ICT).

7

E.g., the project Pro-Cancer AI (European Union’s Horizon 2020 research and innovation programme under grant agreements No 952159) used the anonymisation for treating health personal data and images.

Imaging Biobank

247

(b) Guaranteeing the widest extent of data aggregation. As a consequence, the reduction of immediately identifiable features is not in itself enough to warrant the identification of the data subject. It will probably be necessary to take additional measures to avoid identification, always depending on the specific circumstances and scope of the processing for which the anonymous data are to be used. (c) Third parties need to consider the risks of reidentification. This includes a situation in which a research project receives anonymised data and then has to perform an extra procedural check to address the risks of identification, connection and implication. In any case, the reidentification via comparison with reference material remains theoretical since access to and the amount of reference material (whole biobank archives), the required personnel, the equipment and the finances to perform such analyses would be immense and, thus, would imply criminal energy. Even in the case of a medical imaging biobank, images of clinical examinations are commonly qualified as personal data because they can be associated with the patient’s personal data, albeit in a very indirect manner. In particular, this applies to images in biobanks, although it is a common trap into which doctors and health specialists could fall in light of Article 51. As a matter of fact, Recital 26 GDPR does not clarify that pseudonymised data should not be considered personal data in the hands of an entity that does not possess the code to reidentify the data as long as appropriate measures are put in place to prevent the holder of the data from gaining access to the key or otherwise linking the data set to other data sources that may permit reidentification.

4 Fairness in AI Systems in the Light of the GDPR The use of AI to comprehend medical imaging, particularly in radiology, is still very difficult due to a number of factors, including: (i) data acquisition and pre-processing (uniform protocols across clinical sites and dependence on the device and operators); (ii) data quality (curation, annotation, segmentation); (iii) data protection for both image data/metadata and associated health records; (iv) known and unknown biases management; and (v) continuous model/concept monitoring. To put it another way, even though there are methods for balancing and enhancing datasets and for identifying and managing biases, not all of these methods could be used in a medical or clinical setting. In addition, well-known phenomena, such as model overfitting and the underestimation of the assumption of statistical significance knowledge extraction from radiological images, could be negatively impacted by the occurrence of statistical significance hypotheses (rarely validated; Borgheresi et al. 2022). Ethical legal issues related to an innovative AI technique include socio-legal challenges regarding the requirements that any AI system should meet to be fair and trustworthy and in which the juridical and ethical component to be faced is not

248

A. Barucci et al.

limited to the treatment of personal data but, more importantly, to the intelligibility and transparency of the reasoning process. The main idea is that AI algorithms should incorporate the principles of democracy, the rule of law and the fundamental rights arising from the EU legal system beginning from the stage of design. In the case of imaging biobanks, it is very well documented in international scientific papers (Park et al. 2020; Seyyed-Kalantari et al. 2021) that an AI algorithm trained with imaging data that are imbalanced with respect to sex, socioeconomics or ethnicity will likely result in a model that will lead to biased predictions given the health differences within and across these groups. If the problem of bias in AI is common to all medical applications, it is even more problematic in medical imaging as personal attributes such as sex, age, ethnicity and socioeconomics are not always retained during the data preparation to minimise the possibility of patient identification because of the use of images. This also has an impact on the process of collecting and preparing the datasets because it should be transparent and documented through informed consent and participant recruitment. Thus, ‘Imaging AI algorithms should be impartial and maintain the same performance when applied to similarly situated individuals (individual fairness) or to different groups of individuals, including underrepresented groups (group fairness), whenever the grouping has no direct effect on the output. Healthcare, which is an expensive but critical service for society, should be provided equally for all patients independently of their gender, ethnicity, income and geography. AI algorithms should not exacerbate existing health disparities, but instead should facilitate and enhance access to high-quality radiology services for all individuals and groups. Medical AI algorithms should be built such that they address common as well as hidden biases in training datasets’ (Lekadir et al. 2021). According to the definition of fairness, medical AI algorithms for imaging biobanks and imaging biomarkers should be built so that they address common as well as hidden biases and are able to guarantee individual fairness and group fairness. To face bias in AI for imaging biobanks and imaging biomarkers, we need to consider the consequences of the application of GDPR on the side of the anonymisation as well as of the pseudo anonymisation. The central aspect of a fair approach in the use of AI in the treatment of images lies in the choice of an adequate algorithm and the construction of a training dataset that is capable of a representation of patients that does not hide common biases based on gender, ethnicity, income and geographical origin. From the juridical point of view, the errors—that could be derived from the training of AI algorithms—become biased towards underrepresented groups or develop some discriminatory characteristics of the patient and, hence, exacerbate existing health disparities. Thus, it is crucial to handle the treatment of images in relation to the reference to personal data. This is particularly important because, in the case of images, mere anonymisation may not be sufficient to prevent identification. For instance, there may be instances where gender identification is necessary for diagnosis. This possible identification could negatively influence the decision of the radiologist. In contrast, personal attributes, such as gender, age, ethnicity and socioeconomics, are not always maintained during data preparation, and the anonymisation

Imaging Biobank

249

process in the preparation of images minimises the possibility of patient identification. Pseudonymisation should be applied instead and include all the elements that define fairness. In this case, metadata that allows the measurement of the similarity of medical situations to verify the equal treatment of all similar cases (e.g., clinical information) is the process of labelling. It is important to label the metadata (labelling) in imaging datasets, such as sex, gender, ethnicity, skin colour, socioeconomics or geography, to develop and evaluate fair AI solutions. The activity must compete for compliance with data processing regulations. A labelling operation that is not conducted in compliance with the GDPR could undermine fairness. As a matter of fact, key areas of data labelling include informed consent, privacy and data protection, ownership, objectivity, transparency, the gap between those who have and do not have the resources to handle large data sets and the provision of meaningful access rights to data (Lekadir et al. 2021).

5 Conclusion The relationship between the GDPR and clinical imaging exists. In a biobank for medical imaging, this relationship must logically be placed before the discussion of the legal nature of clinical images as defined by the GDPR because a biobank for medical imaging will anonymise or pseudo anonymise the use of personal data of the patient. For this purpose, a ‘list of personal data of the patient that can be stored and associated with the Clinical images’ for a biobank should be realised at the starting point of the project. The list of personal data of the patient that can be stored and associated with the clinical images has an impact on several matters for the future biobanks. Here, the subject who will provide the images, data and, of course, the basis of past consensual approval for the acquisition is crucial. At the same time, at this stage of knowledge about all types of research biobanks, we must take into consideration the impact of AI, with a special focus on imaging biobanks. Focusing on fairness and its legally relevant aspects is very useful, not least of all because the elements derived from the analysis of fairness have a direct impact on other principles, such as universality, traceability, usability, robustness and, especially, explicability. If the problem of bias in AI is common to all medical applications, it is even more problematic in medical imaging as personal attributes, such as sex, age, ethnicity and socioeconomics, are not always retained during data preparation to minimise the possibility of patient identification. The anonymisation process in the preparation of images minimises the possibility of patient identification, which is needed over some medical predictions and could be biased because of the missing metadata labelling for fairness. On the other hand, despite personal data not being retained, the image still allows the sex, age or ethnicity of the person to be traced even when this may not be necessary with respect to the purpose for which the system is being trained. This has an impact on the process of collecting and

250

A. Barucci et al.

preparing the datasets because they should be transparent and documented through informed consent and participant recruitment. In addition, in the case of imaging biobanks, if an AI algorithm is trained with imaging data that are imbalanced with respect to sex, socioeconomics or ethnicity, it is likely that the resulting model will lead to biased predictions given the health differences within and across an underrepresented group or similarly situated individuals. This issue occurs whenever the omitted variables are not independent of the outcome given the images. In the case of AI training, there is a risk that trained AI algorithms will become biased towards underrepresented groups and similarly situated individuals and hence exacerbate existing health disparities. This tells us how discrimination occurs in imaging biobanks: AI tools can generate undetected errors with harmful consequences to the patient when they are applied to imaging conditions that may differ or unexpectedly deviate, even slightly, from those used for training. Also, the overconfidence in the outcome of AI support may affect fairness, with specific attention to the diagnostic images and especially the interpretation of images and the skills of experienced and less experienced radiologists.

References Aghakhanyan G, Barucci A, Colantonio S, Colcelli V, Pasquinelli F, Gini R et al (2022) NAVIGATOR: an imaging biobank to precisely prevent and predict cancer, and facilitate the participation of oncologic patients to diagnosis and treatment. Annual Congress of the European Association of Nuclear Medicine October 15-19, 2022 Barcelona, Spain. Eur J Nucl Med Mol Imaging 49(Suppl 1):1–751. https://doi.org/10.1007/s00259-022-05924-4 Barucci A, Neri E (2020) Adversarial radiomics: the rising of potential risks in medical imaging from adversarial learning. Eur J Nucl Med Mol Imaging 47:2941–2943. https://doi.org/10.1007/ s00259-020-04879-8 Bertelli E, Mercatelli L, Marzi C, Pachetti E, Baccini M, Barucci A, Colantonio S, Gherardini L, Lattavo L, Pascali MA, Agostini S, Miele V (2022) Machine and deep learning prediction of prostate cancer aggressiveness using multiparametric MRI. Front Oncol 11:802964. https://doi. org/10.3389/fonc.2021.802964 Berti A, Carloni G, Colantonio S, Pascali MA, Manghi P, Pagano P, Buongiorno R, Pachetti E, Caudai C, Di Gangi D, Carlini E, Falaschi Z, Ciarrocchi E, Neri E, Bertelli E, Miele V, Carpi R, Bagnacci G, Di Meglio N, Mazzei MA, Barucci A (2022) Data models for an imaging bio-bank for colorectal, prostate and gastric cancer: the NAVIGATOR project. In: IEEE-EMBS International Conference on Biomedical and Health Informatics (BHI), Ioannina, Greece, pp 1–4. https://doi.org/10.1109/BHI56158.2022.9926910 Borgheresi R, Barucci A, Colantonio S, Aghakhanyan G, Assante M, Bertelli E, Carlini E, Carpi R, Caudai C, Cvallero D, Cioni D, Cirillo R, Colcelli V, Dell’Amico A, Di Gangi D, Erba PA, Faggioni L, Falaschi Z, Gabelloni M, Navigator Consortium Group (2022) NAVIGATOR: an Italian regional imaging biobank to promote precision medicine for oncologic patients. Eur Radiol Exp 6:53. https://doi.org/10.1186/s41747-022-00306-9 European Society of Radiology (ESR) (2015) ESR position paper on imaging biobanks. Insights Imaging 6:403–410. https://doi.org/10.1007/s13244-015-0409-x Lekadir K, Osuala R, Gallin C, Lazrak N, Kushibar K, Tsakou G, Ausso S, Alberich LC, Marias K, Tsiknakis M, Colantonio S, Papanikolaou N, Salahuddin Z, Woodruff HC, Lambin P, Bonmat

Imaging Biobank

251

LM (2021) FUTURE-AI: guiding principles and consensus recommendations for trustworthy artificial intelligence in medical imaging. Preprint submitted to arXiv, 30 September 2021 Park Y, Jackson GP, Foreman MA, Gruen D, Hu J, Das AK (2020) Evaluating artificial intelligence in medicine: phases of clinical research. JAMIA Open 3(3):326–331 Perry M (2013) Accessing accessions, biobanks and benefit-sharing. In: Pascuzzi G, Izzo U, Macilotti M (eds) Comparative issues in the governance of research biobanks. property, privacy, intellectual property and the role of technology. Springer, pp 267–279. https://doi.org/10.1007/ 978-3-642-33116-9 Scapicchio C, Gabelloni M, Barucci A, Cioni D, Saba L, Neri E (2021) A deep look into radiomics. Radiol Med 126(10):1296–1311 Seyyed-Kalantari L, Liu G, McDermott M, Chen IY, Ghassemi M (2021) Fairness gaps in deep chest x-ray classifiers. In: BIOCOMPUTING 2021: proceedings of the pacific symposium. World Scientific, pp 232–243 Siddique S, Chow JCL (2020) Artificial intelligence in radiotherapy. Rep Pract Oncol Radiother 25(4):656–666. https://doi.org/10.1016/j.rpor.2020.03.015

Industry Perspective Contracting in the Light of the GDPR: What Are the Key Considerations for Transfers of Biosamples and Data from an Industry Perspective? Lisa Oster

1 Introduction Interest in biological samples of human origin and related datasets is not limited to hospitals and academic institutions. Samples1 and data are also of great importance to companies that use them to develop a wide range of health-related products and services, such as medicinal products, medical devices and analytical software applications. The successful development of any such product by a company will be the fortunate outcome of many years of scientific effort and considerable investment. In most cases, companies do not directly interact with donors but will seek support from expert partners, such as clinical research organisations (CROs), commercial or academic biobanks, universities and other scientific research institutions. The interaction with the expert partner will take different forms depending on the specific needs of the company and will range anywhere from a mere transfer of samples and data to a full-blown collaboration project with joint research activities. A standard case is the provision of samples and related data2 (hereinafter: metadata) by a

Please note that the views and opinions expressed in this text reflect the professional approach of the author and do not represent any official policies or positions of Bruker. Throughout this text, the notion ‘sample’ will always refer to a biosample of human origin. The metadata typically include information about the donor and/or the sample, such as the donor’s age, country of residence and pre-existing conditions, and information about the collection and storage conditions of the material. If samples are transferred, they will usually come with a number or barcode (often referred to as ‘sample ID’) to link the sample to the corresponding set of metadata. In case the provider has access to additional information allowing him to identify the donors (e.g., if the provider is a hospital treating the donor as a patient), he typically also uses this code to disguise the identities of the donors to the outside. 1 2

L. Oster (✉) Legal Counsel & Privacy Responsible EMEAR, Bruker BioSpin GmbH, Ettlingen, Germany e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_28

253

254

L. Oster

biobank to the company. Depending on whether the partner offers laboratory services, it may also perform tests3 on the samples as requested by the company and then provide the test results along with certain metadata.4 From the perspective of a legal department, any project should be properly described and governed by a suitable contract5 to clarify the actual rights and obligations of the parties. Determining the role of each party is of particular importance with a view to data protection law because remaining legal uncertainties in this field translate into unease about the appropriate contractual content when transferring samples, metadata and analytical results. The following analysis is an attempt to describe the dogmatic challenges presented by the GDPR6 and to offer a consistent approach to contracting for the aforementioned common interactions between biobanks and companies.

2 The GDPR as One Element Within a Complex Legal Framework There are two major challenges in contracting on projects involving the transfer of samples, metadata and results: First, in case of an international transaction, the applicable laws and regulations usually differ from country to country. Second, even if a project falls within the scope of the same laws or regulations, formal legal harmonisation does not automatically lead to the uniform interpretation of such text by local authorities and stakeholders (for an overview on the challenges produced by legal fragmentation see e.g., Tzortzatou et al. 2021; European Commission 2012, pp. 34–48). Thus, when assessing the legal embedding of a transfer, the first important piece of information is the geographical setting of the interaction. The transaction may also be subject to boundaries set by previous agreements. This applies frequently to onward transfers of samples, metadata and results that have been obtained in a previous collaboration.7 In any event, the most important legal document in this regard is the consent form used for the collection of samples and metadata. Devising a consent form is a complex undertaking because the text

3

E.g., tests for product evaluation under IVD regulations. In this scenario, the partner will typically keep the samples and transfer only data to the company. 5 The type of contract to be concluded will have to match the nature of the interaction between the parties, which requires a case-by-case assessment. The titles of contractual documents serve only as landmarks in this regard. 6 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 7 Collaboration agreements often contain provisions that limit the right to use the samples, metadata and/or results in a restrictive manner and thus may allow for onward transferring only with the prior consent of the former collaboration partner. 4

Industry Perspective

255

needs to address various legal and ethical requirements.8 To the extent that the collection of samples is governed by civil law, the consent form should clearly address the allocation of property rights and, if legally required, grant a right to use as needed for the onward transfers to the envisioned recipients. From an industry perspective, it is crucial that the data protection layer of the consent form includes information about onward transferring of the samples9 and metadata to industry for research activities, including product development purposes that may lead to the marketization of new or optimised devices, software, and services.10 For full transparency, the consent form should also mention that subsequent recipients may process the data in anonymized form or based on alternative legal bases in line with the original consent, which may alter or exclude the data subject rights initially available under data protection law.11 The different topics to be addressed in a contract bring about another pitfall, which is the creation of overlaps and contradictions between different sections of an agreement. Some legal departments tend to use very broad definitions of confidential information, results and intellectual property in an attempt to reach a seemingly solid level of protection. However, this approach could risk the creation of overlapping provisions and inconsistencies with an ambiguous outcome. Therefore, the scope of each topic should be delimited very consciously to match the actual needs of the parties.

8 Unless each topic is covered separately, consent forms are usually designed to address different layers of requirements, e.g., property law with regard to the ownership of the sample and/or the right to use it, criminal law with regard to the injury inflicted in case of invasive sample collection and ethical regulations. From a data protection law perspective, the consent form needs to fulfil the right to information of the data subject (art. 13 GDPR) and commonly also serves as a legal basis for data processing. 9 According to the definition of genetic data in art. 4 (13) GDPR and Recital 34, the GDPR is applicable to personal data which result from an analysis of a biological sample, but not to the sample itself. Thus, the sample has to be considered as a container of information that may be processed at some point. As for any other information, it needs to be assessed on a case-by-case basis then whether the information generated from a sample represents personal data or not. 10 For the avoidance of doubt, the products and services potentially developed in the field of pharmaceuticals and medical devices do not normally contain any physical sample material nor will the metadata itself be sold by industry. Samples and metadata are essential resources to create new products and services in the health sector, e.g., with a view to product performance evaluations and analytical algorithms built on databases. 11 Depending on the legislation and as the case may be, the recipient may be able to pursue the agreed purposes based on specific legal permissions (see e.g. art. 9 (2) lit. j, 89 GDPR or art. 9 (2) lit. i GDPR) which, in summary, allow the processing of personal information for scientific research and certain other activities in the public interest. However, even if such processing is ‘technically’ based on a legal basis other than the original consent, the choices made by the data subject on the purposes of use must still be observed insofar as they represent contractual conditions.

256

L. Oster

3 The Decisive Factor: Taking a Stance on Anonymisation One aspect will make a huge difference at the receiving end of a transfer: Does the information to be received qualify as personal information or can it be considered anonymous? This seemingly trivial question has a substantial impact on contracting requirements because data protection law focuses on personal information and does not apply to anonymised data.12 This is also a question which is connected to a long history of discussions about the meaning of personal data and the notion of identifiability (see, e.g., Spindler and Schmechel 2016, para. 3; Mitchell et al. 2020, pp. 35–61; Finck and Pallas 2020; Gierschmann 2021). Leaving aside the manifold nuances of the debate, the different views expressed have been attributed to either of two contrasting concepts that are referred to as the ‘absolute approach’ and the ‘relative approach’. Both are anchored in the definition of personal data, which has not substantially changed since the time of the Data Protection Directive13 and, according to article 4 (1) GDPR, reads as follows: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Hence, to understand if and to what extent its activities are governed by data protection law, any entity handling samples, metadata and results must assess whether the individuals behind the data are identifiable. The divergence between the absolute approach and the relative approach is founded on different answers to the question of what the threshold is in terms of efforts required for re-identification to consider a natural person unidentifiable. The absolute approach considers all possibilities and chances available to anyone in the world to identify the individual behind the information. In contrast, the relative approach considers only realistic chances of the entity handling the data to identify the data subjects (Spindler and Schmechel 2016, para. 12–14).

12

See article 2 GDPR that describes the material scope of the regulation as well as Recital 26 GDPR that states its boundaries: ‘(. . .) The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes’. 13 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. The former definition in article 2 lit. a of the Data Protection Directive reads: ‘“personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.

Industry Perspective

257

The core of the problem is that from a purely text-based perspective, the GDPR is ambiguous in its statements and does not offer crystal-clear guidance on how to draw the line between personal data and anonymous data. At first sight, Recital 26 reads like a risk-based approach for the assessment of identifiability by stating that to (...) determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments (...).

However, it remains unclear whether ‘another person’ refers to any other person or only those other persons within the factual or legal reach of the controller. Moreover, any approach on identifiability has to be brought in line with the concept of pseudonymisation, which according to article 4 (5) GDPR means ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. Again, it is unclear whether this statement is made from the perspective of an individual controller or from an absolute standpoint. As the GDPR holds elements that seemingly serve both the absolute approach and the relative approach (Spindler and Schmechel 2016, para. 31), a number of additional considerations may help to shape a consistent approach to identifiability. First, sustainable anonymisation is very hard to establish from a technical perspective because it can eventually not be excluded that at some point, the individuals behind the data may again become identifiable, for example, by means of additional information (Finck and Pallas 2020, pp. 22–35). Second, from a practical perspective any meaningful assessment of the means likely to be used to identify an individual must be performed in a certain context (Mitchell et al. 2020, pp. 38–50). For the recipient, it is simply not possible to know what means not just the provider but any other person in the world may use either now or later and whether that could lead to a re-identification of the data subjects behind a dataset. Third, from a teleological perspective, it generally does not take such an overwhelming exercise, including the assessment of potential actions of unknown players, to safeguard the privacy rights of natural persons, which is the overall intent of the GDPR. It is undisputed that from the moment any natural or legal person can undoubtedly identify the data subjects behind the data they are processing, data protection law will be applicable (again) to their activities. Thus, for many scenarios,14 there won’t be any gap in protection that would need to be closed by artificially

14 The inexistence of a gap can be stated at least for any third party located within the EU or in a country with an adequate level of protection based on local data protection laws. It needs to be

258

L. Oster

subjecting data that is factually anonymous in the hands of one specific entity to data protection law only because an autonomous third party may be able to link the same data to the data subjects. If that third party is not subject to the GDPR in its own right and happens to act outside of the scope of any data protection law (e..g a hacker located in a country without data protection regulations), this gap will be caused by the fragmentation of legislation on the international level and cannot be closed by raising the threshold for anonymisation for somebody else. Fourth, several provisions within the GDPR15 recognise that the data subject rights provided by the GDPR can hardly be honoured by a ‘pseudo-controller’ that itself has no viable means to link the data in its hands to individual data subjects.16 Instead of forcing such processing into the scope of the GDPR without any tangible value added, the data subject’s right to transparency may be more appropriately respected by being adequately informed about the possible use of its data for the indicated purposes, also in anonymised form, which then will take place outside the data subject’s legal reach.17 Moreover, in case the data subject’s consent includes the desire to be informed about incidental findings, the provider must contractually oblige the recipient of samples and metadata to share such results, regardless of whether or not the recipient is formally considered as a controller. Fifth, if the threshold to reach anonymisation for any data within the scope of the GDPR is set too high, there won’t be any room left to distinguish between pseudonymous and anonymous data. This would blur the concept of personal data and thus shake the foundations of contemporary European data protection law. Raising the bar on attaining anonymisation by applying the absolute approach may also reduce the incentives for controllers to de-personalise data, which undermines the goals of data protection (Finck and Pallas 2020, p. 36).

assessed on a case-by-case basis whether the activities of the third party fall within the territorial scope of the GDPR (art. 3 GDPR), may be subject to the national data protection law of a non-EU country or may be unregulated. 15 See art. 11 (2) GDPR that grants the data subject rights in arts. 15–20 GDPR only if the relevant individual can be identified by the controller thanks to additional information provided by the data subject and art. 14 (5) lit. b GDPR which states that the right to information does not apply if the provision of information proves impossible or would involve a disproportionate effort, 16 The issue is also relevant for constellations in which the recipient, if subjected to GDPR, would be a joint controller of the provider. Art. 26 GDPR states that when two or more controllers jointly determine the purposes and means of processing, they shall in a transparent manner determine their respective responsibilities for compliance with the GDPR, in particular in regard to the exercising of the rights of the data subject and their respective duties to provide the information referred to in art. 13 and 14 GDPR by means of an arrangement between them. A controller not able to identify the data subjects would need to allocate the fulfilment of any data subject rights with the other controller who must either way fulfil them in its own right, which raises the question of what kind of value the joint controllership agreement can actually add. 17 Unless the data subject enables the ‘pseudo-controller’ to identify the data sets relating to that individual by providing additional information that will make the ‘pseudo-controller’ turn into a controller under the GDPR.

Industry Perspective

259

Sixth, the application of the relative approach is consistent with the reasoning of the European Court of Justice (CJEU) in Breyer vs. Germany, recently confirmed by the General Court of the European Union (GCEU) in SRB vs. EDPS (GCEU, Case T-557/ 20). In Breyer vs. Germany, the CJEU was asked whether a dynamic IP address constitutes personal data with regard to a website provider which registers IP addresses when a person accesses the provider’s websites, even if only a third party, namely the internet service provider of the website visitor has the additional data necessary to identify that person (CJEU, Case C-582/14, para. 31). The CJEU stated that it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject, and that this would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant (CJEU, Case C-582/ 14, para. 45–46). If the CJEU had applied the absolute approach, this question would have been irrelevant, because it would have sufficed that the internet service provider can identify the person behind the IP address to make it personal information also for the website provider. The relative approach is even more evident in SRB vs. EDPS, in that the GCEU states that it is necessary to put oneself in the recipient’s position in order to determine whether the information transmitted to it relates to identifiable persons (GCEU, T-557/20, para. 97). Finally, by its nature the GDPR has not been construed to absolutely avoid any risk taking but represents in many aspects a balancing act between the right to privacy of the individual and the interests of various stakeholders to legitimately process personal data under the governance of a range of risk-mitigating instruments.18 This is legally consistent as data protection law is embedded in a broader legal landscape and must be interpreted in the light of the EU Charter of Fundamental Rights (EUC). The Charter not only stipulates the protection of privacy rights (art. 7 and 8 EUC) but establishes also other freedoms as the right to conduct a business (art. 16 EUC) and the right to property (art. 17 EUC). If such fundamental rights collide, an adequate balance must be found (Lenaerts 2012, p. 10). From this angle, the relative approach seems to offer more balanced solutions than the absolute approach to the potential tension created between data subject rights and datadriven research activities in the health sector. Based on these considerations, the most consistent way to navigate through the practical challenges while respecting the GDPR’s fundamental principles will be to accept a potential split in the legal sphere surrounding the transfer of samples,

18

See, e.g., the objective of free movement of personal data in art. 1 (3) GDPR, the fundamental principles in art. 5 GDPR, the requirements to apply risk-based security measures (art. 24 and 32 GDPR), the concepts of privacy by design and by default (art. 25 GDPR), the obligation to report data breaches depending on the risk level to the rights and freedoms of the data subjects (art. 33 and 34 GDPR) and the obligation to perform a data protection impact assessment for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons (art. 35 GDPR).

260

L. Oster

metadata and results. This will be the case if a biobank has access to additional information linking the data to the donors, whereas the company, including any person within its factual or legal control, has no viable means reasonably likely to be used to identify any individuals. Thus, the metadata and any individual-level results shared are personal information to the biobank but will be anonymous for the recipient (the same approach is suggested, e.g., by the Art. 29 Working Party 2007, pp. 19–20; Dierks et al. 2021, pp. 7–8).

4 Contractual Building Blocks: Covering the Past, the Present and the Future When applying the relative approach, the chronology of activities before and after the transfer may serve to structure the contract document along the lines of the shifting spheres of responsibility. The collection of the samples and personal information prior to the transfer took place before the involvement of the recipient, who therefore has to trust the biobank with regard to their provenience. Consequently, as between the parties, this phase belongs to the responsibility of the provider.19 The provider must guarantee that the samples and personal information have been collected in accordance with applicable laws and that the biobank has acquired all rights to the samples and data which are necessary to allow for the transfer to the company. If the rights of the biobank to the samples and metadata are in any way restricted beyond the rules imposed by data protection law (e.g., with regard to the purposes of use), these limitations must be passed on to the company (e.g., by means of describing the permitted use).20 The parties should also state which of them will apply for approval with the competent ethics committee if and to the extent the transfer is subject to such permission.21

19

This applies regardless of whether the biobank collected the samples and metadata itself or received them from a former partner. If the biobank did not perform the collection but received the samples and metadata from a former partner, the biobank should make sure to obtain the same contractual guarantees from that partner. 20 In the present case, the recipient will not have to observe data protection law for data which is anonymous to him. However, the data could be governed by restrictions established in previous contracts, which may include limitations set by the relevant consent forms (e.g., regarding purposes of use). 21 In Germany, this requirement may arise, e.g., for the sponsor of a clinical study based on the Medical Products Act (AMG), Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices (IVDR), Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (MDR) in connection with the Medical Device Adaptation Act (MPEUAnpG), or for the participating physician based on local medical regulations (e.g., § 15 Professional Regulation by the Medical Association Baden-Württemberg).

Industry Perspective

261

If the biobank is a controller in the sense of the GDPR22 and the transfer qualifies as processing within the meaning of art. 4 (2) GDPR,23 the biobank must identify the legal basis that allows for the provision of the personal information to the company. In any event, processing is only lawful if and to the extent one of the six legal bases in art. 6 (1) GDPR applies. For certain special categories of personal data as per art. 9 (1) GDPR, which includes health-related personal data, processing is prohibited unless (at least) one of the requirements laid down in art. 9 (2) GDPR is fulfilled in addition to art. 6 (1) GDPR.24 If consent25 is chosen as a legal basis, it is advisable for the company to perform some form of due diligence with regard to the consent forms that have been used26 by actively screening them against the relevant legal requirements.27 If this process is unsuitable,28 the contract should contain a commitment by the biobank to provide the relevant consent form(s) upon request. The choice to use consent as the legal basis for the transfer is not necessarily without alternatives (for further details on the different legal bases potentially available for biobanking and the challenges and implications involved, see Nordberg 2021, pp. 74–81; Duguet and Herveg 2021). Depending on the activities of each party in the project, the purposes of use and the applicable national data protection law and/or sector-specific regulations, the transfer may be based, for example, on the legitimate interest of the biobank to support the company with its development of a pharmaceutical drug or medical device (art. 6 (1) lit. e or f, 9 (2) lit. i GDPR in

22

If the biobank does not fall within the scope of the GDPR, its role must be assessed based on applicable national law. 23 Art. 4 (2) GDPR states that processing means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ (Emphasis added by author). 24 In order for the processing of special categories of personal data to be lawful in accordance with the GDPR, the requirements of art. 6 (1) GDPR and art. 9 (2) GDPR must be cumulatively fulfilled. The function of art. 9 GDPR as an additional threshold is in line with the risk-based nature of the GDPR. It is also suggested by Recital 51 (5) which states: ‘In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing’. 25 Consent can be a lawful legal basis as per art. 6 (1) lit. a, 9 (2) lit. a GDPR, provided that the requirements in art. 7 GDPR have been observed and the data subject has been informed about the processing in accordance with art. 13 GDPR. 26 For the avoidance of doubt, any legal check will be applied to the model text only. The company must not ask for signed consent forms and the provider must not provide such documents that would disclose the identities of the donors. The disclosure of signed forms would violate the principle of data minimization (art. 5 (1) lit. c GDPR). 27 To assess whether the consent form can serve as a legal basis for the transfer in the meaning of the GDPR, it will suffice to check the form from a data protection law perspective. However, each company is obviously free to define its own due diligence standard. 28 This may be the case because of disproportionate efforts required, e.g., if the company doesn’t have legal staff, if many different consent forms have been used and/or if the consent forms have been set up in foreign languages.

262

L. Oster

connection with the relevant applicable sector-specific law demanding for clinical studies29) or to support the company with its scientific research for the development of a health-related product (art. 6 (1) lit. f, 9 (2) lit. j GDPR in connection with the legal basis for research in national data protection law30). Such alternative legal bases may also offer a viable solution for the transfer if the consent forms were found to be insufficient. If and to the extent the transfer of metadata and samples to the company has not been appropriately described to the donor at the time of collection, the biobank must hence provide any additional information to the donors as may be legally required by art. 13 GDPR.31 Considering that the events up to the transfer reside in the legal sphere of the biobank, the company will usually expect some form of indemnification commitment by the provider in case the latter errs on the scope of its legal authorisation to perform the transfer and thereby causes damage to the recipient. For a maximum of risk-minimisation with regard to potential re-identification, the biobank should transfer the metadata to the company from the start without any identifiers which the biobank32 maintains and instead use some basic form of consecutive numbering for the datasets. However, this is usually only practicable for transfers of data without samples because the efforts required to physically renumber the samples are considerable. In any event, the company must delete any original identifiers as soon as possible after receipt (and should consider the same for any other original numbering) and substitute the former codes or numbers with new internal elements as needed.33 The goal to be achieved is the elimination of any link that may potentially establish a connection between the data and the donor. The earliest point in time when this operation can take place will depend on the necessities of the provider, namely whether any results obtained by the company shall be shared with the biobank either for scientific purposes or because the provider must be notified about incidental findings that it may need to report to the relevant donor.34 It is crucial to document within the contract exactly how the samples and 29

For example, art. 10 (3), 61 MDR and art. 5 (3), 56 IVDR. Within the scope of the GDPR, this will only be an option in countries that have used the opening clause in art. 9 (2) j GDPR and created a specific legal basis for research purposes in national law, such as § 27 Federal Data Protection Act (BDSG) or § 13 State Data Protection Act (LDSG) BadenWürttemberg in Germany. The relevant legal basis may come with additional requirements. 31 The company is not required to provide any additional information about its use of the data to the donor. Art. 14 GDPR is not applicable as there isn’t any personal information processed by the recipient who thus is not a controller. 32 Or its trusted third party if applicable. 33 Depending on the structure of the datasets and any connections needing to be conserved between metadata and results, there may be alternative and even better ways to free the data from any link to the original identifiers. 34 One may consider whether based on an even more cautious application of the relative approach, the metadata and results should be qualified as personal data also from the recipient’s perspective until the elimination of the original identifiers has taken place. From an industry standpoint, this would be rather problematic, in particular with regard to potential consent withdrawal when the recipient cannot resort to an alternative legal basis. In a worst-case scenario of data being shared 30

Industry Perspective

263

information will be anonymised prior to and/or after the transfer as well as the reason it is extremely unlikely that the recipient will ever be able to re-identify the donors (e.g., no factual or legal access to the identification information held by the biobank). Any remainders of the samples received by the company are usually either returned or destroyed after analysis as agreed between the parties. With regard to unforeseen occurrences in the future, the parties may agree that in the event of changes to the legal environment, the design of the collaboration, or technological developments that make the use of the metadata and results in the hands of recipients subject to data protection law, the biobank will reasonably support the company in fulfilling its information obligations pursuant to art. 14 GDPR vis à vis the donors upon request.35 Very likely any phase of the project that may have represented a joint controllership as per art. 26 GDPR36 will have ended at this point in time. The autonomous use of the metadata and results by the company for product development will take place on its own responsibility37 and does not demand any additional rules between the parties, unless the recipient is located in a country outside of the EEA that is not covered by an adequacy decision (art. 44 GDPR). In the latter case, the biobank should oblige the recipient to enter into any additional agreement that may be required to retrospectively safeguard the transfer in accordance with art. 46 GDPR.

5 Conclusion Dealing with legal uncertainties is a challenge that is not limited to the realm of data protection law because it is common that legal texts leave room for interpretation that will be filled over time by guidance from competent authorities, proposals from legal scholars and professionals and eventually court decisions. The answer to the original burning question is an attempt to mend the inconsistencies within the text of the

based on the original consent within a large-scale research collaboration and many consents being withdrawn, the company may invest huge efforts and a considerable amount of money and eventually end up with nothing. On the other hand, the sole benefit to the data subjects of this more cautious approach would seem to be a slight extension of the effect generated by consent withdrawal in terms of timeline and data coverage. 35 When the forwarding of this information to the donors proves impossible or would involve a disproportionate effort, the duty to provide information does not apply (art. 14 (5) GDPR). 36 The existence of a joint controllership situation between a biobank and a company is a rather hypothetical case because the parties will normally not engage in joint research activities beyond the sharing of samples, metadata and results. The latter is much more likely in a scientific collaboration between a company and a research institution. 37 Any company within the EU that can resort to a legal basis for scientific research purposes under national data protection law will have an interest to do so because the processing based on the original consent could potentially jeopardise the internal research efforts with a view to the possibility of consent withdrawal. This is particularly relevant for analytical applications built on databases.

264

L. Oster

GDPR by taking into account its nature as a risk management tool for the processing of personal information and to offer a practical proposal on how to approach contracting on transfers of samples, metadata and results between biobanks and industry. Whereas the information to be transferred is often personal data to the biobank, it is anonymous to any recipient that does not have any viable factual or legal access to information that would link the data to the donors. This text offers some ideas on how this legal embedding can be implemented on the contract level. At the same time, many aspects certainly need further clarification, in particular the consistent conceptual segregation between overlapping legal regimes.

References Dierks C, Kircher P, Husemann C, Kleinschmidt J, Haase M (2021) Data privacy in European medical research: a contemporary legal opinion, TMF series, vol 18. MWV, Berlin Duguet AM, Herveg J (2021) Safeguards and derogations relating to processing for scientific purposes: article 89 analysis for biobank research. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 105–120. https://doi.org/10.1007/978-3-030-49388-2 Finck M, Pallas F (2020) They who must not be identified – distinguishing personal from non-personal data under the GDPR. Int Data Priv Law 10(1):11–36 Gierschmann S (2021) Gestaltungsmöglichkeiten durch systematisches und risikobasiertes Vorgehen – Was ist schon anonym? ZD 2021:482–486 Lenaerts K (2012) Die EU-Grundrechtecharta. Anwendbarkeit und Auslegung. EuR 1:3–17 Mitchell C, Ordish J, Johnson E, Bridgen T, Hall A (2020) The GDPR and genomic data. The impact of the GDPR and DPA 2018 on genomic healthcare and research. University of Cambridge, PHG Foundation Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU general data protection regulation. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking, Law, governance and technology series, vol 43, pp 61–89 Spindler G, Schmechel P (2016) Personal data and encryption in the European general data protection regulation. JIPITEC 7:163–177 Tzortzatou O, Slokenberga S, Reichel J, da Costa Andrade A, Barbosa C, Bekaert S, van Veen EB, Romeo-Casabona CM, Cathaoir KÓ, Chassang G, Debucquoy A, Derèze JJ, Dollé L, Fält SE, Halouzka R, Hartlev M, Hisbergues M, Hoope N, Huys I, Falzon RV (2021) Biobanking across Europe post-GDPR: a deliberately fragmented landscape. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 397–419. https://doi.org/10.1007/978-3-030-49388-2

Joint Controller Agreement What Is the Function of the Joint Controller Agreement in Sharing Personal Data with a Large Research Consortium or Biobank Infrastructures? Valentina Colcelli

1 Introduction The case of sharing personal data with large research consortiums or biobank infrastructures commonly arises, even thinking about the circumstances of collaboration agreements for scientific research activities between several entities dedicated to the performance of a project that uses personal data for research activities, or in the case of biobanks that collect personal health data from hospitals involving donors, or of companies that jointly manage personnel and support activities, and similar cases in which data processing takes place in an intra-group context. Indeed, ‘the scale of collaboration and the need for data sharing increasingly require European science to operate through consortia, with formal management structures, reporting requirements, and written rules and regulations to cover areas of responsibility from data ownership to research dissemination’ (Morrison et al. 2020). Furthermore, ‘conventional consortia governance structures pose specific problems for meaningful public and participant involvement, data sharing, transparency, and “legacy”’ (Morrison et al. 2020). The governance of a research project by consortiums or biobank infrastructures raises the question of contracts for data management. According to General Data Protection Regulation (GDPR)1 aims, organisations are obliged to demonstrate that their processing activities are compliant with the Data Protection Principles (Recital 85; art. 5(2) and Rec. 74; art. 24 GDPR), an 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

V. Colcelli (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_29

265

266

V. Colcelli

arrangement between joint controllers can help organisations to demonstrate compliance with all the principles of the regulation: principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Thus, in paragraphs two (2) and three (3) the chapter will analyse the structure of the Joint controller agreement, and the meaning of the relationship between controller and processor in the light of art. 28 GDPR in paragraph four (4). Paragraph five (5) concludes by answering the main research question.

2 The Essence of the Joint Controller Agreement: Purposes and Means of the Processing of Personal Data The GDPR requires the controller to ensure all privacy principles are adhered to (Emili 2019, p. 121) ‘The data controller must adhere to what is stipulated under Article 5 GDPR, which states that personal data must be processed lawfully, fairly, and in a transparent manner (lawfulness, fairness and transparency). (. . .) The personal data must be collected for specified, explicit, and legitimate purposes (purpose limitation) and must be adequate and necessary in relation to the purposes for which it is collected (data minimisation)’ (Clarke et al. 2019). The controller and joint controllers also have to monitor ‘the behaviour of data subjects’, as mentioned in Recital 24 of the GDPR. This activity clearly includes all forms of tracking and profiling on the internet; ‘However, the notion of monitoring is not restricted to the online environment, and online tracking should only be considered by way of example. WP29 interprets ‘regular’ as meaning one or more of the following: ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times and constantly or periodically taking place. Whereas, WP29 interprets ‘systematic’ as meaning one or more of the following: occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection and carried out as part of a strategy’ (Emili 2019, p.122). Where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers (Rec.79; Art.4 (7), and Art.26). On 2 September 2020, the European Data Protection Board (EDPB) published new Guidelines 07/2020 (Guidelines) for public consultation on the concepts of controller and processor under the European GDPR.2 The Guidelines underline that joint controllership is not just where there is no joint determination of purposes, but also where there is a convergence of decisions on the purposes and means of processing that leads to inseparable processing activities by joint controllers and

2

Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Version 1.0. Adopted on 02 September 2020. https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guide lines_202007_controllerprocessor_en.pdf.

Joint Controller Agreement

267

the real operative terms between joint controllers that detail how personal data will be handled by the parties in practice. Core activities of the controller or the processor are intended to be ‘the key operations necessary to achieve the controller’s or processor’s goals; however, they should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s (Emili 2019, p.122) activity.3 A company/organisation decides ‘why’ and ‘how’ personal data should be processed by the data controller, so if the determination is made with one or more organisations, the latter are joint controllers. Because of the GDPR, joint controllers must enter into an arrangement setting out their respective responsibilities for complying with GDPR rules. This means that both controllers will have to take into account the jointly determined nature, scope, context and purpose of the processing, as well as the risks to which each party is exposed, in terms of probability and severity, and to determine appropriate technical and organisational measures to ensure and be able to demonstrate that the processing complies with the Regulation. It is necessary, that is, the exact and explicit determination of the aims of the treatment, so much so that in the event that a public body establishes the rules and regulations of the institution, it may also establish the purposes for which this is done by the implicit definition of the purposes that are not sufficient to legitimise the treatment. The arrangement may represent a contribution to the documentation of the legitimacy of the purpose, which in any case must be made explicit, thus excluding the possibility that they could ever settle per relationem (contra Navarretta 2007, p. 322).

3 Terms of the Arrangement Between Joint Controllers The GDPR imposes significant and specific requirements that must be included in all data processing agreements. The contract to comply with the elements established by art. 26 GDPR must be characterised as follows: (a) The respective responsibilities between the controllers for compliance with the obligations under the GDPR must be established. (b) It has a duty to reflect: (i) the respective roles and relationships of the joint controllers vis-à-vis the data subjects. (ii) the protection of the rights and freedoms of data subjects. (c) It may designate a contact point for data subjects. ‘Processor’ shall mean a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. (Definitions of ‘controller’ and ‘processor’ in Article 2 (d) and (e) of Directive 95/46/E). 3

268

V. Colcelli

(d) It has to determine the clear allocation of the responsibilities and liability of controllers and processors under the GDPR. The essence of the arrangement shall be made available to data subjects; this is to clarify the distribution of control. Nevertheless, at the national level just two Data Protection Acts provide general guidelines on joint controllership: the Norway Act of 15 June 2018 no. 38 and the Belgian Act of 30 July 2018 Federale Overheidsdienst Justitie, Federale Overheidsdienst Binnenlandse Zaken En Ministerie Van Landsverdediging ‘Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens’.4 This means that for legal operators it is not easy to work on a well-constructed joint controller agreement because there is no deep analysis by national legislators of its requirements. Furthermore, following Art. 26, we can summarise how the joint controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR. The arrangement clauses in particular must be explicit as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 GDPR to the data subjects. The aforementioned articles require the information to be provided where personal data are collected from the data subject (art. 13) and the information to be provided where personal data have not been obtained from the data subject (art. 14). At the same time, article 26 invites clarification regarding to whom the data controllers are subject, as well as the definition of the respective functions of communication of the information. The responsibility and the liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, must be established. The arrangement requires a clear allocation of the responsibilities under the GDPR, ‘including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller’ (Recital 79 EU GDPR). These clauses are the core of the arrangement and explicitly established by the GDPR; the clauses listed in Art. 26 GDPR raise new questions about what happens if one of these clauses is not planned in the text. ‘With respect to data subjects, it is important that transparent information is provided to the intended subjects by the data controller on the methods by which their data will be processed’ (Clarke et al. 2019), so the information that must be provided to data subjects seems to be a mandatory requirement and compulsory to reach the GDPR goal.

4 Belgian Act in the art. 52. ‘(. . .) Mutual arrangements shall establish the respective responsibilities of the joint controllers in a transparent manner, in particular with regard to the exercise of the rights of the data subject and to provide the information referred to in Articles 37 and 38, unless their respective responsibilities have been established by the law, the decree, the ordinance, the European regulations or the international agreement. A single point of contact for the parties involved can be designated in the mutual arrangement’.

Joint Controller Agreement

269

The GDPR seems to be a communitarian compulsory rule, especially as transparent data processing is mandatory in private enforcement of the law. If so, it could have a huge effect on the enforcement of the GDPR: for example, under the Italian legal system, the joint controller’s agreement contrary to mandatory rules on transparent data processing information would be void (art. 1418 Italian Civil code). This means that void contracts have neither binding force nor legal effectiveness and that the nullity may be claimed by anyone, and it can also be declared by a national court. Moreover, it is possible to insert other kinds of clauses to well-equip the agreement, f.i. the possibility for each party (A) to terminate the Agreement (with or without immediate effect) if the other party does not comply with all the obligations imposed on a controller under the GDPR in the performance of its obligations under the Joint Controller Agreement; (B) to ascertain that the provisions of the Agreement shall continue to apply to any personal data in the possession of either party which was covered by the Agreement that had eventually expired; (C) to foreseen a mutual assistance in complying with all applicable requirements of the GDPR; (D) to establish how and if implementing appropriate technical and organisational security measures to protect personal data in possession of the other party; (E) to inform each other of any data breaches; (F) to establish clear rules to ensure information will not be processed outside of the EU without the appropriate security measures and how all partners must be informed of this intent with sufficient notice in writing. Data subjects are always entitled to enforce their rights in respect of and against each of the controllers, so the essence of the arrangement shall be made available to the data subject. In particular, it may be important, albeit not necessary, to identify the “contact point for [the] data subjects” in order to exercise the rights provided for by the Regulation. In the case of the arrangement between joint controllers and the laws relevant to the cross-border research project (see the chapter in this book: V. Colcelli ‘Applying National Law in Cross-Border Research Activity’), GDPR does not address the issue of appointing a lead authority in situations when two or more joint controllers based in the EU jointly determine the purposes and means of processing. The controllers in joint controller situations shall transparently decide their respective duties for compliance with their obligations under the Regulation, as stated in Article 26(1) and Recital 79. Therefore, to take advantage of the one-stop-shop principle, the joint controllers should specify which establishment of the joint controllers will have the authority to implement decisions about the processing with regard to all joint controllers (among the establishments where decisions are taken).5

5

Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01.

270

V. Colcelli

4 The Arrangement Between Controller and Processor If, on the other hand, the performance of processing activities is delegated, the controller will have to enter into a contract pursuant to Article 28(3) of the GDPR with a data processor. If the need for delegation arises in respect of a joint controller, then the latter will be required to obtain written consent from the other joint controllers before concluding such a contract or issuing such an act of appointment. The agreement referred to in Article 28 GDPR binds the controller to the data processor, providing that the latter is chosen from among controllers providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject. The provision strongly emphasises the moment of the choice of the controller by using the expression ‘only resort’. The reasons for the choice and the justifications, also expressed in a comparative manner, for the identification of a controller in accordance with the principle of accountability will have to be documented, similarly to a public selection procedure in the case of an administration. Certainly, the very preparation of the specifications or the negotiation more generally must clearly show the criteria referred to in the first paragraph of Article 28, and therefore: (a) process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) take all measures required pursuant to Article 32; (d) respect the conditions referred to in paragraphs 2 and 4 for engaging another processor; (e) take into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III [of GDPR]; (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 32–36 taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data; (h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and

Joint Controller Agreement

271

contribute to audits, including inspections conducted by the controller or another auditor mandated by the controller. The advantages offered by such an agreement are manifold; it is vital to underline that, as an alternative to the appointment of a controller under Article 28 GDPR, the controller is able to negotiate a joint ownership agreement setting out mutual obligations and responsibilities, and avoid, for example, the audit of the controller that would otherwise be required under letter (h) paragraph 3 of said Article.

5 Conclusion Each contractual structure, generally speaking called consortia, that might support a research activity realised in an intra-group context or a biobanking activity must take in strong consideration the agreements designed by the GDPR to array the regulatory requirements from data protection and health and safety laws. These agreements are designed in art. 26 GDPR, the so-called Joint Controller Agreement and in art. 28 GDPR for the engagement of a processor. Additionally, we need to approach, albeit in a dissimilar manner, the sharing of personal health data from hospitals involving donors in biobank infrastructures from the sharing personal data in a research consortium in the framework of research project. In the case of a Biobank, two or more public bodies are the controllers of personal data, and their processing takes place in an intra-group context, thus the Joint Controller Agreement is strongly recommended due to its core contractual clauses being able to clarify the distribution of control and the responsibility and liability of controllers. Art. 26 GDPR requirements can facilitate the joint controllership of data in remaining manageable and transparent, especially with controllers from member states of different background regimes, where joint controllership could become ‘unmanageable and insufficiently transparent for the data subjects’ (van Veen 2018, p. 75). At the same time, the arrangement referred to in paragraph 1 of art. 26 GDPR ‘shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects’ and ‘the essence of the arrangement shall be made available to the data subject’. When discussing collaboration agreements for scientific research, the Guidelines remind us that ‘research project[s] by [several research institutes can] decide to participate in a specific joint research project and to use to that end the existing platform of one of the institutes involved in the project. Each institute feeds personal data it holds into the platform for the purpose of the joint research and uses the data provided by others through the platform for carrying out the research. In this case, all institutes qualify as joint controllers for the personal data processing that is done by storing and disclosing information from this platform since they have decided together the purpose of the processing and the means to be used (the existing platform). Each of the institutes however is a separate controller for any other

272

V. Colcelli

processing that may be carried out outside the platform for their respective purposes’. Consequently, the latter has to permit a generalised control on the function of the agreement to stress—on the EU dimension—the value of individual control or informational self-determination; ‘Now that we are living in the GDPR era, one thing is for sure, the increased enforcement power and higher maximum fines, plus the enhanced awareness of data subjects’ rights and their ability to exercise those rights means that controllers and processors will be held to account for their processing activities now more so than ever’ (Pantlin et al. 2018, p. 885). On the other hand, we are faced with a contract as referred to in Article 28 GDPR when a processing operation is carried out on behalf of the controller by a data processor, where the contractual agreement will have to highlight the safeguards offered by the controller as sufficient to put in place appropriate technical and organisational measures so that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject. The controller and the processor may, in fact, enter into an agreement, pursuant to Article 28 of the third paragraph of the GDPR, in order to regulate the obligations and responsibilities of the controller vis-à-vis the processor. Some scholars have identified, for example, that a contract under Article 28 of the GDPR should be used for data management in the case of observational research, when patient data are derived from different health systems: in such a case, the centre collecting the research data ‘should be the sole controller and data transfer agreements (DTAs) should regulate processing through that database. The Data Officer of the receiving centre should ensure that the conditions are effectively met, alongside potential other project governance mechanisms such as decision-making procedures on the use of the database for specific protocols, where applicable’ (van Veen 2018, p. 75). In fact, in the hypothesis described, the choice of the use of the contract under Article 28 of the GDPR may not be automatic and instead the appropriate solution may be the use of a co-ownership contract under Article 26 of the GDPR. Indeed, it is the specific case as well as the modality that is considered most appropriate for the principle of accountability or reporting to become concrete acts. Indeed, notwithstanding the difference between the two contracts as inferred by the rule, there may be borderline situations where the choice of the contract to be put in place is not clear: a situation could sometimes qualify as a joint agreement between joint controllers under Article 26, or as a contract between controller and processor under Article 28 of the GDPR. The application in the concrete case may be difficult, making it difficult to identify in practice the hypotheses of co-ownership. In some cases, the involvement of the Data Protection Authority may be necessary in order to qualify the concrete situation and subsume it under a more suitable legal provision.

Joint Controller Agreement

273

References Clarke N, Gillian V, Reeves EP, Kirwan M, Smith D, Farrell M, Hurl G, McElvaney NG (2019) GDPR: an impediment to research? Ir J Med Sci 188:1129–1135. https://doi.org/10. 1007/s11845-019-01980-2 Emili AM (2019) Data protection officer. In: Bartolini A, Cippitani R, Colcelli V (eds) Dictionary of statuses within EU law. Springer International, Cham, pp 121–126. https://doi.org/10.1007/ 978-3-030-00554-2 Morrison M, Mourby M, Gowans H, Coy S, Kaye J (2020) Governance of research consortia: challenges of implementing Responsible Research and Innovation within Europe. Life Sci Soc Policy 16:13. https://doi.org/10.1186/s40504-020-00109-z Navarretta E (2007) Commento sub art. 11 del D.lgs., 30 giugno 2003, n. 196. In: Bianca CM, Busnelli FD (eds) La protezione dei dati personali. Commentario al D.Lgs. 30 giugno 2003, n. 196 («Codice della privacy»), I. Cedam, Padova Pantlin N, Wiseman C, Everett M (2018) Supply chain arrangements: the ABC to GDPR compliance—a spotlight on emerging market practice in supplier contracts in light of the GDPR. Comput Law Secur Rev 34:881–885 van Veen E-B (2018) Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate. Eur J Cancer 104:70–80. https://doi.org/10.1016/ j.ejca.2018.09.032

Legitimate Interests Are Legitimate Interests Lawful Grounds for Processing Retrospective Health Data and Tumour Tissue? Tunjica Petrašević and Romana Ćosić

1 Introduction Regulation (EU) 2016/679 (General data Protection Regulation1 [hereinafter referred to as GDPR]) is aimed at streamlining data protection legislation across EU Member States to ensure individual rights for every EU citizen. Its Article 5(1) (a) sets out the three prerequisites that underlie the protection of individual rights: personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’ (Gil Gonzales and Hert 2019, p. 601). Article 6(1) of the GDPR prescribes the six legal grounds that underlie lawful processing of personal data. Between them, the most controversial grounds—and the most malleable, at least in the view of these authors—are the legitimate interests of the controller or another third party. And while not specifically tailored to protect human or genetic research data, (Pormeister 2018, p. 711) the scope of the GDPR does encompass them. Here, the scope is to tackle retrospective2 health data and tumour tissue (effectively genetic data and, as such, constituting personal data) in order to ask: Does the GDPR protect—and to what extent—the personal data used for research purposes when it is processed on grounds of a legitimate interest of the controller or 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, O.J. 4.5.2016 L 119. 2 A retrospective study is performed a posteriori, using existing data that have been recorded for reasons other than research. T. Petrašević (✉) Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] R. Ćosić Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia Municipal Court in Vukovar, Vukovar, Croatia © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_30

275

276

T. Petrašević and R. Ćosić

another third party? Are retrospective health data and tumour tissue lawfully processable on grounds of a legitimate interest?

2 Legitimate Interest as Grounds for Data Processing Per Article 6(1)(f) of the GDPR, processing is lawful only if ‘necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’. While the GDPR does not strictly define ‘legitimate interests’, its recitals 47 and 48 offer examples thereof. However, the examples serve only to determine the rights and freedoms that override legitimate interest.3 In recital 47, one such example sees the existence of a legitimate interest provided there is a relevant and appropriate relationship between the data subject (e.g., a client or an individual in the service of the controller) and the controller. At any rate, legitimate interest must be probed on a case-by-case basis, especially in regard to whether a data subject is aware of the possible processing of the respective personal data. Further examples of legitimate interest, as offered in the preamble, include fraud prevention, direct marketing, transmitting of personal data within a group of undertakings for internal administrative purposes (including the processing of clients’ or employees’ personal data) and ensuring network and information security (including preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems) (Zanfir-Fortuna et al. 2018, p. 7) Formulated as they are, most of these examples use businesses and their underlying economic considerations for illustration purposes, framing such considerations as legitimate interests. Not one of the examples deals with health data or medical records in any context. Nevertheless, legitimate interest for processing retrospective health data and tumour tissue should not be excluded as potential lawful grounds. Legitimate interest has yet to be strictly defined (either by the GDPR or another EU regulation). Nevertheless, certain fundamental rules on data processing on grounds of legitimate interest have been set within the case law of the Court of Justice of the European Union (CJEU), signalling the EU’s efforts to balance the interests, rights and freedoms of the individual with the legitimate interests of the controller, processor or a third party (Zanfir-Fortuna et al. 2018, p. 11). In Rigas4 and Manni,5 the CJEU set the criteria for the lawful use of legitimate interests as grounds for lawful processing of data and also explained how legitimate interests may be

3 GDPR: legal grounds for lawful processing of personal data. https://www.i-scoop.eu/gdpr/legalgrounds-lawful-processing-personal-data/. 4 CJEU, Case C-13/16 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiks, 4 May 2017, ECLI:EU:C:2017:336. 5 CJEU, Case C-398/15 Camera di Commercio, Industria, Aritigianato e Agricoltura di Lecce v. Salvatore Manni, judgement from 9 March 2017, ECLI:EU:C:2017:197.

Legitimate Interests

277

used to legitimise a data processing operation supplementary to other grounds. Essentially, in the two cases, the CJEU formulated a three-tiered test that allows a data processing operation, such as disclosure of personal data, to be grounded on the necessity for a legitimate interest: (1) existence of a legitimate interest, (2) necessity of the processing of that data for the purpose of the legitimate interest pursued (under the ‘strict necessity’ test) and (3) the balancing of the rights and interests at stake. First, while it may seem self-evident, without a legitimate interest, there can be no lawful processing of data. Thus, a legitimate interest (of any kind, in any context) of a controller or even a third party must be factual and correspond to current activities or reasonably soon affect benefits. Further, it must be legitimate in the sense that it must be lawful or, rather, permissible under relevant EU and national law. Second, for the legitimate interests to be achieved, the personal data undergoing processing must be necessary. In other words, if it forms no direct association with the accomplishment of the legitimate interests pursued, data processing cannot be lawful. Third, the processing of personal data must pass a balancing test between the interests of the processor (or similar party) and the interests (the fundamental rights and freedoms) of the individual whose data are undergoing the processing. In performing the balancing test, the first step entails an examination of the nature and the source of the legitimate interests as well as its effects on the rights of the data subject. The reasonable expectations of the data subject must simultaneously be considered based on their relationship with the controller (or similar party). The legitimate expectations of the data subject are determinable based on their reasonable expectation—at the time and in the context of the data collection—that their data would be processed for a stated purpose (Zanfir-Fortuna et al. 2018, p. 6–7). In effect, to process data on grounds of legitimate interest, one must have a factual and current legitimate interest, data processing must be necessary to achieve that particular interest and the rights of the data subject must not be violated in the process. Processing is lawful when the said three criteria are simultaneously satisfied. But does this principle automatically extend to more specific types of data— such as retrospective health data and tumour tissue—when the above criteria are met? Can such specific data be processed lawfully on the very same grounds?

3 Processing Retrospective Health Data and Tumour Tissue on Grounds of Legitimate Interest While neither retrospective health data nor tumour tissue are mentioned in the GDPR per se, its Article 9 does establish specific rules on lawful grounds for processing special data categories, including genetic and health-related data. The data falling under the special categories may be processed only if any of the exceptions set out in

278

T. Petrašević and R. Ćosić

Article 9(2) apply, including the existence of explicit consent by the data subject, legal claims, substantial public interest, medical purposes, public health, etc. Since they fall under the GDPR’s special data category, the processing of retrospective health data as well as tumour tissue solely on grounds of legitimate interest is currently impermissible and unlawful. Legitimate interests of a data controller or a third party do not constitute alternative grounds for lawful data processing of retrospective health data and tumour tissue. Even though such data could never be processed on such grounds alone, in the authors’ view, it doesn’t preclude data controllers or third parties from invoking legitimate interest conjointly with, for example, reasons of public interest, medical purposes, public health or any other lawful grounds for data processing under the GDPR. To place this into perspective, it was only recently that the world was shaken by the COVID-19 pandemic. Many a researcher, private company, university and other public health researchers had already been conducting research on the coronavirus and potential vaccines, perhaps even on the virus’ genetic base. The image— that of these various actors joining efforts, sharing their knowledge (and data) to find a solution (the vaccine) to save lives and to put an end to the pandemic—was a compelling one. Under such circumstances, not many challenged the right to data processing nor the right to the processing of retrospective data or the data of deceased persons (that was obtained without prior consent). The prime concern was public health and surviving another day of pandemic outbreaks—legal considerations formed the perimeter. The premise, then, is that the said processing of retrospective data was and still is grounded on the protection of public health (or—in simpler terms—the greater good). But why then could not the lawfulness of processing retrospective data be reinforced with legitimate interests? Did not the aforementioned private companies consider the public interest and public health as equally as the benefits and profits from the vaccine production? As it is, it is not inconceivable that the processing of retrospective data be legitimised if co-grounded in public health/interest protection and legitimate interest. However, processing such data solely on the ground of legitimate interests doesn’t seem applicable or lawful at the moment. Retrospective health data and tumour tissue fall under a special category of data, as recognised by the GDPR. Very special and very great care should be paid in processing this data as an intrinsic part of any human and thus their human right. Moreover, personal health data could benefit the research (e.g., tissue-focused) as carried out in biobanks, medical clinics or research institutes much like they have benefited vaccine development. Having a lawful ground to use the data subjects’ health data for research purposes offers a platform for further research, potentially allowing endless research progress. Re-requesting consent to use retrospective data or tumour tissue in such situations may be onerous, overly expensive or even impossible due to the passage of time. These circumstances are hardly the only examples in which—in these authors’ view—legitimate interest is imaginable as a supplemental ground for lawful processing of that data type.

Legitimate Interests

279

4 Conclusion Research has historically been governed by ethics rather than law. Even with regards to human research, supranational legal standards are a rare breed compared to the plethora of international ethics instruments (Pormeister 2018, p. 707). Thus, there is no easy answer to the question of lawful data processing and the lawful processing of health data, especially retrospective data and tumour tissue, even though the chief law resource on data protection at the EU level, the GDPR, does not specifically prescribe lawful processing of retrospective health data and tumour tissue. It does, however, regulate to a certain point the processing of health data as a special data type. And this is exactly the junction at which the morals of researchers eclipse the law. On the one hand, as a special data type, health data cannot be lawfully processed solely on grounds of legitimate interests under any circumstance. On the other hand, researchers may claim specificity on account of retrospective data having been previously collected, some even prior to the introduction of the GDPR. Researchers may also contend that given that the data subjects were aware of participating in medical research, they would likely agree to it again. However, if the high demands of re-requesting the data subjects’ consent to use retrospective data or tumour tissue and the researchers’ potentially legitimate interest to process that data type were conjoined, they just might be the golden ticket, that is, constitute a lawful ground for such processing. Nevertheless, both under the GDPR and in the authors’ view, retrospective health data and tumour tissue are and should be treated as a special data type. As such, they should not be lawfully processable solely on grounds of legitimate interests, even if the legitimate interests could pass the tripartite test. In other words, legitimate interests alone should not constitute lawful grounds for processing retrospective health data or tumour tissues even if a controller had legitimate interests and was able to demonstrate that the data processing is necessary for furthering those interests, and if individuals’ rights were balanced therewith. In some cases, however, legitimate interests should be allowed as ground for lawful processing of data, but only as supplemental to another lawful ground, such as public health interest or the data subject’s consent.

References Gil González E, Hert P (2019) Understanding the legal provisions that allow processing and profiling of personal data—an analysis of GDPR provisions and principles. ERA Forum 19: 597–621 Pormeister K (2018) Genetic research and applicable law: The intra-EU conflict of laws as a regulatory challenge to cross-border genetic research. J Law Biosci 5:706–723. https://doi. org/10.1093/jlb/lsy023 Zanfir-Fortuna G, Troester-Falk T, McCluskey M (2018) Processing personal data on the basis of legitimate interests under the GDPR – practical cases. Future of privacy Forum, Nymity. https:// fpf.org/wp-content/uploads/2018/04/20180413-Legitimate-Interest_FPF_Nymity-2018.pdf

Ownership of Human Biological Material To Whom Does the “Ownership” of the Human Body and Its Parts Belong? Who Has the Right to Dispose of It and for What Purpose? Roberto Cippitani and Valentina Colcelli

1 Introduction There is legal uncertainty linked to the validity and sustainability of the property transfer of a sample from the donor to the biobank and what legal effect a withdrawal of consent (as a standard wording in the consent forms) can have on it, including any analytical results derived from such sample in the context of secondary use, not to speak of uses made of data derived from the sample that later have become protected under IP laws. The problem is linked to the ethical-legal issue of ‘ownership’ of the human body and parts of it, of the possibility of disposing of the human body (Björkman and Hansson 2006). Today, the human body and its parts, as such, cannot be an object of commercialisation or a source of profit as provided by several normative sources. In Europe, it is important to refer to Article 3 (2) (c) of the Charter of Fundamental Rights of the European Union and Article 21 of the Convention of Oviedo. The Explanatory Report to the Convention clarifies the meaning of ‘body parts’, which includes ‘organs and tissues proper, including blood’, but excludes ‘hair and nails, which are discarded tissues, and the sale of which is not an affront to human dignity’.1 European law is shaped by the fundamental principle of the prohibition against financial gain from the human body and its products and also by the philanthropic view that the donation of human organs, tissues and cells should be unpaid and seen 1

Council of Europe (1997). Explanatory Report to the Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine, paragraph 133.

R. Cippitani (✉) · V. Colcelli Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_31

281

282

R. Cippitani and V. Colcelli

either as a moral duty or as a public welfare service—the ‘no-property rule’. This is in order to protect human dignity by avoiding the possibility that the donation may be forced by economic reasons (see the chapter in this book: R. Cippitani ‘Ethical Principles and Legal Provisions’).

2 The Legal Framework May Be Subject to the Processing for Commercial and Research Purposes Because of Human Tissues The approach described in the last paragraph of the Introduction does not prevent human tissues from being subject to processing for commercial and research purposes, as allowed by the Tissue Directive (Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells). Also, Directive 98/44/EC of the European Parliament and of the Council of 6 July 1998 on biotechnological inventions states in Article 5 that, on the one hand, ‘The human body (. . .) cannot constitute patentable inventions’ (paragraph 1), but, on the other hand, ‘An element isolated from the human body or otherwise produced by means of a technical process, including the sequence or partial sequence of a gene, may constitute a patentable invention’. The legal trend today, and not only in Europe,2 is to separate the dimension of personal dignity from the necessity that the biological sample should be used on the grounds of informed consent of the individual, without compensation. Once human dignity is respected, there is no reason to avoid the use of biological material for research purposes or commercial activities, subject to the measures to grant the privacy and the security of the persons. However, there are different opinions that consider that the ‘ownership rights will be the perfect way to protect the rights of the patients and the subjects under research, given the fact that the ownership rights offer mechanisms of control that allow

2

The originating case in this area was decided in 1990 in Moore v. Regents of University of California, 51 Cal. 3d 120; 271 Cal. Rptr 146; 793 P.2d 479 (‘Moore’). The patient sued the institution after discovering that his cells had been used for research that resulted in economic gain without his knowledge or consent. The Supreme Court of California found that the patient did not have property rights to his excised tissue but could sue for breach of fiduciary duty due to the lack of informed consent. In this case, a distinction was drawn between property rights and the dignity and privacy interests that are based on informed consent principles. Moore later negotiated and came to a settlement agreement with UCLA that covered his legal fees on the basis that he had not been informed nor had he agreed to the research. In 1991, the U.S. Supreme Court also rejected Moore’s claim regarding the profit issues, stating that a hospital patient does not own rights to excised tissue, even if they are valuable through commercialisation.

Ownership of Human Biological Material

283

individuals to control what happens with their anatomic pieces’ (Lobato de Faria 2009).3 There is not a common legal framework concerning the rights on the samples stored in a biobank. In Europe, there are countries, such as Portugal (see Article 19°/13 of Law n.° 12/2005 of 26 January on personal genetic data and health data), where the law establishes that the samples are owned by the donors or their relatives—after their death or disability—and should be stored as long as the samples are of proven use to current and future family members. In this regard, Spanish law no. 14/2007 concerning Biomedical Research states that in the case of withdrawal of consent, biological samples will be destroyed. With a different approach, the UK Biobank states that participants ‘will have no property rights in the samples’4 and that this will be explained in the consent process. This does not preclude the capacity of donors to agree to rights of access to information or to withdraw from the project or, in some cases, to have the sample destroyed. Another issue is represented by the right to data arising from the biological material. In that field, there is a common tendency to maintain the data deriving from the research activities, and legal systems, such as the Portuguese and Spanish systems, clearly affirm the rights of the donors to their biological material. With particular regard to personal data, Article 7 (1) of Regulation (EU) 2016/679 can be applicable, which establishes that ‘The data subject shall have the right to withdraw his or her consent at any time’; at the same time, it states that ‘The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal’. Therefore, it seems that at least the on-going research activities should not be affected by the withdrawal of consent, even this is not clearly addressed (see chapter in this book: V. Colcelli ‘Consent Withdrawal’). It should be emphasised that the guarantee of withdrawal of consent is weak and difficult to concretise, especially as far as the information dimension is concerned, due to the considerable size achieved by the reach of biobanks and the continuous exchange of materials and data among researchers.

3 EUROBIOBANK (Network of DNA, Cell and Tissue Banks for Rare Diseases). Funded by the European Union V Framework Research (QLRI-CT-2002-02769)/REPIER (Rare Diseases Epidemiological Research Network) Network funded by the Instituto de Salud Carlos III. File N.o G03/123., Outstanding legal and ethical issues on biobanks an overview on the regulations of member states of the eurobiobank project. https://www.leukemia-net.org/kompetenznetzleukaemie/content/studieninfrastruktur/themen/biobanken/e11377/infoboxContent11379/ Eurobiobank_Uranga_etal_2006_ethical_legal_issues.pdf. 4 Wellcome Trust, Medical Research Council and Department of Health UK. UK Biobank, Ethics and Governance Framework, Version 3.0; October 2007.

284

R. Cippitani and V. Colcelli

3 Some Legal Issues for Biobank Policies and Procedures for the Exploitation of Material Stored in a Biobank and Associated Data and Information The results, meaning the data, information, knowledge and tangible and intangible assets produced as a result of the activities carried out by the biobank, may have different regulations, depending on the organisational model chosen. The commercial implications associated with these results and the potential profits that can be derived from them pose the need to clearly define the ethical– legal position of the biobank as the entity that manages the samples. The question of the economic exploitation of material stored in a biobank is still the subject of extensive debates and reflections.5 The key aspect is to protect the donor and data subject from any form of economic exploitation while recognising the possibility of profits attached to intellectual property deriving from the establishments managing the biobank and from the services they can provide. Therefore, the material stored in the biobank cannot be exploited for direct profit by the individuals but can indirectly give rise to revenues and financing linked, for example, to the development of therapies or diagnostic tests. According to current legislation, a refund could be provided to cover, among other things, the operating and storage costs of the sample, the management of the request for samples and the shipment and treatment of the sample before shipment. In compliance with the principle of human dignity, no personal economic benefits will be derived for the subject from which the sample was originally taken or for the researcher, but the biobank manager must protect the interest of the community to which the subject belongs so that any economic profits are invested in future research and in works and services useful for the community, including the economic sustainability of the biobank itself. Thus, if the main point for a tissue biobank is the definition of the legal status of the human body and the ownership of the tissue with which it is endowed, then consideration must be given to the balance between donor rights and the exploitation of the stored material in the general interest of the biobank and the community, which are related to: (1) whether collections of data attract or do not attract copyright protection; and (2) extraction and/or re-utilisation of the data in whole or in part. European Union laws try to solve the question of how to manage the starting point by stating that collections of data are subject to copyright protection only when 5

The reference provisions are represented by the UNESCO Declaration (1997), which states that the human genome is a heritage of humanity and of the family; the Oviedo Bioethics Convention (1997), which, protecting human dignity, establishes that the body and its parts, as such, must not be a source of profit; it should nevertheless be noted that the collected material can be stored or used for different purposes as long as the donor has given informed consent; and finally, the Directive of the European Parliament and of the Council on the legal protection of biotechnological inventions (98/44 / EC), implemented in Italy with the decree-law of 10 January 2006, n. 3, converted, with modifications, by law 22 February 2006, n. 78, which specifies the limits of the patenting of biological material.

Ownership of Human Biological Material

285

the way in which the content is selected and arranged bears in itself an element of authorial originality or creativity. Under EU law, even when databases do not meet the threshold of copyright protection, they are eligible for a sui generis form of protection. The sui generis database right, which was introduced in 1996 by the Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (‘European Database Directive’), affords protection to virtually any aggregation of contents on the conditions that ‘substantial investment’ has been made and the aim is ‘either the obtaining, verification or presentation of the contents’ (Article 7 of the Database Directive).6 Neither of these conditions is difficult to meet. As to the ‘substantiality’ requirement, it has been interpreted by the Court of Justice as a de minimis rule that should not preclude, for instance, databases that are mere ‘spin-offs’ of other activities that attract protection. What seems to be relatively more challenging is the second condition, namely ‘towards what’ is the investment directed. In a series of cases brought before the Court of Justice, the requirement has been developed as implying a distinction between the expenditure of resources and skills to create the content of the database and investment directed towards the collection of pre-existing content.7 While the latter is eligible, the former is not. The rationale of this distinction is to exclude from protection the so-called ‘sole source’ databases, that is, databases that contain data or information that is not available elsewhere. A biobank made up of data not otherwise available leads to the creation of sole source databases, and exclusive rights over these types of databases would result in a de facto monopolisation of facts and information. According to the Court of Justice, this would be contrary to the intention of the EU legislator. At the same time, under EU law, even databases that do not meet the threshold of copyright protection are eligible for a sui generis form of protection. A biobank will have policies that impose specific conditions on the use of its data. Although the biobank is not expected in itself to lead to patentable inventions that return significant income, this possibility is not excluded in principle; commercial companies and public or private researchers are allowed to access the database if their proposal falls within the biobank purpose and complies with the usual scientific and ethics requirements established in the biobank access regulation. In any case, the main point is that the biobank has the duty to inform donors, families, institutions and public and private entities about who (research groups or

6

Court of Justice, judg. 19 December 2013, Innoweb, C-202/12, EU:C:2013:850, paragraph 22, interpreting the protection by Article 7 on the ground that ‘the maker shows that there has been qualitatively and/or quantitatively a substantial investment in the obtaining, verification or presentation of the database contents’. 7 See, for example, Court of Justice, judg. 3 June 2021, C-762/19, SIA ‘CV-Online Latvia’ v SIA ‘Melons’, ECLI:EU:C:2021:434, paragraph 25; Id., judg. 9 November 2004, The British Horseracing Board and Others, C-203/02, EU:C:2004:695, paragraph 31; and Fixtures Marketing, C-338/02, EU:C:2004:696, paragraph 24.

286

R. Cippitani and V. Colcelli

laboratories) collaborate with the infrastructure or about the results of the activities carried out.

4 Conclusion The biobank is responsible for the correct conservation and management of such materials and the data connected to them in the general interest of research, for the protection of the community and in the interest of the donor. For these reasons, the biobank must guarantee as far as possible the provision of all useful information to the person from whom the material was originally taken as well as to the family members, and compatibly with the research purposes, must protect the integrity of the sample and personal data itself, establishing in this regard detailed rules as internal regulations. The main point for a tissue biobank is the definition of the legal status of the human body and the ownership of the tissue with which it is endowed. The legal trend today, and not only in Europe, is to separate the dimension of personal dignity from the need for the biological sample to be used on the grounds of the individual’s informed consent, without compensation. The commercial implications associated with these results and the potential profits that may be derived from them raise the need to clearly define the ethical– legal position of the biobank as the entity handling the samples. The question of the economic exploitation of the material stored in a biobank is still the subject of extensive debate and reflection. The key issue is to protect the donor and the interested party from any form of economic exploitation, while at the same time recognising the possibility of gain associated with the intellectual property arising from the structure of the biobank and the services it may share. In line with these trends, therefore, the material stored in the biobank cannot be exploited for direct profit but can indirectly generate revenue and funding linked, for example, to the development of therapies or diagnostic tests.

References Björkman B, Hansson SO (2006) Bodily rights and property rights. J Med Ethics 32(4):209–214. https://doi.org/10.1136/jme.2004.011270 Lobato de Faria P (2009) Ownership rights in research biobanks: do we need a new kind of ‘biological property’? In: Solbakk J, Holm S, Hofmann B (eds) The ethics of research biobanking. Springer, pp 263–276. https://doi.org/10.1007/978-0-387-93872-1_18

Paediatric Biobanks (General Overview) How to Tackle the Protection of Personal Data and Other Ethical Issues in a Paediatric Biobank? Tiziana Franchin and Rossana Ruggiero

1 Introduction. The Principle of Solidarity and Research Biobanks Balancing the protection and the limits of scientific research freedom is essential. Its dynamism stems from the free engagement and intellectual achievements at the service of mankind, while its main features (such as autonomy, creativity, independence and transparency) operate within the boundaries of what is considered ethically acceptable. Therefore science, as other human activity, goes hand in hand with fair practices and requires a sense of ethical responsibility (Bergoglio 2017). The fair interplay of freedom and responsibility in science is ensured by the principle of solidarity that operates as a moral virtue and an enabler of ethical standards. The principle of solidarity inspires man’s awareness to make knowledge functional and decisive for the health and care of others. As was well-described by Roberto Cippitani, a different meaning was attributed to solidarity between the mid-nineteenth century and the beginning of the twentieth century. Solidarity moved from being an eminently organisational principle of the community to be perceived as a ‘social’ leap of protection towards disadvantaged people.1 A strong

This article is realised starting from the experience of the IRCCS Children’s Hospital Bambino Gesù (Città del Vaticano-Roma). The Children’s Hospital Bambino Gesù of Rome, acting as Scientific Hospitalisation and Treatment Institutes (IRCCS) set up a Pediatric Research Biobank in 2018, with the aim of collecting and preserving biological material from pediatric patients attending the Institute according to specific quality standards. 1 The meaning of solidarity not only has ancient origins in continuity with religious or philosophical concepts, such as hospitality, humanitas, pietas and clementia but also with the Gospel’s ‘ágape’

T. Franchin · R. Ruggiero (✉) IRCCS Children’s Hospital Bambino Gesù (OPBG), Rome, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_32

287

288

T. Franchin and R. Ruggiero

connection could be envisaged with the etymology of ‘caritas’ (service in favour of others), which anticipated the new idea of solidarity, understood as ‘taking on as one’s own the interest of another person’ (Cippitani 2010, p. 23). Solidarity cannot be considered in an isolated manner while scrutinising the dynamism of science. Another relevant concept allied to solidarity is reciprocity and its sense of circularity. Reciprocity allows researchers and scientists around the world to find comfort in reciprocal and mutual contributions in the realm of scientific and research progress. A pragmatic application of this form of mutual solidarity is the creation of biobanks because they are a ‘bank account of organic material in which people deposit their blood and other tissue samples in order to receive medical benefits in return in the more or less near future’.2 The collection and preservation of biological material represents an invaluable practice for translational research aimed at understanding pathogenetic mechanisms and improving human health and wellbeing. Both are realised according to quality standards that guarantee the complete traceability of the activities using biological samples as well as the significance of their clinical–scientific information. A research biobank is a non-profit service unit for the collection, processing, storage and distribution of human biological samples and linked data for research purposes. It is officially recognised by the competent health authorities, applies a process quality management system and guarantees the rights of those involved.3 Samples stored in biobanks play a key role in the shift from conventional medicine to personalised, predictive and preventive medicine, considering the unfolding potential of new ‘-omics’ methods and new cell biology technologies used in the study of rare and ultrarare diseases. Biobanks also have potential in various fields of research: oncological and immunological studies, investigations in human microbiota and in all pathogenesis research for innovative therapeutic approaches. Despite this, implementing the reciprocity of the solidaristic purpose across the creation, management and implementation of a research biobank and through the contribution of biological material by individuals often raises several ethical and legal issue. These concerns are often assisted by the setup of appropriate limits and safeguards that are far more crucial when minors, as vulnerable persons, are involved.

(the ‘care of the other and for the other’) and ‘brotherhood’ (i.e., respect for the other as equal by definition). 2 As defined in a 2009 Time magazine article and in conjunction with the creation of the first US National Cancer Institute (NCI) national biobank. The article also referred to biobanks as one of the Top 10 ideas that change the world precisely because most of today’s biomedical knowledge derives from the systematic investigation of human biological samples stored in biobanks, containing materials such as blood, cells, tissues and DNA, as well as information associated with the aforementioned samples and their donor. 3 Italian BBMRI node. https://www.bbmri.it/nodo-nazionale/biobanche/.

Paediatric Biobanks (General Overview)

289

European Union (EU) and international conventions, recommendations and regulations4 protect the dignity and self-determination of individuals, ensuring them the fundamental right to choose whether to consent to the donation and use of their biological material. This mainly occurs if biological materials or samples are used for research activities and regardless of the benefit that the donor may derive from them. Consent realises the mutual solidaristic purpose of a research biobank when it is fully granted for the donation of samples for research purposes and is given by a legally capable person or a legal representative on behalf of children (i.e., parents/ legal guardian). Thus, solidarity operates not only in favour of those who conduct research activities but also for the benefit of the civil society at large.

2 General Framework for Ethics and Functioning of a Paediatric Biobank: Benefits and Risks The creation and management of biobanks entails ethical and legal questions and may give rise to concerns in society (Gaskell et al. 2010), especially in the case of paediatric biobanks. Generally speaking, biobanks represent a benefit for the advancement of medical treatments and diagnosis: collected biological samples are used for research that has predominantly solidarity purposes, even though benefits for the participants are at best possible or probable.5 When donations of biological samples are made by minors with the consent of their parents and/or legal representatives, special safeguards must be ensured to protect the rights and interests of the children and adolescents involved in the research.6 The ethical questions due to the participation of children in biobanks may be different from those posed by the engagement of adults. Ethical concerns in the field of paediatric biobanks are dissimilar to those arising from the participation of children in clinical trials (Hens et al. 2011a). Among the many ethical questions (for example, minimal risks and no direct benefit to the child, return of results), the

4

See WMA Declaration of Helsinki—Ethical principles for medical research involving human subjects (2013) Fortaleza, General Principles, Articles 8 and 9. https://www.wma.net/policies-post/ wma-declaration-of-helsinki-ethical-principles-for-medical-research-involving-human-subjects/; Council of Europe, Recommendation Rec(2006)4 on research on biological materials of human origin, Preamble. https://www.coe.int/t/dg3/healthbioethic/Activities/10_Biobanks/Rec%282006% 294%20EM%20E.pdf; UNESCO (1997), Universal Declaration on the Human Genome and Human Rights, Paris, Introduction; Convention on Human Rights and Biomedicine,1997 Oviedo, (ETS no.164), Article 2. 5 Comitato Nazionale per la Bioetica (2014). Biobanche pediatriche. p. 8 https://bioetica.governo.it/ media/1821/p116_2014_biobanche_pediatriche_it.pdf. 6 Ibid.

290

T. Franchin and R. Ruggiero

consent issue is the major theme in the ethical discussion of participation by children in research using stored samples. As children are considered vulnerable and deserve special protection, risks and benefits in the creation and management of paediatric biobanks are subject to more accurate scrutiny: (a) the degree of risks; (b) the prognosis of benefits for similar individuals; and (c) the necessity to include children (Hens et al. 2011a, p. 406). The rationale behind these parameters lies in the assertion that the engagement of children is justified when the research cannot be performed or cannot be carried out equally well with adults (CIOMS 2002). The types of risks associated with paediatric biobanks may be risks of emotional and phycological burden, privacy risks and the breach of children’s values and interests. Privacy risks are associated with access to genetic information leading to discrimination, personal stigma and risks related to genetic privacy. For this reason, it is essential that paediatric biobank governance establish appropriate data protection policies especially when data and samples are shared (Hens et al. 2011b, c, d).

3 Consent and Protection of Personal Data, General Overview As far as the aspects of consent and data protection are concerned, international regulations have for some decades now placed research on biological materials on an equal footing with research on human subjects (The European Group on Ethics in Science and New Technologies 1998). This makes the creation of a fiduciary relationship between biobanks and participants possible, as participants are identified with donors of biological material for advancing the progress of medicine and, subsequently, increasing the promotion of transparency and accountability of biobanking (as understood in Article 5, paragraph 2 of Regulation (EU) 2016/679, hereinafter referred to as GDPR). The collaboration between biobanks–participants triggered the shift from ‘narrow’ to ‘broad’ and dynamic informed consent and resulted in a more engaged communication with participants on research results (ELSI 2013, p. 47). In a 2011 paper by Simon et al. that was aimed at collecting the opinion of biobank participants (citizens interviewed by telephone), it emerged that a broad consent model was preferred over study-specific models (‘a prospective opt-in over an opt-out consent approach’) because it is a solution that allows for an active and informed choice that promotes participant re-contact and the dissemination of scientific knowledge and that largely facilitates the future use of biological material in research without having to give up any additional choices (Simon et al. 2011, p. 821). The willingness of a subject to participate with their biological material and provide their data for future scientific research is directly proportional to the certainty of governance that can ensure that the samples and associated data are used for

Paediatric Biobanks (General Overview)

291

authorised purposes, without any abuse of the participant’s wishes as expressed in an informed consent. This aspect takes on an even higher level of seriousness when it comes to paediatric biobanks, in which the consent to preserve the biological material of the minor, incapacitated or disqualified participant is not expressed by the participant but by a parent or legal guardian. Parents tend to take less risk for their children than the risk they take for themselves, so more guarantees are required that the child will not suffer any negative consequences from participation in the activities of a research biobank. For instance, the Italian National Bioethics Committee was already emphasising in 2014 that the interest and welfare of the subjects whose biological materials are used for research purposes—all the more so if they are minors—must always prevail over the sole social or scientific interest,7 defining some points of ethical relevance to be considered at the regulatory level: (i) adequate and detailed information for the consent of the parents or the restricted or partially restricted legal representative (scientific interest of the research, protection of privacy, time and place of the research, person in charge of the biobank); (ii) listening to the will of the minor in relation to his or her progressive degree of maturity and informing the minor about his or her previous biobanking practice that took place at the will of the parents or legal representative; (iii) the limitation of the parents’ right to know or not to know in cases in which the information is reliable and useful for the minor’s health at the preventive and therapeutic level; (iv) guarantee of the right to know or not to know on the part of a minor who has become an adult and is capable of expressing an appropriate will.

3.1

Informed Consent and Recruitment Procedures for a Research Paediatric Biobank

In 2020, the European Data Protection Supervisor, a European authority that monitors data protection compliance in the bodies and institutions of the European Union, published an interesting document on the protection of personal data for scientific research, pointing out the solutions adopted by biobanks regarding the management of informed consent (European Data Protection Supervisor 2020). Research biobanks increasingly rely on ‘broad consent’ for the use of data for further scientific research projects that are unknown at the time of sample collection to decrease subsequent risks in the use of biological material and on ‘dynamic consent’ in which participants are asked to consent to different activities over time via a computer interface (Steinsbekk et al. 2013, p. 897). The use of ‘broad consent’ in paediatric biobanks has several advantages, such as reducing the need for study-specific consent and the use of samples until the participant reaches the age of majority. 7

Ibid.

292

T. Franchin and R. Ruggiero

However, the use of broad consent implies the promotion of an ongoing process of supervision and approval of future research activities and the detailing of specific points, such as whether to return research results to participants and, if so, how to provide information or communicate with participants and their families (Tarling et al. 2021, p. 101). As for the information process, the role of the doctor who enrols participants in the biobanking is crucial. A participant is most stimulated to read brief and simple information to be able to express his or her wishes; the professional’s contribution in this is his or her ability to explain in detail and in a simple, clear and appropriate manner the information provided in the information sheet and the consent, paying particular attention to the emotional state and culture of the parents or legal guardian of the paediatric patient. In the interview between doctor and parent/legal guardian, it is essential to allow time for doubts and questions about the information and the consent to be expressed to verify understanding of the information process. Establishing a cohort of paediatric participants is of particular value for future research activities, considering that the numerosity of such cohorts is most often lower than that of adult cohorts. The interest in the appropriate preservation of biological material collected at a paediatric age justifies a greater need to address peculiar ethical and social challenges, particularly when the biological material is sufficient to trace the identity of the child (Article 9 of the GDPR). Children themselves are involved in the discussion and decision-making process to develop their ability to understand concepts concerning research, in particular biobanking; this process is known as assent (De Lourdes Levy et al. 2003, p. 629). A study conducted in the context of clinical trials (Kimberly et al. 2006, p. 1706) demonstrated the existence of variability in the way consent is recorded and in the age at which consent should be obtained, with results that have been shown to be comparable to other pediatric settings over the years and have led to the suggestion of evidence-based policies for enrolling children in research biobanks (Kasperbauer and Halverson 2021). The time to discuss consent for biobanking is particularly critical in the paediatric setting, especially when the collection of biological material from a child or adolescent occurs during surgery. The ethical obligation prior to the start of the clinical procedure to inform the patient about the implications of participating in biobanking for research purposes can add further emotional strain to what the parents and the patient themselves have already experienced. Specifically, a research paediatric biobank must prepare an information sheet accompanying the informed consent form. The main information provided includes: (a) the structure and the purpose of the biobank;8 (b) the technical and organisational measures put in place to ensure the quality of the preservation of the samples;9 (c) the benefits and risks deriving from the preservation of the biological samples at the

8

With indications on the Head of the Research Biobank and on how to contact the structure. These measures also specify the maximum duration of preservation and the confidentiality of the subjects involved.

9

Paediatric Biobanks (General Overview)

293

research biobank, specifying any commitments required of the subject (or his/her legal representative); (d) the right of the subject (or legal representative) to revoke consent to the use of the sample at any time;10 (e) the right of the subject (or legal representative) to have access at any time to his/her sample present in the Research Biobank; (f) the right of the subject (or legal representative) to know in which research studies the sample has been used and the possibility of the subject (or legal representative) to want to have access to the results associated with such study or to renounce it; (g) the clarification that the subject (or legal representative) to whom the sample refers has no right to receive any profits that may be obtained from the results of the research carried out on the sample (e.g., obtaining further funding for research purposes, development of patents, etc.); (h) indications regarding the criteria for evaluating the scientific quality and ethical acceptability of the requests for use of the samples, also specifying the types of entities (public and private) that may make such requests; and (i) indications about the consent to the processing of clinical and genetic data (in the Italian legal framework according to the General Authorisation to process genetic data of 24 June 2011 and the General Authorisation to process personal data for scientific research purposes of 1 March 2012 issued by the Italian Data Protection Supervisory Authority).

3.2

Process Digitisation for the Acquisition of Informed Consent

Policies establish measures to protect the genetic privacy of minors as well as innovative strategies to express informed consent. Different e-Consent platforms have been developed over the years to digitise the process, thanks to the feedback from the numerous technological solutions implemented to collect consent for research studies in an increasingly user-friendly manner. The fundamental objective is always to create a product that preserves and makes available interactive multimedia content to improve patient involvement and adequately inform the patient about the purpose of the research project or clinical trial. Fundamental to the achievement of a digitisation process is the computer interface to be used by healthcare professionals during the acquisition of informed consent; it must be intuitive for the target audience and easy to use for optimal involvement of the participant. There are numerous experiences that have demonstrated the need for an iterative development approach that also involves clinicians and participants to achieve this (Boutin et al. 2016). Some e-Consent solutions were designed based on the Cognitive Theory of Multimedia Learning (Mayer 2020, p. 29), that is, on the principle that information should be structured on learning principles based on working memory and cognitive

10 This faculty is exercised without prejudice or other consequences for the subjects involved, obtaining further funding for research purposes and development of patents.

294

T. Franchin and R. Ruggiero

load. In this way, the interface for the user—doctor and patient—is developed by always considering the continuous improvement of the process of computer literacy of healthcare personnel and patient involvement in research. The continuous evaluation of the usability of the interfaces for healthcare personnel and patients is the necessary tool to shape the IT solutions in order to achieve a high level of user satisfaction and to explore new areas of development, such as future iterations of e-Consent platforms on mobile devices. The process of digitising consent has opened a further path of information interoperability; that of managing consent directly from electronic health records. The electronic health record has considerably improved the process of storing patients’ clinical data, allowing the realisation of big data storage systems that meet the necessary authorisations and provide the possibility of advancing personalised medical services. Before using and sharing this information, it is mandatory to verify the patient’s will, as expressed in the consent collected during clinical practice. The solutions adopted over the years have seen a gradual shift from a centralised architecture that was built by delegating to third parties the responsibility to assess the patient’s consent and ensure that the signed template matches to decentralised solutions using blockchain technology (Benchoufi and Ravaud 2017). and access systems based on the purpose of information use to ensure that data is only used for the purpose expressed by the participant. Such solutions include an access control model based on the privileges assigned to healthcare personnel according to their role in the organisation’s hierarchy as well as a consent storage architecture relatable to the metadata collected in medical records. Harmful modification of data integrity or abuse of data use is practically impossible (Tith et al. 2020, p. 265).

4 Conclusion Solidarity as a novel principle in bioethics finds a pragmatic application in the creation and management of paediatric biobanks that lie middle ground between the individualism of benefits and the collectivism of scientific progress. Despite this ethical inspiration, these infrastructures pose specific ethical risks when minors, as vulnerable and incapable subjects, are involved in research activities or treatment developments. For a paediatric biobank, it is fundamental from an ethical point of view to balance the need for scientific research to develop new knowledge crucial for the health and care of others with the protection of those who donate their biological samples from the point of view of the correct acquisition of consent and the protection of personal data. Those values are as follows:

Paediatric Biobanks (General Overview)

295

(i) Excellence understood as the continuous striving to reach the highest level in every situation and attitude and to which professionalism, research, technology and behaviour must be oriented. (ii) Centrality of the person understood as full recognition of and respect for the dignity of the person (child, parent, healthcare worker) in the service of which every expression of care and scientific and technological research activity must be guided. (iii) Scientific and translational research marked by ethical values and the human person, carried out in full governance of resources and with the aim of ensuring management balance and the continuous adaptation of activities to the needs of the most advanced biomedical science. In the light of future advancements in the expression of consent, a research paediatric biobank has to provide information factsheets that both safeguard the right to access information and monitor the use of relevant biological material and data shared. Such documents not only guarantee continuous oversight of the research using valuable samples but also enable a two-way communication between the health care professionals and scientists operating in intensive care sectors.

References Benchoufi M, Ravaud P (2017) Blockchain technology for improving clinical research quality. Trials 18:335. https://doi.org/10.1186/s13063-017-2035-z Bergoglio JM (2017) Address to participants at the plenary of the Pontifical Council for Culture on ‘The future of humanity: new challenges to anthropology’ (Vatican, 15–18 November). https:// press.vatican.va/content/salastampa/en/bollettino/pubblico/2017/11/18/171118e.html Boutin NT, Mathieu K, Hoffnagle AG, Allen NL, Castro VM, Morash M, O'Rourke PP, Hohmann EL, Herring N, Bry L, Slaugenhaupt SA, Karlson EW, Weiss ST, Smoller JW (2016) Implementation of electronic consent at a biobank: An opportunity for precision medicine research. J Pers Med 96(2):17. https://doi.org/10.3390/jpm6020017 Cippitani R (2010) La solidarietà giuridica tra pubblico e privato. Monografie di diritto e processo a cura di Antonio Palazzo. Università degli Studi di Perugia, ISEG, Roma-Perugia De Lourdes Levy M, Larcher V, Kurz R, Ethics Working Group of the Confederation of European Specialists in Paediatrics (CESP) (2003) Informed consent/assent in children. Statement of the ethics working group of the Confederation of European Specialists in Paediatrics (CESP). Eur J Pediatr 162(9):629–633. https://doi.org/10.1007/s00431-003-1193-z European Data Protection Supervisor (2020) A preliminary opinion on data protection and scientific research. EDPS Europe, pp 24–26 Gaskell G, Stares S, Allansdottir A, Allum N, Castro P, Esmer Y, Fischler C, Jackson J, Kronberger N, Hampel J, Mejlgaard N, Quintanilha A, Rämmer A, Revuelta G, Stoneman P, Torgersen H, Wagner W (2010) Europeans and biotechnology in 2010. Winds of change? Report to the European Commission’s Directorate-General for Research. https://doi.org/10. 2777/23393 Hens K, Lévesque E, Dierickx K (2011a) Children and biobanks: a review of the ethical and legal discussion. Hum Genet 130(3):403–413. https://doi.org/10.1007/s00439-011-1031-8 Hens K, Nys H, Cassiman JJ, Dierickx K (2011b) The return of individual research findings in paediatric genetic research. J Med Ethics 37:179–183. https://doi.org/10.1136/jme.2010.037473

296

T. Franchin and R. Ruggiero

Hens K, Nys H, Cassiman JJ, Dierickx K (2011c) Risks, benefits, solidarity: a framework for the participation of children in genetic biobank research. J Pediatr 158(5):842–848. https://doi.org/ 10.1016/j.jpeds.2010.12.036 Hens K, Nys H, Cassiman JJ, Dierickx K (2011d) The storage and use of biological tissue samples from minors for research: a focus group study. Public Health Genomics 14:68–76. https://doi. org/10.1159/000294185 Kasperbauer TJ, Halverson C (2021) Adolescent assent and reconsent for biobanking: recent developments and emerging ethical issues. Fron Med 9(8):686264. https://doi.org/10.3389/ fmed.2021.686264 Kimberly MB, Hoehn KS, Feudtner C, Nelson RM, Schreiner M (2006) Variation in standards of research compensation and child assent practices: a comparison of 69 institutional review boardapproved informed permission and assent forms for 3 multicenter pediatric clinical trials. Pediatrics 117(5):1706–1711. https://doi.org/10.1542/peds.2005-1233 Mayer ER (2020) Multimedia learning. Cambridge University Press, Cambridge, pp 29–62 Simon CM, L’Heureux J, Murray JC, Winokur P, Weiner G, Newbury E, Shinkunas L, Zimmerman B (2011) Active choice but not too active: public perspectives on biobank consent models. Genet Med 13(9):821–831. https://doi.org/10.1097/GIM.0b013e31821d2f88 Steinsbekk KS, Kåre Myskja B, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Hum Genet 21(9): 897–902. https://doi.org/10.1038/ejhg.2012.282 Tarling TE, Goldenberg A, Ellis A, Chow V, Velenosi A, Vercauteren SM (2021) Ethical challenges for pediatric biobanks. Biopreserv Bioban 19(2):101–105. https://doi.org/10.1089/ bio.2020.0116 The European Group on Ethics in Science and New Technologies (1998) Ethical aspects of human tissue banking (Opinion No. 11). Publications Office of the European Union Tith D, Lee JS, Suzuki H, Wijesundara WMAB, Taira N, Obi T, Ohyama N (2020) Patient consent management by a purpose-based consent model for electronic health record based on blockchain technology. Healthc Inform Res 26(4):265–273. https://doi.org/10.4258/hir.2020.26.4.265 Working Group on Ethical, Legal, and Social Issues (ELSI) of the Biobanking and Biomolecular Resources Research Infrastructure (BBMRI) (2013) Ethics for biobanks: a new notion of consent? In: Biobanks and the public: governing biomedical research resources in Europe. BBMRI Report, pp 47–56

Public Interest Who Decides on the Existence of a Public Interest? Jeanise Dalli

1 Introduction The ‘public interest’ is a fundamental concept in biobank research and in the treatment and processing of personal health data for research purposes. In this type of research, data access and data sharing are vital, and without the possibility to invoke the principle of public interest, data access and sharing would not be possible. Following the adoption of the European Union’s (EU) General Data Protection Regulation1 (GDPR), this principle arguably assumed more importance for biobank research within the EU, particularly because the GDPR sets out rather stringent requirements for the treatment and processing of personal health (including genetic) data for research purposes. This regulation has also strengthened the rights of the data subject and of individuals as individual research subjects or participants in scientific studies. Nevertheless, derogations from individual rights could be possible under the same regulation if research is deemed to be in the public interest. This study explores and attempts to unpack the notion of ‘public interest’ in the context of biobank research and activities within the EU. The first part gives a brief analysis of the concept of ‘public interest’ with reference to different theories of public interest in scholarly literature, while the second part examines how this concept features and is explained under the GDPR. The following two sections attempt to answer two fundamental and connected questions. The first question asks whether biobank research is generally regarded to be in the public interest, or rather, 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

J. Dalli (✉) Department of Civil Law, Faculty of Laws, University of Malta, Msida, Malta e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_33

297

298

J. Dalli

what type of biobank research is deemed to be in the public interest. By way of example, reference is made to Embryonic Stem Cell (ESC) and to scientific research related to the COVID-19 pandemic. The second question asks who decides whether a particular type of research is or is not in the public interest and what criteria exist for determining what is and what is not in the public interest. The analysis concludes that despite the harmonisation of data protection requirements for research under the GDPR, the question of public interest is largely at the discretion of the EU Member States.

2 Understanding the Concept of ‘Public Interest’ The concept of public interest is a subjective one, and scholars have interpreted and approached this notion in different ways. For example, McHarg (1999, as cited by Taylor and Whitton 2020) categorised different views on the public interest into three distinct groupings, namely ‘common interest’ theories, ‘preponderance’ theories and ‘unitary’ theories. The basic idea behind common interest theories is that something is in the public interest if it serves the ends of the whole public rather than those of some sector of the public. One of the problems with this approach is that within a pluralistic society, it is unclear which interests are truly common to all or to the majority. Preponderance theories can be distinguished from common interest theories because in these theories, it is not necessary for interests to be common to all persons but sufficiently prevalent to indicate a path toward utility maximisation. In the third category of unitary theories, the public interest is perceived as an interest which transcends and, at the same time, reconciles apparently conflicting individual or sectional interests (McHarg 1999, pp. 675–676). Scientific research is itself a means of safeguarding the public interest through the provisions of adequate healthcare. At the same time, scientific researchers must concurrently provide the means to proportionately protect the rights of private individuals as data subjects. A fair balance is achieved through sound scientific, ethical and legal principles and by responsibly committing to benefit-sharing (Laurie et al. 2010, p. 333). Some scholars have suggested the use of a test to help researchers maintain the public interest while ensuring the least harm possible. Graeme Laurie and others have suggested three tests for this purpose, namely (a) the ‘test of effectiveness’, which requires coming to terms with the ultimate goal of a particular action; (b) the ‘test of necessity and subsidiarity’, which tests whether an action is indispensable to achieving a desired aim and that no ‘less intrusive’ measure is possible; and (c) the ‘test of fair balance’, which calls for a strict balance between the aims achieved and the harm caused through that achievement (Laurie et al. 2010, p. 324).

Public Interest

299

3 The Public Interest Under the GDPR Although the GDPR per se is not a legal instrument that regulates biobanking activities or scientific research in general, it does provide a very important provision, namely Article 89, which can be said to create a research exemption within a complex scientific regime which shapes how personal data within scientific research is regulated within the EU and how it could further be developed by the EU itself and by individual EU Member States (Slokenberga et al. 2021, pp. 1–2). This exception puts the notion of public interest in competition with individual rights. Article 89 is the key legal provision providing for ‘Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. It thus enables derogations from individual rights for scientific research purposes. Although the concept is mentioned multiple times throughout the regulation, the regulation does not provide for any definition of this important concept. However, the same concept is qualified in various provisions, such as in Recital 50 which refers to ‘important objectives of general public interest’ and Recital 112 which refers to ‘important reasons of public interest’. Recital 159 then directly refers to scientific studies ‘in the area of public health’ as studies that could potentially be in the public interest (Slokenberga et al. 2021, pp. 23–24). Although these qualifiers suggest that the concept of public interest can have different meanings, the notion within the GDPR leaves much to be desired. A closer analysis of the notion indicates that public interest features in three ways under the GDPR: (a) as a legal basis, (b) as a derogation for the processing of genomic and health data and (c) as a transfer mechanism. As a legal basis, the regulation provides that controllers may process personal data if such is ‘necessary for the performance of a task carried out in the public interest’. Therefore, relying on the public interest as a legal basis also allows for curtailing and overriding the right of the data subject to give consent, or rather, to object to the processing of personal data concerning them (Beauvais 2021). Under the GDPR, public interest also features as a derogation for the processing of genomic and health data in two different ways. First, when the processing is ‘for reasons of substantial public interest’ (GDPR, Article 9 [2] [g]), then the public interest is the only justification available for automated decision making with respect to genomic and health data apart from the explicit consent of the data subject (GDPR, Article 22). ‘Substantial’ means that a balance should be ensured between the public interest and the risks that the processing of genomic and health data poses. Second, such processing may be legitimated when ‘it is necessary for reasons of public interest in the area of public health, such as protecting against serious crossborder threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (GDPR, Article 9 [2] [i]). As will be further elaborated and illustrated, this is very relevant in cases such as pandemics. Controllers may still export data out of the EU or the European Economic Area if ‘the transfer is necessary for important reasons of public interest’ (GDPR, Article

300

J. Dalli

49 [1] [d]) in the absence of an adequacy decision or other suitable safeguards. In this specific case, both public and private entities may rely on this transfer mechanism (Beauvais 2021). The European Court of Justice has interpreted the ‘necessity’ requirement under proportionality in the sense that proportionality informs the necessity analysis and the data processed must have a close link to the attainment of the processing’s objectives (Tranberg 2011). Other authors have observed that the GDPR takes a practical approach to the public interest by viewing it as an end in itself rather than a means; that is, at the expense of individual rights. Therefore, under the GDPR, the public interest is understood as an object for the needs and interests of the EU, its Member States and their citizens which could lead to constraints on the rights of data subjects (Slokenberga et al. 2021, p. 23).

4 The Application of Public Interest One of important questions to ask in the context of scientific research is: What type of research is in the public interest? This question is vital, especially when considering that what may be considered in the public interest within a specific context may not necessarily be deemed so in another. Specifically in the context of biobanking, the fundamental question is whether biobank research is generally regarded to be in the public interest; or rather, what type of biobank research is deemed to be in the public interest? The answer to this question depends on several factors, such as who is the researcher or research institution, whether it is a non-profit researcher or research institution or is commercially driven and on who is deciding on the existence of the public interest (Slokenberga et al. 2021, pp. 23–24). To illustrate the above argument, reference may be made to ESC research that has been highly controversial both ethically and politically as it involves the creation and use of human embryos preserved in biobanks as well as their destruction. It is undisputed that a human ‘blastula’ or ‘embryo’ has the potential to develop into a full human being if implanted into a woman’s uterus at the appropriate hormonal phase; otherwise, it cannot survive on its own. However, there is a strong contention as to whether such ‘blastula’ or ‘embryo’ can be perceived as a ‘human being’ or a ‘person’ as well as to when human life begins. Critics of ESC research argue that the use of embryos is not only immoral because it involves the destruction of human life in order to save human life, but it is also a criminal offence and tantamount to the murder of an unborn child. Debates on ESC research in many countries, especially in the United States (US), have been closely linked to debates over abortion. In fact, in 2001, President Bush, who holds strong pro-life views, allowed the federal National Institutes of Health (NIH) to fund stem cell research using embryonic stem cell lines already in existence at the time but prohibited NIH funding for the derivation or use of additional embryonic stem cell lines (Lenzer 2007). Contrary to how it is regarded by individuals with pro-life views, the human embryo is not usually considered as a data subject in ECS research.

Public Interest

301

If it were, ECS research would be contrary to research ethics that require the informed consent of the research participant since the embryo, as a vulnerable ‘being’, is incapable of understanding the consequences of the experiment being undertaken on it and, therefore, is unable to give its free and informed consent. Some people regard all embryo research to be unacceptable, while others only support some form of research; for example, a person might consider infertility research acceptable but object to research to derive stem cell lines or that might lead to patents or commercial products. On the other hand, full supporters of ESC research generally feel that using cells from surplus blastula for research and the development of medical treatments which could ultimately save people’s lives is in the public interest. In any case, if one were to argue that ESC research is not in the public interest and that, therefore, the exceptions and derogations under the GDPR are not applicable, ESC research would raise serious ethical considerations which revolve around consent. Consent is deemed crucial in research with human embryos, including informed consent from the woman or couple donating the embryo, consent from gamete donors involved in the creation of the embryo, and the confidentiality of donor information. Furthermore, obtaining informed consent for potential future uses of the donated embryo respects the diversity of views on embryo research (Lo and Parham 2009). A second illustration of the application of public interest is scientific research related to a pandemic, such as the COVID-19 pandemic. For example, the European Data Protection Board has stated that scientific research related to the COVID-19 pandemic is recognised as being in the public interest for the purposes of the transfer of health data (EDPB 2020, p. 13). In October 2020, the French Administrative Court (Conseil d’Etat) delivered an important judgement in this regard (Conseil d’Etat, 2020, Case No. 444937). The parties in this case asked the Conseil d’Etat to suspend the centralisation and data processing of personal data relating to Covid-19 on the health data platform of the data controller ‘Health Data Hub’. The EU subsidiary of the American corporation Microsoft, which is established in Ireland, has access to personal data on this hub as it licences the software necessary to operate it. The parties highlighted that although the condition of urgency was met due to the nature of the COVID-19 pandemic, there was a serious violation of the right to privacy and to protection of personal data given that the company in charge of the hub’s technical aspects, Microsoft, is subject to US law. The risk that this posed was outlined in the Schrems II decision of the Court of Justice of the EU (CJEU, 2020, Case C-311/18).2 The main question was whether the contract between the French

2 In July 2020, the CJEU ruled against the European Commission’s Privacy Shield Decision that provided for the possibility of lawful transfer of personal data from the EU to the US, holding that it was invalid on account of invasive US surveillance programmes, thereby making transfers of personal data based on this decision illegal. In this case, the CJEU stipulated stricter requirements for the transfer of personal data based on standard contract clauses (SCCs). It also held that data controllers or processors that intend to transfer data based on SCCs should ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights. If necessary, there should be additional measures to

302

J. Dalli

data hub and Microsoft as a company subject to US surveillance law was in violation of Articles 44–49 GDPR on the basis of the Schrems II decision. The French Court decided in favour of the French hub and ruled that the risk of a GDPR violation was insufficient to suspend the Hub. The Court further outlined that the CJEU in Schrems II only discussed circumstances in which data is transferred to the US and had not pronounced itself on cases in which such data is processed in the EU by American corporations subject to US law. Specifically on the issue of public interest, the French Court noted that the CJEU held that derogations found under Article 49 may allow for such transfers when necessary for a public interest recognised by EU law or the law of a Member State. It also deemed that there was public interest in allowing the use of health data in the context of the Covid-19 crisis and, therefore, public interest in contracting with Microsoft on the technical aspects. The French Court further underlined that such measures must be proportionate to the risk posed by the public health emergency and also necessary, taking into consideration the urgency and the absence of technical alternatives. It also highlighted that it is the French Data Protection Authority which must assess any potential public interest link with the Covid-19 pandemic.

5 Who Decides What Is in the Public Interest? Linked to the question asked in Sect. 4 of what type of research is in the public interest is the question of who decides whether a particular type of research is or is not in the public interest and what criteria should be used to determine what is and what is not in the public interest. Data controllers cannot invoke the public interest at their sole discretion. It is always up to either EU or national law to specify what is in the public interest. National law, for example, may specify that certain entities are able to rely on the public interest legal basis, as is the case with public-authority research organisations in the UK, or in the case of Norway, that processing which is necessary for scientific research may rely on the public interest legal basis but with additional safeguards (Beauvais 2021). Unfortunately, there are EU Member States that have not given any consideration as to whether research is or is not in the public interest within the GDPR. Moreover, the notion of public interest is occasionally associated and used interchangeably with ‘public goods’, which raises the question of to what extent, if at all, biobanking is seen as an interest worth safeguarding and what means are used to further this interest (Slokenberga et al. 2021, pp. 25–26). Certainly as has been illustrated in relation to ESC research, the cultural values of a particular society play a significant role in the way a Member State approaches scientific research and the way it interprets specific individual rights. This, in turn, has a significant bearing on the

compensate for lacunae in protection of third country legal systems, and failing that, operators must suspend the transfer of personal data outside the EU.

Public Interest

303

interpretation and practical application of the notion of public interest. This unfortunately also means that failing a definition of public interest under EU law, the parameters of this important principle may vary across the EU.

6 Conclusion In this chapter, it has been shown that the notion of public interest is rather subjective, both in theory and in practice. This subjectivity also applies in the interpretation and application of this concept to research, including biobank research. This was illustrated with specific reference to ESC research and scientific research related to the COVID-19 pandemic. How the public interest is understood under the GDPR as a legal basis, as a derogation for the processing of genomic and health data and as a transfer mechanism has also been discussed. Although the GDPR harmonises data protection requirements for research, including for biobank research and activities, questions related to the public interest largely remain to be addressed by Member States, including whether biobank research or specific types of biobank research are to be considered in the public interest as well as who decides this issue. While this allows room for flexibility in the sense that it accommodates different standards and values, it may arguably lead to a fragmented approach regarding the interpretation and application of this notion to research, including biobank research. Therefore, there seems to be a need for a more harmonised approach deserving of public trust and confidence to avoid uncertainty and, at the same time, to ensure that scientific advances are not hindered by such a fragmented approach. A harmonised approach should further ensure that a fair balance is struck between individual rights and collective rights as well as ascertain that the enhancement of the common good should not to the extent possible jeopardise individual rights.

References Beauvais M (2021) GA4GH GDPR brief: the public interest and the GDPR. Global Alliance for Genomics & Health. https://www.ga4gh.org/news/ga4gh-gdpr-brief-the-public-interest-andthe-gdpr-february-2021/ Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, European Data Protection Board, https:// edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-dataconcerning-health-purpose_en (2020). Laurie G, Mallia P, Frenkel DA, Krajewska A, Moniz H, Nordal S, Pitz C, Sandor J (2010) Managing access to biobanks: How can we reconcile individual privacy and public interests in genetic research? Med Law Int 10:315–337. https://doi.org/10.1177/096853321001000404 Lenzer J (2007) Bush says he will veto stem cell funding, despite vote in favour in Congress. BMJ (Clin Res Ed) 334(7606):1243. https://doi.org/10.1136/bmj.39245.359306.DB

304

J. Dalli

Lo B, Parham L (2009) Ethical issues in stem cell research. Endocr Rev 30(3):204–213. https://doi. org/10.1210/er.2008-0031 McHarg A (1999) Reconciling human rights and the public interest: conceptual problems and doctrinal uncertainty in the jurisprudence of the European Court of Human Rights. Mod Law Rev 62:671–696 Slokenberga S, Tzortzatou O, Reichel J (2021) GDPR and biobanking: individual rights, public interest and research regulation across Europe. Springer. https://doi.org/10.1007/978-3-03049388-2 Taylor MJ, Whitton T (2020) Public interest, health research and data protection law: establishing a legitimate trade-off between individual control and research access to health data. Laws 9(1):6. https://doi.org/10.3390/laws9010006 Tranberg CB (2011) Proportionality and data protection in the case law of the European Court of Justice. Int Data Priv Law 1(4):239–248. https://doi.org/10.1093/idpl/ipr015

Rare Diseases and Data Protection (Part I) How to Enable Research on Rare Diseases While Protecting Personal Data? Petra Duhm-Harbeck and Judith Köbler

1 Introduction The General Data Protection Regulation (GDPR)1 has changed the way in which personal data are protected in the European Union (EU). It has also had a fundamental impact on research activities, especially cross-border consortia. There are some exceptions to the material scope as laid out in Art. 2 of the GDPR, such as for (a) activities falling outside the scope of Union law; (b) Member State activities according to Chap. 2 of Title V of the Treaty of the European Union (TEU), that is, border controls and immigration; (c) purely personal or household activities of natural persons; and (d) crime prevention or investigation, including threats to public security. The processing of data by the EU itself, its agencies and bodies was initially settled by Regulation (EC) No 45/2001, which was later replaced by Regulation (EU) 2018/1725. None of these exceptions apply to research. Therefore, research activities within the scope of EU law must comply with the GDPR rules. The GDPR is strict, especially when dealing with special categories of data, such as the processing of

Views expressed in this article are solely those of the authors. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

P. Duhm-Harbeck (✉) Section for Translational Surgical Oncology and Biobanking, Department of Surgery, University of Lübeck & University Clinical Center Schleswig-Holstein, Campus Lübeck, Lübeck, Germany J. Köbler Medical University of Innsbruck, Research Service and Innovation, Innsbruck, Austria © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_34

305

306

P. Duhm-Harbeck and J. Köbler

genetic data, biometric data for the purpose of identification or health data. Art. 9 (1) GDPR states that the processing of such data is prohibited. There are no explicit provisions in the GDPR for research on rare diseases. However, research on rare diseases is challenging to manage in terms of data protection law because of the extensive use of genetic diagnostics in this field (Baldovino et al. 2017). Anonymisation cannot be used to conceal patient information. A look at the GDPR should thus be taken in terms of how it affects this particular research or the opportunities it may offer. For instance, in Germany, there is no Biobank Act and the Gene Diagnostics Act does not apply to research (Eberbach 2010). Sections 2 and 3 of this chapter analyse the status and meaning of rare diseases in research as well as data protection issues arising in the wake of these research questions, especially due to the enactment of the GDPR. Section 4 contains conclusions.

2 Data Protection Issues in Research on Rare Diseases The GDPR brought about changes for data protection in 2018. Research operations covered by EU legislation must generally abide with GDPR regulations. The GDPR is rigorous, especially when dealing with special categories of data, including processing genetic data, biometric data used for identification, or health data. According to Article 9 (1) of the GDPR, processing of certain data is forbidden. It is necessary to examine to what extent these data categories concern research on rare diseases that mainly use genetic expressions and health information. Genetic data, biometric data and data on health are defined by Article 4 GDPR. According to Article 4 (13) GDPR, genetic data means ‘. . . personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. . .’. Recital 34 GDPR specifies that biological sample means chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA). Yet any equivalent source is included. The use of a person’s biological material to analyse their genomic characteristics in diagnosing their disease or tracing the origins of their symptoms to a genetic deviation inevitably leads to placing the resulting data under the GDPR’s definition of genetic data. Art. 4 (14) GDPR defines biometric data as ‘. . . personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data . . .’. This is a wider definition than before, and it includes any technical method; yet the key issue remains the possibility of uniquely identifying the person from whom the data has been taken. According to Art. 4 (15) GDPR, data concerning health are . . . ‘personal data related to the physical or mental health of a natural person, including provision

Rare Diseases and Data Protection (Part I)

307

of health care services, which reveal information about his or her health status. . .’. In turn, it could be argued that data that does not reveal the personal health status of a person are not protected by the GDPR. This could apply to data that counts the number of cases or the financial means attributed to the fight against a certain disease. With rare diseases, however, the problem remains that any information given could lead to a prohibited identification of the person behind the data since the variables necessary to identify a person with a rare condition are significantly less than those of other groups in society. Even if the GDPR sets the framework for any type of processing of personal data, as the definition in Art. 4 (2) states, because ‘. . . any operation or set of operations which is performed on personal data or on sets of personal data. . .’ is included, research has nonetheless been specifically addressed by the GDPR as is made clear in recital 159. This recital states that the GDPR should apply to scientific research purposes in processing personal data, and it includes a broad range of scientific activities, such as fundamental research, applied research and privately funded research. Those purposes also include public health studies conducted in the public interest and allow for specific conditions concerning the publication or disclosure of personal data in the context of scientific research purposes. Hence, scientific research is privileged. In any case, how far this privilege reaches might not be too clear. Recital 54 privileges reasons of public interest in the area of public health. Public health should be read as ‘. . . all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality’. While data on morbidity, disability, special needs or other features of public health related to rare diseases clearly fall within the description, reasons of public interest may be blurred. This was exemplified by the SARS-CoV-2 pandemic, for which the development of vaccines was intended to further both public health and individual health as stated in the exemptions from the general prohibition according to Art. 9 (2) h) and i) GDPR. Difficulties in attributing the specific purpose might also arise in determining the effectiveness of political measures fighting this new disease (Radtke 2020). Both caveats can also be applied in rare diseases, for which the individual treatment, the public awareness towards such illnesses and the measuring of how well political initiatives respond to the specific needs of persons with rare diseases might be inextricably linked. This makes it harder for scientists or groups of scientists to entirely rely on such privileges in the study of rare diseases. It is, however, crucial for there to be certainty regarding the legal aspects of collecting, storing and (re)-using data sets and biological samples. This applies twofold for research projects with public funding that are required to allow for re-use of acquired data. Since no one can transfer more rights than he or she has (‘nemo plus iuris transferre potest quam ipse habet’), rights of access and usage may be endangered for large consortia if some institutions have relied on incorrect rules for processing collected data or different national privileges

308

P. Duhm-Harbeck and J. Köbler

exist (e.g., Art. 89 GDPR, § 27 German Bundesdatenschutzgesetz—§ 2d (6) Nr. 1 Austrian Forschungsorganisationsgesetz); the application of rules of conflict are not clear (e.g., national law, international private law, use of Art. 3 or 6 GDPR) and need to be clarified by the EU concerning the GDPR (Schrader 2022). An assessment of the implementation of the GDPR has shown that while the GDPR is valued, its scattered implementation makes it difficult for healthcare administration and research (Hansen et al. 2021). The path to securing processability might also be blocked in some cases. According to the GDPR, anonymisation is the transformation into ‘. . . information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable . . .’ (recital 26 GDPR); as the ‘royal road’ to escape the dilemma of revealing enough but not too much in order to prevent traceability to one specific person, anonymisation is in itself a processing of data and, therefore, bound to legal grounds for processing of data. Anonymisation might simply not be possible when—for whatever reason—two genetic samples of one person can still be matched. Anonymisation might not even be safe, for example, in a case of eminent danger of dying from a yet undiagnosed disease that has been found by research, such as a rare type of cancer. The latter issue is addressed in Recital 159. It reads: ‘If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures’. Yet the reference to general rules is unspecific and it also seems counterproductive in cases in which the doctor–patient relationship has been interrupted for some reason. The predecessor organisation of the European Data Protection Board, the Article 29 Working Group, established guidelines on anonymisation techniques such as aggregation, k-anonymity, randomisation or generalisation, suggesting that ‘. . . [o] bvious (e.g., rare) characteristics/quasi-identifiers should be removed from the database. . .’ (Article 29 Working Group 2014, p. 30). But such characteristics might be essential to identify causes of rare diseases. According to Art. 4 (5) GDPR, pseudonymisation is ‘. . . processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. . .’. While pseudonymisation is possible in many fields of research as a means of balancing conflicting interests, it may be impossible when dealing with rare diseases due to statistical outliers or unique shapes (e.g., in images). There are, of course, technical aspects that must be kept in mind. Cybersecurity is of the utmost importance in safeguarding sensitive data, including genetic information. To further this approach, the European Union Agency for Cybersecurity’s (ENISA) work could bring technical guidelines into play (Hansen et al. 2021). These guidelines would have to be nuanced enough to apply equally well to big businesses and small enterprises, and they would need to address the often limited resources of research units.

Rare Diseases and Data Protection (Part I)

309

Standardisation and keeping of many variables are in fact key to a harmonised European approach towards research on rare diseases. The EPIRARE Project developed a set of common data elements for the European Platform for Rare Disease patient registration that includes 41 variables These include the patient’s date of birth, the patient’s city of birth, the country of residence, participation in past trials, the willingness to be contacted for providing biological samples, information on cases in the family, the date of first symptoms, the physician referring the patient to the RD platform, current drug treatment, surgeries, transplantations, educational status and occupational status. The EPIRARE Project has naturally taken privacy issues into account and designated a level of precision (e.g., birth date only in the form of month and year) for each variable (Taruscio et al. 2014). Nevertheless, such data is very sensitive in nature, especially in combination. The curation of such data is time-consuming. Therefore, the authors of an assessment of the EU Member State rules on health data in the light of the GDPR might suggest pursuing initiatives on finding core elements of data sets and point out the advances made in developing a patient summary and e-prescriptions as well as the common formats for rare disease registries (Hansen et al. 2021). If the sample has been taken within a clinical trial, the set of rules and regulations might become even more complicated. Recital 161 references Regulation (EU) No 536/2014 for participation in scientific research activities in the context of a clinical trial. In effect as of 31 January 2022, this regulation strives for the necessary harmonisation through the Clinical Trials Information System, but the data submission on investigational medicines might be seen as complex as it requires special training (EMA, 1995–2022). While patient safety is of the utmost importance, this increases the costs of trials on rare diseases, a problem that already exists due to marketability problems/high costs for public spending on a small market. Finally, Recital 53 GDPR states: ‘Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data’. Even if the intention is not to hamper the free flow of data, different data protection laws in different Member States do not facilitate the cross-border sharing of data within research consortia consisting of institutions located in different Member States. The effort of making such data sharing secure might be close to prohibitive if applied to small institutions. Yet data sharing is essential in cases in which a patient cohort is small and research efforts must be combined to be able to address a multifactorial and multidimensional problem, such as identifying, diagnosing and treating a rare disease.

310

P. Duhm-Harbeck and J. Köbler

3 The Method to Apply the GDPR to Support Research on Rare Diseases The current way to enable research on rare diseases is by obtaining consent according to Art. 7 and Art. 9 (2) a) GDPR from patients with rare diseases because Art. 9 (2) d) GDPR only privileges the processing of data within a foundation, association or non-profit body (e.g., patient representation bodies) and not in connection with other institutions. Yet if the disease is in fact so rare that it is not known, interpreting data and matching it with known rare diseases becomes vital. This means that enough patients must be found who will give their consent to take data and samples. But consent drafting is not without pitfalls. The consent form must be designed to cover all possible research questions but must also be specific enough so that patients are able to grasp the full scope of their decision for themselves and their next of kin. It is often difficult to describe the purposes of the scientific research when drafting a detailed consent, and Recital 32 and 33 GDPR allow for some flexibility. Patients may give their consent in electronic form or otherwise for certain areas of research or parts of a research project as long as it is clear and unambiguous and freely given. According to Recital 38, the consent of parents may not be necessary for services offered to children if the children are directly counselled. Research activities may include services such as diagnosing, but mainly comprise an advance in knowledge. Furthermore, the consent must be written in plain language (Recital 42), which can be difficult when explaining genetic origins of rare diseases. In the worst case, the informed consent becomes meaningless because the research and its purpose are too complex to describe (Courbier et al. 2019). Some authors— with a common law background and bearing in mind the question on real versus informed consent—have suggested that consent should not be relied upon as a prime legal basis for some forms of research, such as genetic and genomic research, because it could devalue scientific research (Chico and Taylor 2018; Hansen et al. 2021) or might not be the most appropriate legal basis for large-scale epidemiological studies or genetic studies (Hansen et al. 2021). While this reasoning can be followed for large projects in which data is gathered in a data pool and thus protected by having more patients with the same expressions, this is difficult in very small studies of 5–10 patients. It also depends on other issues, such as the timeframe for studies. Gathering a large amount of data during long-term projects spanning over 20 years can result in enlarging the data pool and thus lead to better data protection. It can also result in in-depth descriptions of rare cases for which more and more details can become public. Sometimes researchers need to quickly publish results to distinguish themselves or to prove success to funding agencies to receive an allocation of additional financial resources. Sometimes it is of utmost importance to publish results or quickly share data to save patient lives by connecting knowledge from various cases. Waiting to gather more data in one country could be detrimental to treating a certain patient. However, in Recital 43 GDPR, the imbalance between a data subject and a controller may lead to the consequence that the consent is not a valid ground for

Rare Diseases and Data Protection (Part I)

311

processing the data. It may even be doubted that the consent has been freely given when persons suffering from a rare disease are dependent on advancement in research. The European Data Protection Supervisor stated in 2020 that while there are considerable differences in national requirements for informed consent, consent nonetheless serves as an appropriate safeguard. For example, France requires a different consent than described in the GDPR, the Health Research Authority in the United Kingdom advises against consent due to the power imbalance (Hansen et al. 2021) and Ireland requires explicit consent for primary and secondary use. Yet they did not elaborate on the circumstances (Hansen et al. 2021). Difficulties have been voiced concerning bias, retrospective reviews, re-consent and biobanking (Kirwan et al. 2021; Hansen et al. 2021). The secondary use of data obtained by consent is also intricate as the purposes must be compatible. Diagnosing and treating rare diseases may complement each other, but other purposes, such as marketing or policymaking, are not compatible with the originally intended design. Recital 50 GDPR, however, privileges objectives that are of important public interest. Whether the advancement in treating rare diseases is in the interest of the public depends on the point of view. Some will argue in favour of general public health, while others will argue against it by pointing out that the categories of data processed are highly sensitive and thus have to safeguarded more closely—even in health-related settings—with a higher degree of restrictions as Recital 53 allows for Member State restrictions when dealing with genetic, biometric or health data. Finally, the consent given may also be withdrawn by any of the data subjects. The right to be forgotten has high ground within the EU as can be seen from Recital 65 GDPR, and thus, the controller of data must ensure that other controllers that process such data erase any link to it. This may be difficult in a setting in which cases are unique and researchers around the globe have legally used them. While some researchers have claimed that broad consent is used in most studies and this could serve as a European standard (Hallinan and Gellert 2020; Hansen et al. 2021), others would argue against it due to legal restrictions opted for by certain member states (e.g., Austria) in implementing the GDPR. Some researchers have put this to the test. For rare disease patients, different models have been identified including broad consent, dynamic consent and opt-in consent (Courbier et al. 2019). While opt-in consent is regarded as a valued method (Karampela et al. 2019; Hansen et al. 2021), opt-out models could also work as long as there is compliance with certain conditions (Skovgaard and Hoyer 2022; Hansen et al. 2021). As background, implied consent is deemed sufficient in Denmark for simple genetic testing, whereas more extensive testing requires written consent (Skovgaard and Hoyer 2022). This pre-condition may not apply to all jurisdictions in the same way. Distinguishing between data that has already been collected and data that will be collected in the future, some researchers have concluded that a broad research purpose with updates for patients would be best for new data (Courbier et al. 2019; Gainotti et al. 2016). This has also been suggested in cases concerning children because they could make their own choices upon reaching maturity (Taylor et al.

312

P. Duhm-Harbeck and J. Köbler

2018). Others stress the fact that consent is a ‘social agreement’, which explains the need for re-consent if the purpose of the research changes (Courbier et al. 2019; McCormack et al. 2016). The results of a 2018 survey among patients suffering from rare diseases showed that such patients are willing to share their data, but they request certain conditions. They stress the need for control (1% opted for no control, 47% for full control) (Courbier et al. 2019, p. 183), trust in their doctors and researchers (89%, 79%) and show a mixed picture of the kind of data they perceive as the most sensitive (disability, genetic information, physiological data, name of the disease, symptoms) (Courbier et al. 2019, p. 182ff). In contrast, they have less trust in commercial entities or the government using their data (Hansen et al. 2021; Courbier et al. 2019, p. 184). From an overall view, person-centred approaches combined with digital solutions for a dynamic system that enables regular updates to be provided to patients on the purpose and outcomes and allows for scaling, for the selection of preferences as to who can use the data and for amendments over time seems to be the most promising (Courbier et al. 2019; Budin-Ljøsne et al. 2017; Spencer et al. 2016). There is another reason that promotes the usage of dynamic systems. Once the system architecture has been approved by committees, such as ethics committees, data trust centres or data clearing committees, the individual transfer of data does not have to be re-evaluated from scratch if the system has been cleverly designed (various safeguards are in place, such as technical minimal standards, legal usage terms and conditions, scientific approval, trusted partners, enough information gathered through request forms). This type of design must meet certain needs and must be closely developed among the stakeholders of a research organisation. One could even develop trust seals for certain architectures like the ones used for data repositories. This would also make it easier to share data when data collection takes place in one organisation and its use in research occurs in another organisation, as it might overcome certain organisational obstacles and maintain the trust patients place in their clinicians. Finally, one area that needs further development is better defining the transitions from research to development (Hansen et al. 2021), especially for designing consent forms. Data gathered for research may not be used for research and development if the consent is not designed with foresight (Courbier et al. 2019; Gainotti et al. 2016). Yet it is not always clear from the start whether data can be used for further technical development, which in many cases, needs financial assistance from third parties. More often than not, only after some data has been gathered does the potential for technical advancement become clear. However, non-profit organisations may not be able to invest in technologies with unclear potential on the market. Third parties with greater financial resources (e.g., pharmaceutical companies) require the inclusion of their interests, which in many cases do not overlap with those of researchers or patients. If public funding is available, the conditions for research change again. Ultimately, a consensus has to be found among the third-party interest in costefficient and exclusive technical development for costly markets, broadening the knowledge of certain diseases by first allowing publication for researchers and bringing about benefits for society by publicly-funded institutions while making

Rare Diseases and Data Protection (Part I)

313

the most of taxpayer investment in research. And finally, the overarching aim that must be followed is the wellbeing of the patient, who contributes extensively to the availability of varied data.

4 Conclusion To answer the main question, we must recall that a) research in general must comply with the GDPR and b) research on rare diseases focuses on research with special categories of personal data, such as genetic codes of patients. The creators of the GDPR were generally aware of that area of tension, and while Art. 9 (1) GDPR prohibits the processing of genetic, biometric or health data, research is a privileged activity with respect to the processing of this data. Exemptions from Art. 9 (1) GDPR that might be called upon can be found in Art. 9 (2) h) (health care) and i) (public interest) GDPR. Also, Art. 89 GDPR allows for certain favourable deviations due to national laws on data protection (§27 BDSG for Germany; §2d FOG for Austria) that should, in turn, be kept in mind when handling multinational research projects. The application of data protection techniques is especially challenging in research on rare diseases. Anonymisation as a ‘royal road’ to data protection—which would solve the tension due to the inapplicability of the GDPR—is difficult for genetic diseases and not secure for individuals with undiagnosed diseases who depend on research for possible treatment. The tension has rather increased since the Art. 29 Working Group, the predecessor of the European Data Protection Board, recommended that obvious, for example, rare characteristics, should be removed as they could operate as quasi-identifiers, and EU projects, such as EPIRARE, demonstrated the need for standardisation of variables. Even if pseudonymisation according to Art. 4 (5) GDPR is compatible with research on rare diseases in general, some uncertainties remain (e.g., unique shapes and statistical outliers). Furthermore, the high costs of studies on rare diseases/ orphan drugs that are increased by costly data curation must be kept in mind. Upon consideration of the identified parameters, the current method of action suggested would be to draft a written consent according to Art. 7 and 9 (II) GDPR. Voluntary consent is an ethically and legally solid basis for research on rare diseases even though: • there are national differences that may make multinational databases and platforms challenging • the expression of complex medical conditions in lay terms is not easy, • there could be a perceived imbalances between controller and data subject, and • there are vulnerable groups involved such as children. This is especially true for dynamic consent that is periodically given, as is backed by a recent survey by Courbier et al. in 2019 among patients with rare diseases.

314

P. Duhm-Harbeck and J. Köbler

Dynamic consent involves good management, on the one hand, and, on the other hand, increased trust and societal cohesion.

References Baldovino S, Menegatti E, Roccatello D, Sciascia S (2017) Immunological rare diseases. In: Posada de la Paz M, Taruscio D, Groft SC (eds) Rare diseases epidemiology: update and overview, 2nd edn. Springer, pp 497–511 Budin-Ljøsne I, Teare HJA, Kaye J, Beck S, Bentzen HB, Caenazzo L, Collett C, D’Abramo F, Felzmann H, Finlay T, Javaid MK, Jones E, Katić V, Simpson A, Mascalzoni D (2017) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18:4. https://doi.org/10.1186/s12910-016-0162-9 Chico V, Taylor JM (2018) Using and disclosing confidential patient information and the English common law: What are the information requirements of a valid consent? Med Law Rev 26(1): 51–72. https://doi.org/10.1093/medlaw/fwx038 Courbier S, Dimond R, Bros-Facer V (2019) Share and protect our health data: an evidence based approach to rare disease patients’ perspectives on data sharing and data protection – quantitative survey and recommendations. Orphanet J Rare Dis 14:175. https://doi.org/10.1186/s13023-0191123-4 Eberbach WH (2010) Das neue Gendiagnostikgesetz. Medizinrecht 28(3):155 Gainotti S, Turner C, Woods S, Kole A, McCormack P, Lochmüller H, Riess O, Straub V, Posada M, Taruscio D, Mascalzoni D (2016) Improving the informed consent process in international collaborative rare disease research: Effective consent for effective research. Eur J Hum Genet 24:1248–1254. https://doi.org/10.1038/ejhg.2016.2 Hallinan D, Gellert R (2020) The concept of ‘information’: An invisible problem in the GDPR. SCRIPTed 17(2):269–319. https://doi.org/10.2966/scrip.170220.269 Hansen J, Wilson P, Verhoeven E, Kroneman M, Kirwan M, Verheij R, Veen EB v (2021) Assessment of the EU Member States’ rules on health data in the light of the GDPR. Publications Office of the European Union, Luxembourg. https://ec.europa.eu/health/system/files/202102/ms_rules_health-data_en_0.pdf Karampela M, Ouhbi S, Isomursu M (2019) Connected health user willingness to share personal health data: questionnaire study. J Med Internet Res 21(11):e14537. https://doi.org/10.2196/ 14537 Kirwan M, Mee B, Clarke N, Tanaka A, Manaloto L, Halpin E, Gibbons U, Cullen A, McGarrigle S, Connolly EM, Bennet K, Gaffney E, Flannagan C, Tier L, Flavin R, McElvaney NG (2021) What GDPR and the health research regulations (HRRs) mean for Ireland: “explicit consent”—a legal analysis. Ir J Med Sci 190:515–521. https://doi.org/10.1007/s11845-02002331-2 McCormack P, Kole A, Gainotti S, Mascalzoni D, Molster C, Lochmüller H, Woods S (2016) You should at least ask. The expectations, hopes and fears of rare disease patients on large-scale data and biomaterial sharing for genomics research. Eur J Hum Genet 24:1403–1408. https://doi.org/ 10.1038/ejhg.2016.30 Radtke T (2020) Dienste der Wissenschaft – Das Forschungsprivileg der DSGVO. https://www. juwiss.de/45-2020/ Schrader LF (2022) Datenverarbeitung zu medizinischen Forschungszwecken im internationalen Kontext – Neue juristische Herausforderungen unter der DSGVO. In: Richter G, Loh W, Buyx A, Graf von Kielmansegg S (eds) Datenreiche Medizin und das Problem der Einwilligung. Springer, pp 121–144. https://doi.org/10.1007/978-3-662-62987-1_7 Skovgaard LL, Hoyer K (2022) Data authority: public debate about personalized medicine in Denmark. Public Underst Sci 31(5):590–607. https://doi.org/10.1177/09636625221080535

Rare Diseases and Data Protection (Part I)

315

Spencer K, Sanders C, Whitley EA, Lund D, Kaye J, Dixon WG (2016) Patient perspectives on sharing anonymized personal health data using a digital system for dynamic consent and research feedback: a qualitative study. J Med Internet Res 18(4):e66. https://doi.org/10.2196/ jmir.5011 Taruscio D, Mollo E, Gainotti S, Posada de la Paz M, Bianchi F, Vittozzi L (2014) The EPIRARE proposal of a set of indicators and common data elements for the European platform for rare disease registration. Arch Public Health 72:35. http://www.archpublichealth.com/content/ 72/1/35 Taylor MJ, Dove ES, Laurie G, Townend D (2018) When can the child speak for herself? The limits of parental consent in data protection law for health research. Med Law Rev 26(3):369–391. https://doi.org/10.1093/medlaw/fwx052

Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II) Why Are Biobanks and Research Networks Able to Support Data Protection Issues in Rare Disease Research? Petra Duhm-Harbeck and Judith Köbler

1 Introduction The definition of rare diseases (orphan diseases) is based on the prevalence of these diseases in the respective populations in relation to the different geographical areas.1 Despite the rarity of each disease, an estimated total of 400 million people worldwide are affected by these disorders. Rare diseases are complex due to heterogeneity. Therefore, research to understand these diseases and to develop therapies to cure them is needed at national/ international levels based on coordinated high quality, interoperable and sharable data and sample (Bax 2021; Amselem et al. 2021). Rare diseases pose questions in various fields of research. No specific provision for research on rare diseases (see the chapter in this book: P. Duhm-Harbeck & J. Köbler ‘Rare Diseases and Data Protection’) is foreseen as necessary in the GDPR in order to reach possible strategies and solutions on how to approach multidisciplinary research projects, for example, arrangements between hospitals and patients to enable research on rare diseases while protecting personal data. Thus, to answer the main question, this article will analyse in Sect. 2 the relationship among rare disease needs, biobanks

Views expressed in this article are solely those of the authors. 1 For example, in the USA, a rare disease is defined as a disorder that affects less than 200,000 individuals in the population. In Europe, it is a disease that affects fewer than five people in a population of 10,000.

P. Duhm-Harbeck (✉) Section for Translational Surgical Oncology and Biobanking, Department of Surgery, University of Lübeck & University Clinical Center Schleswig-Holstein, Campus Lübeck, Lübeck, Germany J. Köbler Medical University of Innsbruck, Research Service and Innovation, Innsbruck, Austria © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_35

317

318

P. Duhm-Harbeck and J. Köbler

and networks to face the data protection issues in research on rare diseases; in Sect. 3, we reach a way forward combining legal, ethical, technical and societal needs; and Sect. 4 will conclude with an outlook on further developments for enabling research containing data on rare diseases.

2 On Rare Diseases, Sample Collections and Orphan Drugs When thinking of rare diseases, most of us will have a certain example in mind, such as brittle bone disease, Progeria or Spinal Muscular Atrophy. However, there are many more diseases that count as rare. This is due to the counting mechanisms. In the European Union (EU), a disease is considered rare if it affects no more than 5 in 10,000 people. There exist more than 6000 different such diseases, so the number of people affected is comparatively high in total. It is estimated that four million people live with a rare disease in Germany (Bundesministerium für Gesundheit, https://www. bundesgesundheitsministerium.de/themen/praevention/gesundheitsgefahren/ seltene-erkrankungen.html 2022). Offset against 83 million inhabitants, this amounts to roughly 5% of the population. In the entire EU, about 30 million people suffer from rare diseases (Bundesministerium für Gesundheit 2022). Due to their heterogeneity, rare diseases are complex. In general, they are chronic, already expose symptoms in childhood and equate with health restrictions for the affected patients. Eighty percent of rare diseases are of genetic origin (Thompson et al. 2014; Bundesministerium für Gesundheit 2022) and are seldom curable (Bundesministerium für Gesundheit 2022). This means that curing the disease might not be the main goal for such patients. Improving the quality of life is a goal to be reached for many of those affected. As the diseases are so heterogeneous, using donor material is key to finding pathways to do that. While pathology collections date as far back as the late eighteenth and early nineteenth centuries, most of them were or still are linked to a certain laboratory/ department and represent part of a long-term research objective (ELSI, https://www. bbmrieric.eu/wp-content/uploads/BBMRI-Biobanks-and-the-Public.pdf 2013). From the 1970s onwards, for example, tissue banks were established in larger hospitals due to the expanded research on cancer. This changed in the 1990s when the famous Islandic genomic database was established by a company called deCODE in a driven—and financially intended—effort to combine Iceland’s genealogical maps with medical records and genetic data to find out the origins of common diseases (ELSI 2013). The Human Genome Project for mapping the human genome succeeded in 2003 due to international collaboration, while the UK relied on its National Health Service (NHS) in order to have Genomics England fulfil the 100,000 Genomes Project on NHS patients for creating a specialised NHS genomic medical service (Courbier et al. 2019). Other projects followed, such as the EU’s 1 + Million Genomes initiative, The Human Cell Atlas and the Pan-Cancer Analysis of Whole Genomes Project (Hansen et al. 2021).

Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II)

319

Over time, different types of biobanks emerged, such as ‘research biobanks’, ‘therapeutic biobanks’ or ‘population-based biobanks’, and many biobanks developed into more ‘universal’ collections of human material, e.g., blood, cells and tissues (ELSI 2013). The emergence of technologies such as genomics or proteomics have contributed to being able to analyse large quantities of samples at reasonable cost, which is necessary to identify statistically significant commonalities in common diseases; this has increased the value of large biobanks with access to medical records and to finance large biobanks, funders have started to emphasise the necessity of common infrastructures for biobanking (ELSI 2013). As important as biobanks are in general, they are infinitely more important when samples are rare due to a limited number of cases. Therefore, biobanks for rare diseases combine features of traditional sample collections inspired by individual cases—keeping as much information as possible on those cases—with modern technologies of genomics. Even with modern technology, samples on rare diseases are—due to their human origin—sparse, and as always, sparsity might spark some interest in gaining access. This, however, is not necessarily true for rare diseases. While it is true that such samples are rare, the interest in the industry in researching rare diseases is limited due to high research costs and small markets. This has been confirmed, for example, by the German Ethics Council, which has stated that due to the rarity of most recessive hereditary diseases outside of risk groups, the expected benefits of the widespread use of preconception tests carry comparatively little weight, even if many very rare hereditary factors for genetic defects could be cost effectively detected simultaneously since the probability that both parents have these defects is extremely low (Deutscher Ethikrat, https://www. ethikrat.org/fileadmin/Publikationen/Stellungnahmen/deutsch/stellungnahmezukunft-der-genetischendiagnostik.pdf 2013). Ethical implications on reproduction, parenting decisions and pregnancy seem to outweigh the detectability of possible genetic defects. Despite this approach towards the general availability of genetic testing, Germany in 2013 adopted a National Action Plan consisting of several measures. The main element of this Action Plan is developing a centre model: expertise shall be bundled on three levels (reference, specialist and cooperation centres), and research in the field of rare diseases is to be supported. The Hospital Structure Act of 2015 opened the possibility of agreeing on surcharges for special tasks of centres and focal points, for example, a focus on rare diseases (Bundesministerium für Gesundheit 2022). This makes hospital services for patients more affordable. The Directive 2011/24/EU also fostered the idea of networking centres. Since starting the 24 European Reference Networks (ERN) in 2016, about 1000 specialised units of 300 hospitals in 25 EU countries and Norway have joined forces, four of which are coordinated from Germany (Bundesministerium für Gesundheit 2022). After a previous assessment, 620 health care providers are due to joined ERNs by 1 January 2022 (European Commission-Board of Member States on ERNs, https:// health.ec.europa.eu/system/files/2022-04/erns_20211126_mi_en.pdf 2021). These combined efforts, however, may not come fully into effect when medicaments for rare diseases are not available. The so-called orphan drugs, that is,

320

P. Duhm-Harbeck and J. Köbler

medicaments for rare diseases, are subject to Regulation (EC) No. 141/2000 on medicinal products for orphan diseases. The orphan drug regulations aim at creating incentives for research, development and marketing of medicinal products for orphan drugs. From 2005 onwards, a centralised admission procedure was installed within the EU. As of October 2021, 132 medicaments had been registered as orphan drugs in the EU (Bundesministerium für Gesundheit 2022). The availability of samples is very important to continue research on rare diseases. This is a task that would be undertaken by a centralised biobank or registry as envisioned in projects like “ Building Consensus and synergies for the EU Registration of Rare Disease Patients” (EPIRARE; Taruscio et al. 2014). Due to their increase in scope and type of samples, biobanks have become a subject of public debate, which has triggered several issues in the case of research biobanks, such as the notion of consent, legal and technical safety, re-identification, ownership, access, representation and bias, national and international governance, standardisation and—last but not least—data protection (ELSI 2013). Data protection itself has also emerged as a hot topic due to the increased interest in data and the new technical possibilities and their value on the market, not only for direct marketing activities but also more basically in influencing behavioural or personal preferences.

3 The Way Forward Research on rare diseases is difficult to handle in terms of data protection law since genetic diagnostics are used intensively here (Baldovino et al. 2017). That is, you cannot hide patients’ personal data using anonymisation. Thus, a look at the General Data Protection Regulation should be taken in terms of how it affects this particular research or the opportunities the regulation may offer. Having demonstrated in the previous chapter the various challenges in data processing of rare disease research, this section shall be dedicated to ways to tackle certain issues in the future. There are three levels that will be addressed: the national, EU and international levels. At the national level, a so-called ‘RD ecosystem’ would be a good basis to comprehensively address problems related to rare disease research (Ministry of Health of the Republic of Slovenia 2011; Stanimirovic et al. 2019). For example, problems relate to lengthy and cumbersome procedures in the diagnosis of rare diseases, underdeveloped treatments without empirical evidence and/or drugs, or the need for a legal basis for continuous monitoring of rare disease patients as well as organisational challenges (e.g., treatment coordination, screening, reporting). An RD ecosystem is comprised of a normative framework that works together with regulatory and policymaking institutions, clinics and hospitals and patients and patient associations and includes information and communications technologies (ICT), such as platforms or registries, and facilitates national and international data exchange (Ministry of Health 2011; Stanimirovic et al. 2019).

Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II)

321

European projects that have built an international, multidisciplinary community, such as RD-Connect (2012–2018), have already paved the way for specialised (limited) registries. They are working on issues such as making data rapidly available to other researchers (e.g., via the European Genome Phenome Archive at the European Bioinformatics Institute), or adapting knowledge sources and analysis methods to whole-exome and whole-genome sequencing and the simultaneous characterisation of thousands of transcripts and proteins, or the use and extension of phenotype ontologies like the Human Phenotype Ontology. Furthermore, work is being done on legal and ethical aspects, such as standardisation of templates for consent forms and EPIRARE (2011–2014), that have been or are being established in European countries, including France, Spain, Italy, Slovakia, Belgium, Bulgaria and Sweden. In other countries, there are neither national nor regional registries. But for certain diseases (e.g., CML, echinococcosis, Behcet’s disease, cancer predisposition, haemophilia, ALL, T-cell lymphoma, mastocytosis, alternating hemiplegia and rare epilepsies), measures have been taken, such as clinically managed registries, nationwide mapping of expertise or integration of rare disease coding into the Austrian health information system, a procedure for designation as a centre of expertise, or a working group on laboratory diagnostics (RD Action, https://www. rd-action.eu/ 2016). In Germany, work on a comprehensive data collection in registries among specific networks monitoring certain diseases had already begun more than a decade ago, the level of voluntary participation based on informed consent had been good and research networks were underway (Pommerening et al. 2008). The German national action plan (NAMSE, https://www.namse.de/fileadmin/ user_upload/downloads/Nationaler_Aktionsplan.pdf 2013) includes several measures, including a steering committee for registries on rare diseases (measure 28), a meta-registry with minimal information (29) and a web portal for registries (27). The joint action ‘677,024 / RD-ACTION’ funded by the European Union Health Programme (2014–2020) facilitates information sharing on data and policies regarding rare diseases by establishing a standard common language for health and research by continuing the Orphanet nomenclature in nine languages, setting up a reliable database for decision making and maintaining a user-friendly website containing information (RD Action, https://www.rd-action.eu/ 2020). Various other national, EU and global projects work on establishing environments for registries (e.g., PARENT-JA, Global Rare Diseases Patient Registry and Data Repository, EXPAND, OSSE-Open Source Registry System for Rare Diseases, TMF-Technologie- und Methodenplattform für die vernetzte medizinische Forschung e.V., Deutsches Netzwerk Versorgungsforschung, Europäische Referenznetzwerke) (Storf et al. 2020). An important element of facilitating research on rare diseases is covered by the project OSSE as it develops a toolbox for disease specific registers. It distributes to patient organisations, doctors, scientists and other users (e.g., data protection officers) open-source software for implementing their own registries or connecting to existing ones and provides a general register for diseases so rare that an individual registry would not be feasible (Storf et al. 2020). Apart from many other aspects, such as pharmacovigilance or interoperability, data protection is at the heart of

322

P. Duhm-Harbeck and J. Köbler

registry setup. Without a specific statutory basis, informed consent is the rule to be followed as a basis for processing health data. Gaps in patient consent can only be closed afterward by contacting the participants, but the contact by the responsible body needs to be taken into account in the initial declaration of consent (Storf et al. 2020). As it is necessary to separate identifying information from other information to pseudonymise health data, a register has two technically and organisationally separate databases, one containing identifying data (IDAT) and another containing medical data (MDAT) (Storf et al. 2020). The EU Joint Research Centre located in Ispra, Italy, drew on the existing suggestions on data sets on rare diseases and established a minimal data scheme consisting of only 16 elements (European Platform on Rare Diseases Registration, 1995–2022; Storf et al., 2020). Limiting the variables to the very minimum adds to data security and corresponds to the principle of data minimisation. As an alternative to collecting data, the input of data by the patients themselves is possible (Storf et al. 2020); however, this does not liberate data users from adherence to data protection laws as this is still a case of Art. 9 (2) a) and not Art. 9 (2) e) GDPR, in which the data subject has made its data ‘manifestly’ public. Changes to national laws on genetics or data protection, are not only difficult as many ethical questions must be tackled, such as discrimination or misuse of data, but are also ineffective since EU law applicable to a matter will override national law. Therefore, any solution must be harmonised on an EU level. On the European level, the European Health Data Space (Hansen et al. 2021) shall be installed to allow for cross-border secondary use of health data. The joint action‚ Towards the European Health Data Space’ (TEHDAS 202 https://tehdas.eu) is currently supporting the European Commission to build such space through the development of principles for the secondary use of health data in which the data space will form the legal bases. Eight recommendations have been drawn from the Rare 2030 Foresight Study (Rare 2030 2021): • • • • • • • •

Long-term, integrated European and National Plans should be adopted Earlier, faster, more accurate diagnoses shall be enabled Access to high-quality health care should be provided Integrated and person-centred care should be established Partnerships with patients should be established Innovative and needs-led research and development should be fostered Data should be optimised with benefits for patients and society Treatments should be made available, accessible and affordable

These recommendations should be integrated and intertwined with the more technical aspects of providing a safe space for data exchange. Other legal areas should also be taken into consideration, such as changing the EU legislation on pharmaceuticals. Rare Disease Europe (EURORDIS), a non-governmental patient-driven alliance of patient organisations representing 988 rare disease patient organisations in 74 countries (Courbier et al. 2019), tries

Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II)

323

to give patients with rare diseases a voice with initiatives such as the Rare Barometer programme. It has provided several key inputs for the amendment of EU law such as coordinating addressing unmet medical needs, accessibility of gene, cell and tissue or cooperation in pricing and negotiations (EURORDIS, https://www.eurordis.org/ towards-a-revisedeus-general-pharmaceuticals-legislation-emerging-perspectivesfor-improving-the-treatment-of-rare-diseases/ 2022). There are many more recommendations and initiatives by EURORDIS, which facilitates direct contact with patients. The European Parliament has adopted the Strengthening Europe in the fight against cancer Resolution specifically concerning cancer because 24% of cancer diagnoses are rare forms and pose a public health challenge.2 The Strengthening Europe in the fight against cancer Resolution includes several areas of action, such as cancer prevention in all European Policies, calls for member States to harmonise data and national immunisation data systems (no. 35), encouragement of breast feeding as a means of reducing the risk of breast cancer (no. 39), highlighting the availability of methods to detect genetic mutations (no. 40), encouragement of harmonisation of cancer screening data collections (no. 53), calls on the Member States and the Commission to establish centres for rare cancers (no.77) and the extension for joint procurement of novel cancer medicines for ultra-rare cancers (no. 87). On an international level, Germany and Austria, for example, have not yet signed the Oviedo Convention.3 The United Nations (UN) adopted its first resolution on ‘Addressing the challenges of persons living with a rare disease and their families’ on 16 December 2021.4 This resolution called, inter alia, on Member States to strengthen health systems, provide universal access to a wide range of health care services, adopt gender sensitive approaches, address the root causes of discrimination, take into account cultural, religious and family reasonings in treating persons with rare diseases, foster expert hubs, implement national measures to ensure that persons with rare diseases are not left behind (e.g., in terms of employment) and eliminate barriers to water, sanitary and hygiene for persons with rare diseases. Notably, in no. 5, it encourages ‘. . . (to) collect, analyse and disseminate disaggregated data on persons living with a rare disease, including by income, sex, age, race, ethnicity, migration status, disability, geographical location and other characteristics relevant in national contexts, where applicable, to identify discrimination and to assess progress towards the improvement of the status of persons living

2

European Parliament, European Parliament resolution of 16 February 2022 on strengthening Europe in the fight against cancer—towards a comprehensive and coordinated strategy (2020/ 2267(INI)). https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?refer ence=2020/2267(INI)&l=en. 3 Council of Europe (1999). Convention on Human Rights and Biomedicine (ETS No 164). https:// www.coe.int/en/web/bioethics/oviedo-convention. 4 UN (2021). UN Resolution Adopted by the General Assembly on 16 December 2021. Addressing the challenges of persons living with a rare disease and their families. https://digitallibrary.un.org/ record/3953765?ln=en.

324

P. Duhm-Harbeck and J. Köbler

with a rare disease’. In no. 6, it encourages member states ‘... to increase support for research, by strengthening international collaboration and coordination of research efforts and the sharing of data, while respecting its protection and privacy’. While UN law is part of international law and, as such, differs substantially in its development and implementation from the supranational law of the EU governing the development of the GDPR, these developments on the international scene should be carefully considered and should give further impetus to the European debate. On a more practical level, the recommendations by Courbier et al. in 2019 should be taken into consideration to strengthen comprehensive approaches, enable wider data sharing and gain trust, especially within patient communities. These statements recommend: • Ensure implementation of appropriate legislation through policymakers • Use appropriate governing structures for data sharing (e.g., develop robust standards for secure, ethical and responsible data sharing, involve patient organisations) • Develop and implement dynamic systems for setting different attitudes and preferences and to update information on research outcomes • Allocate resources to educational means to help patients make informed choices • Allocate financial resources to communication improvement and transparency by funders and sponsors of data-sharing activities • Emphasise potential health benefits of research studies by funders, clinicians and researchers for future generations and other diseases.

4 Conclusion Despite these huge and concerted efforts in battling rare diseases, much remains to be done in terms of reducing the time between the first symptoms and stable living conditions (if curing is out of the question) for people with rare diseases. This is evidenced by a study commissioned by the Rare Disease Unit of the Finnish Association of the Disabled. The questionnaire included 52 items and was sent to 2197 persons, with 380 retuned. The survey concluded that it may take decades to get a diagnosis and only about half of those with rare diseases had regular monitoring of their illnesses (Valo, https://www.theseus.fi/bitstream/handle/10024/349299/ Valo_Petri.pdf?sequence=2&isAllowed=y 2020). In addition, the relevant industry states that global clinical studies are important in developing safe and innovative treatments and products, especially concerning rare diseases and conditions.5 There will be legal developments by courts that refer to market and market prices and may

5 MedTech Europe (2020). Response to European Data Protection Board (EDPB) Consultation on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. https://edpb.europa.eu/sites/default/files/webform/public_consultation_ reply/20201221_medtech_europe_response_to_edpb_consultation_with_annex.pdf.

Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II)

325

touch upon the needs of patients such as Shire Pharmaceuticals Ireland Ltd. v EMA/EC6 as well as support by EU policymakers (Hansen et al. 2021). But the development of new and secure legal conditions that comply with data protection as well as patient needs for quicker research on their respective rare diseases must come from research projects and initiatives themselves. Yet they also have to align their work with other entities, such as national and supranational policymakers, specialised agencies like the European Data Protection Board, specific disease groups and patient organisations representing patients, health care professionals and the industry (Hansen et al. 2021). Finally, I would like to draw attention to one more group that I will call the administrators. The administrators include not only technicians and statisticians but also consent drafters, data protection officers, data stewards, jurists, the clinical trials service centres, ethics commissions, FAIR data offices and data clearing commissions. All those administrative units try to implement the laws and guidelines on an operational level and create what some have called ‘a culture of data sharing’ (Contreras & Reichman 2005; Courbier et al. 2019), while keeping it safe. Only in combining all forces and keeping a trustworthy balance will we succeed in battling rare diseases.

References Amselem S, Gueguen S, Weinbach J, Clement A, Landais P (2021) RaDiCo, the French national research program on rare disease cohorts. Orphanet J Rare Dis 16:454. https://doi.org/10.1186/ s13023-021-02089-5 Baldovino S, Menegatti E, Roccatello D, Sciascia S (2017) Immunological rare diseases. In: Posada de la Paz M, Taruscio D, Groft SC (eds) Rare diseases epidemiology: update and overview, 2nd edn. Springer, pp 497–511 Bax BE (2021) Biomarkers in rare diseases. Int J Mol Sci 22(2):673. https://doi.org/10.3390/ ijms22020673 Contreras JL, Reichman J (2005) Sharing by design: data and decentralized commons. Science 350(6266):1312 Courbier S, Dimond R, Bros-Facer V (2019) Share and protect our health data: an evidence based approach to rare disease patients’ perspectives on data sharing and data protection – quantitative survey and recommendations. Orphanet J Rare Dis 14:175. https://doi.org/10.1186/s13023-0191123-4 Hansen J, Wilson P, Verhoeven E, Kroneman M, Kirwan M, Verheij R, Veen EB v, DG Health & Food Safety (2021) Assessment of the EU Member States’ rules on health data in the light of the GDPR. Publications Office of the European Union, Luxembourg. https://ec.europa.eu/health/ system/files/2021-02/ms_rules_health-data_en_0.pdf Ministry of Health of the Republic of Slovenia (2011) Work plan in the field of rare diseases in the Republic of Slovenia. Ministry of Health of the Republic of Slovenia, Ljubljana Pommerening K, Debling D, Kaatsch P, Blettner M (2008) Register zu seltenen Krankheiten. Bundesgesundheitsbatt 51:491. https://doi.org/10.1007/s00103-008-0520-y Rare 2030 (2021) Foresight in the rare disease policy. http://www.rare2030.eu

6

European Court of Justice (ECJ) (2018). Case T-80/16, Shire Pharmaceuticals Ireland Ltd. v EMA/EC, Judgment of the General Court (Seventh Chamber), 22 March 2018[2018] ECLI 165.

326

P. Duhm-Harbeck and J. Köbler

Stanimirovic D, Murko E, Battelino T, Groselj U (2019) Development of a pilot rare disease registry: a focus group study of initial steps towards the establishment of a rare disease ecosystem in Slovenia. Orphanet J Rare Dis 14:172. https://doi.org/10.1186/s13023-0191146-x Storf H, Stausberg J, Kindle G, Quadder B, Schlangen M, Walter MC, Ückert F, Wagner TOF, NAMSE-Register-Strategiegruppe (2020) Patientenregister für Seltene Erkrankungen in Deutschland: Konzeptpapier der Strategiegruppe “Register” des Nationalen Aktionsbündnisses für Menschen mit Seltenen Erkrankungen (NAMSE). Bundesgesundheitsblatt 63:761. https:// doi.org/10.1007/s00103-020-03151-6 Taruscio D, Mollo E, Gainotti S, Posada de la Paz M, Bianchi F, Vittozzi L (2014) The EPIRARE proposal of a set of indicators and common data elements for the European platform for rare disease registration. Arch Public Health 72:35. http://www.archpublichealth.com/content/ 72/1/35 Thompson, R., Johnston, L., Taruscio, D., Monaco, L., Béroud, C., Gut, I.G., Hansson, M.G., 't Hoen, P.-B. A., Patrinos, G.P., Dawkins, H., Ensini, M., Zatloukal, K., Koubi, D., Heslop, E., Paschall, J.E., Posada, M., Robinson, P.N., Bushby, K., & Lochmüller H., (2014). RD-connect: an integrated platform connecting databases, registries, biobanks and clinical bioinformatics for rare disease research. J Gen Intern Med 29 (Suppl 3), 780. doi:https://doi.org/10.1007/s11606014-2908-8

Rare Paediatric Diseases Does the GDPR Support Dynamic Consent/Assent Strategies for Rare Paediatric Diseases? Sabrina Brizioli

1 Introduction Although many international and European instruments recognise children’s selfdetermination and best interests in their decision-making capacity,1 their competence to give consent is still a challenging issue. It is not just a matter of having decisionmaking capacity, but rather being decision-making competent, with sufficient cognitive development, and therefore this depends on the growing ability of the child to think and reason (Grootens-Wiegers et al. 2017). Systematic studies on cognitive development have supported the idea that informed consent2 and assent can be given and decisions made by children on the

1

See UN Convention on the Rights of the Child, 20 November 1989, New York, UNTS vol. 1577 (p.3), arts 3, 12; UN Committee on the Rights of the Child, General comment No. 15(2013) on the right of the child to the enjoyment of the highest attainable standard of health (art. 24), 17 April 2013, CRC/C/GC/15; Charter of Fundamental Rights of the European Union, OJ 18.12.2000 C 364/1, art. 24; Directive 2001/20/Ec of the European Parliament and of the Council of 4 April 2001 On the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use, OJ 1.5.2001 L.121, Art. 4. 2 For the purposes of this study, we recall the legal definition of informed consent as ‘free and voluntary expression of his or her willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject’s decision to participate or, in case of minors and of incapacitated subjects, an authorisation or agreement from their legally designated representative to include them in the clinical trial’, art. 2, Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medical products for human use, and repealing Directive 2001/20/EC, OJ, 27.5.2014, L. 158/1. S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_36

327

328

S. Brizioli

basis of the knowledge they have acquired and their social interactions (Piaget 1964; Bodrova and Leong 2015). While minors may be capable of mastering some of the multiple cognitive processes leading to decisions, they may fail to master others, especially during childhood and adolescence (Betsch 2018). This is even more difficult for minors who are diagnosed with rare diseases: in these cases the search for an inclusive and participatory strategy for informed consent3 has to be accompanied by the constant scrutiny of the child’s cognitive development throughout the course of the disease. When feasible, the main goal from an ethical point of view would be to engage children in consent/assent: while consent means approval given by a competent child or legal representative for involvement following appropriate information, assent essentially indicates ‘an affirmative agreement to participate in research’ (Rossi et al. 2003). Indeed, this ensures that they can make truly informed choices and relieve their feelings of frustration and discomfort (Llubes-Arrià et al. 2021). The free and voluntary expression of consent in the field of rare paediatric diseases not only is legally desirable to safeguard personal autonomy and the rights to privacy and selfdetermination, but also represents a way to avoid undue harm (Nguyen et al. 2019). Novel approaches to consent would allow children to express preferences about the life they want and would temper the traditional paradigm according to which the more serious the disease and treatment are, the less the minor is involved in decisionmaking. The use of ‘dynamic channels’ to consent across the diagnostic journey (Geng et al. 2019) would be supported by the need both to improve data and resource sharing and to ameliorate and promote patient-centred research. However, advances in data sharing policies have rarely resulted in procedural and practical tools for consent and it has been stated that ‘model consent clauses in paediatric rare disease research are currently lacking’.4 Furthermore, when rare paediatric diseases occur, the safeguarding of dignity and the protection of privacy extend to the family unit, requiring parental consent and an effective and continuous engagement with the family members. In fact, when a child diagnosed with a rare disease cannot communicate, the parents are those most closely involved with the promotion and protection of his/her health (Frantantoni et al. 2022).

3

The term consent is also used in this work to include dissent and refusal. IRDIRC, Model consent clauses for rare disease research (MCC). https://irdirc.org/activities/taskforces/model-consent-clauses-for-rare-disease-research-task-force/.

4

Rare Paediatric Diseases

329

2 The Challenges to Consent/Assent in Rare Paediatric Diseases As clearly described in other chapters of this handbook and in general terms, rare diseases are those having a low incidence in the population. As a subset of rare diseases, rare paediatric diseases are serious or life-threatening diseases with serious or life-threatening manifestations that primarily affect individuals from the ages of 0–18.5 They mainly concern the neonate, infant, child and adolescent age groups, and pose extraordinary and additional challenges when compared to other chronic diseases that are not rare or to other vulnerabilities in the medical context (Matthews et al. 2021). As a matter of fact, rare paediatric diseases are characterised by difficulties in early therapies; mis-representation and mis-diagnosis6 (Faviez et al. 2020); the fact that they arise in childhood; and the need for multidisciplinary approaches because these diseases are generally multisystemic dysfunctions. As far as consent capacity and the decision-making process are concerned, children suffering from rare diseases are a heterogeneous group: some of them may be capable of providing consent, while others may be severely disabled and affected by neurological deficiencies. Those whose neurodevelopmental functions are compromised so that they cannot be expected to have the ability to understand information about a study will lack the capacity to make informed and voluntary decisions about participating in research activities. Thus, the parents who care for their children’s welfare are assumed to make parental decisions that promote the child’s best interests. Family contact and re-identification are often necessary to promote research and obtain a full data set. As a consequence, children and family members should be informed of the benefits and risks of re-identification (Gainotti et al. 2016). On the one hand, absolute privacy is unrealistic and so could affect parental autonomy and family privacy, while on the other hand re-identification could be desirable for the patients in order to receive results (Nguyen et al. 2019). Furthermore, providing accurate information is paramount, as it is directly linked to consent and to the improvement of the quality of children’s and parents’ decisionmaking: while altruistic reasons are supposed to justify the enrolment of children into clinical research,7 the duty to inform about the potential benefits and risks is a pre-requisite to informed decisions. Accurate information also avoids children and

5 See https://www.fda.gov/news-events/fda-brief/fda-brief-fda-updates-draft-guidance-rare-pediat ric-disease-priority-review-voucher-program. 6 This is the case because the rarity of the disease does not reflect the number of children affected (mis-representation), and because there is a wide range of symptoms that overlap for many rare diseases (mis-diagnosis). 7 The use of health records and specimens in rare disease research could be considered as an intersubjective responsibility for the purposes of solidarity. Otherwise, a refusal could affect the quality of research in rare diseases and in turn affect society as a whole.

330

S. Brizioli

parents refusing to participate in beneficial research before they have understood the specificities of a research programme (Anderson 2006). Research on rare paediatric diseases is also linked to the need to conduct research on paediatric biological samples by means of paediatric biobanks; such research has a positive impact by improving knowledge of genetic diseases, paediatric-specific disease markers and hereditary conditions (Cannovo et al. 2020). Research into rare diseases strongly relies on the sharing of data, and the quality and usefulness of the data mainly depend on how they are used: the application of certain rules on consent (specific or broad consent) could be detrimental and jeopardise genomic research. When it comes to the participation of minors in biobanks, there are questions concerning how to balance the intangible rights of the minors and the development of scientific research. In general, minors must be informed when they provide samples, taking account of their degree of maturity and their capacity to understand. Usually, parental permission gradually fades as minors progress towards maturity, and the minor’s refusal prevails over permission given by their parents or legal representatives. However, in the field of rare paediatric diseases, questions of the minor’s capacity to consent/assent and re-consent, and of parental permission, pose extraordinary concerns,8 and special safeguards should be established to avoid significant risks to the rights and freedoms of the minors involved and to respect their dignity.

3 Processing Data and Consent Models: The GDPR and Beyond Among the many issues in the debate on consent/assent for rare paediatric diseases, privacy is central. A child’s continuous participation in scientific activities (the collection and storage of data and samples) has significant implications for their personal privacy, underscoring the need for informed consent strategies, appropriate and detailed information, and clear communication. Looking closely at these aspects, it is relevant to consider how the General Data Protection Regulation (hereinafter referred to as the GDPR)9 tackles the ‘privacy issue’ vis-à-vis research purposes, and how it provides insights to support more engaged strategies for informed consent in the context of rare paediatric diseases. In the field of rare paediatric diseases, many complex issues may arise, such as the possibility of considering it to be valid if the parents choose to use the child’s biological samples when the child (although mature) is not able to consent. 9 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119. 8

Rare Paediatric Diseases

331

The preamble to the GDPR introduces the capacity for minors to give consent, and sets certain rules for the processing of minors’ personal data. First, Recital 38, while taking into account minors in the processing of personal data, emphasises the need for specific protection as minors are considered to be very vulnerable and to be less aware of the consequences and risks of their personal data being processed. Secondly, Recital 58 states that ‘any information and communication where processing is addressed to a child should be in such a clear and plain language that the child can easily understand’. Article 8(1) establishes operational rules for the processing of personal data in relation to the offer of information society services directly to a child. This processing is lawful for a child aged over 16 years. Below the age of 16 years, the processing is lawful when the consent is given or authorized by the holder of parental responsibility over the child. Against this background it must be stressed that Art. 8 of the GDPR refers only to information society services10 being offered, and that the legitimate treatment is based on the consent of the minor or of the legal representative, depending on the age of the child11 (Persano 2020). There can be a derogation from this general rule by Member States, who may establish a lower age for these purposes provided that such lower age is not below 13 years (Art. 8(2)). Moreover, another exception to the consent being given by the holder of parental responsibility is introduced in Recital 38, which states that ‘the consent of the holder of parental responsibility should not be necessary in the context of prevention or counselling services offered directly to the child’. The essential elements of the special protection mentioned in Article 8 are transparency, simplification and clarity. In fact, the data controller is tasked with guaranteeing transparency in the processing of minors’ data in the same way as for any other interested party. Indeed, it has been rightly underlined that children do not lose their rights to transparency even in cases in which consent was given by their legal representative (Persano 2020, p. 36). These safeguards seem to function to support the ‘cognitive empowerment of the child’, with the aim of making consent given by children significant (Persano 2020). From this perspective, it would be useful to ensure continuous information on the basis of the child’s stage of development, the progress of the disease and their emotional state. Indeed, an adequate communication information strategy involving children would ameliorate the impact of the rare disease on the child’s emotional development (Brothers et al. 2020).

10 See Directive (EU) 2015/1535 of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on information society services OJ17.09.2015 L.241/1. Pursuant to Art. 1(1)(b) the term ‘service’ means ‘Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services’. 11 GDPR and children rights in EU data protection law. European Journal of Privacy Law & Technologies, special issue, pp. 32–42.

332

S. Brizioli

This would go hand in hand with an evaluation of the ‘ethical appropriateness of research with children’ and ‘in particular, consent for paediatric research’ (Brothers et al. 2020, p. 129). That said, art. 8 and its allied principles cannot be read in isolation, and other provisions of the GDPR must be taken into account to define effective standards for data processing and forms of consent suitable for rare paediatric diseases, In order to avoid unfair practices and the unnecessary collection of data in relation to a specific purpose, principles of fairness, necessity, proportionality and data quality (art. 5 GDPR) must be observed. Article 5(1)(b) GDPR should also be analysed in accordance with art. 89(1) GDPR, which sets out that further processing must involve appropriate safeguards to freedom and the data subject’s rights (data minimisation; pseudonymisation). This would support a minimum data set to facilitate health data exchange, as in the current initiatives to develop common formats for disease registries for rare diseases.12 As many rare paediatric diseases have genetic origins, art. 9 of the GDPR on the processing of special categories of personal data should be taken into account, considering the exceptions to paragraph 1 as rooted in the different legal bases listed in paragraph 2. Indeed, the exceptions to art. 9 are of particular importance for rare paediatric diseases as they would allow the processing and sharing of data in order to safeguard vital interests or make advances in scientific research (Courbier et al. 2019). A joint reading of GDPR provisions, namely art. 6(1)(d), art. 9(c) and Recital 46 not only helps to give an understanding of the relevance of the term ‘vital interest’ in processing genetic data for children in vulnerable mental states, but also reveals that processing personal health data to safeguard one’s own or others’ vital interests prevails over the rights to confidentiality of data. As a matter of fact, it may be in the vital interests of children and/or of their family members to process genetic data to obtain a more accurate and less time-consuming diagnosis. In this sense, the necessity emerges for the vital interest derogation to be used as a legal basis because of it being reasonable and proportionate to a specified purpose. Considering scientific purposes, the derogation in art. 9(2)(j) is aimed at fostering advances in health research and is central to studies comparing genetic risks and optimising treatments. The processing of data and the sharing of data for scientific purposes are therefore important when considering the possibility of applying findings from different international studies to well-identified European populations with particular genetic compositions and traits (Bentzen et al. 2021). When directly involved as the subject of research, non-autonomous paediatric patients and their families need the up-to-date and immediate ability to access healthrelated data, and monitor the return of results and the reuse of information. As a

12 European Commission (2021), Assessment of the EU Member States’ rules on health data in the light of GDPR. https://health.ec.europa.eu/system/files/2021-02/ms_rules_health-data_en_0.pdf.

Rare Paediatric Diseases

333

consequence, static and broad manifestations of informed consent may be inappropriate. The possibility of customising preferences or expressing consent for specific research projects or areas of scientific research is rooted in Recitals 33 and 43 of the GDPR, which allow granular decisions. Granularity is particularly relevant in multiple processing operations and purposes when the data subject faces a bundle of processing activities: in order to ensure valid and freely given consent,13 granularity requires consent for each purpose.14

3.1

The Dynamic Consent Option

Different models of consent have been envisaged in order to both address the legal and ethical challenges to the best interests of the child and safeguard the family members. Sometimes even if patients accept broadly described purposes, additional safeguards and consent options are added to ensure clarity about the governance of the data and samples, with re-contact strategies and commitments to inform the participants if major changes occur (Gainotti et al. 2016, p. 1249). The validity of informed consent also depends on ensuring that there is no undue pressure, and that the information given to the patient is accurate and does not contain excessive expectations regarding the potential benefits of the treatment or the risks. The onset of rare diseases at birth or in childhood requires the specific characteristics of the child and their maturity and vulnerability to be taken into account in order to evaluate their attitude to assent and their capacity to consent. It has been said that ‘in the case of children, in addition to the informed consent of the legal guardians, the assent of the minor must be also obtained as applicable based on their ability, always respecting the will of the child’ (Farnós and Bezhold 2020, p. 220). Some scholars have stressed that the debate on informed consent and the engagement of patients should look closely at the dynamic consent option (Mascalzoni et al. 2014). Mascalzoni et al. framed this model of consent in situations in which the involvement of children and family members is crucial in research activities, especially for rare diseases (e.g. Genetic Alliance), (Mascalzoni et al. 2014, p. 28) They focused on the fact that applying the traditional concepts of privacy and consent in the sphere of rare diseases would be risky and a barrier to research and development. 13

Recital 43 specifies that consent is freely given if the process and procedure allow data subjects to give separate consents for each operation. 14 Article 29 Working Party, Guidelines on consent under Regulation 2016/679, adopted on 28 November 2017; European Data Protection Board (2020). Guidelines 05/2020 on consent under Regulation 2016/679, p.12. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guide lines_202005_consent_en.pdf.

334

S. Brizioli

Dynamic consent appears preferable because of its potential to build relationships between patients and researchers based on two-way and ongoing communication. The dynamic consent model is useful as it would include patients and their family members in the development of diagnosis and treatments, so as to create the trust in research that is precious in studies of rare diseases. Furthermore, the flexibility and granularity of dynamic consent would allow special options to tailor consent in cases in which self-determination is limited and incapacity arises: dynamic consent offers the possibility that consent options can be changed over time, with re-contact and opt-out procedures. In order to safeguard children’s right to be listened to and informed, they should be given the amount of information that they are able to understand, with a correct explanation of what will happen later in the course of the research or as the diagnosis evolves. Studies have underlined the potential of dynamic consent platforms in research projects, and have confirmed that they are particularly useful in rare disease research involving low numbers of cases and geographically scattered patients (Budin-Ljøsne et al. 2017). What would make dynamic consent helpful for rare paediatric diseases is its use of technological solutions and devices that allow for more immediate communication and a continuous relationship between the researcher and the research participants. Furthermore, establishing a better dialogue using dynamic consent would be of special importance for the secondary use of biological samples and data (see the chapter in this book: C. Barbosa & A. da Costa Andrade: ‘Secondary Use’). Given the specificity and scarcity of biospecimens in rare diseases, dynamic consent would ensure steady control over these specimens and in turn would maximise and preserve their use in future (Gainotti et al. 2016, p. 1251). Although there have been prototypes of dynamic consent platforms in research projects, their functioning is still under development and their implementation needs further adjustments. First, dynamic consent needs to be customised to the specificity of rare paediatric diseases, and researchers need to be aware of the pros and cons of dynamic consent strategies. More precisely: (a) consent and assent capacities should depend on the age, the disease, and the personal attitudes of the child; (b) a dynamic double consent mechanism (child–parent) would be more efficient as the disease develops; (c) it would be necessary to set up clear disclosure of information (futility/utility of the treatment, significant harm, quality of life, best interests of the child); and (d) dynamic consent tools should allow the simplification of choices and avoidance of consent fatigue, that is a situation in which ‘participants become disengaged and their consent rendered less meaningful’ (Kaye et al. 2015). As dynamic consent relies strongly on new technologies, relevant aspects to considered in the design of tools and devices applying to rare paediatric diseases would be: (a) an evaluation of minors’ behaviour and attitudes in online multimedia

Rare Paediatric Diseases

335

virtual environments, in comparison with other contexts15; (b) the customization of on-line settings (platforms, social networks, and websites) to remove shocking images and ensure the use of appropriate ways to convey information16; (c) an estimation of minors’ capacity to consent and assent according to their cognitive development; (d) a consideration of the downsides of profiling, automated decisions, cognitive bias, and algorithmic discrimination (in the case of the use of artificial intelligence). In the context of rare paediatric diseases, user-friendly web applications for dynamic consent would foster a therapeutic alliance but would also simplify interdisciplinary approaches (ethics, neuro-sciences, law, and psychology). In conclusion, efforts should be made to validate tools that guarantee reproducibility and interoperability for advances of research in the field, and their safe legal and ethical use in biobanking and clinical settings (Faviez et al. 2020).

4 Conclusion Special protections for consent by minors, and the need for transparency and clear communication, should be contextualised in the framework of the GDPR, looking closely at its principles and exemptions. Indeed, the safeguarding of vital interests, and the scientific research purposes, turn out to be of particular relevance when dealing with rare paediatric diseases. These derogations tackle the hurdles of privacy and justify altruistic choices, taking into account both the best interests of the child and solidarity. Furthermore, the GDPR does not only endorse the significance of a minor giving a manifestation of their consent, but is also able to support novel options for consent or re-consent. The GDPR leaves considerable room for further investigation into consent/assent strategies for rare paediatric diseases and, among the many informed consent formulae, the dynamic consent approach would provide a good balance between the privacy of individuals and health practices in the context of rare diseases. Because of its interactive communication flow and strong reliance on technologies, dynamic consent would be of great help in managing certain sensitive aspects in the field of rare paediatric diseases, such as the return of incidental findings, the involvement of family members, the future use of data and samples, and the right to withdraw from data sharing.

15

European Commission (2016). Study on the impact of marketing through social media, online games and mobile applications on children’s behaviour. https://commission.europa.eu/publications/ study-impact-marketing-through-social-media-online-games-and-mobile-applications-childrensbehaviour_en. 16 AGCOM (2018), Libro Bianco media e minori. https://www.agcom.it/documents/10179/928534 9/Documento+generico+16-01-2018/17e4f243-daa2-435f-a78f-b1e30755edbc?version=1.0.

336

S. Brizioli

However, dynamic consent settings would need adjustments to deal with the particular legal and ethical concerns in rare paediatric diseases and also an effective pragmatic application of patient-friendly and interoperable tools (webpages, platforms etc.) for the sharing of information across diseases.

References Anderson EE (2006) Parental consent for pediatric research. Virtual Mentor. AMA J Ethics 8:667– 671. https://doi.org/10.1001/virtualmentor.2006.8.10jdscl-0610 Bentzen HB, Castro R, Fears R, Griffin G, Meulen VT, Ursin G (2021) Remove obstacles to sharing health data with researchers outside of the European Union. Nat Med 27(8):1329–1337. https:// doi.org/10.1038/s41591-021-01460-0 Betsch T (2018) What children can and cannot do in decision making. Scientia. https://www. scientia.global/dr-tilmann-betsch-what-children-can-and-cannot-do-in-decision-making/ Bodrova E, Leong DJ (2015) Vygotskian and post-Vygotskian views on children’s play. Am J Play 7(3):371–388 Brothers KB, Clayton EW, Goldenberg AJ (2020) Online pediatric research: addressing consent, assent, and parental permission. J Law Med Ethics 48(S1):129–137. https://doi.org/10.1177/ 1073110520917038 Budin-Ljøsne I, Teare HJ, Kaye J, Beck S, Bentzen HB, Caenazzo L, Collett C, D’Abramo F, Felzmann H, Finlay T, Javaid MK, Jones E, Katić V, Simpson A, Mascalzoni D (2017) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18(1):1–10. https://doi.org/10.1186/s12910-016-0162-9 Cannovo N, Guarino R, Fedeli P (2020) Ethical and deontological aspects of pediatric biobanks: the situation in Italy. Cell Tissue Bank 21:469–477. https://doi.org/10.1007/s10561-020-09833-4 Courbier S, Dimond R, Bros-Facer V (2019) Share and protect our health data: an evidence based approach to rare disease patients’ perspectives on data sharing and data protection. Quantitative survey and recommendations. Orphanet J Rare Dis 14:175. https://doi.org/10.1186/s13023-0191123-4 Farnós IA, Bezhold GA (2020) Clinical research in rare diseases: new challenges, opportunities and ethical issues. An Pediatr 93(4):219–221. https://doi.org/10.1016/j.anpede.2020.06.001 Faviez C, Chen X, Garcelon N, Neuraz A, Knebelmann B, Salomon R, Lyonnet S, Saunier S, Burgun A (2020) Diagnosis support systems for rare diseases: a scoping review. Orphanet J Rare Dis 15(94):1–16. https://doi.org/10.1186/s13023-020-01374-z Frantantoni K, Livingston J, Schellinger SE, Aoun SM, Lyon ME (2022) Family-centered advance care planning: What matters most for parents of children with rare diseases. Children 9:445. https://doi.org/10.3390/children9030445 Gainotti S, Turner C, Woods S, Kole A, McCormack P, Lochmüller H, Riess O, Straub V, Posada M, Taruscio D, Mascalzoni D (2016) Improving the informed consent process in international collaborative rare disease research: Effective consent for effective research. Eur J Hum Genet 24(9):1248–1254. https://doi.org/10.1038/ejhg.2016.2 Geng LN, Sum-Ping O, Geng Y-J (2019) Phases of the diagnostic journey: a framework. Int Arch Inter Med 3:13. https://doi.org/10.23937/2643-4466/1710013 Grootens-Wiegers P, Hein IM, Van den Broek JM, de Vries MC (2017) Medical decision-making in children and adolescents: Developmental and neuroscientific aspects. BMC Pediatr 17:120. https://doi.org/10.1186/s12887-017-0869-x Kaye J, Whitley EA, Lund D, Morrison M, Teare H, Melham K (2015) Dynamic consent: a patient interface for twenty-first century research networks. Eur J Hum Genet 23:141–146. https://doi. org/10.1038/ejhg.2014.71

Rare Paediatric Diseases

337

Llubes-Arrià L, Sanromà-Ortíz M, Torné-Ruiz A, Carillo-Álvarez E, García-Expósito J, Roca J (2021) Emotional experience of the diagnostic process of a rare disease and the perception of support systems: a scoping review. J Clin Nurs 31:20–31. https://doi.org/10.1111/jocn.15922 Mascalzoni D, Paradiso A, Hansson M (2014) Rare disease research: breaking the privacy barrier. Appl Transl Genom 3(2):23–29. https://doi.org/10.1016/j.atg.2014.04.003 Matthews L, Chin V, Taliangis M, Samanek A, Baynam G (2021) Childhood rare diseases and the UN convention on the rights of the child. Orphanet J Rare Dis 16:523. https://doi.org/10.1186/ s13023-021-02153-0 Nguyen MT, Goldblatt J, Isasi R, Jagut M, Jonker AH, Kaufmann P, Ouillade L, Molnar-Gabor F, Shabani M, Sid E, Tassé AM, Wong-Rieger D, Knoppers BM, on behalf of the IRDiRCGA4GH Model Consent Clauses Task Force (2019) Model consent clauses for rare disease research. BMC Med Ethics 20:1–7. https://doi.org/10.1186/s12910-019-0390-x Persano F (2020) GDPR and children rights in EU data protection law. Eur J Priv Law Technol special issue:32–42 Piaget J (1964) Cognitive development in children: Piaget development and learning. J Res Sci Teach 2:176–186. https://doi.org/10.1002/tea.3660020306 Rossi WC, Reynolds W, Nelson RM (2003) Child assent and parental permission in pediatric research. Theor Med 24(2):131–148. https://doi.org/10.1023/a:1024690712019

Residual Material What Applies to the Processing of Residual Material with Its Associated Data? Is Explicit Consent Required for This? Sabrina Brizioli

1 Introduction The term ‘residual material’ indicates biological tissue (e.g., blood, urine, skin, mouth swabs, fluids) that was used for biochemical, DNA or chromosomal research for a particular disease and was not destroyed after the completion of the diagnostic procedures. This material was instead stored and collected. The sources of these materials could be patients who undergo diagnostic or therapeutic procedures, autopsies, specimens, donations of organs or tissues from living or dead humans, body waste or abandoned tissue.1 The burning question catches the ethical dilemma concerning the accumulation, storage and use of residual biological material (and associated data) and the need for donors’ consent for its (further) processing. For a decade, there has been tension between processing and the ‘sacralisation’ of human tissues and/or accompanying data (Knoppers and Laberge 1995). However, the increasing relevance of informed and unambiguous consent has weakened the certainties of such an ethical dispute. The main concerns are privacy, efficient sample utilisation and access to information generated from biological materials (Klingstrom et al. 2018). In managing biological materials, the quantity and quality of data involved is immense, for example, data which researchers take from a medical record and/or a health-related registry (such as a cancer registry) or new data created by performing medical research and/or by analysing the biological materials of human origin (van Veen et al. 2006).

1

The significance of biological material varies among individuals and groups as well as based on its use or conservation. It may also be sought from individuals for use in a specific research project and, once collected, it may be held in biobanks to serve as a research resource reservoir for many years.

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_37

339

340

S. Brizioli

Some authors have also distinguished between primary research and secondary biomedical research using data and samples, stating that ‘while lawful basis of primary research could be consent based, [it] might not necessarily be so for secondary use of personal data and research using residual biological material’ (Staunton et al. 2019). The question that should be asked with respect to the expression of consent to the use of personal data is whether human biological materials should be considered personal data per se or as a ‘vehicle’ to convey information which is derived from testing or research activity (van Veen 2006; van Veen et al. 2006). The very complex problem is to determine whether samples can be body parts/bodily substances or data (Worku Gedefa 2016). The question of the status of biological material is far from being solved, and within the European framework, Western countries do not consider biological materials as personal data whereas Eastern countries do. Outside Europe, biological samples are included in the definition of personal data, they raise issues of privacy, and they are regulated by information legislation. As emerged from the Marper v United Kingdom case,2 cellular tissues and samples constitute personal data within the meaning of the Data Protection Convention, and the European Court of Human Rights noted the three kinds of personal information that were retained by the authorities in that case: fingerprints, DNA profiles and cellular samples. The European Court underlined the linkage to Article 8 (respect for private life) and did not base its judgement upon whether data or information was processed, but on the plausible interference with privacy. Indeed, according to the decision, these materials are not kept for their intrinsic value as mouth swabs, etc. but because they contain information about that person and, therefore, the extraction of information from samples would mean the collection of personal data.

2 Principles and Safeguards In the handling of residual material and its associated data, relevant safeguards and principles are at stake: the primary goal is to protect the rights and fundamental freedoms of those whose biological materials could be (re-)used. On the one hand, integrity and private life must be guaranteed; on the other hand, the benefits of research should be ensured by providing researchers with access to biological materials with appropriate data. On the donor side, the analysis of biological material and allied data raises ethical questions in those cases in which: (1) the right to respect private life is concerned; (2) when no information on further use of biological materials was given at the time of its collection, and (3) no consent was required. Thus, the possibility to link residual biological material to the person from which it was taken leads to the consideration of important aspects of the processing of

2

ECtHr, Marper v United Kingdom, App n 30562/04 and 30566/4 [4 December 2008], para 8.

Residual Material

341

samples and related data, that is, identifiability, rectius the possibility to identify with reasonable efforts, the moment when the material is labelled with the identifiers or the removal of non-identifiable materials (Fullerton and Lee 2011). To scrutinise the linkage between ‘samples–donors’, there are some relevant principles to be mentioned: the data minimisation principle and its anonymisation and pseudonymisation procedures, confidentiality and information. Minimising data essentially means limitations on collecting, using and sharing data; in other words, it implies the collection of only the data that is needed, the use of data only as necessary and minimal sharing of data. This principle requires users to process only adequate, relevant and limited personal data,3 that is, data which are necessary in relation to the purposes for processing. This implies that a controller or processor should never hold more data than is needed to achieve the purposes of processing.4 Of all measures to ensure the respect of the minimisation principle, the anonymisation5 and pseudonymisation6 processes are particularly useful in situations in which residual material is used. The application of anonymisation and pseudonymisation could reduce the risks of identification. Despite this, some authors have envisaged a way in which such procedures may render data useless and impede further clinical trials (Quinn 2017). Confidentiality (jointly with integrity) refers to the way in which data are processed and implies security of personal data; avoidance of unauthorised or unlawful processing, accidental loss, destruction or damage; and demanding appropriate technical or organisational measures.7 Lastly, the right to be informed, which states that everyone is entitled to know any information that has been collected about his/her health, could be effectively guaranteed through proper exercise of the right to consent. It is customary to address this issue before the start of the research, at the time consent is required. But information could also refer to unexpected findings relevant to the health of the donor that occur during research using residual material of human origin and personal data.

3

GDPR, art. 5, (1) of the, article 4, (1) lett. c) of the Regulation (EU) 2018/1725. Thus, the necessity test should be applied to use the derogations of art. 49. 5 Anonymisation is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified. 6 GDPR, art 4 (5). 7 GDPR, art. 5. 4

342

S. Brizioli

3 The Helsinki Declaration, the Council of Europe Recommendation on Research on Biological Materials of Human Origin and the GDPR It is important to frame the burning question within a regulatory discourse, bearing in mind that no (international) regulation exists to sufficiently cover all the complexities of this issue. Consequently, it is essential to first analyse the provisions and wording of relevant documents, and then to cast attention on the commonest practice. The Declaration of Helsinki8 expressly refers to research using identifiable human material or data or research on material or data contained in biobanks or similar repositories, explaining that informed consent must always be sought for collection, storage and/or reuse (Fullerton and Lee 2011). When exceptional situations make it difficult to express consent or it is impossible or impracticable to obtain consent, consideration and approval by an ethics committee is necessary for the research to be conducted. More useful insights are specified in the Recommendation of the Council of Europe9 (hereinafter referred to as Recommendation), which has provisions that tackle biomedical research using biological materials of human origin (organs, tissues, cells) and personal data.10 In its preamble, the Recommendation recognises that every person has the right to accept or refuse to contribute to biomedical research. Moreover, it is necessary to ensure both an appropriate and transparent governance of biological materials as well as adequate systems for the storage of biological materials for scientific purposes. Considering the burning question, an appropriate reference to this issue can be found within the wording of art. 2 of the Recommendation, in which it is stated that ‘the use of biological material of human origin may be accompanied by the use of associated personal data’ (art. 2). In accordance with this provision, the use of biological materials in combination with associated data could imply the identification of the persons concerned either directly or by means of a code, and in this case, the user could or could not have access to the code.

8

World Medical Association Declaration of Helsinki, Ethical principles for medical research involving human subjects, June 1964. https://www.wma.net/policies-post/wma-declaration-ofhelsinki-ethical-principles-for-medical-research-involving-human-subjects/. 9 Council of Europe, Committee of Ministers, Recommendation Rec(2006)4of the Committee of Ministers to Member States on research on biological materials of human origin and its Explanatory Memorandum, 15 March 2006 https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=0 9000016805d84f0. 10 The Recommendation builds on the principles of the Convention for the Protection of Human Rights and Dignity of the Human Beings with regard to the Applications of Biology and Medicine (ETS NO. 164, 1997, Convention on Human Rights and Biomedicine) and its Additional Protocol concerning biomedical research (CETS no. 195, 2005).

Residual Material

343

To protect privacy, biological materials and associated data should be anonymised, and any use of biological material and its associated data should be justified by the researcher. With respect to residual biological material, art. 12 specifies that such materials should only be made available with appropriate consent and authorisation according to the discipline expressed in art. 22.11 This latter provision gives relevance to the identifiability of biological materials, recalling the need for prior consent.12 When this is not possible, few derogations are allowed.13 In any case, when the right to medical care occurs, the donor may freely withdraw consent or refuse the use of his/her identifiable biological materials14 in a research project. Differently, anonymised biological materials may be used provided that the use does not violate restrictions placed by the person concerned prior to the anonymisation of the materials.15 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR) does not expressly mention the use, reuse and processing of residual biological material and data derived therefrom.16 Recital 34 of the Preamble to the GDPR deals with genetic data, which is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question [. . .]’.17 The Preamble then highlights that personal data includes «information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples».18 Thus, it seems that the GDPR does not consider biological material to per se be personal data, and its application only covers data derived from analysis of biological (even residual) samples at the later stage of research when information is processed. However, with due regard to the evolving jurisprudence, the exclusion of biological residual materials as sources of information or personal data appears to be questionable, and there are many other issues to consider to create room for

11

Council of Europe, Committee of Ministers, Recommendation Rec(2006)4 of the Committee of Ministers to Member States on research on biological materials of human origin and its Explanatory Memorandum, cit. art. 12. 12 Ibid., art. 22, i). 13 Ibid., art. 22, ii). 14 Ibid., art. 22, par. 2. 15 Ibid., art. 23. 16 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. (L 119) (following GDPR). 17 GDPR, Preamble, art. 34. 18 Ibid., Recital 35.

344

S. Brizioli

biological materials and associated data that jointly constitute information about a human being.19

4 Practising or Non-Practising Consent There are divergent practices and various consent options related to the storage of samples and their associated data (Wendler 2006, p. 544). The goal of using the residual material and associated data can be achieved by considering at least three different formulae of consent that may occur during the collection of materials: broad consent, precautionary consent and presumed consent. Additionally, as practice demonstrates, it is also possible that consent for the research use of human biological materials is skipped entirely. The discipline of broad consent in prospective research collection seems to secure consent before or during the process of collecting residual materials. Biobanks are best placed in adopting such a model of consent; therefore, they often require broad consent from donors to facilitate research involving their samples and data over time (Caulfield et al. 2003; Knoppers 2005). Despite this, the Report on Consent by UNESCO considers that it is «not acceptable to ask participant in a research project to give overall prior consent (so-called blank consent) to the effect that they would agree to any study that can be carried out with the data/material they provided, unless the data/material be irretrievably unlinked to the participants».20 Even though it is not possible to foresee the future circumstances in which the residual material would be reused, specific and circumstantiated consent seems to be desirable (Petrini 2010). Albeit not expressly referred to as ‘precautionary’, precautionary consent is also envisaged by the Council of Europe Explanatory Memorandum, which recommends that ‘When biological materials of human origin and personal data are collected it is best practice to ask sources for their consent to future use, even in cases where the specifics of the future research projects are unknown’.21 Some authors have noted that precautionary consent, which relates to the collection of residual material for future research, should not be deemed as unrestricted consent but rather as information on the specific uses, and the research project could allow the donor to choose the breadth of consent (Gefenas et al. 2011).

19 It is worth noting that the research activities using data derived from biological samples may fall under the scope of art. 89 of the GDPR, and for this, it could be subject to national derogations by Member State law. Also see HBM4EU, Legal and Ethics Policy Paper, August 2018. https://www. hbm4eu.eu/mdocs-posts/hbm4eu-legal-and-ethics-policy-document/. 20 UNESCO.2008. Report of the international bioethics committee of UNESCO (IBC) ON CONSENT, Sec. 157. https://unesdoc.unesco.org/ark:/48223/pf0000178124?posInSet=2&queryId=NEXPLORE-c391161a-cee3-42ce-b4fe-b8a6ba22e382. 21 Council of Europe, Committee of Ministers, Recommendation Rec(2006)4 of the Committee of Ministers to Member States on research on biological materials of human origin and its Explanatory Memorandum, art. 12, par. 48.

Residual Material

345

In some countries, identifiable biological materials may be retained without an expression of consent for research use, and some general opt-out schemes for the use of residual tissues have been introduced: the rationale behind the opt-out option is that the population is not opposed to research using residual material and that when sufficient and proper information is given, research may occur (Gefenas et al. 2011). Despite this, it is also possible that the absence of consent operates as a viable way to use biological materials. More precisely, no consent for storage and research use of residual tissues is needed when they are fully anonymous. In this sense, there is not a waiver of consent (Tarini et al. 2008), but rather, there is no consent at all (Gefenas et al. 2011). Explicit consent for the use of human biological materials for future research purposes is still required by most of the international documents, and the practice underlines schemes giving birth to a variety of options for consent. Trends certainly indicate a preference to seek informed and voluntary consent from donors, but the mentioned practices risk jeopardising the discipline for residual material and hampering the protection of donors’ interests, especially the respect for private life and the right to be informed.

5 Conclusion Obtaining consent for processing residual material and associated data is both a very complex task for researchers and a safeguard measure for donors, and it implies ethical concerns. To obtain improvements in human health, it is of great importance to collect biological samples, especially in those cases in which donors are also willing to provide further information and data about themselves. But the need to protect some relevant spaces of autonomy and privacy is compelling. Even if the wording of the GDPR seems to exclude biological samples, simply considering the later stage of research when data are processed from the material, this analysis supports the idea that it is good practice to inform and seek consent before processing residual material for research purposes and to obtain donor permission to use associated data. The maintenance of the divide between different types of privacy protection based on the source involved may be problematic. On the contrary, the development of a model to register consent, body templates or records are blurring the distinction between personal information and its sources, such as residual material and allied data, rendering the concept of privacy, control over the body and willingness inherently interrelated.

346

S. Brizioli

References Caulfield T, Upshur REG, Daar A (2003) DNA databanks and consent: a suggested policy option involving an authorization model. BMC Med Ethics 4:E1. https://doi.org/10.1186/1472-69394-1 Fullerton SM, Lee SS-J (2011) Secondary uses and the governance of de-identified data: Lessons from the human genome diversity panel. BMC Med Ethics 12:16 Gefenas E, Dranseika V, Cekanauskaite A, Serepkaite J (2011) Research on human biological materials: what consent is needed, and when. In: Lenk C, Sándor J, Gordijn B (eds) Biobanks and tissue research, the international library of ethics, law and technology. Springer, pp 95–108 Klingstrom T, Rudloff-Bongcam E, Reichel J (2018) Legal & ethical compliance when sharing biospecimen. Brief Funct Genomics 17:1–7. https://doi.org/10.1093/bfgp/elx008 Knoppers BM (2005) Consent revisited: points to consider. Health Law Rev 12:33–38 Knoppers BM, Laberge CM (1995) Research and stored tissues: persons as sources, samples as persons? J Am Med Assoc 274:1806–1807 Petrini C (2010) “Broad” consent, exceptions to consent and the question of using biological samples for research purposes different from the initial collection purpose. Soc Sci Med 70: 217–220. https://doi.org/10.1016/j.socscimed.2009.10.004 Quinn P (2017) The anonymisation of research data – a pyric victory for privacy that should not be pushed too hard by the EU data protection framework? Eur J Health Law 24:1–21 Staunton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: Considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27:1159–1167. https://doi.org/10.1038/s41431-019-0386-5 Tarini BA, Burke W, Scott CR, Wilfond BS (2008) Waiving informed consent in newborn screening research: Balancing social value and respect. Am J Med Genet C Semin Med Genet 148:23–30. https://doi.org/10.1002/ajmg.c.30164 van Veen BE (2006) Human tissue bank regulations. Nat Biotechnol 24:496–497. https://doi.org/ 10.1038/nbt0506-496 van Veen EB, Riegman PH, Dinjens WN, Lam KH, Oomen MH, Spatz A, Mager R, Ratcliffe C, Knox K, Kerr D, van Damme B, van de Vijver M, van Boven H, Morente MM, Alonso S, Kerjaschki D, Pammer J, Lopez-Guerrero JA, Llombart Bosch A, Carbone A, Oosterhuis JW (2006) TuBaFrost 3: regulatory and ethical issues on the exchange of residual tissue for research across Europe. Eur J Cancer 42(17):2914–2923. https://doi.org/10.1016/j.ejca.2006.04.028 Wendler D (2006) One-time general consent for research on biological samples. Br Med J 332:544– 547. https://doi.org/10.1136/bmj.332.7540.544 Worku Gedefa U (2016) The feasibility of applying EU data protection law to biological materials: challenging ‘data’ as exclusively informational. JIPITEC 96, para 1

Retention Time: Conservation of Personal Data (Part I) How Long Can Personal Data Be Stored in a Biobank? Dario Farace

1 Introduction: Biobanks and Personal Data There is such a close relationship between biobanks and personal data that the latter form part of the definition of the former. As stated in the doctrine, biobanks are generally not mere collections of biological materials, but consist of ‘biological samples and information/data (individual and collective) related to them’ (Palazzani 2017, p. 317). As with human tissue, the question therefore arises as to how long a biobank can, or should, store the personal data it collects. Compared to tissues, however, there is a fundamental difference. Tissues have an ineradicable characteristic of materiality, so their preservation requires a dedicated space, certain modalities (which can also be very specific: think, for example, of the need to maintain particular temperatures), sometimes even imposed by the nature of the sample (think of substances that alter or deteriorate after a certain period has elapsed). Tissue cannot be devoid of materiality; this is not true for personal data, where regulatory provisions are of particular importance in regulating a preservation that could even be perpetual. To answer the question about the retention time of personal data, we need to start with the definition of ‘personal data’ under European law.

D. Farace (✉) Faculty of Medicine and Surgery, Università di Roma “Tor Vergata”, Rome, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_38

347

348

D. Farace

2 The Legal Framework: Personal Data Protection in European Law and in the Legal Systems of Member Countries The regulatory framework on personal data protection sees the concurrence of several sources. On the one hand, European legislation has chosen to directly regulate, and with binding effect for all countries of the Union, a plurality of aspects that define the general principles of the matter. Of particular relevance in this regard is the General Data Protection Regulation1 (GDPR) (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. On the other hand, a significant part of the regulatory framework remains the responsibility of individual states, which, after the GDPR came into force, may have updated existing legislative texts or issued new measures to replace previous ones. The first case, for example, occurred in Italy, where Legislative Decree No. 196 of June 30, 2003 (Personal Data Protection Code) was extensively amended by Legislative Decree No. 101 of August 10, 2018 (Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)). The second case, for example, occurred in Spain, where the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales, replaced the Ley Orgánica of 1999 (as the Disposición adicional decimocuarta states, ‘Las normas dictadas en aplicación del artículo 13 de la Directiva 95/46/CE del Parlamento Europeo y del Consejo, de 24 de octubre de 1995, relativa a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos, que hubiesen entrado en vigor con anterioridad a 25 de mayo de 2018, y en particular los artículos 23 y 24 de la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, siguen vigentes en tanto no sean expresamente modificadas, sustituidas o derogadas’). Let us start with the European definition of ‘personal data’. According to Art. 4, no. 1, GDPR, ‘personal data’ means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

Retention Time: Conservation of Personal Data (Part I)

349

more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. At this point, it is appropriate to keep the semantic valence of the terms ‘data’ and ‘information’ distinct, as suggested in the doctrine. In the doctrine, an appropriate distinction is made between data as a material element that can be derived from a certain substance, and information, which is the result of an elaboration carried out on the data itself (Finocchiaro 2012, p. 33: ‘the data is the source of the information, in which it is contained, and from the single data or set of data the information can be extracted or inferred. But information, strictly speaking, does not coincide with the data itself. Information is processing of the data’). From a human biological sample, it is possible to derive a plurality of data and information over time, even those that could not have been foreseen at the time the material was taken and stored. Indeed, the relentless progress of science makes it possible to derive and process data that, just a few decades ago, no one would have thought possible to consider. It is worth mentioning that personal data and information, in addition to not overlapping, do not coincide with the sample, of which, first of all, they do not share the object (they are intangible and therefore do not constitute biological material) and, secondly, they have already, in whole or in part, implemented the purpose (their collection, regardless of the use that will later be made of them). In general, a biobank may store personal data according to six categories of subjects: (a) personal data disclosed directly by the individuals from whom the biological samples were taken (so-called donors); (b) personal data disclosed by subjects who assist/represent incapacitated donors; (c) personal data relating to individuals who are in a special relationship with donors (e.g., family members of donors with respect to genetic data); (d) personal data of individuals who wish to be in contact with a biobank and who might benefit from sharing certain information (e.g., those with the same disease as the donors); (e) personal data of individuals who wish to enter into contact with a biobank for the purpose of receiving donor information; (f) personal data of deceased individuals. According to the GDPR, any activity that can be done with personal data constitutes ‘processing’. Specifically, according to Article 4(2) GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, be it by automated means or manual, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Of all the activities listed, storage, to which this section of the report is devoted, obviously comes into special prominence.

350

D. Farace

3 Data Retention Time: Four Key Guidelines Let us start with the meaning of the term ‘preservation’. No specific definition is devoted to it, however, this term is commonly used to indicate the activity of maintaining information stored on any medium. As far as the retention time is concerned, the European legislator has developed a discipline that would seem to run along four basic lines: 1. Principle of storage limitation: European standards require that data be kept for the minimum time necessary, and therefore as short a time as possible, considering the purposes that need to be achieved. We find such an indication expressed not only in No. 39 (according to which ‘The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review’), but especially in Article 5 GDPR, which – among the principles relating to the processing of personal data – states (par. 1, e) the principle of storage limitation, according to which ‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. 2. Storage for longer periods: Article 5(1)(e) goes on to state that specific purposes (such as scientific research) may require longer retention periods. Specifically, the provision previously quoted provides that ‘personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (par. 1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject’. 3. Traceability: European law devotes great importance to the traceability of tissues and cells stored in biobanks and, consequently, to the storage of the necessary personal data. Article 8(4) of Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells states that ‘Tissue establishments shall keep the data necessary to ensure traceability at all stages. Data required for full traceability shall be kept for a minimum of 30 years after clinical use. Data storage may also be in electronic form’. 4. Consent of the data subject: Subject to the different assumptions in the regulatory framework, the data retention period is an important part of the information that the controller must provide to the data subject, who is required to provide consent to the data processing. This point is expressed both in Articles 13 and 14 GDPR (according to which the controller shall provide the data subject with

Retention Time: Conservation of Personal Data (Part I)

351

information regarding the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period), and in Art. 15(1) (d) GDPR (according to which the data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning that individual are being processed, and, where that is the case, access to the personal data and, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period).

4 Conclusions In conclusion, summarising as best we can, we can draw the following picture: where there is a specific regulatory framework for the retention of data and information in biobanks, the interpreter will certainly apply it. For example, we have seen the 30-year time limit indicated in Art. 8(4) of Directive 2004/23/EC. Where this is not the case, it will be necessary to reconstruct the discipline applicable to individual cases by making use of all available sources (such as European recommendations, guidelines, measures issued by Supervisory Authorities and so on). For example, with reference to the case of Italy, two Measures of the Italian Data Protection Authority (AGPDP) can be mentioned. With the Provision of March 7, 2019 (Register of Provisions no. 55), where the retention periods for specific health records: ‘non siano stabiliti da una disposizione normativa, il titolare del trattamento, in virtù del principio di responsabilizzazione, dovrà individuare tale periodo in modo che i dati siano conservati, in una forma che consenta l’identificazione degli interessati, per un arco di tempo non superiore al conseguimento delle finalità per le quali i dati sono trattati (. . .) e indicare tale periodo (o i criteri per determinarlo) tra le informazioni da rendere all’interessato’ (p. 6).

In addition, as the Provision lays down the requirements for the processing of special categories of data, pursuant to Article 21, Paragraph 1 of Legislative Decree No. 101 of August 10, 2018 (Register of Provisions no. 146 of June 5, 2019), the AGPDP stated that: ‘i dati e i campioni biologici utilizzati per l’esecuzione della ricerca sono conservati mediante tecniche di cifratura o l’utilizzazione di codici identificativi oppure di altre soluzioni che, considerato il numero dei dati e dei campioni conservati, non li rendono direttamente riconducibili agli interessati, per un periodo di tempo non superiore a quello necessario agli scopi per i quali essi sono stati raccolti o successivamente trattati. A tal fine, è indicato nel progetto di ricerca il periodo di conservazione, successivo alla conclusione dello studio, al termine del quale i predetti dati e campioni sono anonimizzati’

References Finocchiaro G (2012) Privacy e protezione dei dati personali. Disciplina e strumenti operative. Zanichelli, Bologna Palazzani L (2017) Dalla bio-etica alla tecno-etica: nuove sfide al diritto. Giappichelli, Torino

Retention Time: Conservation of Tissues (Part II) ‘How Long Can Tissues Be Stored in a Biobank?’ Dario Farace

1 Introduction How long can, or should, a biobank store a sample of human biological tissue? This question cannot be answered uniquely or easily; the issue is highly complex and raises further questions at secondary levels. Indeed, we have a common but partial European regulatory framework, which the interpreter of the law must supplement from time to time by distinguishing between various specific hypotheses and on the basis of particular criteria. It would be desirable for homogeneous and detailed general rules to be issued, which would regulate the phenomenon in a more analytical manner than is the case today. The absence of an organic discipline, in fact, increases the risk of causing gaps, for some aspects and antinomies; for others, considering that the preservation of human biological tissues may involve more than one legal system, it poses further problems of possible conflicts between sources. In order to answer the question about the time of preservation of human biological tissues, it is necessary to start from the definition of ‘tissue’ under European law.

D. Farace (✉) Faculty of Medicine and Surgery, Università di Roma “Tor Vergata”, Rome, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_39

353

354

D. Farace

2 Biological Substances of Human Origin: The Regulatory Framework Today, there is still no unified or homogeneous regulatory framework either concerning biological substances of human origin or the places in which they are collected and stored. This discipline must therefore be reconstructed by resorting to general principles, multiple international, supranational and national sources and so-called soft law acts (Cippitani et al. 2020, pp. 59–60). European law considers biological substances of human origin in a number of sources. For the purposes of this paper, we can start from two definitions contained in a 1998 Directive and a 2016 Recommendation, both of which are specifically dedicated to research on biological materials of human origin. According to the Directive 98/44/EC of the European Parliament and of the Council of 6 July 1998 on the legal protection of biotechnological inventions,1 biological material means ‘any material containing genetic information and capable of reproducing itself or being reproduced in a biological system’ (art. 2, par. 1, lett. a). More recently, Recommendation CM/Rec(2016)6 of the Committee of Ministers to Member States on Research on Biological Materials of Human Origin (adopted by the Committee of Ministers on May 11, 2016 at the 1256th Meeting of Deputies of Ministers) provides in Article 2(1) that it applies to the following research activities: – the obtaining of biological materials of human origin for storage for future research purposes; – the storage of biological materials of human origin for future research purposes; and – the use in a research project of biological materials of human origin that are stored or were previously obtained for another purpose, including a previous research project. On the other hand (art. 2, par. 2), the Recommendation does not apply to embryonic and foetal biological materials or to the use of biological materials of human origin in a specific research project removed for the sole purpose of that project (because this is within the scope of the Additional Protocol concerning Biomedical Research). Trying to bring together the indications contained in the various European normative sources, we can say that the expression “biological material”, in a general sense, indicates any substance taken from or emitted by a human being and lacking its own ontological autonomy, which instead characterises, for example, a foetus or an embryo (Pezzati and Graziani 2008, p. 188). Biological materials may include (Novelli and Pietrangeli 2011, p. 1028) subcellular components (such as DNA, RNA or proteins), cells or tissues (such as blood, lymphocytes or stem cells), whole organs

1

Directive 98/44/Ec of the European Parliament and of the Council of 6 July 1998 on the legal protection of biotechnological inventions, OJ 30.7.98 L 213/13.

Retention Time: Conservation of Tissues (Part II)

355

(such as livers, placentas or kidneys) or excreted or secreted substances (such as exhaled air, tears or urine). It should also be borne in mind that specific provisions are dedicated to certain biological materials; we can mention, for example, Directive 2002/98/EC of the European Parliament and of the Council of 27 January 2003 setting standards of quality and safety for the collection, testing, processing, storage and distribution of human blood and blood components and amending Directive 2001/83/EC of the Commission Directive 2004/33/EC of 22 March 2004 implementing Directive 2002/ 98/EC of the European Parliament and of the Council as regards certain technical requirements for blood and blood components.

3 Tissues of Human Origin as Biological Materials Human biological tissue receives a specific definition in Art. 3(b) of Directive 2004/ 23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells. According to this definition, tissue means ‘all constituent parts of the human body formed by cells’. The Directive inserts the definition of tissue between that of cells (“individual human cells or a collection of human cells when not bound by any form of connective tissue”: art. 3(a)) and the one of organs (‘a differentiated and vital part of the human body, formed by different tissues, that maintains its structure, vascularization and capacity to develop physiological functions with an important level of autonomy’: art. 3(e)). The text of the Directive takes care to point out that although the use of organs raises to some extent the same issues as the use of tissues and cells, there are nevertheless profound differences, which is why the two issues should not be the subject of the same directive (Whereas 9). Tissues of human origin, as parts of the human body formed by cells, can therefore be counted among biological materials. In defining the applicable regulatory framework, three European Directives assume particular relevance: – the aforementioned Directive of the European Parliament and of the Council 2004/23/EC of March 31, 2004; – Commission Directive 2006/17/EC of 8 February 2006 implementing Directive 2004/23/EC of the European Parliament and of the Council as regards certain technical requirements for the donation, procurement and testing of human tissues and cells; – Commission Directive 2006/86/EC of 24 October 2006 implementing Directive 2004/23/EC of the European Parliament and of the Council as regards traceability requirements, notification of serious adverse reactions and events and certain technical requirements for the coding, processing, preservation, storage and distribution of human tissues and cells.

356

D. Farace

The European framework takes into account a number of personal rights, including those of fundamental importance, which may come into conflict with each other; these include the public health of the community of consociates, the individual right to health of individuals, minors of age, scientific research, human dignity, the protection of personal data relating to individuals and respect for the deceased. In this regard, mention should be made of at least Articles 2(8) and (9) of Directive 2006/17/EC (according to which ‘Procurement of tissues and cells from living donors shall take place in an environment that ensures their health, safety and privacy. Where appropriate, the staff and equipment necessary for body reconstruction of deceased donors shall be provided. Such reconstruction shall be completed effectively’), Section 2.2.1. of Annex 1 to the same Directive (which states ‘For any donation, the collection process must not interfere with or compromise the health or care of the donor. In the case of cord blood or amniotic membrane donation, this applies to both mother and baby’) and art.1 of Recommendation CM/Rec(2016)6, according to which ‘Member States should protect the dignity and identity of all human beings and guarantee everyone, without discrimination, respect for their integrity, the right to respect for private life and other rights and fundamental freedoms with regard to any research activity governed by this recommendation’. The need to balance the fundamental rights involved is thus brought to the fore. The European discipline clearly indicates that some interests must prevail over others. More specifically, we can highlight five cornerstones of the framework, around which the system of protection called upon to guarantee the fundamental rights at stake revolves: – activities that are performed on biological tissues of human origin involve a plurality of fundamental rights and interests, subjective and individual in nature but also collective and public; – such protected fundamental rights and interests do not have identical importance and relevance; – such rights and interests may be in harmony with each other as well as in conflict; – in case of conflict, a balancing act will be necessary to give prevalence to one or the other; this can be done expressly in general by the legislature, or on a situation-by-situation basis by the interpreter who has to resolve a concrete case; – the fundamental rights and interests at stake, both in terms of their recognition and their relevance, are not established and defined once and for all, but may change over time.

4 Biobanks Human tissues, like other biological materials, are preserved and kept in special collections. It is well known that such collections of biological materials can be defined in various ways and grouped under different categories.

Retention Time: Conservation of Tissues (Part II)

357

The use of the term ‘biobanks’ is commonly seen in the literature, an expression by which, as stated in the doctrine, we generally denote the institutions or operational and service units responsible for collecting, preserving, classifying, managing and distributing human biological materials, biological specimens or parts of the human body, donated by individuals or groups of healthy or sick individuals, for biomedical purposes (for research, prevention, diagnosis or therapy) within hospital departments or research centres. Biobanks also involve the collection of information (i.e., a set of biographical, genealogical and clinical data) and the storage of the data in a computer to make it possible to quickly find, correlate and compare them, as well as update them (thus Palazzani 2017, pp. 316–317). The legal regulation of biobanks is predominantly left to national legislators (Montanari Vergallo 2021, p. 181), although the issue is frequently seen in the minds of European legislators. Indeed, the European Union has dedicated several directives and recommendations to biobanks. Moreover, it is a constantly evolving subject in which the Union takes a special interest: art. 24 of Recommendation CM/Rec(2016)6 states that ‘This recommendation should be regularly re-examined after its adoption, notably in the light of new developments in the field and the experience acquired in the implementation of its guidelines’, while the Preamble stresses the importance of ‘taking into account the current and planned development of collections of biological materials of human origin at national level and the existence of collections set up for clinical purpose’. According to Directive 2004/23/CE art. 3(o), ‘tissue establishment’ means ‘a tissue bank or a unit of a hospital or another body where activities of processing, preservation, storage or distribution of human tissues and cells are undertaken. It may also be responsible for procurement or testing of tissues and cells’. A biobank thus appears to consist of two complexes of elements: biological samples on the one hand, and information/data (individual and collective) related to them on the other (Palazzani 2017, p. 317). In tissue collection, both profiles come to the fore, also with reference to the problem of preservation and custody. In fact, it is a matter of preserving and guarding both material elements (the collected tissues), acquired at a given time, and intangible elements (data and information referring to them), which can receive continuous updates. From the tissues, nucleic acids (DNA and RNA) can be extracted, with the related genetic data (Cippitani et al. 2020, p. 80). In this regard, Palazzani writes that ‘Biological sample is any sample of human biological material (e.g., blood, skin, bone marrow cells or plasma) in which nucleic acids are present and which contains the genetic characteristics of an individual’ (Palazzani 2017, p. 316, nt. 18). The European framework is also concerned with guaranteeing the fundamental rights of the people involved with specific reference to biobanks. Indeed, Article 20(2) of Recommendation CM/Rec(2016)6 provides that ‘Each collection should be subject to independent oversight which is proportionate to the risks involved for the persons whose biological materials are stored in the collection. Such oversight should aim in particular at safeguarding the rights and interests of the persons concerned in the context of the activities of the collection’.

358

D. Farace

5 A Reconstructive Proposal: Biological Materials and Biological Samples Often, the expression ‘biological material’ appears to be employed as a synonym for ‘biological sample’ or ‘sample of biological material’, but it is necessary to ask whether, for such categories, a distinction, which moves from an observation, might be useful (Farace 2017, p. 216). The expression ‘biological material’ of human origin seems to allude to substances taken or emitted when considered from the perspective of their physical consistency. In other words, these are the substances that come into prominence only from the objective point of view of their materiality. Evidently, biological samples, from the objective point of view, also consist of substances taken or emitted from the human body (Novelli and Pietrangeli 2011). However, in the biological sample, that is, in the sample of biological material, the purpose for which a certain substance is taken or emitted assumes an essential role, in addition to the objective materiality, meaning its purpose is the treatment to which it is intended to be subjected (Farace 2017, p. 216). A biological sample is material collected to fulfil a certain function (clinical-diagnostic analysis, scientific research, court investigation, etc.). These are biological materials in nature, rather than biological samples: thus, between the two categories there would seem to be a relationship akin to the one between genus and species. Biological materials taken or issued in function of a specific purpose become biological samples (i.e., samples of biological material, according to the expression used, for example, by Palazzani and Valle (Palazzani 2017, p. 316, nt. 18; Valle 2020, p. 210). A conclusion follows from this; purpose is an essential element of the biological sample. There can be no sample without a definite and determined function, for then we would be dealing with mere biological material.

6 Tripartition of Biological Samples Continuing the discussion examining the purposes for which a biological sample is taken or issued, we could assume a breakdown into three categories, based on the source: normative; judicial; voluntary. In some cases, the sampling finds its source directly in European regulatory acts or those of the member countries of the Union. This is the case, for example, under Articles 9(1) and (2) of Italian Law No. 85 of June 30, 2009, by which the Italian Republic acceded to the Treaty of Prum (Treaty concluded on May 27, 2005 between the Kingdom of Belgium, the Federal Republic of Germany, the Kingdom of Spain, the French Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands and the Republic of Austria, on the enhancement of cross-border cooperation, particularly for the purpose of combating terrorism, cross-border crime and illegal migration). According to the two aforementioned paragraphs, ‘For the

Retention Time: Conservation of Tissues (Part II)

359

purpose of entering the DNA profile into the national DNA database, biological samples shall be taken from: (a) subjects to whom the measure of pre-trial detention in prison or the measure of house arrest is applied; (b) subjects who are arrested in flagrante delicto or placed under suspicion of a crime; (c) subjects detained or interned following a final judgement, for a non-negligent crime; (d) subjects against whom an alternative measure to detention is applied following a final judgement, for a non negligent crime; and (e) persons against whom a custodial security measure is provisionally or permanently applied. The withdrawal referred to in paragraph 1 may be made only if proceedings are conducted against the persons referred to in paragraph 1 for crimes, not culpable, for which optional arrest in flagrante delicto is permitted (. . .)’. In other cases, the withdrawal is ordered by a court order. This is the case, for example, according to Article 224-bis, paragraph 1, Italian Code of Criminal Procedure, according to which: Quando si procede per delitto non colposo, consumato o tentato, per il quale la legge stabilisce la pena dell’ergastolo o della reclusione superiore nel massimo a tre anni, per i delitti di cui agli articoli 589-bis e 590-bis del codice penale e negli altri casi espressamente previsti dalla legge, se per l’esecuzione della perizia è necessario compiere atti idonei ad incidere sulla libertà personale, quali il prelievo di capelli, di peli o di mucosa del cavo orale su persone viventi ai fini della determinazione del profilo del DNA o accertamenti medici, e non vi è il consenso della persona da sottoporre all'esame del perito, il giudice, anche d’ufficio, ne dispone con ordinanza motivata l’esecuzione coattiva, se essa risulta assolutamente indispensabile per la prova dei fatti.

Finally, the withdrawal may be done on a voluntary basis. This occurs when, for example, for the purpose of scientific research, a person decides to donate biological materials so that the studies carried out on them can contribute to the progress of science. In this hypothesis, the consent of the donor or the person entitled to give it assumes fundamental importance. In this regard, Article 13 of Directive 2004/23/EC states ‘The procurement of human tissues or cells shall be authorised only after all mandatory consent or authorization requirements in force in the Member State concerned have been met. Member States shall, in keeping with their national legislation, take all necessary measures to ensure that donors, their relatives or any persons granting authorisation on behalf of the donors are provided with all appropriate information as referred to in the Annex’, while art. 21, par. 5 states that Member States ‘shall ensure that tissue establishments have agreements and procedures in place to ensure that, in the event of termination of activities for whatever reason, stored tissues and cells shall be transferred to other tissue establishment or establishments accredited, designated, authorised or licensed in accordance with Article 6, without prejudice to Member States’ legislation concerning the disposal of donated tissues or cells, according to the consent pertaining to them’.

360

D. Farace

In addition, Recommendation CM/Rec(2016)6 distinguishes based on whether the subject is able or unable to consent. In the case of the former, Article 11(1) provides that ‘Biological materials should only be removed for storage for future research with the prior, free, express and documented consent of the person concerned that is: i. specific to the intervention carried out to remove the materials; and ii. as precise as possible with regard to the envisaged research use’. In the second case, according to Articles 12(1) and (2), ‘Biological materials from a person who, according to law, is not able to consent should only be obtained or stored for future research having the potential to produce, in the absence of direct benefit to the person concerned, benefit to other persons in the same age category or afflicted with the same disease or disorder or having the same condition, and if the aims of the research could not reasonably be achieved using biological materials from persons able to consent. Biological materials should only be removed for storage for future research from a person not able to consent under the following conditions: a. the removal only entails minimal risk and minimal burden; and b. written authorisation for such removal has been given by the representative or an authority, person or body provided for by law (. . .)’. In the case of voluntary removal, it will be necessary to consider whether the act performed by the person concerned does not collide with the numerous imperative norms that protect the fundamental rights of the human being and that bestow a number of prohibitions and specific obligations; for example, with reference to gratuitousness or the validity of the consent given by the donor subject. In addition, the donor may have given consent to use the tissue only to conduct specific research, i.e., for a given period of time. To summarise these findings, biological material is considered in its physical essence, while biological samples always presuppose a processing aimed at performing a function. In biological material only the object is relevant, while in the biological sample both the object and purpose are relevant. The distinction between the categories considered leads to relevant differences in discipline, including with reference to tissue retrieval and preservation.

7 The Retention Time of Tissues The preservation and custody of human biological tissues is a notoriously sensitive and problematic issue. Various profiles and interests come into play, such as the characteristics of the preserved tissue and the manner of preservation or the purposes for which the tissue sample was taken (e.g., the tissue might have been donated for the purpose of specific research, at the end of which the destruction of the sample is expressly provided for). One must also consider the circumstance, reported in the

Retention Time: Conservation of Tissues (Part II)

361

doctrine, that many working groups choose not to establish precise time limits for the preservation of samples, instead preferring to identify a guiding criterion: the likelihood that preserved samples have of generating scientifically useful information (thus Novelli and Pietrangeli 2011, p. 1048). Let us start with the meaning of the term preservation: Directive 2004/23/EC uses this word to define (art. 3(h)) ‘the use of chemical agents, alterations in environmental conditions or other means during processing to prevent or retard biological or physical deterioration of cells or tissues’. This definition must be linked with the previous definition of storage, which ‘means maintaining the product under appropriate controlled conditions until distribution’ (art. 3 (j)). However, the duration of preservation is considered piecemeal. Article 15 of Recommendation CM/Rec(2016)6 dictates a general rule regarding the preservation of biological materials within biobanks: ‘Biological materials intended to be used for future research should only be stored in a structured manner and in accordance with the principles of governance laid down in this chapter’. We can therefore paint the following picture: Where there is a specific regulatory framework for the preservation of tissue, and data and information relating to it, the interpreter will undoubtedly apply it. Where this is not the case, it will be necessary to reconstruct the discipline applicable to individual cases by making use of all available sources (such as European recommendations and regulatory acts of EU Member States), including— where they exist—the statutes of individual biobanks. In this regard, the categories suggested in the preceding paragraphs may be of help. In particular, with regard to preservation times, a distinction can be made between times related to the biological material, which depend on the specific characteristics of the tissue under consideration, and times related to the biological specimen, which are linked instead to legal availability or usability. Regarding the first aspect, a given tissue might be unusable, for example, after the passage of a certain number of years, or after it has undergone a certain treatment. According to art. 2(r) of Directive 2006/86/EC, ‘expiry date’ means ‘the date by which the tissues and cells can be applied’ (as defined in Annex VII to the Directive). With reference to the second aspect, the storage time could have been determined by the donor subject, who had from the outset foreseen a certain period or use, after which it would no longer be possible to store or use the tissue. On the other hand, there could have been a revocation of the consent initially given, as provided for in Article 13 of the Recommendation CM/Rec(2016)6, according to which: When a person has provided consent to storage of identifiable biological materials for future research, the person should, without being subject to any form of discrimination, in particular regarding the right to medical care, retain the right to withdraw consent at any time, and, where possible, should also be able to alter the scope of that consent. When identifiable biological materials are stored for research purposes only, the person who has withdrawn consent should have the right to have, in the manner foreseen by law, the materials and associated data either destroyed or rendered non-identifiable. The person who is considering withdrawing consent should be made aware of any limitations on withdrawal of his or her biological materials. The representative, authority, person or body

362

D. Farace

provided for by law having given authorisation for storage for future research of identifiable biological materials removed from a person who, according to law, is not able to consent, should have the rights referred to in paragraph 1 without any form of discrimination for the person from whom the material has been removed, in particular regarding the right to medical care. Where the person from whom biological materials have been removed attains or regains the capacity to give consent, that person should have the rights referred to in paragraph 1.

In addition, it will be necessary to identify whether more specific rules are in place within member States. For example, according to ‘Linee guida su tracciabilità, raccolta, trasporto, conservazione e archiviazione di cellule e tessuti per indagini diagnostiche di anatomia patologica’,2 issued in May 2015 by the Italian Consiglio Superiore di Sanità (Sect. I): Per quanto concerne il materiale campionato (blocchetti in paraffina e vetrini), la previsione di un termine minimo di conservazione appare più complessa e richiede, almeno in astratto, di esaminare una pluralità di fattori concorrenti. Ciò premesso e come già precisato, la fissazione di un termine di durata minimo comporta che alla sua scadenza non si riscontra alcun obbligo di distruzione o di smaltimento del materiale, ma la sola estinzione dell’obbligazione avente a oggetto la conservazione del materiale. La struttura sanitaria potrà, pertanto, continuare a detenere il materiale per un periodo più lungo rispetto a quello indicato (. . .). Posta pertanto la necessità di porre un termine minimo di durata dell’obbligo di conservazione, segnalandosi l’esigenza di un intervento normativo sul punto, si ritiene che tale termine possa, congruamente, essere determinato in dieci anni (pp. 32–33).

References Cippitani R, Colcelli V, Langella A, Mirabile A, Maierà A (2020) L’istituzione di una biobanca di ricerca: questioni etico-giuridiche. Il caso della biobanca dell’Umbria. Diritto e processo:53–96 Farace D (2017) Campioni biologici - Diritto civile. Enc. ital. Treccani, IX Appendice. Rist. agg. Ist. Enc. Ital., Roma, pp 215–218 Ministero della Salute-Consiglio Superiore di Sanità (2015) Linee guida su tracciabilità, raccolta, trasporto, conservazione e archiviazione di cellule e tessuti per indagini diagnostiche di anatomia patologica. https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_allegato.pdf. Montanari Vergallo G (2021) Campioni biologici da vivente capace e biobanche di ricerca: raccolta, utilizzo e circolazione. Eur J Priv Law Technol:180–198 Novelli G, Pietrangeli I (2011) I campioni biologici. In: Canestrari S, Ferrando G, Mazzoni CM, Rodotà S, Zatti P (eds) Il governo del corpo, in Trattato di biodiritto Rodotà-Zatti, 1. Giuffrè, Milano, pp 1027–1061 Palazzani L (2017) Dalla bio-etica alla tecno-etica: nuove sfide al diritto. Giappichelli, Torino Pezzati P, Graziani MS (2008) Bioetica ed uso dei campioni biologici umani. Biochimica clinica 32: 186–191 Valle L (2020) Il contratto e la realizzazione dei diritti della persona. Giappichelli, Torino

2

Ministero della Salute-Consiglio Superiore di Sanità (2015).

Retrospective Research ‘Is the Use of Broad Consent for Retrospective Research on Data and Tissue Possible in the Framework of GDPR?’ Balázs Hohmann and Gergő Kollár

1 Introduction Compared to all previous ages, there is a greater demand today for the exploration of already recorded and stored health data and, thus, personal health data with scientific research (Tang et al. 2006, p. 123). This need is easy to understand because it allows medicine to meet rapidly changing challenges and to move as soon as possible in line with expectations (Widmer et al. 2018, pp. 630–632). In the context of today’s coronavirus epidemic, this may not need to be further substantiated in our argument. It is the general experience of society that a rapid response to critical health situations can be key, and this requires sound scientific research and credible and complete data (Del Rio and Malani 2020, pp. 1339–1340). In this environment, retrospective research that uses data, including personal health data, previously provided for other purposes (e.g., for the provision of health services, fulfilment of a contract, identification of samples) to achieve later research goals becomes extremely important (Sim and Wright 2000, p. 36). However, this has created significant data protection compliance risks: if the data subject originally gave a broad consent to the processing of his or her personal data, the emerging research goal will undermine the legitimacy and purpose of the European data protection legal regime. All of this could ultimately lead to the research being based on illegal data management, which is, of course, not a viable alternative (Wendler 2006, pp. 544–547). In the present study and in trying to answer the main question, the authors attempt to prove that the data subject’s consent as a legal basis for data management can initially be unconditionally used for prospective research as well as for retrospective research. Indeed, a legal approach based on balancing interests or performing a B. Hohmann (✉) · G. Kollár Faculty of Law, University of Pécs, Pécs, Hungary e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_40

363

364

B. Hohmann and G. Kollár

public task is much more advantageous. This can lead to more predictable data processing if the data is processed from the outset based on point (e) or (f) of Article 6 (1) of the GDPR1 (in case of withdrawal of consent, they either change the legal basis or delete the data). According to the ethical rules, sampling is subject to authorisation; if the data subject has already agreed to it, it is not necessary to consent to the data processing (the use of sampling is necessarily accompanied by the processing of the data, and this must be clear to the data subject as well; Steinsbekk et al. 2013, pp. 897–902). According to Article 9 (1) of the GDPR, the processing of genetic and biometric data and health data for the unique identification of natural persons is prohibited. This prohibition shall not apply in the event of any of the exception rules set out in paragraph 2 applies. Paragraph 2 does not include a legal basis like Article 6 (b) (or similar), therefore in the performance of a contract, it is not possible to process personal data solely under Article 6(b), so some other exception must be met. In this respect, the legal basis governing the performance of the contract will not be applicable to these relations. The following sections take a closer look at the professional and legal arguments and counterarguments about the applicability of broad consent.

2 Link Between Broad Consent and Secondary Use of Health Data The incompleteness of the topic is well indicated by the fact that the European Commission has also perceived the lack of data protection issues in scientific research: intensive communication with the European Data Protection Board resulted in a guideline in 2020 in line with COVID-19 research (Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak). This raises, inter alia, the legal basis and a suitable purpose. The dilemmas are mainly caused by the fact that one of the most important principles of data protection that permeates the entire regulatory logic is the purpose limitation principle, which is enshrined in Article 5 (1) (b) of the GDPR and means that the data may be ‘collected only for specified, explicit and legitimate purposes’. The closely-related principle of data saving (Article 5 (1) (c)) states that the data must be ‘appropriate, relevant and limited to what is necessary for the purposes of the processing’. Defining the purpose defines and limits the entire data processing, including what data the data controller collects and for how long it can be retained.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

Retrospective Research

365

According to recital 159 of the GDPR, ‘the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research’. According to Article 29, ‘scientific research’ means a research project established in accordance with methodological and ethical standards relevant to the appropriate sector and in accordance with good practice. Recital 33 of the GDPR is somewhat more permissive as regards the accuracy of the definition of the research purpose: ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose’. This is a justified approach since during research, it is often possible to determine additional research directions based on the knowledge of the partial results. However, this by no means suggests that when defining the purpose, it would be sufficient to refer to it in only a very general way (e.g., ‘we process your personal data for research purposes’); rather, the provision of information should seek to ensure that the purpose of the research is as precise as is known at the time the data processing begins. Naturally, an altruistic attitude towards the data management concerned may arise, which is also approached in the literature as ‘data altruism’. The essence of the concept is that the data subject in exercising his/her right to information selfdetermination may decide to transfer the data provided during the use of health care to the data controller without any further restrictions in order to carry out scientific research, to achieve research results based on the data and to add the above contribution to the progress and development of humanity and society (Gefen et al. 2020, pp. 552–556). This phenomenon is more common than it first appears, but it must also be maintained that despite the information provided, the data subject does not necessarily first see the potential effects of full, wide-ranging consent. This is the reason regulatory solutions to protect the rights of stakeholders, which are built into the regulatory logic of the GDPR, are important to prevent abusive uses. Regarding secondary use, a special regulatory situation may arise during the use of health data for research purposes or for the further use of data collected for other research purposes. The exception to Article 89 (1) of the GDPR appears in several places in relation to the compatible purpose and limited storage capacity, all of which could constitute a ‘simplified’ secondary use option. In this case, if the purpose of data management is scientific research and anonymisation is not objectively possible—because, for example, the data subject always remains identifiable on the basis of genetic data (if possible, it must be anonymised to achieve compliance) but the data have been anonymised—the lawfulness of the purpose cannot be called into question and the rules on ‘deletion time’ (limited storage life) do not have to be taken into account. In practice, the lawfulness of the previous data processing is the

366

B. Hohmann and G. Kollár

only requirement for the further use of the data for research purposes (research cannot be legally carried out using a database affected by abuse). Ultimately, deletion accompanied by withdrawal of consent does not necessarily have to be complied with as it is also a ‘manifestation’ of limited storage (the intended cancellation time in the case of consent is either a specific date or an unspecified moment of withdrawal). Taking also into account recital 50 of the GDPR, which states that compatible objectives do not require a new legal basis and that scientific research constitutes a compatible objective (both here and under Article 5 (1) (b)), it is ultimately not an objective, and neither the retention period nor the legal basis need to be re-examined for legality (if the data come from a legitimate source). This issue leads to the issue of compatibility, the different European view of which necessitates a closer examination.

3 Assessment of Compatibility of the Purposes of Data Processing If previously recorded personal data is to be used for another purpose at a later date, the current legislation requires an examination of the compatibility between the original purpose and the new purpose, which in our case, will be used for scientific research. In that regard, Recital 50 of the GDPR states: The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful.

In this respect, the GDPR lays down lighter requirements than the previous Data Protection Directive,2 which did not necessarily allow compatibility to be examined in this area. This is evidenced by WP 203 Opinion 03/2013, in which the advisory board explains that ‘the previous Directive Article 6(1)(b) and recital 28 of the Directive that the purposes of processing must be specified prior to, and in any event, not later than, the time when the collection of personal data occurs’, and at the same time, emphasises that deviation from the purpose is prohibited during data processing. But we can already see in this opinion that ‘a change of purpose may be permissible, and further processing may be considered not incompatible,

2

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Retrospective Research

367

provided that the compatibility test is satisfied’, even if the regulatory background for this was not available in the light of the requirements of the Directive and, in these cases, re-consent or another new legal basis could have been considered. The stakes are huge: the most important consequence of a positive compatibility assessment is that there is no need to find a new legal basis for handling the data. Since the GDPR itself stipulates that scientific research is a compatible objective, it can be said that there is no need to define a new legal basis for the processing of data for research purposes under the current rules. This position is confirmed by the GDPR, which also provides compatibility criteria for individual cases [Article 6 (1)] but considers certain purposes to be compatible from the outset: in accordance with Article 89 (1), further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes shall not be considered incompatible with the original purpose. These ‘ex lege compatible’ purposes do not require a separate examination of compatibility but should be considered as compatible, lawful data processing operations provided that the conditions set out in Article 89 (1) (appropriate safeguards and measures) are met. It should be noted that the practice may differ from one EU Member State to another because Member States may have different rules on research issues, creating a possibility of a public interest-based legal basis which in this case, facilitates the verification of the lawfulness of such processing.

4 The Assessment of the Issue Is Related to the Activities of Biobanks If we try to judge the issue in relation to the activities of biobanks, it can be stated that the authorisation of the data subject to store biological samples under the current regulations alone will not be enough to conduct scientific research on them without further consent. The main reason for this is that the objectives will differ to such an extent that they will not be compatible based on the described compatibility assessment. It is important to note that research consent does not equate to data processing consent; regarding the data protection aspects of research, the purposeful statement already outlined can be used to obtain the data subject’s lawful consent to data processing (Staunton et al. 2019, pp. 1160–1164). The European Commission’s 2012 report on the activities of Biobanks also points out that broad consent is not well received by stakeholders and that it would be better to use a dynamic consent solution (with web 2.0 tools) that would allow data subjects to give their consent to data processing in a proactive way using more flexible methods (European Commission 2012, p. 58). The Commission also cites a lack of accurate knowledge and awareness of the functioning of biobanks as a general problem (EC Report 2012, p. 58).

368

B. Hohmann and G. Kollár

Nevertheless, for most applications, consent is the basic legal basis for biobanks (Kaye et al. 2016, pp. 195–200) because the contractual legal basis cannot be used for the previously stated reasons and public interest-based processing is only granted if allowed by Member State legislation. In this connection, it can be said that the problem can be solved with the legal logic of the GDPR. Assuming that according to the recitals of the GDPR, it is possible to formulate the objectives more broadly in the case of scientific research and that they may even change in part over time, this analysis in fact concludes that data processing will be lawful if the data subject also contributes to related data management (i.e., not only to participate in the research but also to the data collection necessary for the conduct of subsequent research).

5 Conclusion In the light of the findings of the study, consent can be an excellent legal basis for the data management of research activities in the case of prospective research, while in the case of retrospective research, widespread consent may in some cases raise more concerns than it dissolves about the lawfulness of data processing. In these cases in which research is carried out on already obtained personal health data, the public interest or legitimate interests pursued by the controller may be the appropriate legal basis in the first place, provided that the conditions are met. This makes data processing more predictable and independent of the data subject’s consent, while, of course, maintaining the rights of other data subjects. Nevertheless, in the case of biobanks, consent has typically been the legal basis used when personal data were originally collected—in this respect, research activities would remain feasible for compatible data management purposes if the data subject had agreed not only to store samples but also to carry out research activities. Again, the goals should be set in as much detail as possible. It is also important to prepare the system for an erasure request from a potentially affected party. Due to the nature of the consent, it is necessary to provide and prove the voluntary nature, so a situation may arise in which the data subject agrees to the sampling but does not consent to the processing. This results in problematic practice because in the absence of other data, the person concerned can be identified based on genetic data. Regardless of the choice of the appropriate legal basis, a breach of the obligation to provide information could potentially cause problems in this case as well. Due to the nature of data management, complex and difficult-to-understand relationships need to be brought to the attention of the data subject, indicating their changes, so this can be a similarly large task in developing transparent information methods, especially for data processing based on broad consent. This can be formulated as a proposal, both in the case of consent and in the case of data processing based on public interest/legitimate interest, that allows dynamic solutions to protest. This could include raising awareness, informing about new research goals/methods and offering the opportunity to protest here instead of

Retrospective Research

369

actively asking for consent—failing which, data management could continue; thus, user ‘fails’ (e.g., forgets to give consent) can be reduced. This would allow for more predictable data management without the prior consent of stakeholders by using a non-consent-based approach.

References Del Rio C, Malani PN (2020) COVID-19—new insights on a rapidly changing epidemic. Jama 323: 1339–1340. https://doi.org/10.1001/jama.2020.3072 European Commission (2012) Biobanks for Europe – a challenge for governance. Report of the Expert Group on Dealing with Ethical and Regulatory Challenges of International Biobank Research European Data Protection Board (2020) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak Gefen G, Ben-Porat O, Tennenholtz M, Yom-Tov E (2020) Privacy, altruism, and experience: estimating the perceived value of Internet data for medical uses. In: Seghrouchni et al (eds) Companion proceedings of the web conference 2020. Association for Computing Machinery, New York, pp 552–556 Kaye J, Briceño Moraia L, Curren L, Bell J, Mitchell C, Soini S, Hoppe N, Øien M, Rial-Sebbag E (2016) Consent for biobanking: the legal frameworks of countries in the BioSHaRE-EU Project. Biopreserv Biobank 14:195–200 Sim J, Wright C (2000) Research in health care: concepts, designs and methods. Nelson Thornes, Cheltenham Staunton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27:1159–1167 Steinsbekk KS, Kåre Myskja B, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Hum Genet 21:897–902. https://doi.org/10.1038/ejhg.2012.282 Tang PC, Ash JS, Bates DW, Overhage JM, Sands DZ (2006) Personal health records: definitions, benefits, and strategies for overcoming barriers to adoption. J Am Med Inform Assoc 13:121– 126 Wendler D (2006) One-time general consent for research on biological samples. BMJ 332(7540): 544–547. https://doi.org/10.1136/bmj.332.7540.544 Widmer MA, Swanson RC, Zink BJ, Pines JM (2018) Complex systems thinking in emergency medicine: a novel paradigm for a rapidly changing and interconnected health care landscape. J Eval Clin Pract 24:629–634. https://doi.org/10.1111/jep.12862

Scientific Research and the Biomedical Sector. Requirements and Methods for Planning and Managing a “Data Protection by Design” Project ‘How Can a Scientific Research Project Be Planned and Managed to Comply “By Design” with GDPR?’ Paolo Guarda and Giorgia Bincoletto

1 The GDPR Regime on Scientific Research and the Biomedical Sector Scientific research in the healthcare sector is characterised by a high level of complexity, and it is necessary to achieve a correct balance between the rights and interests involved (von Bogdandy and Bast 2020). In particular, data sharing and collaborative research have become imperative in contemporary science, and the development of this research depends inextricably on opportunities for accessing and using data, on possibilities for sharing practices and methods, and on crosschecking of information in different disciplinary sectors. If properly managed, this sharing allows the costs of scientific research to be reduced, and unnecessary duplication avoided. Biobanks are institutions that have acquired great relevance and represent essential organisational structures for biomedical research. Unlike traditional collections of biological samples, biobanks are characterised by their own features in both quantitative terms (the systematic nature of the collection), and qualitative terms (the standards adopted to preserve the genetic-molecular integrity of the biomaterials stored there). The data collected may be considered personal data, and natural persons have individual interests in safeguarding them. The processing of personal data for biomedical research purposes is subject to European Union (EU) and national data protection requirements. Many rules have been introduced to safeguard natural persons with regard to the processing of their health data. Thus, data protection law imposes conditions that limit the processing of

P. Guarda authored Sect. 1; G. Bincoletto authored Sects. 2 and 3. P. Guarda (✉) · G. Bincoletto Faculty of Law, University of Trento, Trento, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_41

371

372

P. Guarda and G. Bincoletto

information for scientific purposes and determine the lawful point of contact between the interests involved (Ducato 2020). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (the General Data Protection Regulation; hereinafter: the GDPR)1 confirms European legislators’ preference for processing for research purposes, whether “secondary” or carried out for a primary purpose, following the approach of the former Directive 95/46/EC (Manis 2017). Thus, a special and privileged regime on data processing related to research activities is provided in the GDPR. To enhance scientific research, the GDPR provides an exception to the cornerstone purpose limitation principle. Article 5(1)(b) states: ‘further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)’. A scientific research purpose is a priori considered compatible. Article 89 is the pivotal regulatory provision with reference to scientific research. Addressing the guarantees required by its paragraph 1, it allows derogation from some principles of the processing of personal data (Article 5(1)(b) limitation of purposes and (e) limitation to conservation, and Article 9(2)(j) of the GDPR on research with particular data) and from the exercise of a series of rights of the interested party (Articles 14, 15, 16, 18, 21 GDPR: right to receive information, right of access, right of rectification, right of limitation and right to object to processing) (Duguet and Herveg 2021). In addition to technical and organisational measures, research should follow ‘recognised ethical standards’, as recommended by Recital 33 GDPR. Turning to the particular type of data generally processed in the medical and scientific context, we define data concerning health to be ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’ (Article 4, point 15, GDPR). These data are included in the list of special categories of personal data referred to in Article 9 GDPR and are, therefore, subject to the general prohibition on processing that is laid down in the first paragraph (Georgieva and Kuner 2020). There are, however, some exceptions to this prohibition, and these can be divided into three groups (Schneider 2020): (1) the data subject has given consent to the processing pursuant to Article 9(2)(a) or, closely related to this, there is a need to protect a vital interest of the data subject (Art. 9(2)(c)) or the personal data have been manifestly made public by the data subject (Art. 9(2)(e)); (2) processing needed for reasons of substantial public interest (Art. 9(2)(g)), for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

Scientific Research and the Biomedical Sector. Requirements and. . .

373

treatment or management of health or social care and systems and services referred to in Article 9(2)(h) (hereinafter: ‘healthcare exception’), and for reasons of public interest in the field of public health pursuant to Article 9(2)(i); and (3) processing necessary for scientific or historical research purposes or for statistical purposes pursuant to Article 9(2)(j) (hereinafter: ‘research exception’). This discipline is complementary to the general requirements for lawful data processing pursuant to Article 6 GDPR. Some critical profiles of ‘failed harmonisation’ may emerge from the provisions of Article 9(4) GDPR, which allows Member States to decide whether or not to maintain the legal bases provided by the EU regulation or to introduce additional conditions and limitations with regard to the processing of special categories of personal data, such as biometric, genetic, or health-related data (Guarda 2021; TIPIK Legal 2021). Derogations and different national regimes may create barriers to research activities. The ‘Preliminary opinion on data protection and scientific research’, adopted on 6 January 2020 by the European Data Protection Supervisor (EDPS 2020) and the ‘EDPB Document on response to the request from the European Commission for clarification on the consistent application of the GDPR, focusing on health research’ by the European Data Protection Board (the EDPB), of 2 February 2021,2 complete the main regulatory framework. In the first document the EDPS reviews the ethical standards applicable to scientific research and analyses selected issues in the data protection framework. The right to information and the nature of informed consent play pivotal roles. The authority specifies that the presumption of compatibility requires a careful analysis by the controller, and that it even requires the implementation of the safeguards of Article 89, such as a data protection impact assessment (EDPS 2020, p. 21). The second document highlights the existence of legal grounds other than the explicit consent of the data subjects, since this basis may be inappropriate in research studies where there is an imbalance of power between the controller and the individuals. Moreover, the EDPB clarifies that when personal health data are collected for a primary purpose based on the ‘healthcare exception’, and the controller relies on the presumption of compatibility for a secondary scientific research purpose, the conditions and safeguards of Article 9 still apply, meaning that an exception based on EU or Member State law must be found. EU law does not define the safeguards under Article 9(2)(j), meaning that different conditions may be established by the law in different Member States for scientific research in the medical field. The EDPS reported that Member States’ laws ‘generally require prior informed consent from the participant in a research project for the processing of health data’ unless exceptional situations apply (EDPS 2020, p. 14).3 It should be

2

https://edpb.europa.eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf. See also EDPB, ‘Opinion 3/2019 concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR)’, European Commission, 2019.

3

374

P. Guarda and G. Bincoletto

stressed here that this consent is different from informed consent as a human participant in a scientific research study, which is also an ethical requirement. As regards the biobanking sector, the material dimension of DNA appears to be governed by the data protection field because of its informational dimension, and it is therefore subject to the requirements mentioned above (Penasa and Tomasi 2021; Taylor 2012). The GDPR also dedicates a specific and pivotal definition to genetic data in Art. 4(13) (Slokenberga et al. 2021): ‘“genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’. This type of data consists of information extracted from the biological samples of a person and contains hereditary genetic characteristics. The applications of biotechnology to humans have posed increasingly important ethical and legal questions, in particular about the possible effects of the indiscriminate use of such information on the fundamental rights of individuals and on the freedom of scientific research (Gerards 2005). This contribution is organised as follows. After this analysis of the data protection framework applicable to scientific research in the biomedical sector, Sect. 2 discusses the data protection by design obligation established by the GDPR and Sect. 3 provides brief guidance on the technical and organisational measures that must be implemented in a scientific project if it is to be compliant with data protection law.

2 The Data Protection by Design Requirement The data protection regime represents a challenging issue when a scientific project is being planned in the biomedical sector. All the data processing operations, meaning all the activities involving personal data, must guarantee the data protection of the data subjects and comply with the requirements established by the GDPR and the national law.4 One of the most commonly discussed and complex obligations of the legal framework is the ‘data protection by design’ (DPbD) provision of Article 25(1) GDPR. This ambitious and binding requirement plays a central role in the governance of any scientific research project. The DPbD provision derives from the “privacy by design” (PbD) approach that proposes that privacy principles and legal values should be built into the design and architecture of Information and Communication Technologies (ICT) and business practices to improve compliance with the legal system (Bincoletto 2021). PbD was first discussed by Ann Cavoukian, the Privacy Commissioner of Ontario (Canada), and it was later recognised as an essential component of fundamental privacy protection at international level in the “Resolution on privacy by design” of 2010,

4

As mentioned, Member States may provide different rules on personal health data. Therefore, the following investigation only considers the European level.

Scientific Research and the Biomedical Sector. Requirements and. . .

375

approved during the 32nd International Conference of Data Protection Authorities and Privacy Commissioners (Cavoukian 2010). This concept requires a comprehensive rethinking of the way personal data is handled, in a change from a static perspective to a proactive and dynamic approach that implements both technical and organisational measures. As argued by Klitou, PbD entails an ongoing process that needs continuous advancement and re-assessment (Klitou 2014). While at international level the approach is based on the Principles of Fair Information Practices (e.g. the OECD Guidelines5), at European level the principle of DPbD stands in the framework of the GDPR and its general obligations. Article 25(1) GDPR establishes that, in order to demonstrate compliance with the legal requirements, the data controller should implement appropriate technical and organisational measures that are designed to comply with data protection principles in an effective manner and to integrate the necessary safeguards into the processing, both at the time of the determination of the means for processing and at the time of the processing itself. In addition, the data controller should take into account the following criteria: the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, and the risks, of varying likelihood and severity, to the rights and freedoms of natural persons posed by every processing operation. The evaluation and assessment of the possible risks should be carried out in advance and very carefully, and this should be done in addition to the security and data protection impact assessments (Arts. 32 and 35 GDPR). Compliance with Article 25 can be demonstrated by the use of an approved certification mechanism (Art. 42 GDPR). Therefore, data protection by design requires that GDPR principles and rules are incorporated into the design of the data processing, both at the level of practices and processes and, more importantly, at the level of technical solutions. Complying with this obligation is complex: the requirement does not provide fixed solutions and tools, and the language of the text is vague (Bygrave 2020; Rubinstein and Good 2019). The subject that should implement the DPbD measures is the data controller, meaning the ‘natural or legal person, public authority, agency or other body’ who determines the purposes and means of the data processing (Art. 4(7) GDPR). During a research project the controller frequently, under Article 28 GDPR, delegates some processing operations to a data processor (e.g. the developer of the technology, a service provider, a cloud provider, etc.). This subject should support the controller in fulfilling the DPbD obligation, and implement appropriate technical and organisational measures. However, the controller remains responsible and may be found liable and accountable for violations of the requirement. The measures to be implemented should be both technical and organisational. Article 25 and Recital 78 of the GDPR mention, as appropriate measures, minimisation, measures to enhance transparency and control, measures to create

5

OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, in the form of a Recommendation by the Council of the OECD, 1980.

376

P. Guarda and G. Bincoletto

and improve security during processing, and pseudonymisation. The implemented measures should be documented and described in detail. When determining the measures, the data controller can take into account the ‘state of the art’, meaning the existing, newest and available knowledge in a specific field that is the most effective in achieving the legal protection. As a result, the measures can be chosen from what is currently available in the market. However, the controller should keep the measures up-to-date. In addition to the state of the art, the controller can consider the ‘cost of implementation’ of the measures. The cost has been defined as economic feasibility and should include time, business costs and human resources (EDPB 2019). A cost–benefit analysis should be performed. Moreover, the data controller should evaluate and take into account the ‘nature, scope, context and purposes’ of the processing, which can be explained as the characteristics of the data processing operations; these are frequently determined during the data protection impact assessment (Bygrave 2020). This criterion concerns: the type of activities on the data and the categories of data; the way the processing is carried out (e.g. whether or not automated means will be used); the size and range of the data processing; the circumstances of the processing, including the place; and the purposes of each processing operation (Bincoletto 2021; EDPB 2019; Jasmontaite et al. 2018). As regards the evaluation of the risks associated with the data processing, Article 25 requires a data protection risk assessment to be carried out independently of the application of Article 35 GDPR (EDPB 2019). This assessment should consider both the magnitude of a risk and the possibility of its occurring. The data controller must put in place internal policies and implement technical measures that effectively meet all the data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (Art. 5 GDPR). For example, the controller should minimise the processing of personal data by applying pseudonymisation techniques as early as possible, and providing effective transparency regarding the purposes of the processing operations. In the Guidelines on Article 25 Data Protection by Design and by Default, the EDPB provides examples of implementation for each principle (EDPB 2019). In addition to the principles, the controller should protect the rights of data subjects (Arts. 12–22 GDPR) by integrating safeguards. DPbD must be adopted both ex ante and while processing is pending and until its conclusion, meaning data deletion or effective anonymisation. The approach should also be coordinated with the other rules of the GDPR, including the security obligations (Art. 32 GDPR) and the requirement for data protection by default according to Article 25(2). It should be noted that Article 25 is an enforceable obligation. A violation of this provision may be punished by the national supervisory authority according to Articles 82 and 83 of the GDPR. If a scientific project does not comply with the DPbD requirement, there is a risk of administrative sanctions being incurred. Before that, the competent ethical committee that evaluates the project may postpone the beginning of the activities until more measures are implemented, or

Scientific Research and the Biomedical Sector. Requirements and. . .

377

may stop the planned activities when data protection is not sufficiently and effectively taken into account. Selecting and interpreting the applicable data protection rules and principles to determine the measures is a challenging activity even for legal scholars and practitioners. Researchers are usually in charge of a scientific project, and the involvement of legal experts (e.g. the data protection officer) frequently follows the drafting of the scientific protocol. However, the team for the DPbD implementation must be interdisciplinary, and both biomedical/technical and legal experts should be included in the planning and management of the project. This is necessary to take into account, simultaneously, the state of the art of the technology adopted for the data processing and the related engineering methodologies and approaches, the management of processing activities at the organisational level, and the applicable legal requirements in the data protection framework (Bincoletto and Guarda 2021). The rules grant flexibility to data controllers. As pointed out by Tamò-Larrieux, stakeholders require tangible guidance on designing for privacy in a given sector (Tamò-Larrieux 2018).

3 Guidance for a Compliant Biobank-Based Research Project The implementation of DPbD is sector- and case-specific (Tamò-Larrieux 2018). Nonetheless, this section attempts to provide brief guidance on how to plan and manage scientific projects in the biomedical sector to achieve data protection by design compliance. In general, a biobank-based research project uses genetic, genomic and proteomic databases, or other types of databases, such as clinical records. Therefore, such research processes particular categories of personal data (Art. 9 GDPR), but common data may also be included. The project may plan to use different types of processing operations, including the collection, use, storage, disclosure and sharing of personal data. The purpose of the processing is to carry out the research, which has its own goals and outputs. The place of the processing may be in a specific Member State, but cross-border biomedical research should address the legal requirements of all the countries involved. First of all, the controller should have knowledge of the flow of personal data in the research project and of the characteristics of the data processing activities. According to Tamò-Larrieux, the data protection life cycle can be divided into four phases: data collection, data analysis, use of data, and data erasure or deletion (Tamò-Larrieux 2018). When analysing the characteristics of the data processing in each phase, particular attention should be paid to the categories of data (e.g., genetic data or data concerning health, or common data) and of the data subjects (e.g., children or adults), and the place of the processing (e.g. in a Member State, or in more than one Member State, or with international transfers of data). In addition, an

378

P. Guarda and G. Bincoletto

important aspect is whether the project will collect data (primary processing) or re-use data that are already available (secondary processing). A preliminary map of all these elements and the data flow may also take into account the technical infrastructures, the organisational setting and the means the project will use. This map may be drafted with the research protocol. The data controller, the researchers and the legal experts should perform a gap analysis on the applicable legal requirements under EU and national law. It has also been suggested that they should collect a complete set of the legal requirements and guidelines of data protection authorities and stakeholders that are relevant to the project development (Bincoletto 2021). The Norwegian Data Protection Authority suggests that the legal requirements are expressed as a checklist (Datatilsynet 2017). Given the increase in the legislative activity on data in recent times, it may be necessary to monitor new regulations and directives, and national laws.6 The data controller should evaluate all the criteria mentioned in Article 25(1) GDPR, define a budget plan for data protection compliance, and perform a risk assessment to determine which of the technical and organisational measures available in the market could be implemented. At the organisational level of a biobank-based research project, a first recommendation would be to determine whether all the activities fall under the scope of the GDPR (Arts. 2 and 3 GDPR). As an example, the use of anonymous data is outside this scope. Until effective and irreversible anonymisation, the rules apply, but afterwards they do not. In the presence of multiple subjects involved in the research it is necessary to define their roles in the data processing (controller, joint-controllers, processor). According to Nordberg, the controller may be the entity that decides on substantial issues pertaining to the data processing such as “decisions on the legal basis for processing (e.g. consent or an exception), length of time a biological sample and related data are to be stored and who has access to the personal data processed” (Nordberg 2021). If some activities are delegated to a processor, a specific contractual agreement should set out the delegated operations and duties (Art. 28 GDPR). Joint controllers should define their particular responsibilities (Art. 26 GDPR). Essential organisational instruments that may be used in a biobank-based research project are ‘Data Access Agreements’ (DAAs), ‘Data Transfer Agreements’ (DTAs) and ‘Confidential Data Agreements’ (CDAs) (Shabani et al. 2021). The data controller should then carry out a data protection impact assessment, because particular categories of data are being processed during the research project (Art. 35 GDPR). When required, it may also be necessary to consult with the national data protection authority (Art. 36 and national law). Identifying a data protection officer to support the controller during the DPbD implementation and for the other legal issues (Art. 37 GDPR), including the creation and maintenance of

6 As regards the EU, see the website on the European strategy on data. https://digital-strategy.ec. europa.eu/en/policies/strategy-data.

Scientific Research and the Biomedical Sector. Requirements and. . .

379

the records of the processing activities (Art. 30 GDPR, simplified examples are often provided by national data protection authorities7), is recommended. Drafting data protection materials and documentation and providing data protection training for researchers and staff are pivotal organisational measures to ensure the application of the accountability principle. As regards documentation, the recommended policies are: a privacy policy to provide information to the data subjects in a transparent and easily accessible form, using clear and plain language (Arts. 12, 13 and 14 GDPR); a policy on data accuracy; a policy on data retention (defining the time of retention); a policy on data sharing, identifying to whom data can be disclosed (in accordance with the data agreements); and a policy on communication with and notification to the data subjects (e.g. for data breaches) and the data protection authority (Arts. 31, 33, 34 GDPR). Specific policies may also define how to handle the data protection rights. In biobanking, the key rights of data subjects are: the right to receive information (Arts. 12–14 GDPR), the right to access data (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to data portability (Art. 20) and the right to object (Art. 21) (Staunton et al. 2019). Templates and forms for all the documentation may be drawn up beforehand to simplify the work for the specific research protocol. However, every processing is independent and attention should be paid to the details. The training of the researchers and staff is highly advisable, to stress the importance of protecting personal data that is guaranteed by a fundamental right. Confidentiality clauses are frequently added to their employment contracts. Internal guidelines and instructions on security, access, and authorisation are other key organisational measures. A security policy, a breach response plan and a disaster recovery plan should be drafted to ensure that the principles of integrity and confidentiality are met and also to comply with Article 32 GDPR. A certification mechanism may also be useful (Art. 42 GDPR). In the biobanking context, Hansson recommends the adoption of codes of conduct (Hansson 2021). In fact, the European Data Protection Supervisor stated that “specialised codes might be particularly relevant for fields such as biobanking, genomic research or social networks research” (EDPS 2020, p. 25). The Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortium (BBMRI-ERIC) and GÉANT, the pan-European data network for the research and education community, are developing specific codes in this sector.8 When determining the means of the processing, the purpose of the data processing and thus of the type and scope of research should be framed as specifically as possible, in the light of the purpose limitation principle. When collecting data for the first time (primary processing) the data controller should identify the

Se e.g. the template of the French Data Protection Authority – Commission Nationale de l’Informatique et des Libertés. https://www.cnil.fr/en/record-processing-activities; or the Italian template of the Garante per la protezione de dati personali. https://www.garanteprivacy.it/home/ faq/registro-delle-attivita-di-trattamento. 8 See the official websites. https://www.bbmri-eric.eu/elsi/ and https://network.geant.org/. 7

380

P. Guarda and G. Bincoletto

applicable legal ground (Arts. 6 and 9 GDPR). Data that are collected can be processed only as long as they are accurate, relevant, necessary and not excessive in relation to the purposes of the data processing. In the biobanking sector, consent is the typical legal basis, and it must be freely given, specific, informed and unambiguous (EDPS 2020).9 When re-using data that are already available, the controller should check the compatibility of the secondary processing and verify whether the consent or another legal ground covers the new research project. If not, a new basis should be defined (e.g. through the re-collection of the consent). As pointed out by Hansson, the data controller should also be sure that the informed consent that has been collected and/or the ethical approval covers all the planned use of the data (Hansson 2021). The data controller should then provide the privacy policy to the data subject. During the data processing activities, all the documentation should be kept up-todate and, as mentioned above, a periodical gap analysis on the applicable legal requirements may be performed. If an incident or a breach occurs, the specific plan and notifications will follow. An internal audit on compliance carried out by the data protection officer helps in monitoring the implementation of DPbD. When data are shared, the data controller should consider carefully whether the recipient can have legitimate access to it within the research project (under a data sharing agreement). Data should be shared only when necessary and when technical and organisational safeguards are in place. When there is a data transfer to a third country, meaning a country outside the European Economic Area, a legal ground for this processing activity should be found in accordance with Chapter ‘Applying National Law in Cross-Border Research Activity’. At a technical level, various privacy engineering approaches have been developed in recent years (Gürses et al. 2015; Hoepman 2014; Notario et al. 2015). When the scientific project involves the development of new technologies, these methodologies are useful for defining the functional and non-functional system requirements by taking into account data protection rules and principles. If the project uses external technologies, the controller should verify the compliance of these tools with the data protection framework. As stated above, a biobank-based research project uses databases containing personal health data and genetic data. The data controller should implement measures to pseudonymise or encrypt the databases and thus the personal data while they are being stored and while in use. These appropriate measures ensure the confidentiality, integrity (i.e., security) and availability of the systems. The consent of the data subject may be collected and stored through digital tools that should be secure (e.g., electronic consent). The controller should also implement back-up and recovery mechanisms, intrusion controls, and prevention systems to protect the source systems and the data they retain against breaches, incidents and external attacks. Moreover, audit and log systems can be employed to implement the accountability principle during the data use: every operation and

9

As regards the notion of broad and dynamic consent, see the chapters in the book: A. Maierà ‘Broad Consent’ and S. Brizioli ‘Dynamic Consent’.

Scientific Research and the Biomedical Sector. Requirements and. . .

381

access to the personal data will then be technically recorded (e.g. consultation and transmission). As regards the data processing, technical measures for the identification, authentication and authorisation (e.g., system and application access, identity control) of those who have access to the biobank (and to the databases) will safeguard the data protection principles of fairness, integrity and confidentiality, and transparency. Access to personal data, especially genetic data, should be limited to those who are directly involved in the biobank-based research project. In the event of any data sharing, the network for transmission should be secured. Both the organisational and the technical measures should periodically be verified until the end of the scientific project. The state of the art may change over time; therefore, some measures may need to change when a long piece of research is in progress. Research results can be disseminated only in aggregated and anonymised form using techniques that ensure the non-identification of the data subjects. Data controllers of the research project must apply DPbD on a case-by-case basis, since Article 25 GDPR does not provide a “one-size-fits-all” approach. Despite that, this contribution has provided a brief legal analysis of the data protection rules on scientific research, and some guidance on the implementation of the DPbD requirement in a biobank-based research project.

References Bincoletto G (2021) Data protection by design in the E-health care sector: theoretical and applied perspectives. Nomos Verlagsgesellschaft mbH & Co. KG. https://doi.org/10.5771/ 9783748929895 Bincoletto G, Guarda P (2021) A proactive GDPR-compliant solution for fostering medical scientific research as a secondary use of personal health data. Opinio Iuris in Comparatione 1: 43–76 Bygrave LA (2020) Chapter IV Controller and Processor (Articles 24–43). Article 25. Data protection by design and by default. In: Kuner C, Bygrave LA, Docksey C, Drechsler L (eds) The EU General Data Protection Regulation (GDPR): a commentary. Oxford University Press, pp 571–581 Cavoukian A (2010) Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, PhD. Identity Inf Soc 3(2):247–251. https://doi.org/10.1007/s12394-010-0062-y Ducato R (2020) Data protection, scientific research and the role of information. Comput Law Secur Rev 37. https://www.sciencedirect.com/science/Article/pii/S0267364920300170 Duguet AM, Herveg J (2021) Safeguards and derogations relating to processing for scientific purposes: Article 89 analysis for biobank research. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 105–129. https://doi.org/10.1007/978-3-030-49388-2 EDPB (2019) Opinion 3/2019 concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR). https:// edpb.europa.eu/our-work-tools/ourdocuments/opinion-art-70/opinion-32019-concerning-ques tions-and-answers_en EDPS (2020) A preliminary opinion on data protection and scientific research. https://edps.europa. eu/data-protection/our-work/publications/opinions/preliminary-opinion-data-protection-and-sci entific_en

382

P. Guarda and G. Bincoletto

Georgieva L, Kuner C (2020) Art. 9 processing of special categories of personal data. In: Kuner C et al (eds) The EU General Data Protection Regulation (GDPR). A commentary. Oxford University Press, pp 365–384 Gerards JH (2005) General issues concerning genetic information. In: Gerards JH, Heringa AW, Janssen HL (eds) Genetic discrimination and genetic privacy in a comparative perspective. Intersentia, Antwerp/New York, pp 5–26 Guarda P (2021) Il regime giuridico dei dati della ricerca scientifica. Editoriale Scientifica, Napoli Gürses S, Troncoso C, Diaz C (2015) Engineering privacy by design. Amsterdam Privacy Conference 2015 Privacy Management Technology. https://www.esat.kuleuven.be/cosic/publications/ article-2589.pdf Hansson MG (2021) Striking a balance between personalised genetics and privacy protection from the perspective of GDPR. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 31–42. https://doi.org/10.1007/978-3-030-49388-2 Hoepman JH (2014) Privacy design strategies. In: Cuppens-Boulahia N, Cuppens F, Jajodia S, Abou El Kalam A, Sans T (eds) ICT systems security and privacy protection. Springer, pp 446–459. https://doi.org/10.1007/978-3-642-55415-5_38 Jasmontaite L, Kamara I, Zanfir-Fortuna G, Leucci S (2018) Data protection by design and by default. Eur Data Prot Law Rev 4(2):168–189. https://doi.org/10.21552/edpl/2018/2/7 Klitou D (2014) Privacy-invading technologies and privacy by design: safeguarding privacy, liberty and security in the 21st century. Asser Press, Springer Manis ML (2017) The processing of personal data in the context of scientific research. The new regime under the EU-GDPR. BioLaw J 3:325–354 Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU General Data Protection Regulation. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Springer, pp 61–89 Notario N, Crespo A, Martin Y-S, Del Alamo JM, Le Metayer D, Antignac T, Kung A, Kroener I, Wright D (2015) PRIPARE: integrating privacy best practices into a privacy engineering methodology. In: 2015 IEEE Security and Privacy Workshops. IEEE, pp 151–158 Penasa S, Tomasi M (2021) The Italian way for research biobanks after GDPR: hybrid normative solutions to balance the protection of individuals and freedom of research. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Springer, pp 309–322 Rubinstein IS, Good N (2019) The trouble with Article 25 (and how to fix it): the future of data protection by design and default. Int Data Priv Law 10:1–20. https://doi.org/10.1093/idpl/ ipz019 Schneider G (2020) Health data pools under European policy and data protection law: research as a new efficiency defence. JIPITEC 11:49–67 Shabani M, Chassang G, Marelli L (2021) The impact of the GDPR on the governance of biobank research. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Springer. https://doi-org.ezp.biblio.unitn.it/10.1007/978-3-030-49388-2_4 Slokenberga S, Tzortzatou O, Reichel J (eds) (2021) GDPR and biobanking. Springer Staunton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27(8):1159–1167. https://doi.org/10.1038/s41431-019-0386-5 Tamò-Larrieux A (2018) Designing for privacy and its legal framework: data protection by design and default for the internet of things. Springer Taylor M (2012) Genetic data and the law. A critical perspective on privacy protection. Cambridge University Press von Bogdandy A, Bast J (2020) Principles of European constitutional law. Hart Publishing

Secondary Use (Part I) ‘What Does Secondary Use Mean for Research Using Tissue Specimens Obtained in a Diagnostic or Therapeutic Setting, in the Light of the GDPR?’ Carla Barbosa and Andreia da Costa Andrade

1 Introduction Various synonyms are used today, such as ‘biological repository’ or ‘biological collection’. The term ‘biobank’ can be used to mean ‘an individual collection, which is stored in a private refrigerator of a particular research group within a specific project’, but it usually refers to ‘a large, organized collection of well-characterized tissue samples’. The term ‘biobanking’ also refers to the whole range of social, legal, and ethical problems that must be resolved as biobanks develop. For example, any biobank is interested in the fact that a citizen—voluntarily and having given informed consent—may donate their material to the biobank without strictly determining the purpose for which the material is to be used. However, research is not always the main purpose when such biological samples are collected. The (research) purpose may arise at a later stage. The permission for this secondary use optimizes the use of these biological samples (and data), as it allows research to be carried out with existing ‘material’ (which generates savings in terms of time and costs). The question that arises is whether it is possible to use a biological sample, collected for the purpose of providing care, for research purposes, in a way that, on the one hand, allows the development of research and, on the other hand, preserves the rights of participants/patients. Is secondary use or ‘secondary research’ (Peloquin et al. 2020) possible under the General Data Protection Regulation (hereinafter referred to as GDPR)1?

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free

C. Barbosa (*) · A. da Costa Andrade Centre for Biomedical Law, Faculty of Law, University of Coimbra, Coimbra, Portugal e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_42

383

384

C. Barbosa and A. da Costa Andrade

2 Secondary Use Biobanks can be classified into two major groups, based on the purpose for which they store samples: those with samples collected mainly for research purposes, and those with samples collected within the healthcare system mainly for healthcare purposes. Human tissue remaining after diagnostic procedures is important for scientific research. This “secondary use” of tissue is not yet regulated.2 It is to be hoped that future regulation will not prevent secondary uses that are essential for research using personal health data but are impossible to anticipate. The secondary use of archived tissue specimens for research purposes happens when tissue biopsies have been obtained for clinical diagnostic purposes that have already been satisfied and the healthcare unit is then willing to provide some of the remaining biopsy specimens to an researcher who will perform research assays. This may be done in two different ways: (a) the specimens may be provided with identifiers such that the researcher can readily ascertain the identity of the subjects, or (b) the specimens may be coded such that the researcher is not easily able to ascertain the identity of individuals. The GDPR does not deal with the secondary use of personal data for research purposes (which, as already mentioned, refers to the use of data/samples originally collected for a purpose different from the current purpose). It is an aspect on which the GDPR is silent. It is to be hoped that this fact does not preclude secondary use that was impossible to anticipate but is essential for research that uses personal health data. Often, a new purpose is only known after the initial processing of personal health data, and the reality is that all data derived from studies associated with the genome and from broad population studies that increasingly use electronic health records (EHRs) and/or electronic medical records3 will fall under this legislation. Additionally, there is no doubt that data sharing and the possibility of accessing secondary data can have a profoundly beneficial impact on the progress of biomedicine and health sciences (Burton et al. 2017). The future regulation of the European Health Data Space will bring this regulation, but the great difficulty will be to articulate what is intended with the rules already established in the GDPR. Finally, the GDPR does not specifically address the processing of personal data in the context of research carried out using biological samples. However, the movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Secondary use may become regulated with the approval of the Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space published on May 3, 2022. This draft dedicates several rules to the secondary use of health data collected primarily for the provision of health care or for research. This could be the legislative instrument that will establish harmonized and clear rules with regard to secondary use. From the outset, it has the merit of recognizing the importance of this research ‘instrument’. 3 Salvaterra, E., Philosophy of science, philosophy of mind, University eCampus, Novedrate, Italy, http://www.biostorage.com/blog-posts/2015-eu-data-protection-regulation/.

Secondary Use (Part I)

385

Regulation necessarily applies to research carried out using samples deposited in biobanks when it is possible for researchers to relate these biological samples to personal data (the GDPR expressly defines personal data relating to health to include information obtained from the analysis or examination of a body part or body substance, including from genetic data and biological samples4). With regard to research using biobanks, the requirements of the GDPR could hinder or suspend various medical research, including retrospective and prospective studies. However, biological banks may be exempt from the application of several of the general principles, obligations and rights of the holders of personal data under the GDPR, if they are processing personal data for the purpose of scientific research. For example, the principle of limiting data storage can be modified, and personal data can be stored for longer periods, as long as they are processed exclusively for the purpose of scientific research in accordance with the provisions of article 89(1) of the GDPR and subject to the implementation of technical and organizational measures required by the GDPR.5 In choosing, in the final version of the GDPR, not to regulate secondary use, we ended up facing several difficulties: the way in which consent should be interpreted, the definition of anonymization and pseudo-anonymization techniques, and the consequent rules and derogations for this.

3 The Consent Scenarios The first question we must ask is whether, in these scenarios, informed consent of the subjects should be obtained (either study-specific or ‘broad consent’). Informed consent is one of the most commonly discussed topics in the context of biobank research. The goal of informed consent is to enable a person to decide whether or not to participate in a research programme. Informed consent is considered to be an ethical and legal agreement that protects the rights of the participant and/or patient and maintains public trust. As far as consent is concerned, we agree with David Townend that the difficulty in this problematic debate is that informed consent and open consent are presented as if they are opposed to each other. However, informed consent and open consent are not opposed. In reality, they deal with different issues within the consent. Informed consent concerns the quality of the consent, while open consent concerns the subject of the consent (Townend 2012). The interpretation of consent, as Maria Knoppers says, is significant; over the past decade we have witnessed both the recognition of the need to accelerate the harmonization in Europe of regulatory frameworks for health-related research and data sharing, and the acceptance of open consent for future unspecified

4 5

This was not the case with the former Directive on personal data treatment. BBMRI-ERIC Common Service ELSI (2017).

386

C. Barbosa and A. da Costa Andrade

investigations, as long as there is adequate governance. Although the GDPR still contains very demanding requirements and requires specific consent “for one or more specific purposes”—in accordance with Article 6(1)(a)—the truth is that Recital 33 leaves the door open for approval of the circumstances in which data subjects give their consent to certain areas of scientific research carried out in accordance with recognized ethical standards. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects, to the extent permitted by the purpose for which they are intended (Knoppers 2014). For the sake of research, and provided that adequate protection measures are taken to safeguard the rights of the holders of personal health data, we advocate a relaxation of the requirements regarding consent (whether we are dealing with data only or with biological samples and consequently the data taken from them). For example, in Portugal in exceptional cases (when there is retrospective use of samples, or in special situations in which the consent of the persons concerned cannot be obtained because of the quantity of data or the number of individuals, or their age or other comparable reasons), the tissue remaining (and the associated data) can be processed, but only for scientific research purposes or the collection of epidemiological or statistical data (Article 19 /6 of Law 12/2005).

4 Rules for Pseudo-anonymous Data The second difficulty is related to the fact that it is necessary to apply the rules of personal data to pseudo-anonymous data. In fact, we must not forget that pseudoanonymous information remains, under the terms of the GDPR, personally identifiable data (personal data), since someone has an encrypted key that would allow the process to be reversed. In 2014, the Article 29 Working Group warned that pseudonymization was a partial and reversible measure that ‘only reduces the ability to link a data set with the original identity of a data subject’.6 Pseudonymization is ‘the process of transposing identifiers (such as names and date of birth) into a new designation, preferably by encryption, so that the recipient of the information cannot identify the person concerned’.7 As for the treatment of health data resulting from biological samples, the mechanism for anonymizing personal health data is rarely viable since, with technological advances, data that we thought had been anonymized were ‘reversed’, making it possible to identify the actual carriers.8

6

Article 29 Working Party (2014). Opinion 05/2014 on Anonymisation Techniques, p. 21. https:// ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf. 7 29 Working Party. http://ec.europa.eu/justice/data-protection/article-29/index_en.htm. 8 As concluded by the Grupo de Opinión del Observatori de Bioètica i Dret de la Universitat de Barcelona ‘es crucial señalar que, hasta ahora, la premisa de la anonimización del dato ha

Secondary Use (Part I)

387

In addition, there are several reasons for preserving the potential for data to be identifiable, whether for scientific research, or to contextualize the results obtained from the study, or to integrate the data into new studies, or for other purposes. The holders of personal data themselves can obtain benefits from non-anonymization, which can translate, for example, into incidental findings relevant to their health. The more complete and rich are the data stored and processed, the greater is their potential and the more accurate the results of the research. We are, however, perfectly aware of the risks that this may involve. Researchers and data controllers often choose to use a pseudo-anonymous data set—a tool that simplifies research based on encrypted data, ensuring the highest possible level of protection for the personal rights of those involved. However, this fact means that these data obtained from biological samples continue to fall under the GDPR regime and to that extent may suffer from some difficulties regarding secondary use. Finally, and directly related to the point just mentioned, we cannot fail to highlight here a derogation, since under the terms of the GDPR further processing for scientific research, statistical or historical purposes can be considered to be purposes that are ‘not incompatible’. However, in order to benefit from this presumption, specific safeguards must be fulfilled (the safeguards are set out in Article 89 and Recital 156, as well as in Article 9 when data concerning health are processed). It is important to highlight the fact that the final version of the GDPR is the result of negotiations and that the first draft was very strict regarding secondary uses.

5 Conclusion The diversity in the regulation of biobanking remains, and it is difficult to ascertain what the legal requirements are in each country across Europe, especially when it comes to the “secondary use” of tissue. ‘GDPR presents several significant difficulties for biobanking and databanking, including failing to provide a clear basis for processing personal data for secondary research purposes. The few regulatory pathways that GDPR provides lead to complex variations among EU member states, and these variations add significant

representado la garantía que permitía cumplir con las regulaciones de protección de datos personales existentes. Se ha venido entendiendo que un conjunto de datos personales, al ser anonimizados, dejan de contener datos de carácter personal, perdiendo así el amparo de la normativa de protección de datos personales, que se pretende rigurosa tanto en la Unión Europea como en España pero que, con el avance de las tecnologías informáticas, tras casi veinte años ha devenido en buena medida obsoleta. El problema radica en que, actualmente, está acreditado que la anonimización no garantiza la privacidad de los datos personales, puesto que mediante técnicas de ingeniería informática es posible volver a conectar los datos con la persona a quien pertenecen’, Llàcer et al. (2015), p. 33.

388

C. Barbosa and A. da Costa Andrade

transaction costs and barriers to secondary research uses of data and biospecimens’ (Peloquin et al. 2020). We hope that European legislation that specifically regulates the use of biobanks for research purposes can soon be discussed and approved, and that the issue of secondary use is addressed in this way, thus creating a standardization of procedures at least in the territory corresponding to the countries that are part of the European Union. The direct answer to our burning question is that secondary use or “secondary research” means a use subordinate to the principal or primary use, and that this may exist only when a principal or primary use exists for the same item. In the GDPR we do not find an express reference to secondary use, but this does not mean that it is not possible.

References BBMRI-ERIC Common Service ELSI (2017) The EU General Data Protection Regulation. http:// www.bbmri-eric.eu/wp-content/uploads/2017/03/BBMRI-ERIC_FAQs_on_the_GDPR_ V2.0.pdf Burton PR, Banner N, Elliot MJ, Knoppers BM, Banks J (2017) Policies and strategies to facilitate secondary use of research data in the health sciences. Int J Epidemiol 46:1729–1733. https://doi. org/10.1093/ije/dyx195 Knoppers BM (2014) Framework for responsible sharing of genomic and health-related data. Hugo J 8:3. https://doi.org/10.1186/s11568-014-0003-1 Llàcer MR, Casado M, Buisan L (eds) (2015) Documento sobre bioética y Big Data de salud: explotación y comercialización de los datos de los usuarios de la sanidad pública. Universitat di Barcelona Publicacions i Edicions, Observatori bi Bioética i Dret, Barcelona Peloquin D, DiMaio M, Bierer B, Barnes M (2020) Disruptive and avoidable: GDPR challenges to secondary research uses of data. Eur J Hum Genet 28:697–705. https://doi.org/10.1038/s41431020-0596-x Townend DMR (2012) The politeness of data protection. Exploring a legal instrument to regulate medical research using genetic information and biobanking. PhD thesis, Maastricht University

Secondary Use and Dual Use of Biomaterial Samples (Part II) ‘Does Broad Consent Include the Reuse and Dual Use of Biomaterial Samples and Their Associated Personal Data?’ Carla Barbosa and Andreia da Costa Andrade

1 Introduction When you merge the revolution in infotech with the revolution in biotech, you get the ability to hack humans (Harari, 21 Lessons for the 21st Century, 2018).

In recent decades, science has undergone a rapid transformation as a result of a biotechnological evolution, and this has brought with it several benefits for humanity. What would medicine be without this evolution, without research and the discovery of new technologies, new medicines, and so on? However, this transformation that presents us with various benefits can also bring with it dangers. ‘In many cases (. . .) the same discoveries that promote advancement of medicine could also facilitate production of biological weapons of mass destruction’ (Selgelid 2009). It is in response to this problem of a new discovery that may have beneficial but also harmful consequences that the concept of ‘dual use’ arises. Dual-use research ‘encompasses biological research with legitimate scientific purpose, the results of which may be misused to pose a biologic threat to public health and/or national security’.1 Many authors add to the expression ‘dual use’ the words ‘of concern’. ‘Dual-use research of concern’ is the type of research that could be misused directly and whereby such misuse would have major consequences.2 The possibility of dual-use research brings us, however, to what is called the ‘dual-use dilemma’, which “arises in the context of research in the biological and other sciences as a

1

The NSABB definition of dual-use research www.biosecurityboard.gov/faq.asp#14. Rijksinstituut voor Volksgezondheid en MilieuMinisterie van Volksgezondheid, Welzijn en Sport. https://www.bureaubiosecurity.nl/en/policy/dual-use-research.

2

C. Barbosa (✉) · A. da Costa Andrade Centre for Biomedical Law, Faculty of Law, University of Coimbra, Coimbra, Portugal e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_43

389

390

C. Barbosa and A. da Costa Andrade

consequence of the fact that one and the same piece of scientific research sometimes has the potential to be used for harm as well as for good” (Miller and Selgelid 2007).

2 Secondary Use and Dual Use of Biomaterial Samples Secondary use means a use subordinate to the principal or primary use, and it may exist only when a principal or primary use exists for the same item. In the draft of the European Health Data Space Regulation ‘secondary use of electronic health data’ means the processing of electronic health data for the purposes set out in Chapter IV of the Regulation. The data used may include personal electronic health data initially collected in the context of a primary use, but also electronic health data collected for the purpose of the secondary use. Dual-use research is defined as research conducted for legitimate purposes that generates knowledge, information, technologies, and/or products that could be used for both benevolent and harmful purposes. Dual-use research of concern (DURC) is a subset of dual-use research and is defined as life sciences research that, based on current understanding, can reasonably be anticipated to provide knowledge, information, products, or technologies that could be directly misapplied to pose a significant threat with broad potential consequences to public health and safety, agricultural crops and other plants, animals, the environment, material, or national security. This means that a dual use can exist when there is a secondary use, but a dual use can also be present for a primary use. Secondary use and dual use are therefore different and non-overlapping concepts. The last two years have shown the relevance of this theme, through the doubts raised in the context of the pandemic and the news related to the war we are experiencing in Europe. DURC poses unique ethical–legal and governance problems because of its complexity, breadth and scope. The broad definition of dual-use research of concern shows that there are a number of issues, such as: (a) It emphasizes the ostensibly beneficial nature of research in the life sciences, but also the risks of misuse. Such risks could have at least three sources: information generated by well-intended research; methods and technologies developed and used in such research; and the products of such research. (b) The additional risks stem from accidents (biosafety) and possible malicious use (biosecurity). (c) Questions addressing biosecurity risks can in some cases address biosafety risks, and vice versa. For example, research on novel infectious pathogens such as SARS-CoV-2 requires careful attention to biosafety and biosecurity. An influx of funding for research on gain-of-function to elucidate such mechanisms may facilitate the development of better countermeasures for the virus, but also the discovery of more virulent strains.

Secondary Use and Dual Use of Biomaterial Samples (Part II)

391

The availability of such strains creates risks of both accidental release and hostile use. The tremendous health, social, and economic disruption occasioned by COVID19 have already led to calls for gain-of-function research to be rethought. Another example is pharmaceutical research and development. Scientists researching asthma have developed aerosol methods that help deliver drugs deeper into the lungs. While this research may hold great benefits for people with asthma and other respiratory issues, it could also be used to increase the damage caused by biological weapons such as anthrax. The possibility that research might be misused, either intentionally or accidentally, is a long-standing concern of science. It can have implications in ethics and wider societal issues, and involves not only research communities and public health, but also donors, scientific publishing and public communication. From an ethical point of view we must immediately affirm that the control of this type of use must be managed, in a generic way, by society. For example, the United States government Policy for Oversight of Life Sciences Dual Use Research of Concern establishes regular reviews by US federal agencies of research into certain high-consequence pathogens and toxins because of the potential of such research to be dual-use research of concern.3 Institutions and researchers must conduct risk assessments, develop risk mitigation plans and apply any necessary and appropriate risk mitigation measures to ensure the research is properly conducted and communicated. In Europe we have the EU Dual-use Regulation (Regulation (EC) No 428/2009)4 which sets up a regime for the control of the export, transfer, brokering and transit of dual-use items, and also, for example, the EU compliance guidance for research involving dual-use items. However, when speaking of health, we cannot avoid also questioning the role of research ethics committees and the necessary prior assessments that they must make. The World Medical Association states that a research protocol must be submitted to the relevant research ethics committee for consideration, comment, guidance and approval before a study begins (WMA Declaration of Helsinki 2013). According to the World Health Organisation (2009), the main responsibility of a research ethics committee is to protect the potential participants in the research, but it must also take into account the potential risks and benefits for the community in which the research will be carried out.

3

United States Government Policy for Oversight of Life Sciences Dual Use Research of Concern. https://www.phe.gov/s3/dualuse/Documents/us-policy-durc-032812.pdf. 4 Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, O.J. 29.5.2009 L134/1.

392

C. Barbosa and A. da Costa Andrade

3 Informed Consent Issues The emergence of biobanks as a vital research tool in the medical sciences has led to a widespread debate in the literature about how to best handle the informed consent procedures governing the enrolment of participants in research, and the subsequent use of participant samples and data in other studies. When the broad consent model is applied, general consent is gathered at the time of enrolment (subject to a set of limitations and restrictions that are formulated by the biobank and/or a regulatory authority and stated in the consent form). Subsequently, samples stored in the biobank can be used for new studies that fall within the scope of the consent, without a new consent being obtained from the participants. Medical researchers defend the broad model by arguing that it is the best way to make largescale biobank research feasible (Hofmann 2009). The truth is that, at the time of enrolment, the ways in which samples deposited in a biobank may be used in future research is normally not known, and it would seem that, for consent to be informed consent, this kind of knowledge is required. Broad consent is a type of consent in which a participant expresses their general consent to the use of their own personal information, including biomedical or healthrelated information and/or tissue samples, in further research, without their further explicit consent being needed. That said, it is worth questioning whether broad consent includes the dual use of biomaterial samples and their associated personal data. In order to understand the criteria for broad consent, it is possible to use the Electronic Code of Federal Regulations, which establishes a set of requirements for broad consent. Broad consent involves most of the general features of study-specific informed consent, which are the following: obtaining the legally effective informed consent of the subject or the subject’s legally authorized representative; seeking informed consent under circumstances that provide an opportunity to discuss and consider whether or not to participate, thus minimizing the possibility of coercion or undue influence; providing information in understandable language; providing information that a reasonable person would want to have in order to make an informed decision about whether to participate, and providing an opportunity to discuss that information; and avoiding exculpatory language. Exculpatory language either waives or appears to waive the subject’s legal rights, or it releases or appears to release the investigator, the sponsor, the institution, or its agents from liability for negligence. From a legal perspective, broad consent requires four of the basic elements of study-specific informed consent listed above: a description of any reasonably foreseeable risks or discomforts to the subject; a description of any benefits to the subject or to others that may reasonably be expected from the research; a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained; and a statement that participation is voluntary and that the subject

Secondary Use and Dual Use of Biomaterial Samples (Part II)

393

may choose not to participate or to discontinue participation at any time without penalty or loss of the benefits to which the subject would otherwise be entitled.5 If any of these requirements is not met, broad consent has not been obtained. This means that broad consent, although understood as ‘general’, always requires specificity. As a matter of fact, one of these requirements implies that the participants must be provided with sufficient information to enable them to decide whether or not to participate. Thus, when the use of biological samples or information taken from them may ‘pose a biologic threat to public health and/or national security’6 (NSABB at www.biosecurityboard.gov/faq.asp#14), this information has to be provided to the participants. Otherwise, the consent is not valid, because essential information has been omitted when the decision is being made. As stated above, the consequence is that, unless the participants consent to it, dual use cannot be possible. However, a different solution is feasible when it comes to meta consent. In fact, ‘traditional accounts of informed consent make a person the locus of a request to consent to participation in research’ (Mikkelsen et al. 2019). In the case of meta consent it ‘should be asked how and when they would like to be presented with a request for consent. That is, people should be asked to design how they in the future would like to provide consent to the use of their personal health data and biological material. By expressing a preference for how and when to provide consent, people can be said to provide consent on a meta level. This is the defining idea in the model of meta consent’ (Mikkelsen et al. 2019). This means that, when dealing with research using biological samples and information taken from them, a research subject might decide that she wants to give study-specific consent to all future research that falls within the tier of ‘dualuse’ (i.e. research with additional military applications), but that she is also happy to provide a single broad consent to all future publicly funded public health research. Meta-consent does not only allow participants to provide consent preferences regarding different categories of research. It also enables them to tailor their consent preferences to specific categories of data—as they may wish to do, for example, if they have special concerns about genomic data. Participants can therefore design consent portfolios which require them to make specific decisions only about certain types of research.’ (Mikkelsen et al. 2019, p. 71).

5

US Department of Health and Human Services, General requirements for informed consent. 45 CFR §46.116. www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=83cd09e1c0f5c693 7cd9d7513160fc3f&pitd=20180719&n=pt45.1.46&r=PART&ty=HTML#se45.1.46_1116. 6 The NSABB definition of dual-use research. www.biosecurityboard.gov/faq.asp#14.

394

C. Barbosa and A. da Costa Andrade

4 Conclusion Ideally, if all ethical–legal principles that guide scientific research were satisfied, research would only lead to solutions that are beneficial to humanity. However, this is not the reality in which we live, and the same scientific discoveries can be used for purposes that benefit but also harm the human being. In this sense, “dual-use research of concern”, as a type of research, “could be misused directly and whereby such misuse would have major consequences”.7 This analysis argues that the consent to be given by donors of biological material and data should be open consent, in order to make research less bureaucratic. Even in cases of broad consent to research, it is necessary to respect certain requirements. For this reason, and as a direct answer to our burning question: broad consent may not allow the reuse and dual use of biomaterial samples and their associated personal data. The position is different when it comes to so-called meta-consent, which implies the donor’s authorization for all possible future research.

References Hofmann B (2009) Broadening consent—and diluting ethics? J Med Ethics 35:125–129. https://doi. org/10.1136/jme.2008.024851 Mikkelsen RB, Gjerris M, Waldemar G, Sandøe P (2019) Broad consent for biobanks is best – provided it is also deep. BMC Med Ethics 20:71. https://doi.org/10.1186/s12910-019-0414-6 Miller S, Selgelid MJ (2007) Ethical and philosophical consideration of the dual-use dilemma in the biological sciences. Sci Eng Ethics 13:523–580. https://doi.org/10.1007/s11948-007-9043-4 Selgelid MJ (2009) Governance of dual-use research: an ethical dilemma. Bull World Health Organ 87:720–723. https://doi.org/10.2471/blt.08.051383

7

Rijksinstituut voor Volksgezondheid en MilieuMinisterie van Volksgezondheid, Welzijn en Sport. https://www.bureaubiosecurity.nl/en/policy/dual-use-research.

Transfer of the Personal Data for Research Purposes Towards Non-EU Countries ‘How Is It Possible to Transfer Personal Data for Research Purposes to Non-EU Countries?’ Roberto Cippitani

1 Introduction The transfer of data within the EU is always allowed, including for research purposes (Cippitani 2021, p. 8). However, when data transfer involves ‘third countries’ (i.e., countries which are not EU Member States) or international organisations, the Regulation (EU) 2016/ 6791 (hereinafter referred to as ‘GDPR’) provides several restrictions, which also apply in cases of scientific activities. Pursuant to the GDPR regulation, the transfer of data to third countries is subject to an adequacy test, that is, the European Commission considers the legal system of those countries or organisations as providing an ‘adequate’ level of personal data protection.2 Article 45, paragraph 1, of the GDPR states that ‘a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization’. This implies that personal data may be transferred from the EU (and Norway, Liechtenstein and Iceland) to the third countries concerned without limitation and under the same conditions as they were transferred within the EU. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 GDPR, Recital 103. R. Cippitani (✉) Institute CNR-IFAC, National Research Council of Italy, Florence Research Area, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_44

395

396

R. Cippitani

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.3 More recently, an adequacy decision also involved the Republic of Korea.4 It is also the Commission’s responsibility to review at least every four years the implemented act5 for the sake of reporting the development in the third country or international organisation.

2 The Case of the United States The transfer of personal data to the United States of America needs further consideration because of the important and strict cultural and scientific relationships with the EU. In accordance with Directive 95/46/EC, the European Commission adopted Decision 2000/520/EC of 26 July 2000 (known as the ‘Safe Harbour’ decision), stating the adequacy of the US legislation in guaranteeing a level of protection appropriate to European standards.6 In 2015, the Court of Justice declared the ‘Safe Harbour’ illegal in the Schrems case.7 Indeed, the US legislation, namely the so-called ‘Patriot Act’, ensured the primacy of the requirements of national security, allowing massive access by the intelligence agencies to personal data. This occurred for non-US citizens, for example, European citizens, without judicial control. According to the Court of Justice, such a regulatory framework was contrary to the principles and fundamental rights of EU law and, in particular, breached the protection of personal data (Article 8 of the EU Charter) and the ‘right to an effective remedy and to a fair trial’ (Article 47 of the EU Charter; see paragraphs 86 and 95). To face the consequences of the Schrems decision, the European Commission adopted the so-called ‘Privacy Shield’ Decision on 12 July 2016 grounded on the

3

For details about adequacy decisions concerning the above mentioned third countries, see https:// ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/ade quacy-decisions_en. 4 European Commission, Decision of 17.12.2021 pursuant to Regulation (EU) 2016/679 of the Europea Parliament and of the Council on the adequate protection of personal data by the Republic of Korea under the Personal Information Protection Act, Brussels 17.12.2021 C(2021) 9316 final. https://ec.europa.eu/info/sites/default/files/1_1_180366_dec_ade_kor_new_en.pdf. 5 GDPR, Article 45(3). 6 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, Official Journal of the European Communities, 25.08.2000, L 215/7. 7 Court of Justice, judg. 6 December 2015, C-362/14, Schrems, ECLI:EU:C:2015:650.

Transfer of the Personal Data for Research Purposes Towards Non-EU Countries

397

basis of a new agreement with US authorities.8 The ‘Privacy Shield’ entered into force on 1 August 2016 and proscribed a self-certification mechanism for companies established in the US that intended to receive personal data from the EU. Companies are requested to comply with its principles and to provide data subjects (i.e., all persons whose personal data have been transferred from the EU) with adequate safeguards. Failing these requirements would mean removal from the ‘Privacy Shield List’ by the US Department of Commerce and sanctions by the Federal Trade Commission. Despite the fact that the European Commission estimated as adequate the level of protection for personal data transferred from an individual in the EU to a company established in the US, the Court of Justice declared the Privacy Shield contrary to EU law in its judgement of 16 July 2020 (called ‘Schrems II’).9 According to this judgement, the EU–US Privacy Shield was no longer a valid mechanism for the transfer of personal data from the EU to the US. Further negotiations between the European Commission and the US government followed to set a successor arrangement compliant with the judgement of the Court of Justice.10 Negotiations were animated by the shared commitment to privacy, data protection, the rule of law and the mutual recognition of the importance of transatlantic data flows. On 25 March 2022, a new Trans-Atlantic Data Privacy Framework11 was announced by the European Commission and the US government Subsequently, on 10 July 2023 the European Commission adopted a new adequacy decision concerning the EU-US Data Privacy Framework.12

8

Commission implementing decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/ EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–U.S. Privacy Shield, Official Journal of the European Union, 1.8.2016, L 207/1. 9 Court of Justice, judg. 16 July 2020 Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems. 10 For the details of the negotiations on transatlantic data privacy flows, see https://ec.europa.eu/ commission/presscorner/detail/en/STATEMENT_21_1443. 11 Relevant insights about the Trans-Atlantic Data Privacy Framework: https://ec.europa.eu/ commission/presscorner/detail/en/ip_22_2087. 12 Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final). On the basis of such a decision, personal data can be transferred from the EU to the US companies which adhere to the ‘Data Privacy Framework’ as provided by the decision. The decision of adequacy is expected to solve, although in a very limited manner to the transfer of data to above mentioned companies, the questions posed by the case law of the Court of Justice in particular with respect to the power of access to data of U.S. intelligence agencies (which should be carried out only to the extent the access is necessary and proportionate) and establishing an independent mechanism to decide on the complaints of EU citizens concerning the collection of data for national security purposes.

398

R. Cippitani

3 The Case of the United Kingdom Due to its withdrawal from EU, EU law is no longer applicable in the United Kingdom. This also involves the legislation concerning the protection of personal data, starting from 1 January 2021. Although the case of the United Kingdom (UK) will be deeply analysed in the UK National Report in this Handbook, it is worth mentioning here that the European Commission has adopted two adequacy decisions concerning the UK and, more precisely, the General Data Protection Regulation (GDPR)13 and the Law Enforcement Directive.14 Pursuant to these adequacy decisions, personal data can now flow freely from the EU to the UK, assuming the essentially equivalent level of protection as that guaranteed by EU law. It is important to consider that both adequacy decisions include safeguards in case of future divergence and represent means to facilitate the implementation of the EU– UK Trade and Cooperation Agreement that tackles the exchange of personal information.

4 Transfer of Personal Data Without a Commission’s Adequacy Decision In the case of an absence of a Commission’s decision ‘a controller or processor may transfer personal data to a third country or an International Organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subject are available’.15 Legitimisation of the transfer of personal data outside the EU might come from agreements between public institutions, namely the European Commission, non-EU members and international organisations or from agreements between private corporations and organisations. The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. The European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA).

13

European Commission, Commission implementing decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, Brussels, 28.6.2021 C(2021) 4800 final. 14 European Commission, Commission implementing decision of 28.06.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, Brussels, 28.06.2021 C(2021) 4801 final. 15 GDPR, Article 46(1).

Transfer of the Personal Data for Research Purposes Towards Non-EU Countries

399

The European Commission has also issued a set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.16 Article 46 GDPR distinguishes the contractual instruments that do not require any specific authorisation from a supervisory authority and those that are subject to the authorisation of the competent supervisory authority.17 An authorisation is not required in case of contractual instruments, as follows:18 (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules; (c) standard data protection contractual clauses, which might be adopted by the Commission19 or adopted by a supervisory authority and approved by the Commission;20 (d) codes of conduct;21 (e) certificate mechanism.22 Concerning the contractual clauses subject to authorisation, the following are provided:23 (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities of bodies which include enforceable and effective data subject rights.

5 Transfer of Personal Data for Research Purposes Towards Non-EU Countries Research purposes (e.g., research projects in the biomedical field and other disciplines) are among the most relevant scopes for the international transfer of personal data.

16

European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfersoutside-eu/model-contracts-transfer-personal-data-third-countries_en. On 4 June 2021, the European Commission adopted two sets of standard contractual clauses, one for the use between controllers and processors within the European Economic Area1 (EEA) and one for the transfer of personal data to countries outside of the EEA. 17 GDPR, Article 46(2 and 3). 18 GDPR, Article 46(2). 19 GDPR, Article 46 (2c). 20 GDPR, Article 46 (2d). 21 GDPR, Article 46 (2e). 22 GDPR, Article 46 (2f). 23 GDPR, Article 46 (3).

400

R. Cippitani

When an adequacy decision lacks the personal data flow to third countries for research purposes, data flow may have its rationale in Article 46, paragraph 2, GDPR. In particular, public research bodies may transfer personal data using standard clauses and codes of conduct. Article 46, paragraph 2 also requires ‘(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights’. Even the last ones must be approved by the supervisory authorities. In addition, the transfer for research activities may be considered as ‘necessary for important reasons of public interest’ (Article 49, para. 1, let. d). This occurs even in the absence of instruments provided by Article 46 GDPR. This excludes other hypotheses provided under Article 49, para. 1, for example, the transfer for vital interests of the data subject in the case of medical treatment is not allowed ‘to carry out general medical research that will not yield results until sometime in the future’ (see WP 114, paragraph 2.5). Moreover, it is essential that: ‘the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data’ (Article 49, paragraph 1, last part). The controller shall inform both the supervisory authority and the data subject of the transfer, mentioning the compelling legitimate interests pursued. While the consent of the data subject is not required in the cases of control ensured by the supervising authority, consent is necessary when it comes to the transfer to non-EU countries (i.e., when Article 46 is applicable). As a matter of fact, the extra-EU transfer of the personal data is subject to the informed consent of the data subject. According to Article 13, paragraph 1, let. f) GDPR, the data subject must be informed of the existence of the adequacy decision or ‘the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available’. In addition, if the personal data have not been obtained directly by the data subject, the controller must inform the data subject (the Article 14, paragraph 1, let. f)). The data subject is entitled to authorise the transfer of personal data when an adequacy decision has been not adopted ‘after having been informed of the possible risks of such transfers’ (see Article 49, paragraph 1, let. a). The Working Party Article 29 in its Opinion 15 of 2011 (on the definition of consent) referred to Article 26.1 of the previous Directive and argued that the consent must be explicit and unambiguous (see paragraph III.A.4). This interpretation is still valid today. The WP 114 of 2005 (on common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995) points out that consent does not always protect the

Transfer of the Personal Data for Research Purposes Towards Non-EU Countries

401

person. When the data subject withdraws his/her consent and the personal data has already been transferred to a third country, the controller might lose any control. ‘Strictly speaking, the data relating to a person who had withdrawn his consent could no longer be transferred; failing this, the transfer would continue to be partially based on the data subject’s consent, but an alternative solution (a contract, BCR, etc.) would have to be found for data relating to subjects who had withdrawn their consent. Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome’. The GDPR requires unambiguous and explicit consent, especially for special categories of data and when the data are transferred to third countries (see paragraph 4 of Article 29 Working Party, Guidelines on consent under Regulation 2016/679, of 28 November 2017, rev. 10 April 2018). The main question concerns whether and how (if any) to apply (and justify) the derogations to the rights concerning the data subject when the transfer of personal data takes place.

6 Conclusion The transfer of personal data outside EU, including in research activities, is subject to the limitation of the GDPR to ensure the protection of the data subject and to the responsibility of the controller. The EU university and research centres may proceed to the transfer personal data toward third countries, which are not covered by an adequacy decision by the Commission, by means agreements imposing obligations consistent with the GDPR. It is advisable that those agreement are drown-up on the ground of the template adopted by the European Commission according to the Article 46 GDPR. The receiving non-EU partner should have internal procedures ensuring the protection of personal data, as it usually happens in case of universities or research bodies. In any case, it would be advisable to put in place organisational and technical measures implying anonymisation or pseudonymisation of data, when the transfer of personal data it is not strictly necessary.

Reference Cippitani R (2021) La protección de datos personales y el Derecho de la integración. In: Pizzolo C (Coord) Integración regional y Derechos humanos. Puntos de convergencia. Astrea, pp 175–209

Users ‘Who Are the Users in the Context of Biobanks? What Are the Factors to Consider When Dealing with the Human Component?’ Laura Burzagli

1 Introduction When we speak of data, this does not exclude the consideration of the human beings involved, who always influence or are influenced by the data collection itself. As a matter of fact, there is a human component of the process in every case. In the collection of data relating to a human being, that person always remains the reference point from which to start any activity. The collection of information and its processing often focuses on the application of the specific technologies, tools and systems required by the context: these are considered the most appropriate way to achieve certain results. Consequently, we fail to adopt a holistic approach that first contextualises the information, its origin and its use; indeed, the characteristics of the people involved in the process get sidelined. This represents a missing point in the structuring and management of collections, since human variables are key elements to be taken into account. In fact, the diversity of the physical, cognitive, emotional and cultural characteristics of people, together with the different roles they assume in each particular context, risk affecting the final results of the processing.

2 The Concept of End-Users The distinction between the roles of the people who are involved in the management of information and those who are involved in its processing is highlighted in a number of contexts, such as, for example, ethics in artificial intelligence. A L. Burzagli (✉) National Research Council, IFAC Institute, Florence, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_45

403

404

L. Burzagli

Fig. 1 Roles of user

document produced by the European Commission and entitled Ethics Guidelines for Trustworthy AI 1 presents this distinction as we depict it below (see Fig. 1): Different groups of stakeholders have different roles to play in ensuring that the requirements are met:

a. Developers should implement and apply the requirements to design and development processes; b. Deployers should ensure that the systems they use and the products and services they offer meet the requirements; c. End-users and the broader society should be informed about these requirements and able to request that they are upheld. In this European Commission document, an instructive distinction of roles is presented: – People who develop the requirements, – People who use the systems, and – End-users; in healthcare, for example, end-users can be patients who receive treatment based on results produced by Artificial Intelligence tools. The term “end-user” can then assume an even broader meaning, since patients have both a private dimension and a social dimension. The patient is often represented as an individual, but he/she lives in a social dimension. The social sphere includes the community of people who generally use the output of the processing of data contained in biobanks. The European Commission document cited above highlights the different role of developers, users and end-users with respect to Artificial Intelligence applications. However, the same roles can also be found in the context of biobanks. The developers are those who structure the data collection. In this context, the users

1

HLEGAI (8 April 2019). Ethics guidelines for trustworthy AI. https://ec.europa.eu/digital-singlemarket/en/news/ethics-guidelines-trustworthy-ai.

Users

405

Fig. 2 Roles of human beings

are those who use the collection as a whole, and the end-users are those who receive applications based on the collection of such data. On a closer look, the context of biobanks is even more complex, since these infrastructures are involved in the collection, processing and distribution of human biological samples and related data for research and diagnosis. Furthermore, within the specific context of biobanks, a further feature is added to the classification expressed above: the difference between the provider and the user (see Fig. 2). The provider is the person who allows his own information, both physical and non-material, to be collected. In fact, each sample, even a physical sample, corresponds to the profile of the person to whom that sample belongs. The user or final user is the person who takes advantage of the processing of data stored in the biobank. For both these individuals, knowledge of the profile is decisive to optimise the result of the application that uses the data from the biobank. Therefore, if the aspects relating to the person are considered only from a limited perspective, the results obtained can be discriminatory or partial. Alternatively, they can only allow a limited scope in relation to the evaluation of the results obtained from the collection of information and its subsequent processing. A recent and interesting specific study on the potential users of biobanks has been reported in the literature (Klingler et al. 2021). The survey focuses on the approach adopted by researchers from both academia and industry towards biobanks. A basic problem appears in the sustainability of biobanks if their percentage of use is limited. Other documents present a more general analysis of the concept of human involvement. The report of the Expert Group on Dealing with Ethical and Regulatory Challenges of International Biobank Research entitled Biobanks for Europe: A challenge for governance2 includes important notes for the involvement of patients. On page 33 of this document, three principles, which are considered by the patient representatives to be the key principles, are listed: Inclusion, Engagement and Communication. A list of good practices explains how to put these principles into practice.

2

European Commission, Directorate-General for Research and Innovation (2012). Biobanks for Europe: A challenge for governance. Publications Office. https://data.europa.eu/doi/10.2777/68942 .

406

L. Burzagli

This aspect is of particular importance when information is processed in a healthcare setting, where the resulting information takes on a decisive value for the health of the person. If we introduce a further step in the process of the analysis of the human component, and we move from the concept of user to the more general concept of stakeholder, the literature (Bjugn and Casati 2012) highlights the importance at the project level of the analysis of all the human elements that are involved in the process. The example given is of a colorectal biobank, in which all components, from the hospital managers (hospital owners), through the biobank’s logistic organisers, general practitioners, political bodies, patients and relatives, to public bodies, are considered. Among these, it is evident that priority must be given to their management and involvement (engagement). Consequently a different ethical and legal assessment is also required for the different roles. The focus on stakeholders is also seen as a step in the evolution of the concept of biobank. The authors identify a first level, where the number of biospecimens and data represents the focus, and introduce a second level, where the quality of the samples and data represents the most significant element. They also identify a third and recent level that focuses on the services provided by the biobank, which relates to the stakeholders. This last level also aims ‘to achieve long term financial sustainability of biobank infrastructures’ (Simeon-Dubach and Watson 2014, p. 300). Therefore, in the information process regarding biobanks, the various figures involved must also be identified and their specific characteristics outlined, in order to optimise the result. The process of connecting biological material and people is limited by the lack of information itself, and the lack of interfaces to users. In this sense, the type of activity described by Marinho et al. is interesting: it deals with the creation of a system that allows the use of interfaces by different organisations and from different devices (Marinho et al. 2019). With particular reference to medical images, which we discuss here by way of example, and based on an analysis of the existing literature on the subject, we consider some of the factors that must be taken into consideration. These factors relate to people’s characteristics (during the collection and structuring of the data) in terms of gender, social attributes, and geographical origin. Another important element in this field may be, in terms of physical characteristics, the possible presence of diseases, which can introduce elements of difficulty in interpreting the information. A series of questions arise, including the following (Geis et al. 2019): • how is the presence of certain characteristics relating to the persons whose data are acquired characterised? • who carries out this labelling operation? • what elements can influence the results obtainable from the biobank? • what are the possible steps to take to gain awareness and compensate for this bias? These elements must also be presented to those who use the biobank data, so that the processing that is carried out can immediately be set within in a correct view of the influence of people’s characteristics.

Users

407

Finally, the context in which this information will be managed must be identified, to understand whether and how people will have the necessary skills to report general information in the specific context. This may vary from an important research centre to a centre that is not so extensive and for which some kind of preventive training may be necessary.

3 Conclusion The correct and complete identification of the people engaged in the process of creating and using biobanks is essential. In addition, their specific roles must be considered to allow the legal aspects (rights and duties) that must be followed and respected in this field to be correctly defined. The interplay of factors that give relevance to the human component may result in a feasible and efficient process structured on the basis of the needs, attitudes and expectations of the subjects involved.

References Bjugn R, Casati B (2012) Stakeholder analysis: a useful tool for biobank planning. Biopreserv Biobank 10:239–244. https://doi.org/10.1089/bio.2011.0047 Geis JR, Brady AP, Wu CC, Spencer J, Ranschaert E, Jaremko JL, Langer SG, Kitts AB, Birch J, Shields WF, van den Hoven van Genderen R, Kotter E, Gichoya JW, Cook TS, Morgan MB, Tang A, Safdar NM, Kohli M (2019) Ethics of artificial intelligence in radiology: Summary of the Joint European and North American Multisociety Statement. J Am Coll Radiol 16:1516– 1521. https://doi.org/10.1016/j.jacr.2019.07.028 Klingler C, von Jagwitz-Biegnitz M, Baber R, Becker KF, Dahl E, Eibner C, Fuchs J, Groenewold MK, Hartung ML, Hummel M, Jahns R, Kirsten R, Kopfnagel V, Maushagen R, Nussbeck SY, Schoneberg A, Winter T, Specht C (2021) Stakeholder engagement to ensure the sustainability of biobanks: a survey of potential users of biobank services. Eur J Hum Genet 24. https://doi. org/10.1038/s41431-021-00905-x Marinho LL, da Nóbrega ICP, Sanchez Pi NS, Moreira da Costa RME, Werneck VMB (2019) Increasing availability control of human biological samples using a mobile management system. In: Duffy V (ed) Digital human modelling and applications in health, safety, ergonomics and risk management. Springer, pp 63–74. https://doi.org/10.1007/978-3-030-22219-2_5 Simeon-Dubach D, Watson P (2014) Biobanking 3.0: evidence based and customer focused biobanking. Clin Biochem 47(4–5):300–308. ISSN 0009-9120

Part II

Biobanking Legal and Ethical Requirements Across Europe: National Reports (in Alphabetic Order)

Towards Regulation for the European Health Data Research: A Comparative Analysis Ricard Martínez Martínez

1 Introduction ‘Biobanking legal and ethical requirements across Europe: National reports’, as explained in the introduction, will analyse how the national legislatures of the 27 Member States and the United Kingdom implemented Articles 9(2)(J) and 89 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation or GDPR),1 and will also look at the present regulation of the United Kingdom. As a matter of fact, the GDPR is a European Regulation which, by its nature, is a source of law with general efficacy and is directly applicable in the Member States, provided the Member States have implemented and adapted it internally (for example, by adapting Article 89 regarding exceptions in the field of scientific research). From the point of view of data protection, the application of the General Data Protection Regulation arises in a context of technological transition that is addressed by the Regulation in a relatively high-level manner. During the past decade we have witnessed a major digital transformation of healthcare systems. This transition is having a major impact on the way we think about how health systems are managed, how we approach care as a service, day-today patient care, and even how we conceive of research activities. A graphic image is 1

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ 4.5.2016 L 119/1.

R. M. Martínez (✉) Faculty of Law, University of Valencia, Valencia, Spain e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_46

411

412

R. M. Martínez

often used to describe the future of health systems: ‘4 P’ medicine. This description suggests that the defining characteristics of medicine will be participation, prediction, personalisation (customisation), prevention and we could add population-based medicine. For this model, data analytics takes on meaning and has a profound impact on research processes and on the definition of healthcare services for the patient. Population medicine is based on the handling of enormous amounts of data, which may well amount to petabytes or exabytes, and combining data from medical records with non-personal data relating to pollution, climate, mobility or socioeconomic aspects, among others. From the point of view of preventive and predictive medicine, data analytics adds the correlation to causation. In areas such as comorbidity, it can offer opportunities for the doctor and the patient themselves to design strategies, adapting their behaviour to make it possible to prevent and avoid not only the exacerbation of their diseases, but also the appearance of concurrent or successive pathologies in the case of comorbidity. Personalisation is another possibility offered by data analytics. Using data analytics, lessons learned from a population perspective in the treatment of a disease can help to fine-tune and personalise therapeutic targets. In its most applied dimension, this type of approach is effective in cases of poly-medicated patients when it is necessary to adjust their medication. Finally, the evolution of the internet of things (IoT) and mobile applications enable the design of digital environments in which patient engagement can be particularly relevant. Wearables and connected objects, such as glucometers and blood pressure monitors, that help to monitor patients’ heart rates, diabetes and physical activity, are available on the market. Alongside these, there is a huge range of products that can create patient interaction environments. These can provide new ways of collaboration and participation that involve a new understanding of the patient’s relationship with the healthcare system. The scenario we have just described is clearly leading to a connected health environment. The COVID-19 disease highlighted the extent to which connected medicine, telemedicine and remote patient care may be critical for the future of healthcare, and this emerging model cannot be confused with a regular system of patient checkups via telephone conversations. In fact, these are monitoring, interaction and participation scenarios that require the development of particularly complex information systems. In these systems, data analytics and decision-making processes assisted by specific-purpose artificial intelligence will transform the way in which healthcare is delivered to the population. From a technological point of view, this implies an increase in the complexity of information systems, and necessarily requires appropriate design in terms of data quality, robustness and reliability. On the other hand, the above scenario defines a context of data use that is developing new perspectives from the point of view of purpose. In the past, health research approaches were focused on clinical trial methodologies. The scope of research was limited, in terms of both the object pursued and the volume of patients involved. In this model, the legal framework regulating data processing was fully consistent and appropriate. Thus, access to data was based on the patient’s informed consent and was permitted for very specific purposes limited to specific research.

Towards Regulation for the European Health Data Research: A. . .

413

However, this is not the reality that is pointed to by the use of data analytics methodologies in retrospective and prospective studies. The first difference between these models is the volume of data used. For example, completely unlike traditional clinical trials, a retrospective study with data in the field of comorbidity could include millions of medical records. The second appreciable difference results from the gap between correlation and causality. Traditionally, scientific research sought to establish a cause–effect relationship, whereas one of the results of using data analytics is the drawing of inferences from correlations. It is obvious that from a scientific point of view not every correlation implies a causal relationship. Moreover, it is not desirable to treat correlations as sacred. However, it is no less true that, thanks to this methodology, the researcher can obtain inferences and results that were previously unsuspected and that must now be verified. However, this has a particularly strong effect from a legal point of view in relation to aspects such as determining the purpose. This type of research is particularly open to incidental findings and results whose interest may need to be validated. On the other hand, the combination of strictly clinical sources with datasets from other areas may generate new data and new models of analysis. In practice, the new data, conceptual models or inferences that are generated, far from being situated in the framework of a specific investigation, can be open, from a conceptual point of view to nearby or related areas, and in theory to any dimension of patient health or to additional dimensions (social, economic, or public policy). There are thus significant differences between the scenario that was regulated in the past and the current scenario. The background experience of the legislator, the law enforcer and the data protection authorities has focused on the clinical trial model that defines a very precise patient target, with a limited volume of subjects and data and in the context of a specific research study. In contrast, the use of data analytics, by its very nature, tends towards a holistic approach to the patient in the context of a population. Finally, in a description that by no means pretends to be exhaustive, there is a second contribution made by the new data analytics tools to health research models. These tools provide a dimension that adds to the traditional objectives and approaches of the fundamental research elements that are clearly oriented towards the care dimension of health. Thus, we can add to the secondary uses of data for basic research purposes, a primary use specifically aimed at improving the quality of care and the management of the health system.

2 General Data Protection Regulation and Health Research The GDPR has designed a regulatory framework for health data research, and the limits of this framework may in practice pose problems for the future development of research in the European Union. The regulatory framework, despite underlining and highlighting the existing public interest in the development of research activities

414

R. M. Martínez

with data, defines a model that in practice may be limiting for the development of cross-border research and may reproduce the asymmetries that were already produced by the transposition of Directive 95/46/EC. On the other hand, the systematic interpretation of Articles 9(2)(J) and 89 of the GDPR may create significant barriers in relation to research, because of the legislative actions of the Member States of the European Union. Briefly considered, the following are the features and drawbacks of the model designed by the European legislator. First, it modifies the approach to consent as a basis of legitimising the processing of personal data in the field of research. Recital 33 of the GDPR understands that the scope of consent can be somewhat broader and go beyond a specific piece of research. However, both its literal wording and the approach of the European Data Protection Board (EDPB) to the matter raise doubts as to its true potential. In practice, the GDPR seems to admit this consent with a broader and more variable content only when the circumstances of the research itself have a certain degree of indefiniteness that will be specified in the future. For this reason, the EDPB states in its Guidelines 05/2020 on consent under Regulation 2016/679 that consent should preferably be narrowly defined in terms of its purpose.2 However, this conception of consent can significantly limit data donor programmes. In all Member States’ legal systems where data processing is made to depend on the consent of individual patients, the collection of significant volumes of data requires the design of specific policies aimed at obtaining consent on a massive scale. For these policies to be efficient, it is essential to design open-minded systems that obtain patients’ consent in advance for research that does not yet exist. In very simple terms, the health system would need to know which patients would be willing to consent to the processing of their personal data for research on hepatic diseases, but they would not be able to specify such research in advance. Can we imagine how many repeated requests for consent for a specific research study a patient might receive from the more than 700 hospitals in Spain? The scope of consent would be even wider when, for example, it is intended to carry out longitudinal studies that cover a considerable period of a patient’s life, or even his or her entire life. We are referring, for example, to cases in which the object of the research focuses on specific patients and at the same time reaches a high volume of

2

EDPB (4 May 2020). Guidelines 05/2020 on consent under Regulation 2016/679. Version 1.1. The EDPB states: ‘156. First, it should be noted that Recital 33 does not disapply the obligations with regard to the requirement of specific consent. This means that, in principle, scientific research projects can only include personal data on the basis of consent if they have a well-described purpose. For the cases where purposes for data processing within a scientific research project cannot be specified at the outset, Recital 33 allows as an exception that the purpose may be described at a more general level. (. . .) 159. When research purposes cannot be fully specified, a controller must seek other ways to ensure the essence of the consent requirements are served best, for example, to allow data subjects to consent for a research purpose in more general terms and for specific stages of a research project that are already known to take place at the outset. As the research advances, consent for subsequent steps in the project can be obtained before that next stage begins. Yet, such a consent should still be in line with the applicable ethical standards for scientific research’.

Towards Regulation for the European Health Data Research: A. . .

415

Table 1 EU country report Country Austria

Health data Personal data Pseudonymised/Anonymised data

Belgium

Personal data Anonymisation or pseudonymisation directly after collection Personal data Personal data

Finland Germany

Anonymisation Spain

Personal data

Pseudonymisation Anonymisation

Legal basis/safeguards Explicit consent Public interest/organisational and information security measures Explicit consent Public interest Informed consent: opting out Exemptions to consent + additional legal basis Explicit consent Public interest/organisational and information security measures Exemptions to consent + additional legal basis Explicit consent Public interest/organisational and information security measures Public interest

the population on a huge scale, over long periods of time or with a broad coverage from the point of view of diseases. From this point of view, the application of the current legal regime would force a significant repetition of the processes of obtaining consent from each patient, leading to the well-known fatigue with cookie policies, although in this case it could produce precisely the opposite effect to the one expected. Cookie policies have ended up exhausting users so significantly that they simply accept the cookies, but it is highly doubtful that this would happen in the field of health, where the natural thing to do would be to refuse to give the data. The practical result is an inability to reach a middle ground in which the system can collect data donations through agile and flexible procedures while ensuring the patient’s own empowerment and permanent control. The second relevant dimension of the GDPR is the recognition of health research purposes as public interest purposes and as compatible purposes (Art. 5 GDPR). However, this recognition does not imply an automatic authorisation to process data. First, in the case of health data, and, in our opinion, in all other cases too, a legal basis in an EU or national regulation is necessary, which should also include adequate safeguards (Art. 89 GDPR). Given that the GDPR in its Article 89 has conferred on states the ability to legislate on research data, this has meant the development of national laws and the definition of criteria by data protection authorities (soft law) which do not necessarily coincide but instead diverge (Table 1). Thus, we are facing a variety of national laws and interpretation criteria that introduce a significant risk of inconsistencies, incongruities, or even contradictions

416

R. M. Martínez

and incompatibilities between the different national legal systems. In practice, this has condemned cross-border research using health data to seek technological solutions for data processing based on ‘anonymisation’. A preference for the anonymised use of data can easily be inferred from the GDPR, and specifically from Article 89. This requires a systematic interpretation of the meaning and consequences of anonymisation. To summarise, it should be noted that there is a significant divergence between the approach of the GDPR and the interpretation of the different data protection authorities. In this regard, the Regulation addresses the risk of re-identification by taking into account the means that may ‘reasonably’ be used by the controller or any other person directly or indirectly to identify the natural person. In determining whether there is a reasonable likelihood, all objective factors, such as the costs and time required for identification, must be taken into account, together with both the technology available at the time of processing, and technological developments. However, in the Opinion 5/2014 the Article 29 Working Party, whose role is now played by the European Data Protection Board, conceives of anonymisation as irreversible or equivalent to erasure.3 On the other hand, the anonymisation methodologies imposed by some data protection authorities, and significantly the Spanish one, entail the use of a set of technical, human and organisational resources that are quite often beyond the economic capacities of research teams. The aforementioned Opinion rightly considers anonymisation as a processing operation subject to the GDPR. This implies, at least, the guarantee of the legitimate origin of the data, their processing in accordance with the GDPR and a reasonable expectation of transparency that allows for the presumption that the patient understood at the time of the data collection that his or her duly anonymised data could be used for research purposes. The above-described situation has inevitably led health researchers to follow different strategies based on anonymisation, and to the emergence of peculiar concepts. Thus, in scientific and legal literature and in research projects, we can find the word ‘de-identification’ instead of the word ‘anonymisation’. The concept of de-identification is situated somewhere between pseudonymisation and irreversible anonymisation and it has an ambivalent meaning. It is used when absolutely irreversible anonymisation cannot be assured but the procedure has reached a sufficiently strong degree of anonymisation to offer guarantees from the point of view of data protection officers and those who have to apply the law. In practice, research projects use particularly costly and demanding design strategies for information systems and data processing operations. Federated processing systems, differential privacy techniques, or multi-party computation are applied to data processing in cross-border projects. In practice, each and every one of these systems facilitates the analysis of data in environments segmented by

3

ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014 (0829/14/EN WP216).

Towards Regulation for the European Health Data Research: A. . .

417

nationality in such a way that the analysis of the data complies with the applicable national rules and the inferences drawn from each analysis are transferred to the research and can then be compared with each other.

3 Conclusion. Requirements for the Processing of Health Data in the Data Governance Act Scenario and the Regulatory Future of the European Health Data Space The first lesson learned is that it is obvious that the current regulatory framework for health data research poses significant difficulties in building data spaces. We can clearly identify the following barriers: 1. Asymmetries in the regulations of Member States hinder the definition of common research models. 2. Regulatory differences lead to anonymisation being the only possible methodology for data research. This in turn raises further difficulties: • There is no common consensus on a concept of reliable anonymisation, except for irreversible anonymisation. • Anonymisation thus conceived may imply that relevant data would not be processed. • Highly costly methods based on different strategies (synthetic identities, differential privacy, multi-party computation) have been deployed. 3. In practice, ‘trans-European research’ may consist of what could be defined as ‘comparative research on the inferences drawn from data analytics at national level through federated and independent data spaces’. 4. The definition of public interest does not go so far as legitimising the processing of patients’ data without explicit consent, except in cases of serious risk to public health or in retrospective studies under certain conditions. In addition to this scenario: 1. Healthcare systems have not implemented data altruism programmes. 2. Adequate patient empowerment tools have not been deployed, from the point of view of information, from the point of view of valuing and encouraging patients’ collaboration, or from the point of view of managing permissions and consents.

418

R. M. Martínez

However, building trans-European research collaboration spaces is an urgent task. It is also a mission that is consistent with the objectives that both the European Health Data Space4 and the Data Governance Act seem to be pursuing. The European Health Data Space is likely to have a specific regulation, if the leaks published by some of the media are true. Data governance already has a draft regulation that allows us to draw preliminary conclusions. The DGA proposes, in practice, the emergence of secure intermediation spaces for data analytics. This would imply the emergence of dedicated data sharing agents from the public and private sectors, and bring together the cooperation of data donors in secure environments that allow for research with a full guarantee of the fundamental right to data protection. However, in view of the difficulties outlined above, the practice can only lead to federations of national data processing spaces. This issue seeks to be addressed by the Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space. However, it is a work in progress that in our view will not solve the problems for a number of reasons: 1. It is a clear commitment to anonymisation, although it recognises the difficulty of anonymising when conducting research in the context of specific diseases. 2. The use of pseudonymised data is only allowed as an alternative. 3. It defines a highly complex system for managing data authorisations. 4. It does not solve the essential problem: regulating research with personal data. Under the current conditions, cross-border EU research spaces could only be built on the condition that the data could not leave the sphere of control of compliance with national law, in both a legal and even a physical sense. Such a scenario seems unmanageable both from the point of view of its design and implementation and from the perspective of its governance. It is urgent and necessary to make the same journey that we once made with the GDPR. We need harmonised legislation that guarantees homogeneous conditions for research with health data in a context open to all European Union Member States, and that also allows for significant transnational cooperation with third countries.

4

Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A197%3 AFIN&qid=1651653740334.

Austria Joanna Osiejewicz

1 Introduction The European General Data Protection Regulation1 (hereinafter referred to as GDPR) required several adjustments to Austrian law. The changes were undertaken with the Data Protection Amendment Act 2018— Science and Research—WFDSAG 2018 (68 d.B.). The new regulations were developed in consultation with stakeholders and were also intended to ensure an increase in data quality and the removal of bureaucratic obstacles to science, research and statistics. The adjustments in the field of science and research came into force along with the so-called Material Data Protection Amendment Act 2018 (65 d.B.)2 and an associated Data Protection Deregulation Act (189/A) on 25 May 2018.3 An internal evaluation is planned for 2023.4 The new regulations of the Amendment Act are intended to promote positive development in Austria for science, research and innovation. Thus, the law provides for rules on pseudonymisation and registration of research for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Materien-Datenschutz-Anpassungsgesetz 2018 (65 d.B.), Bundesgesetzblatt, Nr. 32/2018. 3 Datenschutz-Deregulierungs-Gesetz 2018 (189/A), Bundesgesetzblatt I Nr. 24/2018. 4 Parliament correspondence N. 378, 10.04.2018. Parlamentskorrespondenz Nr. 378 vom 10.04.2018, Neu im Forschungsausschuss. Sammelgesetz mit Anpassungen und Maßnahmen für Wissenschaft und Forschung in Hinblick auf die Datenschutz-Grundverordnung. J. Osiejewicz (✉) University of Warsaw, Warsaw, Poland e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_47

419

420

J. Osiejewicz

Existing registers can now be opened for scientific institutions if this is useful for the purposes of science and research in the field of life and social sciences. A major goal is to create legal certainty for existing sample and data collections, especially biobanks, as well as for other scientific archives. The possibility of unlimited storage periods for certain data is provided. Science and research should also not be hindered by the fact that personal data may not be processed for scientific research purposes. The legal framework ought to ensure appropriate freedom of movement and clear liability rules for science and research so that clear distinctions between illegal and legally compliant behaviour are possible.

2 Freedom of Science In Austria, the absolute fundamental right to freedom of science is anchored in Art 17(1) StGG. Absolute means that it is a fundamental right that exists unless there is explicit legal reservation (Gamper and Kastelitz 2018, p. 102). According to the case law of the Austrian Constitutional Court, anyone who researches and teaches scientifically is entitled to scientific freedom.5 The object of freedom of research is to seek out new knowledge or to consolidate older knowledge in a certain field of knowledge.6 Even if the state may not subject the researcher to any specific, intentional restrictions on this freedom,7 the absolute fundamental rights are only guaranteed within the limits of general laws, that is, within the immanent fundamental rights barriers.8 An encroachment on the freedom of science and teaching that prevents scientific activity9 or even restricts it10 is only permissible if it is necessary and proportionate to protect another legal interest.11 Therefore, it is always necessary to weigh the freedom of science against the legal interest protected from interference.12 Fundamental rights clashes and conflicts that can arise in scientific research with personal data must be resolved by achieving a balance between data protection and academic freedom, which is the legal norm that has so far formed the most important data protection framework under simple law for scientific research and statistics (Gamper and Kastelitz 2018, p. 104).

5

Decision of the Austrian Constitutional Court (VfSlg ) 8136/1977-13978/1994. Decision of the Austrian Constitutional Court (VfSlg) 3191/1957. 7 Decision of the Austrian Constitutional Court (VfSlg) 8136/1977. 8 Decision of the Austrian Constitutional Court (VfSlg): 1777/1949, 4732/1964, 11737/1988, 13978/1994. 9 Decision of the Austrian Constitutional Court (VfSlg) 4881/1964. 10 Decision of the Austrian Constitutional Court (VfSlg) 2823/1955. 11 Ibidem. 12 Decision of the Austrian Constitutional Court (VfSlg) 13978/1994. 6

Austria

421

3 Organisation of Research 3.1

General Conditions

The GDPR offers so-called multiple opening clauses, that is, areas that can be regulated separately by the Member States. This adjustment was made for Austria with the Data Protection Act13 (BGBl. I Nr. 165/1999), the Research Organisation Act14 (BGBL I Nr. 31/2018) and some other laws. Article 7 of the Data Protection Act (hereinafter DPA) contains specific provisions for archival purposes in the public interest, scientific or historical research purposes or statistical purposes. It is clear from the wording of § 7 (1) DPA that the standard regulates research purposes. However, only research projects that are legally based on Article 6 (1) (c) or (e) GDPR are covered by Art. 7 DSG, while research purposes predominantly or exclusively based on private (commercial) interest are not covered (Gamper and Kastelitz 2018, p. 121). From a practical standpoint, however, it is likely more important that Art. 7 (1) DSG apparently only refers to specific research projects that also have no personal results as their goal. This is the reason data collections that initially have indefinite purposes or projects with personal results are subject to Art. 7 (2) DSG. Due to the indefinite term ‘determine’ in Art. 7 (1) (2) DSG, there are also uncertainties as to whether the further processing of personal results from completed research projects is included if these have not been published. The Research Organisation Act (hereinafter: ROA) regulates the general conditions for the processing of personal data for archival purposes in the public interest, scientific or historical research purposes and for statistical purposes. This law creates clarity about what is to be understood as a ‘public body’ within the meaning of the GDPR. Further definitions for ‘open access’, ‘open data’, ‘big data’, ‘research material’ and so forth can be found in Art. 2b (1)–(13) ROA. Article 2c ROA opened the possibility of using area-specific personal identifiers for purposes of science and research. The use of these area-specific personal identifiers represents a pseudonymisation within the meaning of Art. 4 (5) GDPR and can therefore be applied to the processing of special categories of personal data in the field of science and research. Article 2d contains the basic provisions for the protection of personal data. It requires specific measures to be taken. First, access to personal data that is processed with automation support based on Section 1 of the ROA must be logged without gaps. Second, responsible persons and processors who process personal data on the basis of Section 1 of the ROA and their employees have to keep personal data secret without prejudice to other statutory confidentiality obligations if the data has

13

Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Datenschutzgesetz – DSG). StF:BGBl. I Nr. 165/1999 (NR: GP XX RV 1613 AB 2028 S. 179. BR:5992 AB 6034S. 657.) [CELEX-Nr.:395L0046]. 14 Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018 (68 d.B.), Bundesgesetzblatt Nr. 31/2018.

422

J. Osiejewicz

been entrusted to them exclusively on the basis of this section or if it has become accessible, unless there is a legally permissible reason for the transfer of the entrusted or accessible personal data (data secrecy). Third, personal data that are processed with automated support based on Section 1 of the ROA may only be processed for the purposes of the ROA. Natural persons whose personal data are processed based on Section 1 of the ROA may not suffer any disadvantages from the processing, whereby the processing in accordance with this section does not constitute a disadvantage. Fourth, those responsible for carrying out processing on the basis of Art. 2d (2), that is, who use area-specific personal identifiers, are obliged: (a) to make information on the use of this legal basis publicly available on the Internet; (b) if data is provided with area-specific personal identifiers, to delete the name information in any case; (c) to appoint a data protection officer (Art. 37 GDPR) in any case before using registers; (d) to expressly define the distribution of tasks in the processing of data (§ 2b (5)) between the organisational units and between employees; (e) to bind the processing of data to the existence of valid orders from the organisational units and employees authorised to issue orders; (f) to instruct every employee on their duties under this federal law and internal data protection regulations, including data security regulations; (g) to regulate access authorisation to the rooms in which the processing of the data (§ 2b (5)) actually takes place; (h) to regulate access authorisation to data (§ 2b (5)) and programmes and the protection of the data carrier against inspection and use by unauthorised persons; (i) to determine the authorisation to operate the data processing equipment and to secure each device against unauthorised start-up by taking precautions with the machines or programmes used; (j) to provide documentation on measures taken according to lit. (d) to (i) in order to facilitate control and preservation of evidence; (k) to attach to their request for the provision of data pursuant to Art. 2 (3) a declaration signed by the person authorised to dispose of the databases from which the personal data is to be determined. The declaration should state that they have provided the data to the person responsible for the investigation. Instead of this declaration, an enforcement title replacing this declaration (Section 367 (1) of the Enforcement Order15 RGBl. No. 79/1896) can be submitted; (l) to assure when processing data provided in accordance with Art. 2 (3) (Section 2b (5)) that only the natural persons named in the application may access the data provided in accordance with Art. 2 (3); and 15 Gesetz vom 27. Mai 1896, über das Exekutions- und Sicherungsverfahren Exekutionsordnung – EO). StF: RGBl. Nr. 79/1896.

Austria

423

(m) if name details are transmitted in accordance with Art. 2 (3), to delete them after the purposes in accordance with Art. 89 (1) GDPR have been achieved.

3.2

Obligations of Research Institutions

According to § 2d (2.1) letter (a) to (d), research institutions may process all personal data in any case, in particular in the context of big data, personalised medicine, biomedical research, biobanks and the transmission to other scientific institutions and contract processors, if: (a) instead of the name, area-specific personal identifiers for the area of activity ‘research’ or other unique identifiers are used for allocation; (b) the processing takes place in pseudonymised form (Art. 4 (5) GDPR); (c) publications take place (aa) not or (bb) only in anonymised or pseudonymised form or (cc) without names, addresses or photos; or (d) the processing takes place exclusively for the purpose of anonymisation or pseudonymisation, and there is no disclosure of directly personal data to third parties (Art. 4 (10) GDPR). It must, therefore, be ensured that direct personal data is not published under any circumstances. Article 2d (2.3) is intended to place register-based research, which is expressly mentioned in Recital 157 of the GDPR, on a secure legal basis within Austria. Better research results can be obtained using registers because they are based on a larger segment of the population. With this provision, all registers set up or operated by public bodies and authorities should be open to scientific institutions in the future. In this context, registers do not only mean publicly accessible registers within the meaning of Art. 3 (18) of the Federal Statistics Act 200016 (BGBl. I Nr. 163/1999), but all directories, databases or similar applications or processing platforms that are provided for by federal law. Public prosecution and criminal court registers as well as registers related to courts, lawyers and notaries are excluded from this regulation. Costs must be reimbursed for the provision of register data (these costs are reimbursed to the public sector). The right to research registers exists regardless of whether the register in question contains personal data or not17 (68 der Beilagen XXVI. GP, 2018, p. 34). In the application of the ROA (Art. 2d (2.3.3.), research institutions may process special categories of personal data if the person to whom the data relates voluntarily, in an informed manner and unequivocally declares his or her agreement to the processing of their personal data in the form of a declaration or other unambiguous confirmatory act. The purpose of the processing can be specified by providing a research area or several research areas or a research project or parts of research projects (‘broad consent’). The achievement of purposes under Art. 89 (1) GDPR 16

Bundesgesetz über die Bundesstatistik (Bundesstatistikgesetz 2000) StF: BGBl. I Nr. 163/1999 (NR: GP XX RV 1830 AB 2027 S. 179. BR: AB 6036 S. 657). 17 68 der Beilagen XXVI. GP - Regierungsvorlage - Erläuterungen, https://www.parlament.gv.at/ PAKT/VHG/XXVI/I/I_00068/fname_686447.pdf, 34.

424

J. Osiejewicz

will probably be made impossible if the exercise of these rights would subsequently change research results (Rudiger 2020, p. 41). A serious impairment exists if the fulfilment of the obligations would involve a disproportionate effort for the person responsible (§ 2e ROA). For quality management purposes in research institutions, the person responsible may process the following data directly on a personal basis but may only publish them in pseudonymised or anonymised form. First, with regard to the persons who were or are active in teaching or research, publication may occur of all data according to Art. 2g (1–4) ROA (all data that is relevant for the processing of funding); socio-biographical and socio-economic information; qualitative data, in particular regarding the relevance of the course for employment, professional advancement and satisfaction, or the perception of the quality and relevance of their educational and training experience; and quantitative data, in particular regarding entry into professional life and further (training) education, income, type of contract, employment status, occupation, occupational status and activity (during the course), information on geographical and sectoral mobility (§ 2b (7)) and all academic functions, publications, third-party fundraising and activities relating to technology transfer. Second, with regard to the persons who were or will be supervised within the framework of the teaching, publication may occur of the information mentioned as well as quantitative data, in particular regarding study intensity, study method, qualification(s), obtained credit points and subject of study. To increase the transparency of processing in accordance with Art. 89 GDPR, scientific institutions (Art. 2b (12)) are allowed to list scientific staff who are in an upright employment relationship with the respective scientific institution, including a photo and a list of their publications, on a website of the scientific institution or in the context of publicly accessible reports of the scientific institution, unless the publication is likely to violate public safety, criminal justice, comprehensive national defence, foreign relations or a legitimate private or business interest, whereby an objection to the publication of a photo according to lit. a can be made at any time. Alternatively, the scientific institutions are allowed to enlist scientific staff who are no longer in a regular employment relationship with the respective scientific institution as well as students by name on a website of the scientific institution or in the context of publicly accessible reports from the scientific institution unless the publication is likely to harm public safety, the administration of justice, comprehensive national defence, foreign relations or a legitimate private or business interest. Recipients of funding from federal funds, research contracts and the like can be stored for at least 10 years for the purpose of establishing contact, including names, personal characteristics, address and contact details, information on project partners, information on training and information on funds received and mobility (Art. 9 (1) ROA). Key research areas and information on publications of former academic staff and students are allowed to be processed as well (Art. 2g (1.3.) ROA). Apart from this, scientific institutions are allowed to process names, personal characteristics and information on curriculum vitae of scientists and persons close to them (Art. 2g (1.4.) ROA). Regarding knowledge and technology transfer, Art. 2i stipulates that irrespective of any patent law provisions, processing, particularly within the meaning of Art. 2d

Austria

425

(8), or the transmission of personal data is permitted for technology transfer if this processing is necessary to maintain the functionality of the technology to be transferred. A cumulative condition is to ensure through technology design in accordance with Art. 25 GDPR that third parties (Art. 4 (10) GDPR) have no actual knowledge of the transmitted data. Under these conditions, the rights of the data subject do not apply. Knowledge transfer is permitted under the conditions that area-specific personal identifiers are used in place of the name; or that processing is carried out in pseudonymised form; or there are no publications or publications take place only in anonymised or pseudonymised form without name, address or photo; or processing is carried out solely for the purpose of anonymisation or pseudonymisation, and there is no direct disclosure of personal data to third parties.

4 Conclusion In data protection law, the so-called prohibition with reservation of permission applies. Accordingly, the processing of personal data is fundamentally prohibited and only permitted in those cases that are expressly mentioned in the law. It is well known that the fundamental right to the protection of personal data is not an unrestricted right. Even though the processing of personal data is only permitted if one of the permissions applies, the data protection requirements that have been described must also be complied with. Austrian legislation provides for clear legal basis of processing the personal data for research purposes, including special provisions on the processing of genetic data, biometric data, or data concerning health. Clear governance procedures and policies are established referring to the use and re-use of personal data. However, guidance regarding the reuse and the conservation of health data as well as the DNA and RNA information obtainable from the tissues ought to be derived from general rules. Also, no specific regulations on biohacking activity are provided.

References Gamper L, Kastelitz M (2018) Auswirkungen der Datenschutzgrundverordnung auf die Wissenschaftliche Forschung in Österreich. In: Schweighofer E, Kummer F, Saarenpää A, Schafer B (eds) Datenschutz/LegalTech – Tagungsband des 21. Internationalen Rechtsinformatik Symposions IRIS 2018 (Data Protection/LegalTech – Proceedings of the 21st International Legal Informatics Symposium, IRIS, Jusletter IT, 2018). Nova MD, Vachendorf, pp 101–124 Rudiger M (2020) Datenschutz-Handbuch der TU Wien. https://www.tuwien.at/index.php?eID= dms&s=4&path=Dokumente/Handlungsanleitungen%20und%20FAQs/Datenschutz%20 Handbuch%20der%20TU%20Wien.pdf

Belgium Alessandra Langella

1 Introduction The GDPR provides wide scope for national-level specifications in several areas, including scientific research (Dove 2018; Staunton et al. 2019). Belgium supplemented the GDPR with its national Law of 30 July 20181 on the protection of natural persons with regard to the processing of personal data (hereafter ‘the Law’), which repealed in full the previous legislation. The first Data Protection Act had been enacted on 8 December 1992.2 Following the European Directive 46/95, some significant modifications were made to the Act of 1992. This Act, which was changed several times, was replaced by the new Belgian Law of July 2018, entered into force on 5 September 2018. Contrary to the advice of the Council of State,3 the Belgian government divided the legislative process between the substantive and procedural provisions for data protection and the administrative provisions dealing with the creation of a national supervisory authority (the Data Protection Authority Act of 3 December 20174). As far as the discipline for the protection of personal data is concerned, the Belgian regulatory framework not only provides for the required implementation

1 [C – 2018/40581], Belgian Official Journal 5 September 2018. https://www. dataprotectionauthority.be/publications/act-of-30-july-2018.pdf. 2 Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data, Belgian Official Journal, 18 March 1993. https://www.icann.org/en/system/files/files/belgianprivacy-act-08jul13-en.pdf. 3 State Council of 27 June 2017, DOC. Parl., Ch., 2016-2017, n° 54-2648/001, pp. 130–132. 4 Act of 3 December 2017 establishing the Data Protection Authority [C – 2017/31916]. https:// www.ejustice.just.fgov.be/mopdf/2018/01/10_1.pdf#Page67.

A. Langella (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_48

427

428

A. Langella

of the GDPR provisions but also regulates certain aspects that are not taken into account within the European system. Indeed, Belgium is among the few countries to deal with the processing of personal data by the intelligence and security services (Title 3). Among the relevant provisions covered by this new Law, it is important to focus attention on the special conditions regarding processing for scientific research purposes (Title 4) and the rules for genetic and biometric data as well as data concerning health (Title 1, Chapter 1, Art. 9). In this context, the rules for the activities of biobanks, which are the major resource for health-related research, involve the processing of health data and rely on the derogations and safeguards for archiving in the interests of scientific research. As is well known, research activities rely heavily on health data, information resulting from tests and information obtained from biobank activities (in this sense see Recital 35 of the GDPR). The following paragraphs aim to describe the Belgian provisions on healthrelated data, and to take a closer look at the derogations granted in the European regulation for scientific research activity.

2 The Protection of Natural Persons in the Processing of Special Categories of Personal Data for Archiving Purposes in the Public Interest and for Scientific Research Purposes Despite the general rule expressed in Art. 9, the GDPR lists several exemptions for the processing of special categories of personal data. When it comes to the necessary treatment for archiving purposes in the public interest and for scientific research purposes (Art. 9(2)(j)), the prohibition in the first paragraph of Art. 9 does not apply and Member States may introduce ‘further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’ (Art. 9(4) GDPR). Moreover, as scholars underline, genetic and health data are strongly connected to the individual sphere of the subject, and in an even more intrusive way have the potential to convey information about family members (Cippitani 2018). The Belgian Law, while implementing Article 9(4) GDPR, also imposes further conditions and requires additional measures for the processing of genetic, biometric and health-related data (Art. 9 Law): (1) the controller or, as appropriate, the processor, shall designate the categories of persons who have access to the personal data, and shall meticulously describe their capacity with regard to the processing of the data concerned; (2) the controller or, as appropriate, the processor, shall keep a list of the designated categories of persons at the disposal of the competent

Belgium

429

supervisory authority;5 and (3) the controller shall ensure that the designated persons are bound by a legal or legal obligation or by an equivalent contractual provision to respect the confidential nature of the data concerned. Having due regard to the activities of biobanks, this means that the staff must demonstrate that they have capacity for the processing of the data concerned, and the controller must ensure that only individuals working under his/her authority have access to and make use of the data in order to ensure confidentiality. As required by ethical or contractual obligations, medical personnel or researchers who have access to the biobank data are required to respect the confidential nature of the data processed. This is line with the professional ethical standards that regulate health science, medical research, and clinical trials.6 In compliance with these additional requirements, the Law allows genetic and health-related data to be processed for archiving purposes in the public interest and for scientific research purposes. The provisions implementing the European rules for the processing of personal data for scientific research purposes are contained in Title IV of the Law. The previous Act of 1992 allowed scientific research as legal basis for processing personal data linked to the health status of a person. The purpose of scientific research was considered to be a valid reason for derogating from the prohibition on processing data in the category of health, under the conditions laid down by the King in the Royal Decree (Act of 1992, Art. 7(2)(k)). Moreover, scientific research purposes or population surveys carried out with the aim of protecting or promoting public health were also considered to give a valid exemption to the data controller from the requirement to provide certain information to the data subject (Art. 9, Act of 1992).7 In effect, each person had the right to obtain information on personal data processed in relation to his/her health. However, without prejudice to the patient’s rights,8 the data controller could postpone this duty until, at the latest, the moment the research was concluded and, when personal data concerning health were processed for medical or scientific research, only to the extent that the provision of the information would seriously undermine that research (Art. 10, Act of 1992). A special regime for scientific research was confirmed in the Law of 2018. In addition to the requirement to appoint a data protection officer (DPO) if the processing is likely to result in a high risk to the rights and freedoms of natural persons as referred to in Article 35 of the Regulation (Art. 190 Law), the controller

Privacy Commission, ‘Reference measures for the security of any personal data processing operation’. www.dataprotectionauthority.be (‘Information security’ section). 6 European Data Protection Supervisor. (2020). A preliminary opinion on data protection and scientific research, 6 January 2020. https://edps.europa.eu/sites/edp/files/publication/20-01-06_ opinion_research_en.pdf. 7 If the provision of such information proves impossible or would involve a disproportionate effort (Art. 9(2)(a)). 8 Article 9(2) of the Act of 22 August 2002, Law on Patients’ Rights. https://www.ejustice.just.fgov. be/mopdf/2002/09/26_2.pdf#. See also the brochure for healthcare practitioners and patients. It provides information on the current content of the Law. https://www.health.belgium.be/sites/ default/files/uploads/fields/fpshealth_theme_file/booklet_patients_rights.pdf. 5

430

A. Langella

must add further information to the record of the processing activities (Art. 191): ‘1) a justification for the use of the data, whether pseudonymised or not; 2) reasons why the data subject’s rights threaten to render impossible or seriously impair the achievement of the relevant purposes; and 3) where appropriate, a data protection impact assessment if the controller is processing sensitive data for scientific or historical research or statistical purposes.’ In accordance with the third condition of the aforementioned provision, the biobank, as a controller which processes ‘sensitive data’, must add the data protection impact assessment to the record of processing activities. Since it is engaged in the large-scale processing of special categories of data, such as health and genetic data, the biobank should carry out a data protection impact assessment to evaluate the origin and severity of the risk connected with the research operations. In relation to this, and pursuant to Article 35(4) of the GDPR, the national authority adopted a list of processing operations that are subject to the requirement for a data protection impact assessment.9 Among the other circumstances, number 5 on the list in this Decision establishes the necessity to prepare a data protection impact assessment when personal data belonging to a special category (Art. 9 GDPR) are subject to systematic exchange between multiple controllers (which may be the case with a biobank). Without prejudice to Articles 24 and 30 of the Regulation, the Law standardises the obligation of the data controller to both ensure protection and apply the accountability principle realistically. In order to demonstrate compliance with Article 89 of the Regulation, the data controller of a biobank must justify any derogations to the exercise of the data subject’s rights. Furthermore, the Law of 2018 specifies that a controller who process data for research must use anonymous data, and that non-pseudonymised data may be used only in limited circumstances, when it is not possible to perform the research by processing anonymous and pseudonymised data (Art. 197).10 The Law prescribes anonymisation or pseudonymisation after collection (Art. 198) and allows re-identification only where necessary to achieve the purposes of the research or the statistical purposes, and after consulting the data protection officer (Art. 200). When several data controllers are involved, as is the case with clinical trials, transnational research, or multidisciplinary activity, the first data controller (the one who collects the data) must anonymise or pseudonymise the data before transferring them to the controller tasked with the further processing. Access to the

9 Decision no. 1 of 16 January 2019 contains a list of processing operations subject to the requirement for a data protection impact assessment. https://edpb.europa.eu/sites/default/files/ decisions/be_list_of_the_types_of_processing_operations_for_which_a_dpia_shall_be_required. pdf. 10 The option to use one of three levels of preference ((1) anonymous, (2) pseudonymised and (3) non-pseudonymised data), was already included in the Royal Decree of 2001. The Royal Decree of 2001 was adopted to add further details to the Act of 8 December 1992, and to harmonise the Belgian system to Recommendation 97/18 of the Committee of Ministers to Member States concerning the protection of personal data collected and processed for statistical purposes.

Belgium

431

pseudonymisation key can be denied to prevent the reversing process from being carried out (Art. 201). Therefore, the first data controller of a biobank must anonymise data before making them available to other researchers. However, a closer look at this method, which has value for the protection of privacy interests, reveals inherent limitations: (Laurie et al. 2010, p. 318) anonymisation makes it impossible to communicate with the data subject to provide feedback on the research results or to ask for follow-up information, and also limits certain kinds of research (longitudinal research). Moreover, the use of genetic and health data in research means that anonymisation can only be relative since it could be possible to identify an individual from their genetic data. The Belgian Data Protection Law provides a specific regime for the special category of personal data defined in Article 9(1) GDPR for the purpose referred to in Article 89 GDPR. More precisely, the Law distinguishes between the ‘communication’ and the ‘dissemination’ of data.11 When it comes to communication, this means that the personal data are transferred to a third identified person. Non-pseudonymised data can be communicated for the purposes referred to in Article 89 of the Regulation, but the controller has the duty to ensure that the identified third party is unable to reproduce the data communicated except in a handwritten form, in cases where (1) it concerns personal data as referred to in Article 9(1) GDPR; (2) the agreement between the controller of the original processing and the controller of the further processing forbids it; or any such reproduction may compromise the safety of the data subject (Art. 207 of the Law). Dissemination means the disclosure of data without identifying the third party. In this case, the controller shall not disseminate any non-pseudonymised data (Art. 205); the limitation remains for the data referred to in Article 9(1) of the Regulation even in the case of pseudonymisation. The rationale behind this is that the more ‘sensitive’ the data are, the greater the precautions that have to be taken. However, these limits are overcome by the consent of the data subject.

11 Art. 188, 2°, ‘communication of data’ means communication of data to identified third parties; 3° ‘dissemination of data’ means the disclosure of data without identifying the third parties.

432

A. Langella

3 The Specific Law on Biobank Activities After a decade, Belgium adopted the New Royal Decree on biobanks12 which on 1 November 2018 brought into force the provisions of the Act of 200813 on the obtaining and use of human body material for human application or for scientific research14 (the ‘Act on HBM’) (Sterckx and Van Assche 2011). Moreover, a compendium was provided in July 2018 (Federal Agency for Medicines and Health Products (FAMHP) 2018). This compendium ‘was built after consultation with stakeholders from various sectors, impacted by the legal provisions on biobanks’ (Federal Agency for Medicines and Health Products (FAMHP) 2018, p. 2) with the aim of providing valuable guidance on the rules, access procedures and requirements for Belgian biobanks. A biobank is defined as a ‘structure which, for the purposes of scientific research, with the exception of research with human medical applications, carries out the obtaining, processing, storage or provision of human body material, as well as, where applicable, related human body material and donor data’ (Article 2 °27 of the Act of 200815,16). A biobank is different from a ‘bank of human material’, which processes and stores human material for medical applications.17

New Royal Decree on biobanks, 2018, [C – 2018/30209]. https://www.afmps.be/sites/default/ files/content/kb_ar_2018-02-05.pdf. 13 19 December 2008 — Act on the obtaining and use of human body material for human medical applications or for scientific research purposes [C – 2008/18385] (‘Act on HBM’). https://www. afmps.be/sites/default/files/downloads/Loi%202008%2012%2019%20mat%C3%A9riel%20 corporel%20humain.pdf. The Act on HBM was last amended by the Law of 23 February 2022 laying down provisions regarding human body material and embryos and gametes. https://www. ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&table_name=loi& cn=2022022304 and by the Law of 18 May 2022, concerning urgent provisions in the field of health (dossier no. 2022-05-18/08). https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?lan guage=fr&la=F&table_name=loi&cn=2022051808. Consolidated version http://www.ejustice. just.fgov.be/eli/loi/2008/12/19/2008018385/justel. 14 Art. 2 32° of the Act on HBM: ‘scientific research: any use of human body material for the development of knowledge relevant to the exercise of the health care professions as referred to in the Act on the exercise of the health care professions, coordinated on 10 May 2015’. (Original version: ‘recherche scientifique: toute usage de matériel corporel humain en vue du développement des connaissances propres à l’exercice des professions des soins de santé telles que visées dans la loi relative à l’exercice des professions des soins de santé, coordonnée le 10 mai 2015)’. 15 Art. 2, 27° Act on HBM. The original reads as follows: ‘biobanque: la structure qui, à des fins de recherche scientifique, à l’exception de la recherche avec des applications médicales humaines, effectue l’obtention, le traitement, le stockage ou la mise à disposition du matériel corporel humain, ainsi que, le cas échéant, les données relatives au matériel corporel humain et au donneur qui y sont liées.’ 16 This definition was modified by the Law of 23 February 2022. 17 Article 2 °24 of the Act on HBM. 12

Belgium

433

For Belgian biobanks a notification to the Federal Agency for Medicines and Health Products (FAMHP)18 is required.19,20,21 If a biobank has not given the notification, its activities must be suspended, and the human body material has to be destroyed or transferred to another biobank.22 A positive opinion of an ethical committee (as referred to in Article 11(3)(2) of the Law of 7 May 2004 relating to experiments on human people) concerning the objectives, purposes, and activities of the biobank is required. If those objectives or activities change, a new opinion is needed.23 Moreover, the biobank must keep a register of the nature of the human body material it stores and makes available, as well as the origin and destination of that material.24 There are certain provisions dealing with the codification, traceability, and identification of the donor. The traceability or otherwise of the human body material depends on the consent of the donor.25 Furthermore, the position of the person who is responsible for handling the material depends on whether or not the material is traceable.26 Responsibilities in terms of traceability must be one of the aspects27 of the written agreement with a person or institution to whom the biobank can make the material available.28 The supply of existing samples for research requires a contract with the end user, in the same way as for newly collected samples. This agreement is the basis upon which the biobank makes samples available to researchers or to other biobanks. It also rules the transfer of human body material within Belgium and abroad.

18

The list of notified biobanks is available on the FAMHP website. www.famhp.be. See Annex 1 of the Royal Decree for the biobank notification form. https://www.ejustice.just. fgov.be/doc/rech_f.htm. 20 BBMRI, Biobanking and Biomolecular Resources Research Infrastructure of Belgium https:// www.bbmri.be/help-needed-with-the-notification-of-your-biobank/. 21 The Royal Decree (Art. 3) determines the procedure for giving notifications to the FAMHP and the required contents of the notification dossier. 22 Until 1 May 2019, an ‘existing’ biobank that had not yet provided notification could still supply human body material. 23 Art. 22(1) Act on HBM. This opinion shall have the same effect as a favourable opinion as referred to in Article 21 of the Act on HBM provided that the intended secondary use for scientific research falls within the scope of the objectives, purposes and activities of the biobank referred to in the opinion. 24 Art. 22(2), Act on HBM. The record may be inspected by the subjects indicated into Art. 23 and by the FAMHP. 25 Art. 22(4) Act on HBM. 26 Art. 22(3) Act on HBM. If the biobank only obtains, stores, or makes available untraceable body material, the manager of HBM within the biobank may also be a pharmacist. 27 See Art. 10 Royal Decree of 2018. 28 Art. 22 (2), (3) Act on HBM. 19

434

A. Langella

The agreement regulates the treatment of the donor’s personal data by the person or institution to whom the material is made available, in accordance with the provisions of the law of 8 December 1992 relating to protection of personal data.29 According to Art. 10 of the Act on HBM, the biobank acts as the controller, within the meaning of Article 4(7) of the GDPR, for processing carried out by the biobank or on its behalf. The purpose of this processing is to guarantee traceability; to demonstrate that informed consent has been obtained or that the conditions for the application of the presumption of consent are fulfilled; to ensure the quality and safety of the equipment; and to provide data necessary for the performance of scientific research to other institutions or third parties.30 A biobank may process personal data relating to the donor’s identity and contact details; medical, clinical, and other relevant data for the biobank’s activities; the place of collection, identity, and contact details of the company or person who has carried out the collection. Those data may only be transferred in pseudonymised form to establishments and/or hospitals or persons carrying out activities with biomaterials in the context of human applications31 or scientific research.32 The regulatory framework establishes further provisions to protect the donor’s right of physical integrity. To protect the integrity of the human person during the sampling and collection of human body material, only certain categories of professionals are authorised to perform the operation. The rules are applicable to all human samples.

4 The Secondary Use of Personal Data The purpose limitation principle states that personal data can be collected for specified, explicit and legitimate purposes. Processing is lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6 GDPR). However, when the processing is for a purpose other than that for which the personal data have been collected and is not based on the data subject’s consent, the controller must verify whether the original and the further processing are compatible. When the processing is compatible with the purposes for which the personal data were initially collected, no legal basis, other than that which allowed the original collection of the personal data, is required (Recital 50). In order to ascertain this compatibility, the controller should take into account, inter alia: any link between those first purposes and the purposes of the intended further processing (Art. 6(4)(a) GDPR); the context in which the personal

29

Art. 22(2) Act on HBM. Art. 10(7) Act on HBM, as introduced by the Law 2022-05-18/08 (Art. 18). 31 Art. 2 20° Act on HBM, ‘application médicale humaine: l’utilisation de matériel corporel humain sur ou dans un receveur humain, y compris l’application extracorporelle’. 32 Art. 10(7) Act on HBM, as introduced by the Law 2022-05-18/08 (Art. 18). 30

Belgium

435

data have been collected, and in particular the reasonable expectations of the data subjects, based on their relationship with the controller, as to their further use (Art. 6(4)(b)); the nature of the personal data (Art. 6(4)(c)); the consequences of the intended further processing for data subjects (Art. 6(4)(d)); and the existence of appropriate safeguards, which may include encryption or pseudonymisation (Art. 6(4)(e)). The Belgian Law does not contain criteria in addition to those listed in the GDPR to determine whether the processing for a new purpose is compatible with the purpose for which the data were initially collected. However, the Belgium Law foresees measures and safeguards when using data for secondary research. The national data law states (Art. 194) that when a controller processes personal data for scientific research purposes which the controller did not collect directly from the data subjects, the controller should conclude an agreement with the original controller (except in the cases indicated in the second paragraph). This agreement shall contain (Art. 195) details of the original controller and of the controller of the further processing (§1) and the reasons why the exercise of the rights by the data subject is likely to make the achievement of the purpose of the further processing impossible or to seriously hinder it (§2). The agreement must be appended to the record of processing activities (Art. 196). When the processing of data for research purposes is carried out by a controller of the further processing which is the same as the controller of the original processing, the controller shall anonymise or pseudonymise the data before the further processing. Moreover, personal data must be pseudonymised or anonymised before the data are communicated to the controller tasked with the further processing (Arts. 199, 201). The controller is only entitled to de-pseudonymise the data if this is necessary for the research or statistical purposes and, where applicable, after consulting the data protection officer (Art. 200). Lastly, the national regulatory framework provides that personal data stored in a biobank can be kept for a maximum of fifty years after obtaining the human body material.33

5 Secondary Use and Residual Human Tissues According to the definition given in the Act on HBM, ‘secondary use’ means any use of human body material other than that for which the donor has given consent in the context of collection.34 For any secondary use, the donor must be informed, and his/her explicit and written consent must be obtained. When it is not possible to obtain consent, or when such a request would be exceptionally inappropriate,

33 34

Art. 22(8) Act on HBM. Art. 2, 30° Act on HBM.

436

A. Langella

secondary use may be carried out after an ethics committee has issued a positive opinion.35 In general terms, any secondary use must be approved by an ethics committee, which must express its opinion on the relevance of the secondary use and its purpose and on the adequacy of the information provided and the specificity of the consent, but also on the impossibility of obtaining the donor’s consent or on the exceptionally inappropriate nature of such a request.36 However, the general rule that any form of secondary use of human material requires a prior favourable opinion of an ethics committee that must be obtained by the person in charge of the human body material in the notified biobank before the material is made available for such secondary use, can be waived. By way of derogation, scientific research without human application may be undertaken provided that the following conditions are met: (1) only artificialised and extracted material is used;37 (2) the research project has been submitted to an ethics committee; (3) the ethics committee has not objected within 28 calendar days of receipt of the research project; and (4) the material is not used for or in the context of genetic research.38 The use of residual/diagnostic samples can also be crucial for biomedical research. The residual materials collected in a hospital may offer the optimal opportunity to perform research on the development and progression of disease, as well as on the behaviour of disease susceptibility markers in different disease stages (Riegman and van Veen 2011, p. 358). For the use of residual material in Belgium,39 consent is presumed unless, prior to any operation performed with such residual body material, the donor has declared that he or she does not agree to it. The doctors referred to in Article 4 of the Act on HBM or the head physician of the hospital where the sample was taken are competent to collect the refusal.40 In the event of a refusal, the doctor must immediately notify the human body material manager of the biobank concerned. The biobank must demonstrate that the conditions for application of the presumption of consent referred to in Article 20(2) have been fulfilled.41

35

Art. 20(1) Act on HBM. Art. 21(1) Act on HBM. 37 ‘Artificialised material’ means human body material manufactured or grown outside the human body. ‘Extracted material’ means material extracted from human body material which no longer contains cells. 38 Art. 21(2) Act on HBM. 39 Art. 2, 33° Act on HBM. In the French version this is defined as follows: ‘matériel corporel humain résiduel: la partie du matériel corporel prélevée en vue de l’établissement d’un diagnostic ou d’un traitement du donneur qui, après qu’une partie suffisante et pertinente a été conservée pour établir, parfaire ou compléter le diagnostic ou le traitement du donneur sur la base de nouvelles données scientifiques, est redondante par rapport à ces objectifs et qui pourrait dès lors être détruite’. 40 Art. 20(2) Act on HBM. 41 Art. 10(7) of Act on HBM, as modified by the Art. 18 of Law of 18 May. 36

Belgium

437

6 Conclusion The national regulatory framework is unique within the European context since Belgium is one of the few countries that has specific legislation or regulations concerning biobanks. The first reference point is the Act on HBM, which was amended several times42 during the ten years before it came into force. The Act on HBM entered into force with the Royal Decree of 2018, but further amendments have recently been made. This legislation applies only to human material and not to images of that material. Certain provisions of the Act on HBM (including Art. 22 (2)) do not apply to operations carried out with the use of artificialised and extracted material insofar as they are intended for scientific research without medical or human applications. However, the exemption does not apply when the material is intended or used for the purpose of or in the context of both primary and secondary genetic research.43,44 As an exception to the general rule that biological material intended for scientific research purposes must come from biobanks (Art. 8, (2)), artificialised or extracted samples may also come from a subject or institution other than a biobank (Art. 8, (2) (3)). However, this exception does not apply when the sample is to be used in the context of genetic research.45 The national system ensures the protection of biobanking participants through the provisions of the specific legislation on human body material and the personal data protection law. The intertwining of the data protection rules, and the principles set out in the legislation governing biobanking is central: collecting information is fundamental for conducting biomedical research and achieving the most promising innovations in modern medicine. Biobanks process personal data to ensure traceability of the material, to provide third parties with materials and medical information, and to re-contact donors. Belgian biobanks must process data in accordance with the GDPR and store personal information for no more than 50 years. National data protection provisions implementing the GDPR prescribe additional obligations for the data controller when the processing involves genetic or healthrelated data (Art. 9 National Law). Safeguards are provided when the data are used for secondary research, and Article 191 lists some additional information that the controller must add to the record of processing activities if the data are processed for

42

The latest changes were made by the Law of 23 February 2022 and the Law of 18 May 2022. Art. 2 37/2° Act on HBM: ‘Genetic research means scientific research, without application to humans, that is carried out on genetic material such as DNA, RNA, regardless of whether the genetic material has been isolated from other body material or not’. 44 Art. 3(5) of Act on HBM, as introduced by the Law of 23 February 2022. The Law of 2022 exempts ‘artificialised material’ and ‘extracted material’ from specific requirements of the Law of 2008. 45 Act on HBM (amendment made by Law of 23 February 2022). 43

438

A. Langella

scientific purposes. Moreover, the Act on HBM requires biobanks to keep a register that describes the nature, origin, and destination of human samples. Biobanking is a collaborative process in which donor participation is central. This participation must be informed and conscious. Moreover, Art. 6 of the national law on biobanking states that donation of tissues for scientific purposes must be free of economic interests and respond to solidarity-based logic. Consent is the legal basis for the processing of personal data and human materials, since it is an ethical cornerstone to guarantee that participation in research respects personal dignity and self-determination. Consent to the collection and use of samples must be informed, conscious, and freely given (Art. 10(5) Act on HBM). Recital 32 of the GDPR states that consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. However, exceptions to the rule of consent are provided by the national system in the procedures for the secondary use of biomaterial and the re-use of diagnostic tissues. Secondary use may be carried out following receipt of a positive ethics committee opinion when it is not possible to obtain consent or if such a request would be exceptionally inappropriate. For residual material the consent is presumed. Moreover, the Act on HBM allows a donor to withdraw consent before the material has undergone its first operation. Otherwise, the GDPR states that the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before the consent was withdrawn (Art. 7(3) GDPR). By way of conclusion, it has emerged that the procedural and substantive requirements that the Belgian system imposes on biobank activities to protect donors are numerous. The discipline applying to Belgian biobanks implies respect for the GDPR principles and the national data protection law, the biobanking sectoral references and soft law instruments, and the rules on patients’ rights,46 and the interplay between these numerous sources results in a very dense regulatory framework.

References Cippitani R (2018) Genetic research and exceptions to the protection of personal data. In: Arnold R, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Series ‘Law & Science’, vol 1. Universität Regensburg, Regensburg, pp 54–79. https://doi.org/10.5283/epub.36785 Dove ES (2018) The EU General Data Protection Regulation: implications for international scientific research in the digital era. J Law Med Ethics 46:1013–1030. https://doi.org/10.1177/ 1073110518822003

46

Law of 22 August 2002 on patients’ rights. https://www.ejustice.just.fgov.be/mopdf/2002/09/2 6_2.pdf#Page22.

Belgium

439

Federal Agency for Medicines and Health Products (FAMHP) (2018) Compendium Biobanken – Biobanques–Biobanks. https://www.afmps.be/sites/default/files/content/compendium_200 72018.pdf Laurie G, Mallia P, Frenkel DA, Krajewska A, Moniz H, Nordal S, Pitz C, Sandor J (2010) Managing access to biobanks: how can we reconcile individual privacy and public interests in genetic research? Med Law Int 10(4):315–337. https://doi.org/10.1177/096853321001000404 Riegman PHJ, van Veen E-B (2011) Biobanking residual tissues. Hum Genet 130(3):357–368. https://doi.org/10.1007/s00439-011-1074-x Staunton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27(8):1159–1167. https://doi.org/10.1038/s41431-019-0386-5 Sterckx S, Van Assche K (2011) The new Belgian law on biobanks: some comments from an ethical perspective. Health Care Anal 19(3):247–258. https://doi.org/10.1007/s10728-011-0181-0

Bulgaria Martin Margitin and Milen Rusev

1 Introduction This study addresses the national regulations in Bulgaria on the obtainment and processing of personal health data for research purposes. The specific regulations issued by the state of Bulgaria for the processing of such personal data for the purpose of medical research, which are per se part of the national regulations, as well as the specific requirements and terms are illustrated in a more detailed manner. Subsequently, an excursus on the law of organ, tissue and cell transplants is presented. To tackle these issues, it is necessary to introduce the meaning and roles of biobanks within the Bulgarian context. Biobanks are collections of samples of human body substances (e.g., tissue, cells, blood or other bodily fluids [urine, blood serum, plasma, etc.]). These samples can be kept refrigerated for many years. Biobanks have a key role in the further development of modern medicine. They are sources for research into the causes of diseases and their courses. They can also make a significant contribution to the development of new diagnostic procedures and therapies. The aim is to improve the diagnosis of and treatment options for a disease. Bodily substances can qualify as personal data because they contain a great deal of information about the body and health of the respective carrier. If the bodily substances allow for genetic analysis, the components must in any case be considered personal data (genetic data, see Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons M. Margitin (✉) Law Firm Margitin, Nuremberg, Germany e-mail: [email protected] M. Rusev Law Firm, Rusev, Dacev & Popov, Sofia, Bulgaria e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_49

441

442

M. Margitin and M. Rusev

with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)1 (Article 4 No. 13, Article 9 (1)) (Koch et al. 2017). The regulations of the GDPR must be applied to biobanks; in particular, protection of data against unauthorised access must be required in accordance with the state of the art (Article 32), and there must be an appropriate roles and rights concept that describes who may access what data, when, under what circumstances and for what reasons. In accordance with the requirements of the GDPR, the life cycle of the data must also be described. A description must be provided of how long the data is stored and on what legal basis; after what period of time the data will be deleted (Koch et al. 2017). There is no definition of biobanks, genetic data or genetic information in Bulgarian legislation (Velikova 2018, p. 31; Popov 2012, p. 31). The Bulgarian Data Protection Act (Закон за личните данни – ЗЗЛД; hereinafter BG-DPA) refers to the definition of ‘genetic data’ in the sense of Article 4 No. 13 GDPR.2 According to this definition, genetic data are personal data related to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that natural person and which have been obtained, in particular, from the analysis of a biological sample from that natural person. Article 141 (4) of the Health Act in Bulgaria (Закон за здравето – ЗЗ; hereinafter HA) clarifies that genetic information is personal data and that it may not be provided to employers, insurance companies or insurance organisations.

2 National Regulations Related to the Processing of Personal Data for Research Purposes 2.1

The Bulgarian Data Protection Act3 (BG-DPA)

In Bulgaria, national legislation provides a legal basis for the processing of personal data for research purposes. The processing of health data and genetic data, including biobanks, is regulated by various laws and regulations that are not only found in the Bulgarian Data Protection Act but also in the Bulgarian Health Act.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 See additional provisions pursuant to § 1 No. 11 BG-DPA. 3 https://www.cpdp.bg/?p=element&aid=1194.

Bulgaria

443

In this respect, the Bulgarian legislature has made use of the legislative competence in Article 9 (4) of the GDPR.4 The processing of genetic, biometric and health data, is initially regulated in Article 51 (1) BG-DPA. According to this, the processing of special categories of personal data is allowed if the processing is necessary, there are adequate measures to safeguard the fundamental rights and interests of the data subject and the processing is provided for on the basis of European Union law or the law of the Member State of Bulgaria. If the processing pursuant to Article 51 (1) is not provided for by the law of the European Union or the law of the Republic of Bulgaria, the data referred to in (1) may be processed pursuant to Article 51 (2) BG-DPA if this is necessary, appropriate measures exist to safeguard the fundamental rights and interests of the data subject, and (a) the processing serves to protect the vital interests of the data subject or another natural person or (b) the processing relates to data that have been manifestly made public by the data subject. In addition, according to Article 51 (3), appropriate measures and safeguards must be applied when processing data within the meaning of Article 51 (1) BG-DPA to ensure that natural persons are not discriminated against as a result of the processing.

3 The Bulgarian Health Act5 (HA) In Bulgaria, there is a special regulation for data processing for research purposes in the field of health, especially in relation to health data, genetic information and genetic data. The main legal framework regulating the collection and processing of such data is found in the Health Act. The purpose of the Act is to protect citizens from unlawful collection and processing of such data. The main regulations are contained in Section IV of the Health Act (genetic health and genetic research) and in the ‘Ethical Principles for the Conduct of Genetic Research’ adopted by the Research Ethics Committee at Sofia Medical University.6 According to the Health Act, genetic research and the collection of biological material for medical or scientific purposes may only be carried out after written consent (Kaneva 2013, p. 564; Velikova 2018) has been obtained. Genetic research on children or persons with mental disorders or persons under guardianship is carried out after approval by the medical ethics committee

4

Article 9 (4) of the GDPR gives Member States legislative competence to adopt or maintain additional conditions and restrictions for the processing of genetic biometric and health data. 5 https://www.mh.government.bg/bg/normativni-aktove/zakoni/zakon-za-zdraveto/. 6 http://www.mu-sofia.bg/wp-content/uploads/2020/09/SOP-eksp-otsenka.pdf.

444

M. Margitin and M. Rusev

(Vodenicharov and Popova 2010, pp. 125 et seq.) of the respective medical institution.7 Genetic examinations for medical or scientific purposes can only be carried out by accredited genetic laboratories.8 The government institution that should exercise methodological guidance and control over these laboratories is the National Genetic Laboratory. It has a National DNA Bank and a National Genetic Registry.

3.1

Health Data

According to Article 27 of the Health Act, ‘health data’ means personal data related to the state of health and the physical and psychological development of individuals as well as any other information contained in medical prescriptions, instructions, protocols, certificates and other medical records. According to the wording of this provision, the definition of health information is twofold and includes: (a) personal data related to the health status and physical and psychological development of individuals; 2) all other information contained in medical documentation. The HA does not give a clear definition of ‘medical documentation’.9 Despite the lack of a clear definition of ‘health documentation’, such documentation would virtually always contain information that identifies or makes identifiable the natural person to whom it relates.10 According to Article 27 (2) HA, health information is collected, processed, used and stored by health and medical institutions, regional health inspectorates, doctors, dentists, pharmacists and other medical professionals as well as by non-medical professionals with higher non-medical education who work in the national health system.11 7

On medical institutions in Bulgaria, see the Law on Medical Institutions. https://www.mh. government.bg/media/filer_public/2018/10/25/zlz.pdf. 8 The law expressly provides that the results of genetic testing and screening shall not be the basis for discrimination against the persons tested. There is an explicit prohibition on sharing this data with employers, health insurance companies and insurers. 9 It obviously includes medical prescriptions, instructions, protocols and certificates (examples of medical documentation listed in Article 27 (1) HA). It may also include ‘health documentation’, which is defined in Article 1 No. 1 of the Supplementary Provisions of the HA as ‘all forms for the registration and storage of health information’. 10 In view of this, health information falls within the scope of the Data Protection Act. Therefore, the general data protection regime is applicable to health information as are the specific rules of the Health Act that develop and complement it. 11 The persons who process health information pursuant to Article 27 para. 2 HA are obliged to take security precautions by protecting this information from unauthorised access (Article 28 para. 3 HA). In addition, they are prohibited from disclosing patient information obtained in the course of their official duties (Article 28 (‘v’) HA, corresponds to Article 28 (‘в’) HA).

Bulgaria

445

The patient has the right to receive the health information pertaining to him or her from a health care institution, including copies of his or her medical documents (Article 28 (‘b’) para. 1 HA, corresponding to Article 28 (‘б’) para. 1 HA). The patient also has the right to authorise in writing a third person to inspect and copy his/her medical documents (Article 28 (‘b’) para. 2 HA, corresponding to Article 28 (‘б’) para. 2 HA). Furthermore, according to Article 86 para. 1, No. 5 HA, every patient has the right to the protection of data related to his or her health.

3.2 3.2.1

Medical Research on Humans and Genetic Research Medical Research on Humans

For medical research on humans and the human genome, the HA contains some further special provisions. Medical research shall be conducted with the greatest possible safety for the health of the patient and with due regard for the confidentiality of his or her personal data (Article 197 para. 4 HA). According to Article 199 HA, medical research on humans may only be conducted after the head of the research has informed the participating persons in writing about the nature, significance, scope and possible risks of the study and the participating persons have given their written informed consent (Article 199 para. 1 HA). This consent can only be given by a person with legal capacity who understands the nature, significance, scope and possible risks of the study (Article 199 para. 2 HA). Written consent may be revoked at any time (Article 199 para. 3 HA).

3.2.2

Genetic Research

According to Article 141 para. 1 HA, genetic research for medical and scientific purposes is only conducted if the persons undergoing the research examinations have given written informed consent. Genetic research on children, mentally ill persons and persons under guardianship may also be carried out after the Medical Ethics Committee has given its approval to the respective medical institution (Article 141 para. 2 HA). The results from the research investigations and screenings may not lead to discrimination against the persons examined (Article 141 para. 3 HA). Article 141 para. 4 HA specifies that data on the human genome is personal data and may not be disclosed to employers, health insurance funds and insurance companies. According to Article 142 para. 1 HA, genetic examinations for medical and scientific purposes are carried out by accredited genetic laboratories affiliated with

446

M. Margitin and M. Rusev

inpatient and outpatient medical care facilities and by independent accredited laboratories. Article 142 para. 2 HA further stipulates that the Minister of Health shall by order designate a National Genetic Laboratory. The National Genetic Laboratory that supervises, controls and administers the activities of the aforementioned laboratories shall maintain a national genetic register (cf. Article 142 para. 3 and 4 HA). Pursuant to Article 143 para. 1 HA, the medical institutions shall inform the National Genetic Laboratory monthly of the genetic examinations performed and their results. The medical institutions must establish and maintain an official register of the tests they have performed (Article 143 para. 2 HA). Pursuant to Article 143 para. 3 HA, the laboratory facilities are regulated by means of an ordinance issued by the Minister of Health. Their activities as well as the procedures of registration, storage, processing and access to the information in the register are regulated by the ordinance referred to in Article 142 para. 5 HA. It should also be borne in mind that genetic laboratories affiliated with medical institutions may set up DNA banks for the collection and storage of genetic material for scientific and medical purposes (cf. Article 144 para. 1 HA). These medical institutions register the DNA banks they have established with the Ministry of Health within seven days under the conditions and according to the procedure laid down in the ordinance referred to in Article 142, para. 5 HA (cf. Article 144, para. 2 HA). Finally, Article 144а HA stipulates that a national registry of rare disease patients shall be established for the purpose of identifying the nature and frequency of rare diseases and for the purpose of planning and providing prevention, diagnosis and treatment measures related to rare diseases. The conditions and procedure for the registration of rare diseases are established by means of an ordinance of the Minister of Health. This regulation shall also establish the conditions and criteria for medical institutions that want to participate in European Reference Networks and the procedure for the establishment, designation and operation of centres of expertise and reference networks for rare diseases.

4 Other Regulations 4.1

Regulation No. 1 of 27.02.2013

Regulation No. 1 of 27.02.201312 on the provision of medical statistical information and information on medical activity by health care institutions regulates the provision, collection, processing, storage, use, distribution and exchange of medical

12 https://www.mh.government.bg/media/filer_public/2015/04/17/naredba1-ot-27-02-2013gmediko-statisticheska-informatsia-deinost-lechebni-zavedenia.pdf.

Bulgaria

447

statistical information and information on medical activity by health care institutions. Public health institutions shall collect, process, use, store and transmit the said information and related documentation for the purpose of developing, producing and distributing official national or European statistical information for reporting, control and analysis needs and for the preparation of national health policy. The organisation and control of activities related to medical and statistical information shall be the responsibility of the National Statistical Office. Statistical information is under the authority of the National Centre for Public Health and Analysis (Националния център по обществено здраве и анализи [НЦОЗА]) and the regional health inspections (Регионалните здравни инспекции [РЗИ]).13

4.2

Regulation No. 1 of 30.01.2013

Regulation No. 1 of 30.01.2013 on the minimum technical and organisational measures and the permitted manner of protection of personal data regulates the obligations of data controllers in relation to the technical and organisational measures to be implemented based on the level of impact and the level of protection of personal data required in each case. Regulation No. 1 was officially repealed effective 25 May 2018.

4.3

Regulation No. 41 of 21.12.2005

Regulation No. 41 of 21.12.200514 establishing medical standards for general medical practice, issued by the Ministry of Health. Decree No. 41 establishes the standards that must be met by all health care institutions that carry out general medical practice.

13 This Regulation controls the rights and obligations of health care institutions and national health care system bodies and does not apply to the processing of health information by third parties. It mainly concerns medical, statistical and health information. When information is provided, the data identifying the patient must be deleted unless there is a legal basis for the use of this information and provided that the rights of individuals are protected, and the information is protected from unauthorised access. 14 https://www.mh.government.bg/media/filer_public/2015/11/18/obshta-med-praktika.pdf.

448

4.4

M. Margitin and M. Rusev

Regulation No. 31 of 12.08.2007

Regulation No. 31 of 12.08.200715 establishing the rules of good clinical practice (Добрата клинична практика [ДКП]), issued by the Ministry of Health, regulates the principles and guidelines of good clinical practice in relation to pharmaceutical products for human use intended for research.

4.5

Regulation Establishing the Conditions and Procedure for Conducting Medical–Scientific Research as a Project

In 2011, a project was drafted for the Ordinance Establishing the Conditions and Procedure for Conducting Medical–Scientific Research. Although a draft ordinance is publicly available, the ordinance has not yet been adopted. The draft ordinance in its current version contains, among other things, provisions on the persons who may participate in medical research, on the ethics committee for scientific research, on the conditions and content of written consent from the persons involved (see Article 26 et seq. of the draft ordinance of 2011 on the conditions and procedure for conducting medical research).16

4.6

Code of Professional Ethics of Doctors in Bulgaria

Code of Professional Ethics of Doctors in Bulgaria (hereinafter Code of Professional Ethics17) contains, among other things, the definition of medical confidentiality. According to Article 51 para. 1 Code of Professional Ethics, medical confidentiality includes all information that the patient has communicated to the doctor about his or her condition, facts established during the medical examination conducted by the doctor and all information that the doctor has learned in relation to the patient during the exercise of the medical profession. Medical confidentiality is also respected regarding the patient's family members (Article 51 para. 2 Code of Professional Ethics). The secrets communicated by the patient to the doctor shall be kept by the doctor after the patient's death (Article 51 para. 3 Code of Professional Ethics). Article 52 Code of Professional Ethics clarifies that medical confidentiality extends to all medical documentation and visual material as well as to the data and conclusions derived from consultations. 15

https://www.mh.government.bg/media/filer_public/2015/04/17/naredba31-ot-2007g-pravilaklinichna-praktika.pdf. 16 https://www.mh.government.bg/media/filer_public/2015/04/14/proekt-naredba-za-usloviata-ireda-za-provezhdane-na-meditsinski-nauchni-izsledvania.pdf. 17 https://www.lex.bg/laws/ldoc/1598070784.

Bulgaria

4.7

449

Decree No. 38 of 20.08.2010

Decree No. 38 of 20.08.201018 on the approval of the medical standard for ‘medical genetics’ must also be observed when processing and using special categories of data in databases, such as DNA banks and genetic information. Like the Health Act, this decree aims to protect citizens in Bulgaria from the unlawful collection and processing of their personal health data. Primarily regulated are the specific requirements for conducting molecular genetic and biochemical diagnostics, DNA banks and screening examinations. The regulation refers in several places to the storage of the information and the biological product (material) as well as the DNA banks/biobanks. There is even the possibility of establishing DNA banks for the storage of isolated DNA for future research— diagnostic and scientific (cf. Part IV of the Regulation).

5 Organ, Tissue and Cell Transplantation Act (Закон за трансплантация на органи, тъкани и клетки – ЗТОТК)19 In connection with biobanks, the following law and regulations must be observed in addition to those already presented: the Organ, Tissue and Cell Transplantation Act (OTCTA); Regulation No. 12 of 04.04.2007 on the Procedure for Determining and Certifying the Circumstances under which the Procurement of Organs, Tissues and Cells from a Deceased Person may Take Place; and Regulation No. 8 of 08.05.2014 on the Conditions and Procedures for the Import, Export and Exchange of Organs, Tissues and Cells. The OTCTA regulates the requirements and procedures for performing transplantation of organs, tissues and cells in human medicine. The purpose of this law is to establish rules to ensure quality and safety standards for organs, tissues and cells intended for transplantation in human medicine and to ensure a high level of protection for human health. In the Republic of Bulgaria, the express written consent of both the living donor and one of the relatives of the deceased person is a sine qua non for the implementation of the procedure for procuring organs, tissues and cells regulated by the OTCTA. However, the Act does not cover the use of organs for research purposes unless the organs are intended for transplantation in human medicine (cf. Article 1 para. 3 No. 5 OTCTA). 18

https://www.mh.government.bg/media/filer_public/67/28/67287d1f-8901-42aa-8ca8-f75f681 b999c/meditsinski-standart_meditsinska-genetika.pdf. 19 https://www.mh.government.bg/media/filer_public/2020/10/07/zakon_za_transplantaciq_na_ organi_tykani_i_kletki.pdf.

450

M. Margitin and M. Rusev

However, Article 7 OTCTA states that organs, tissues and cells which cannot be used for transplantation purposes for medical reasons may be made available for other therapeutic, diagnostic and scientific–medical purposes under the conditions and according to the procedures laid down in an ordinance of the Minister of Health. Amniotic tissue,20 umbilical cord tissue and placental cells are collected for the purpose of allogeneic and autologous transplantation after the pregnant woman or woman in labour has given her consent (Article 28 OTCTA). In terms of § 1 Supplementary Provisions to the OTCTA No. 13, informed consent is a voluntary consent given in writing to the performance of a specific medical activity. The removal of organs, tissues and cells from a donor may only be carried out if two conditions are cumulatively met in accordance with Article 24 et seq. OTCTA: the procurement of organs, tissues and cells does not endanger the life of the donor; and the written consent of the donor certified by a notary is obtained after the donor has been informed in advance in comprehensible language about the risks assumed. The notarisation of the consent is carried out by a notary public in whose jurisdiction the medical facility that will perform the removal of organs, tissues and/or cells is located. The donor is informed of his or her rights, the medical procedures and the safety measures under the OTCTA by a doctor who is not part of the team performing the retrieval or transplantation. The donor may withdraw consent at any time before the removal of organs, tissues and cells has taken place. The donor’s physical and mental health status is determined by a committee appointed by the head of the institution performing the procurement of organs, tissues and cells. The committee consists of at least three physicians who are not members of the procurement or transplantation team, and it prepares a report signed by all members of the committee. The law provides for a prohibition on offering material benefits to a donor of organs, tissues and cells and on accepting material benefits from the donor. Living organ donors can only receive compensation if it is strictly limited to reimbursement of donation-related expenses and loss of income. Any medical facility that will undertake the procurement of organs, tissues and cells from a living donor must inform the Transplant Executive Agency. The facility must register the procedure with the Transplant Executive Agency within seven days of the procurement of organs, tissues and cells from a living donor. The Executive Director of the Executive Agency for Medical Supervision is responsible for issuing authorisations regarding the import and export of organs, tissues and cells.

20 ‘Amniotic tissue means a membrane composed of epithelial and connective tissue cells which surrounds the embryo and forms the amniotic chamber’.

Bulgaria

451

6 Conclusion In Bulgaria, there is no separate law or regulation(s) governing the conditions and procedures for the processing of biobanks and their storage. Although a regulation has been drafted to determine the conditions and procedures as well as the conduct of medical–scientific research as a project, it has not yet entered into force. More precise definitions of the terms ‘biobanks’ and ‘genetic data’ are also missing in Bulgarian legislation. In such cases, the Bulgarian legislature refers to European regulations, in particular, the GDPR. The general conditions, principles and procedures for the processing of personal health data and special categories of data, including genetic information and DNA, which also includes biobanks, are instead laid down in various national laws and regulation. Thus, the Bulgarian legislature has made use of Article 9 (4) GDPR, and it can be concluded that there is no research exemption in Bulgaria. The most important legal frameworks in this legal area in Bulgaria are the Data Protection Act and the Health Act. In addition, there is a National Genetic Laboratory that supervises, controls and administers the activities of the laboratories and maintains a national genetic register and a National DNA Bank. Genetic laboratories in medical institutions may establish DNA banks to collect and store genetic material for scientific and medical purposes. However, they must register the established DNA banks with the Ministry of Health within seven days. The conditions and procedure for this are regulated by means of a decree issued by the Minister of Health. In addition, the genetic results must not be used to discriminate against the persons examined or participating in research. The prohibition on discrimination as well as the principles for processing personal data for the protection of natural persons, especially regarding the storage/ retention of special categories of data, access authorisation, etc., are also anchored in and derived from the Data Protection Act. In this context, it is essential to apply appropriate measures and guarantees for the protection of natural persons (cf. Article 51 (3) Bulgarian Data Protection Act). Such regulations can also be found at a secondary level, such as in Decree No. 38 of 20.08.2010, which applies in relation to research using genetic data, for example, DNA banks. Among other things, this Decree also lays down the legal framework (for example, in the case of the taking of biological material for research purposes) in which the consent of the ethics committee is required for storage and retention by biobanks, transmission of the results, etc.

References Kaneva R (2013) Ethic and legal aspects of genetic research. In: Marinova E, Popova S (eds) European ethical standards and Bulgarian medicine (a collection of essays). Bulgarian Medical Association, Sofia

452

M. Margitin and M. Rusev

Koch H, Schütze B, Spyra G, Wefer M (2017) Datenschutzrechtliche Anforderungen an die medizinische Forschung unter Berucksichtigung der EU Datenschutz Grundverordnung (DS-GVO) [Data protection requirements for medical research in consideration of the EU General Data Protection Regulation (GDPR)] 49:1–71. https://www.gdd.de/arbeitskreise/ datenschutz-und-datensicherheit-im-gesundheits-und-sozialwesen/materialien-und-links/ datenschutzrechtliche-anforderungen-an-die-medizinische-forschung-unter-beru-cksichtigungder-eu-datenschutz-grundverordnung/datenschutzrechtliche-anforderungen-an-diemedizinische-forschung-unter-beru-cksichtigung-der-eu-datenschutz-grundverordnung/ Popov B (2012) Genetic testing and insurance. In: Popov B, Georgieva S, Lalchev S (eds) Medical review, vol 48, no 4. Central Medical Library, Sofia, pp 27–31 Velikova C (2018) Legal regulation of genetic research and access to information from genetic results in Bulgaria and the European Union. In: Medical Management and Health Policy, vol 1. Central Medical Library, Sofia, pp 31–43 Vodenicharov C, Popova S (2010) Medical ethics. EkoPrint, Sofia

Croatia Dunja Duić

1 Introduction This paper examines Croatian legislation on the processing of health data for research purposes, specifically the lack of dedicated national regulation governing such processing as well as biobanking in general. For the purposes of this analysis, it is worth questioning whether the Croatian national legislation provides for a legal basis for the processing of personal data for research purposes. To answer this, the following paragraphs focus on the existing national laws and a review of governance procedures and policies on the use and re-use of personal data for medical research.

2 Biobanks in Croatia European biobanks vary from country to country, depending on the collection methods and purposes of the biological material (cells, tissues, blood, DNA) that builds the biobanks’ databases. The process of obtaining informed consent for collection depends on the type and use of the collected biological material and whether the material is irreversibly anonymised or not. In Croatia, there is no centralised system of biobanks (Borovečki et al. 2014, p. 418). Moreover, biobanks are not regulated by a dedicated law, but are indirectly subject to laws regulating other medical fields. Croatia has a number of biobanks, among them the Croatian Bone Marrow Donor Registry (CB-MDR) at the University Hospital Centre Zagreb (UHC Zagreb) (Čečuk-Jeličić et al. 2004, pp. 433–434) and the Ana Rukavina Foundation, which D. Duić (✉) Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_50

453

454

D. Duić

holds a registry of potential allogeneic bone marrow donors and a public allogeneic cord blood bank. The Croatian Institute for Transfusion Medicine has its own blood bank (with a regional organisational structure) that is based on the general population’s voluntary donation of blood (Vuk et al. 2012). UHC Zagreb also keeps a private cord blood bank for autologous use (Mazic et al. 2013). Additional biobanks include the Croatian Lions Eye Bank at the Sveti Duh Clinical Hospital in Zagreb and the UHC Zagreb Eye Bank (Borovečki et al. 2014, p. 419; Dekaris et al. 2007). The UHC Zagreb also boasts the Human Milk Bank.1 Quality standards, protocols for the international exchange of samples and procurement, and informed consent procedures of biobanks in Croatia are based on the Act on Blood and Blood Derivatives (Act on Blood and Blood Derivatives2) and the Act on Transplantation of Human Body Parts for the Purpose of Therapeutic Procedures (Act on Transplantation of Human Body Parts the Purpose of Therapeutic Procedures3). These acts have yet to be harmonised with European Union (EU) legislation. To exemplify, the Act on Blood and Blood Derivatives, last updated in 2012, only states that it is in line with the EU legal framework (namely, EU Directives 2004/23/EZ, 2006/17/EZ, 2006/17/EZ and 2010/453/EU), but no part of that framework is directly discernible in the Croatian body of law. Moreover, certain directives have undergone revisions (e.g., Commission Directive 2014/110/ EU of 17 December 2014 amending Directive 2004/33/EC as regards temporary deferral criteria for donors of allogeneic blood donations and Commission Directive (EU) 2016-1214 of 25 July 2016 amending Directive 2005/62/EC as regards quality system standards and specifications for blood establishments), none of which have been introduced in Croatian legislation. The relevant EU legal framework, that is, relevant EU directives that have not been introduced in Croatian legislation, may thus be considered directly applicable in this area between the individual and the state. Croatia also has a population biobank called the 10,001 Dalmatians Biobank, which focuses on the genetic basis of complex diseases with a target sample of 10,001 individuals. As of now, the biobank holds samples from about 4500 individuals from six Croatian islands and the city of Split. This biobank collects over 800 phenotypic measurements (blood, sera and urine samples coupled with dried blood spots, anthropometrical and clinical measurements, etc.), a wide set of biochemical measurements, extensive survey information and cognition-based traits (Polasek 2013, p. 496). According to the biobank’s project lead, Croatia’s poor legal regulation narrows the range of potential activities, while the limiting nature of the EU General Data Protection Regulation (GDPR) 2016/679 decreases research opportunities. In Croatia, private DNA laboratories also exist that are involved in

1

The Human Milk Bank Opened in Croatia. https://www.unicef.org/croatia/en/press-releases/ human-milk-bank-opened-croatia-0. 2 Act on Blood and Blood Derivatives of 5 July 2006 (Official Gazette nos. 79/06, 124/11). 3 Act on Transplantation of Human Body Parts the Purpose of Therapeutic Procedures of 19 December 2012 (Official Gazette no. 144/12).

Croatia

455

DNA diagnostics and research and hold small DNA collections. As with population and research biobanks (public or private) and all other biobanks, Croatia should prescribe an established set of standards on the organisation, management, quality control and conditions for international exchange of samples and procurement and informed consent (Borovečki et al. 2014, p. 420). The activity of Croatian sperm banks and embryo banks is regulated by the Act on Medically Assisted Procreation (Act on Medically Assisted Procreation4). Of note as well are the Croatian health care system’s diagnostic archives kept at pathology departments in various health care institutions. They are regulated by legal provisions based on the Act on Application of Human Tissues and Cells (Act on Application of Human Tissues and Cells5).

3 Croatian Legislation on Collection of Tissues and Samples and Processing of Data for Research The major legislation applicable to the processing of health data for research purposes and biobanks in Croatia includes: the Act on Procurement and Transplantation of Human Body Parts; the Act on Transplantation of Human Body Parts for the Purpose of Therapeutic Procedures; the Act on Medically Assisted Procreation; and the Act on Application of Human Tissues and Cells. All these acts contain somewhat similar provisions on the protection of personal data. However, per Article 2 of the Regulation on the Method of Storing Personal Data of Donors and Recipients of Human Body Parts for the Purpose of Treatment (Official Gazette no. 141/05), personal data within the meaning of this Regulation are to be collected, stored and communicated in accordance with special regulations governing the protection of professional secrecy and the protection of personal data. In effect, this might mean that the provisions of the acts are subject to the GDPR. However, it must also be noted that while the identified acts refer to this Regulation, none of them refers to Directive 95/46/EC (the Data Protection Directive) that was in force at the time of their adoption. Biobanks’ research activities are also not governed by a dedicated regulation. However, Croatia has been applying the Oviedo Convention on Human Rights and Biomedicine (ETS No 164; hereinafter Oviedo Convention) since ratifying it in 2003. The Oviedo Convention is the sole legally binding international instrument on the protection of human rights in biomedicine. The Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research (Additional Protocol to the Convention on Human Rights and Biomedicine

4

Act on Medically Assisted Procreation of 18 July 2012 (Official Gazette no. 86/2012). Act on Application of Human Tissues and Cells of 19 December 2012 (Official Gazette no. 144/2012). 5

456

D. Duić

concerning Biomedical Research) that was adopted in 2005 has yet to be ratified in Croatia. The Oviedo Convention requires that patients be informed of and then opt via a written consent form in or out of: (a) therapeutic or diagnostic procedures that entail the collection of biological material and medical documentation data and (b) participation in scientific research. For the latter, the Oviedo Convention does not prescribe in detail the mandatory actions regarding the storage and possibility of later use of biological material and medical documentation for new scientific research (Borovečki et al. 2016, p. 466). Under Article 26 of the Act on Transplantation of Human Body Parts for the Purpose of Therapeutic Procedures (Act on Transplantation of Human Body Parts for the Purpose of Therapeutic Procedures), a part of a human body taken during an operation may be stored and used for a purpose other than that for which it was taken if carried out in accordance with the appropriate information and consent procedure prescribed by the Act. In practical terms, a biobank that is subject to this Act due to the absence of dedicated legal regulation may re-use historical archives of health data or a stored human body part for purposes other than that for which they were originally collected. It is precisely this provision that many of the medical practitioners who were interviewed found debatable and to be hampering research processes. Lastly, it must be noted that scientific research in Croatia, whether on humans or patient biological material and medical data, is approved by the ethics committees of university hospitals and medical schools. Although the National Bioethics Committee for Medicine was established in 2001 (Decision on the Establishment of the National Bioethics Committee for Medicine6) for the purpose of considering ethical and legal issues related to the development and application of biomedical science on humans, the elemental scientific research decisions are still adopted by the ethics committees of university hospitals.

4 Conclusion In Croatia, there is no centralised system of biobanks. Moreover, biobanks are not regulated by a dedicated law but rather are indirectly subject to the law regulating other medical fields. There also is no dedicated law on the processing of health data for research purposes. As such, Croatian national legislation does not provide an adequate legal basis for such processing nor clear governance procedures and policies on the use and re-use of personal data. In Croatia, there is no dedicated act on biohacking either. Due to the lack of a centralised biobank system or a dedicated biobanking law, there were difficulties in distributing the survey carried out for the purpose of this paper. Of the biobanks to which the survey was sent, only

6

Decision on the Establishment of the National Bioethics Committee for Medicine of 12 April 2001 (Official Gazette no. 35/2001).

Croatia

457

one completed it. The rest declined to participate, citing their irrelevance to this research. In Croatia it is hard to use Historical archives of health data and the procedure on the use and re-use of personal data is not clear. There is no specific law on biohacking activities, and it is not clear how many times the tissues could be used. Croatia needs to legislate biobanking activity as well as ratify the Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research. Furthermore, in accordance with the GDPR, patients, that is, data subjects, should be able to consent to certain areas of scientific research in keeping with recognised ethical standards for this type of research. Data subjects should be able to opt in or out of certain areas of research or parts of research projects as is reasonably allowed by the research purpose. Specifically, in the absence of national legal regulation, it would be sensible to amend the informed consent template provided to patients/potential data subjects to include information on areas of research or parts of research projects to the extent allowed by the intended purpose. Researchers should be allowed access to all previously collected material (e.g., material collected for diagnostic purposes) subject to the approval of a research ethics committee.

References Borovečki A, Caenazzo L, Ježek D, Karija-Vlahović M, Golubić B (2014) Croatian National Centre for Biobanking – a new perspective in biobanks governance? Croatian Med J 55(4):416–422. https://doi.org/10.3325/cmj.2014.55.416 Borovečki A, Bradamante V, Šimunović D (2016) Etički pristup znanstvenim istraživanjima u kojima se koriste pohranjeni biološki materijali pacijenata i njihovi medicinski podaci. In: Hrestomatija hrvatskog medicinskog prava. Zagreb Faculty of Law, Zagreb, pp 455–468 Čečuk-Jeličić E, Grubić Z, Žunec R, Humar I, Labar B, Kerhin-Brkljacic V (2004) The bone marrow transplantation program in Croatia – twenty years’ experience. Transplantation 78(2): 433–434. https://doi.org/10.1097/00007890-200407271-01162 Dekaris I, Gabrić N, Karaman-Martinović Z, Bosnar D, Barisić A, Predović J (2007) Deset godina rada Lions Hrvatske ocne banke [Ten years of work of Lions Croatian Eye Bank]. Acta Medica Croatica 61:473–477 Mazic S, Bojanic I, Golubic Cepulic B (2013) Joint public and private banking of cord blood – Croatian Model. In: Calenazzo L (ed) New insights of biobanks. Cleup, Padova, pp 41–53 Polasek O (2013) Future of biobanks – bigger, longer, and more dimensional. Croatian Med J 28(54):496–500. https://doi.org/10.3325/cmj.2013.54.496 Vuk T, Barišić M, Očić T, Mihaljević I, Sarlija D, Jukić I (2012) Error management in blood establishments: results of eight years of experience (2003–2010) at the Croatian Institute of Transfusion Medicine. Blood Transfus 10:311–320. https://doi.org/10.2450/2012.0075-11

Cyprus Sabrina Brizioli

1 Introduction The regulatory framework for the processing of personal data for scientific research and the management of biobanking is complex and fragmented in Cyprus. In the absence of a dedicated set of rules, the discipline of data protection and biobanking activities relies on the interplay of international conventions, constitutional provisions, national sectoral laws and soft law instruments. Cyprus adopted guidelines issued by ethics committees to comply with the ethical and scientific standards for carrying out biomedical research on human subjects as set by the Declaration of Helsinki,1 the Council for International Organizations of Medical Sciences (CIOMS)–WHO International Ethical Guidelines for Biomedical Research involving Humans2 and the ICH Guidelines for Good Clinical Practice.3 Cyprus also ratified the Oviedo Convention on Human Rights and Biomedicine and adopted Law No. 1(I) of 2005 providing for the safeguarding and protection of

1

World Medical Association Declaration of Helsinki on the Ethical Principles for Medical Research Involving Human Subjects, 18th WMA General Assembly, Helsinki, Finland, June 1964. https:// www.wma.net/policies-post/wma-declaration-of-helsinki-ethical-principles-for-medical-researchinvolving-human-subjects/. 2 CIOMS–WHO, International Ethical Guidelines for Health-related Research Involving Humans, Geneva 2016. https://cioms.ch/wp-content/uploads/2017/01/WEB-CIOMS-EthicalGuidelines.pdf. 3 European Medicines Agency, ICH Guideline for Good Clinical Practice, (last updated 2016). https://www.ema.europa.eu/en/documents/scientific-guideline/ich-e-6-r2-guideline-good-clinicalpractice-step-5_en.pdf. S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_51

459

460

S. Brizioli

patient rights and for related matters,4 which links the protection of health to individual dignity and rights. Cyprus has also transposed the acquis communautaire on quality and safety of tissues and cells throughout the transplantation process by enacting national laws and implementing European directives such as Directive 2004/23/EC and Directive 2006/17/EC 5 (Sándor and Bárd 2009). One of the most significant legal instruments dealing with the management of biological material and personal data (including health and genetic data) is the Protection of Personal Data Law which has safeguards that guarantee the fundamental rights stated in the Cypriot Constitution (see Art. 11 ‘right to liberty and security of person’ and Art. 15 ‘right to respect of private and family life’). The current law on processing of data in Cyprus is Law 2018 125 (1)/20186 (Data Protection Law) that repeals Law 138 (I)/2001.7 This latter law was adopted for the harmonisation of national law with Directive 95/46/EC.8 The normative context for data privacy is completed by Law 44 (I)/2019 on the protection of natural persons with regard to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and for the free movement of such data,9 enacted in 2019 to harmonise with EU Directive 2016/680.10

4 The Safeguarding and Protection of the Patients’ Right Law, No. 1 (I) of 2005. http://www. bioethics.gov.cy/Moh/cnbc/cnbc.nsf/All/745717D26F068582C2257CCA003B350F/$file/Patients %20Rights%20Law-English%20translation.pdf. 5 See National transposition: Ο περί Πρoτύπων Πoιóτητας και Ασφάλειας (Δωρεά, Πρoμήθεια, Έλεγχoς, Επεξεργασία, Συντήρηρση, Απoθήκευση και Διανoμή) Ανθρω
πινων Iστω
ν, Kυττάρων και Παράγωγων Πρoι__óντων Νóμoς τoυ 2007. English translation Official publication: Cyprus Gazette; Number: 4154; Publication date: 31/12/2007; Page number: 01621-01714. https://eurlex.europa.eu/legal-content/EN/TXT/?uri=NIM:153085. 6 Law 125(I) of 2018, Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (entered into force on 31 July 2018). http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/2B53605103DCE4A4 C225826300362211/$file/Law%20125(I)%20of%202018%20ENG%20final.pdf (unofficial translation). 7 Law 138(I) of 2001, Law on the processing of personal data (protection of individuals). https:// www.ilo.org/dyn/natlex/docs/ELECTRONIC/77454/82089/F29416754/CYP.77454.pdf. 8 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 OJ L 281/31. 9 Law 44(I) 2019, Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data by the Competent Authorities for the Purpose of Prevention, Investigation, Detection or Prosecution of Criminal Offenses or the Enforcement of Criminal Penalties and for the Free Movement of Such Data. Original version and official publication: Cyprus Gazette; Number 4694; Publication date 2019-03-27; p. 267. https://eur-lex.europa.eu/legal-content/EN/ NIM/?uri=celex:32016L0680. 10 Directive (EU) 2016/680 of the European Parliament and of the Council and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of

Cyprus

461

The Data Protection Law repeats some of the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)11 with certain adjustments: the Data Protection Law embodies the definitions in Article 4 of the GDPR, but it also includes terms which relate more precisely to Cyprus (e.g., the Cyprus Organisation for the Promotion of Quality).12 Moreover, the discipline on the processing of personal data and special categories of data reproduces some of the provisions of the GDPR, but some specific processing situations are included according to Articles 85–87 and 89 of the GDPR (Laulhé Shaelou and Kalaitzaki 2020).

2 The Data Protection Law in Cyprus: Exceptions and Safeguards The GDPR is directly applicable in Cyprus and the European regulatory framework represents the lawful basis for the processing of personal data in general (Art. 6 of the GDPR) as well as the processing of special categories of personal data (Art. 9 GDPR).

criminal offences or the execution of criminal penalties, and of the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, 2016 OJ L119/89. 11 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119 (following GDPR). 12 Data Protection Law, Part I General Provisions, art. 2 (2). It is specified that ‘any terms contained in this Law that are not specifically defined by this Law, shall have the meaning attributed to them by the Regulation’ (i.e., the GDPR).

462

S. Brizioli

Pursuant to Art. 6 of the GDPR, the first condition to be met to guarantee the lawful processing13 of personal data14 is the acquisition of the data subject’s consent15 to the processing of his/her data for one or more specific purposes. The processing of personal data should comply with the key principles of the GDPR, and data should be processed in a lawful, transparent and fair manner.16 A comprehensive reading of the Data Protection Law reveals that at the time of the collection, the specific and legitimate purpose shall be determined as well as the adequacy, relevance and limitations of the processing.17 Without prejudice to the provisions of Article 6 of the GDPR, the Data Protection Law states that ‘the processing of personal data is permitted and is lawful when carried out by: (a) Courts acting in their judicial capacity for purposes of delivering justice, including the processing of personal data necessary for the publication and adoption of decisions of any court, and (b) The House of Representatives within its power’.18 Pursuant to Article 9 of the GDPR, the processing of special categories of data is permitted and lawful when: (a) it is carried out for the publishing or issuing of a decision by judicial bodies and when it is necessary for the purpose of delivering justice; (b) the processing is vested by virtue of a Decision of the Council of Ministers in a public authority or body for the performance of the public interest or in the exercise of official authority; and (c) the processing of personal data is authorised by the holder of parental responsibility over a child.19 In Cyprus, the Data Protection Law explains that ‘the processing which is carried out by a controller or a processor for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be used

Data Protection Law, art. 2 (1). ‘Processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. 14 Ibid., ‘Personal data’ means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. 15 Ibid., ‘Consent’ means ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement of by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. 16 Ibid., art. 5, 6, 7. 17 In this sense, provisions concerning the processing of personal data in certain operations mention that all activities are performed ‘lawfully and fairly, in a clear, precise and transparent manner in relation to the data subject’. Ibidem, art 7. 18 Ibid., Part II Lawfulness of certain processing operations, art 5. 19 Ibid., art. 6, 7, 8. 13

Cyprus

463

for taking a decision which produced legal effects concerning the data subject or similarly significantly affects him or her’.20 The processing of genetic and biometric data21 is prohibited for the purposes of life and health insurance.22 Without prejudice to Article 5, par. 1 b) of the GDPR, if the processing of genetic and biometric data is based on a subject’s consent, the further processing of such data requires the separate consent of the data subject.23 This wording seems to indicate the respect of the purpose limitation and granularity in obtaining consent from the data subject. The Data Protection Law allows a controller to implement measures in whole or in part that restrict the rights of the data subject set out in Art. 12, 18, 19 and 20 GDPR,24 but an impact assessment and consultation with the Commissioner is required prior to their implementation.25 The controller must notify the data subject of the restrictive measures applied, and the Commissioner may impose terms and conditions for the implementation of restrictive measures and notification to the data subject.26

3 An Example of Ethical Institutionalisation: The Cyprus National Bioethics Committee Cyprus represents a successful example of soft law regulation of biobank research (European Group on Ethics in Science and New Technologies to the European Commission 2008) thanks to the intense activity of its National Bioethics Committee (Cyprus National Bioethics Committee, hereinafter referred to as CNBC), which was established in 2001 by Law No. 150(I)/2001.27 As an independent body, the CNBC exercises the powers conferred by current and future legislation. Its mandate is to constantly monitor and systematically analyse issues and problems associated with scientific research and advances in

20 Ibid., Part. IX Processing of personal data in specific situations, art. 31. The terms ‘historical’, ‘statistical’ and ‘scientific’ are not further defined in the Data Protection Law. 21 Ibid., art. 2 (1) ‘Genetic data’ means ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’. 22 Ibid., art. 9 (1). 23 Ibid., art. 9 (2). 24 Ibid., Part III Restrictions of Rights and Obligations, art. 11 (1). 25 Ibid., art. 11 (2). 26 Ibid., art. 11 (4–5). 27 Law No. 150(I)/2001 providing for the establishment and function of the National Bioethics Committee. http://www.bioethics.gov.cy/Moh/cnbc/cnbc.nsf/All/98250101CC184B0BC22 57CCA003B6288/$file/The%20Bioethics%20Establishment%20and%20Function%20of%20the %20National%20Bioethics%20Committee%20Law%20-%20English%20Translation.pdf.

464

S. Brizioli

the sciences (such as biotechnology, biology, medicine, genetics and pharmaceutics). The CNBC also investigates the moral, deontological and legal dimensions of scientific activities, especially those characterised by human intervention in biological processes and human genotypes.28 Law No. 150(I)/2001 gives the Committee the power to issue codes of practice, which comprise principles and directions that the Committee considers useful and necessary for any issue that falls into its competencies.29 Even though the failure of any person to conform to any code provision does not constitute a criminal offence,30 and in case of a civil officer, such an omission constitutes a disciplinary offence,31 Law No. 150(I)/2001 specifies that failure to conform to the provisions of the code constitutes evidence in any procedure related to actions in violation of the provisions of the law itself and any other relevant laws.32 In accordance with international guidelines33 and with the authority conferred by law, the CNBC created three bioethics review committees with protocols that relate to: biomedical research on human beings and their biological substances; clinical trials on medicinal products for human use; and medical devices applied to human beings. Such an institutionalisation and soft law regulation should contribute to safeguarding the dignity, safety of rights and the well-being of all actual or potential research participants; provide independent, competent and timely review of the ethical aspects of proposed studies; and review research proposals before research begins.34 The relevant and essential role of the CNBC is also demonstrated by the opinions it has released through time, such as those concerning predictive health information in the concluding of health and life insurance contracts, human organ donor registries, cord blood banking, the transplantation of biological substances of human origin; and biobanks (Pegoraro et al. 2011). As a very active ethical institution, the CNBC, in collaboration with the European Commission Directorate General for Research and Innovation, organised the 18th National Ethics Councils Forum (Nicosia 4-5 October 2012) with the participation of 70 experts from the national ethics councils of the European Union’s Member States

28

Ibid., Part II Establishment and structure of National Bioethics Committee, art. 3 (1); Part III, Powers of the Committee, art. 15. 29 Ibid., Part IV, Issue of codes and regulations, art. 18 (1). 30 Ibid., art. 19 (1). 31 Ibid., art. 19 (2). 32 Ibid., art. 19 (3). 33 The CNBC adopted the operational guidelines for Ethics Committees that review Biomedical Research formulated by the World Health Organization that represent the basis of the operational guidelines for the establishment of ethics committees in reviewing biomedical research involving subjects in Cyprus. 34 See Cyprus National Bioethics Committee, Research Ethics Committee. http://www.bioethics. gov.cy/moh/cnbc/cnbc.nsf/dmlrec_en/dmlrec_en?OpenDocument.

Cyprus

465

and from associated countries.35 The main topics were information communication technology and ethics, the relationship between ethics and education and responsible research and innovation (European Group on Ethics in Science and New Technologies to the European Commission 2013).

4 Biobanking: The Legal State of the Art and the Cyprus Human Genome Project Only a minority of European Union Member States have specific legislation on biobanks. The majority lack domestic legislation or rely on non-specific existing law, often accompanied by soft law instruments, such as ethical guidelines, to regulate biobanks. This group includes Cyprus (Nordberg 2021, p. 63). This is the reason biobanks, their establishment and their management are not covered by special laws. In Cyprus, the discipline for biobank research, which stems from soft law regulation and ethical recommendations, operates alongside legal provisions (Beier and Lenk 2015). From the ethical point of view, the Opinion on the Establishment and Use of Biobanks and Registries of Human Biological Samples for Research Purposes realised by the CNBC makes a distinction between biobanks and biobanking and sample collection and sample databasing (Bernardi et al. 2011, p. 64). The State recognises the purpose and role of biobanks, which are considered as repositories of human biological samples and /or substances with or without personal data and other relevant information. The operability of the biobank is reported to the Data Protection Commissioner, and the proper functioning of the biobank is guaranteed by an official accreditation of the biobank and quality assurance procedures (Bernardi et al. 2011, p. 64). Transparency, dissemination of the research results originating from biobank samples and data must be guaranteed as well as free and informed consent from the donors. Furthermore, individuals donating samples and/or data must be aware that biological materials and the information collected are accessed by researchers in Cyprus and abroad and are used to support present and future research activities and projects. In broad terms, biobanking activities require special attention to the free and informed consent given by individuals: they should know that their samples are placed in biobanks for present or future research projects and that access to biological material should follow established procedures (Bernardi et al. 2011, p. 67). In summary, the role of consent is central in biobanking activities, sample collections and sample databases.

Pursuant to Law No. 150(I)/2001, art. 15 (1) d), the Committee ‘cooperates with international organizations and comparable bodies and promotes the participation of Cyprus in international events related to the studies and research in the aforesaid sectors’.

35

466

S. Brizioli

According to CNBC Recommendations, individuals must freely provide consent after being informed that samples and data are stored for research purposes, and they must be informed that they have the right to withdraw their sample and data. The CNBC and its Ethics Review Committees approve the consent form. Individuals could opt for a closed or open consent for sample collections or sample databases: Closed consent means that DNA or tissue obtained from the donor will be analysed and destroyed. In this case, consent is specific to the scope of the processing and duration. In contrast, open consent implies that samples of tissue or DNA or obtained data are stored indefinitely and can be used for other further research programmes which are approved by the CBNC or the Ethics Review Committee. Open consent allows donors to declare whether they would like to be informed about what will happen to their samples/data in case collection closes and/or when the result of research affects their health. Even in this case, the consent form is approved by the CNBC or its Ethics Review Committees (Bernardi et al. 2011, pp. 67–68). As reported in the literature, CNBC Recommendations articulate the discipline of secondary use of samples when research activities diverge from the original foreseen scope for which the donor’s consent was expressed (Bernardi et al. 2011, p. 68). The temporal divide concerns samples collected before or after 2004. For those collected before 2004, use for research is allowed provided that such activities are approved by the CNBC and the samples are anonymised. Samples collected after 2004 cannot be used without the donor’s consent, and researchers must ask for consent and verify whether they provide open or closed consent (Bernardi et al. 2011, p. 68). The ‘Biobanking and the Cyprus Human Genome Project’ that has as its objective to prioritise genetic investigation of diseases and eHealth is also worth mentioning as biobanking activities have recently been at the core of projects and research initiatives at the European level. The strategy adopted by the Project is based on the creation of a Centre of Excellence (CoE) to act as an incubator for innovative ideas and as a medical and educational institute for rare monogenic disorders. The two pillars of the CoE are: a biobank research infrastructure incorporating eHealth and a state-of-the art research facility to support the project. The main partners of this initiative are the medical University of Graz, which coordinates the preparatory phase of the project, and the European Research Infrastructure Consortium BBMRIERIC that represents the community of Biobanks in Europe.36

36 More information, Biobanking and the Cyprus Human Genome Project. https://cordis.europa.eu/ project/id/857122.

Cyprus

467

5 Conclusion From a legal point of view, the national framework governing research activities and scientific purposes using samples and data from biobanks and sample databases appears complex. While the legal context represents an institutional conundrum, the ethical position of Cyprus is a prime example. The ethics issues dealing with collections of data and originated by a normative lacuna are faced with procedures and consent forms approved by the CNCB whose engagement demonstrates how ethics concerns arising from legislation (or lack of appropriate laws) could be mitigated and conflicting interests balanced. As an independent body, the Committee acts as an external observer providing a constant monitor as well as systemic analysis of issues and problems; as these issues stem from the scientific field, they could question fundamental rights and challenge the moral and legal dimensions of research activities.

References Beier K, Lenk C (2015) Biobanking strategies and regulative approaches in the EU: recent perspectives. J Biorepos Sci Appl Med 3(1):69–81 Bernardi A, Caenazzo L, Pegoraro R (2011) Procurement, storage and transfer of tissues and cells for non-clinical purposes in a legal and ethical perspective. In: Beier K, Schnorrer S, Hoppe N, Lenk C (eds) The ethical and legal regulation of biobank research in Europe, Proceedings of the Tiss.EU Project. Universitätverlag Göttingen, pp 61–75 European Group on Ethics in Science and New Technologies to the European Commission (2008) Ethically Speaking, 11. https://repository.globethics.net/bitstream/handle/20.500.12424/2064 87/ethically_speaking_11.pdf?sequence=1&isAllowed=y European Group on Ethics in Science and New Technologies to the European Commission (2013) Ethically Speaking. http://knjiznica.sabor.hr/pdf/E_publikacije/Ethicallyspeaking.pdf Laulhé Shaelou S, Kalaitzaki K (2020) National reports: Cyprus, 197-215. In: Rijpma J (ed) The new EU data protection regime: setting global standards for the right to personal data protection. The FIDE XXIX Congress in the Hague 2020: Congress publications, vol 2. Eleven International Publishing, pp 197–215. https://fide2020.eu/wp-content/uploads/2020/09/FIDE_OA_ vol_2.pdf Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU General Data Protection Regulation. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 61–89. https://doi.org/10.1007/978-3-030-49388-2 Pegoraro R, Bernardi A, Turoldo F (2011) Legal and ethical aspects of biobanks for research in the European- Mediterranean area. In: Lenk C, Sándor J, Gordijn B (eds) Biobanks and tissues research: the public, the patient and the regulation. Springer, pp 185–200. https://doi.org/10. 1007/978-94-007-1673-5 Sándor J, Bárd P (2009) The legal regulation of biobanks. National Report: Cyprus. (Celab Paper Series). Center Ethics Law Biomed (CELAB) 7:3–24

Czech Republic Paula Poretti

1 Introduction The Czech Republic recognises the importance of biobanks, which allow for personalised medicine and provide human biological material, data and information necessary for current and future medical research. This is because their evolution is linked to the upgrading of new data, and sample biobanks are prone to constant change, such as the introduction of new technology and different innovative techniques. In this context, informed consent remains a relevant aspect for the collection and use of the data and biological material, and its regulation is crucial for the functioning of biobanks (Kinkorova et al. 2019). The role of biobanks has inevitably changed over time, and the main turning point in terms of regulatory framework and functioning was the adoption of the General Data Protection Regulation (GDPR)1 in 2018 (OECD Report 2020, p. 6). The GDPR sets forth new constraints on scientific research to provide a high level of protection of personal rights. Member States have introduced derogations to mitigate the effects of the GDPR provisions and balance the protection of individual rights with public interests. However, challenges remain in balancing the traditional methods for scientific research and the new European approach (Stauton 2019) towards the processing of data and samples.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. P. Poretti (✉) Faculty of Law, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_52

469

470

P. Poretti

As described in the following paragraphs, the Czech Republic has been successful in finding the best approach with which to comply with the GDPR, especially in the area of medical research and biobanks.

2 Czech Republic 2.1

Regulation on Data Processing

Act No. 110/2019 Coll. on the Processing of Personal Data (hereinafter the Act)2 implemented the GDPR and became applicable on 24 April 2019, together with Act No. 111/2019 Coll. Amending Certain Acts in Connection with the Adoption of the Act on the Processing of Personal Data3 (hereinafter the Amending Act), which further amends 39 legal acts. The Office for Personal Data Protection (Úřad pro ochranu osobních údajů; hereinafter: the Office) is the main supervisory authority responsible for the publication of opinions that contain guidelines, recommendations and other documents on the protection of personal data.4 The Office is not in charge of the processing of health data for research purposes, and it supervises general data protection in the Czech Republic (Matouš and Kučera 2018, p. 6). After entry into force of the GDPR, the registration of personal data processing has no longer been required, and the Office receives only data breach notifications from data controllers pursuant to Article 33 of the GDPR. In addition, the GDPR does not contain a notification requirement for particular data processing activities prescribed by the Act that would require registration, that is, with regard to the processing of ‘sensitive data’.5 Health-related data are a special category of protected data under the GDPR,6 and the Czech Republic has been extensively regulating their management since well before 25 May 2018. In fact, Czech legal theory has underlined that the kind of changes required by the GDPR for Czech health service providers and health professionals is not always clear (Šolc 2020, p. 52).

2

Zákon o zpracování osobních údajů. https://www.zakonyprolidi.cz/cs/2019-110. Zákon, kterým se mění některé zákony v souvislosti s přijetím zákona o zpracování osobních údajů. https://www.zakonyprolidi.cz/cs/2019-111. 4 Názory a rozhodnutí Úřadu: Úřad pro ochranu osobních údajů (uoou.cz). 5 Czech Republic - National GDPR Implementation Overview | Guidance Note | Data Guidance. 6 Article 66(6) of the Data Protection Act defines the original term ‘sensitive personal data’ used in Czech legislation. The Article includes a rule that if any Czech legislation included the term ‘sensitive personal data’, then from the effective date of the Data Protection Act, it would have to be interpreted as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or personal data relating to criminal convictions and offences or related security measures. 3

Czech Republic

471

In this context, the main changes refer to exemptions for the rights of data subjects. The Amending Act, which repealed the provisions of the Act No. 499/2004 Coll. on Archiving and Records Management and on the Amendment of Selected Acts, established a new statutory basis for the processing of particular categories of personal data. Thus, data subjects’ right of access (Article 15 of the GDPR) is limited and other rights of data subjects are restricted (Articles 16 and 18–21 of the GDPR do not apply in this case). Act No. 372/2011 Coll. on the Provision of Healthcare Services (hereinafter the Health Services Act), among other acts, provides the rules on data processing and administration of health records (Matouš and Kučera 2018, pp. 4–5). This Act details the obligations of the healthcare provider, including the storage of and use of medical records, the quantity of patient-related information stored in the records and persons with access to the medical records. The Health Services Act also tackles the storage and further processing of data on the health status of the population, mainly for the purpose of obtaining information about the scope and quality of health services provided in the Czech Republic and for the needs of research in the field of medicine. These issues are also managed through the National Health Information System: this system provides for the transmission of certain patient-related personal data without the prior consent of the data subject for its further processing in the Registers.

2.2

Specific Issues of Health Data Processing

In accordance with Article 6 (1) (e) of the GDPR, personal data can be processed without the subject’s consent when the medical research is carried out in the public interest. The GDPR explicitly mentions processing carried out with the purpose of public health protection or the management of health care services by subjects such as professional associations. However, the doctrine questions whether medical research that is carried out by private and public research institutions should be included in the category. This is especially important when it comes to clinical studies of new medicinal products or medical devices that combine a mixture of public and private interests (Šolc 2020, pp. 57–58). Scholars argue that ‘legitimate interest’ is undoubtedly one of the most flexible of the legal grounds for data processing, but it is not unlimited. They further highlight that it should not be applicable to processing by public authorities in the performance of their tasks. In the case of other controllers, the legitimate interest can be recognised, especially if ‘there is a relevant and appropriate relationship between the data subject and the controller’7 (Šolc 2020, pp. 57–58). Therefore, the practice would need to clarify when the relationship between the provider of health services

7

Recital 47 of GDPR.

472

P. Poretti

and the patient justifies application of legitimate interest as a legal ground for data processing (Šolc 2020, pp. 57–58). Furthermore, the ‘legitimate interests’ criterion always entails a balance between the interests involved: processing is not allowed when the interests of the controller are overridden by the fundamental rights and freedoms of the data subject. This especially happens when ‘personal data are processed in circumstances where data subjects do not reasonably expect further processing’.8 Therefore, the processing of personal data for research purposes without consent might be possible if it constitutes a legitimate interest of the controller. Despite this, research institutions are asked to proceed carefully (Maldoff 2016). Article 9 GDPR allows for the processing of health data if there is a legal basis, such as explicit consent by the data subject. If the processing of the data is necessary for research purposes and satisfies certain criteria (Šolc 2020, p. 59), Article 9 (2) (j) GDPR is applicable. According to some scholars, this provision along with Article 6 (1) (f) GDPR represents the sufficient legal basis for the processing of health data for scientific purposes without the consent of the data subject (Šolc 2020, p. 59). The Czech Data Protection Act specifies only two exceptions that involve data processing for research purposes. The first exception refers to the duration of the processing. As a general rule, personal data may be processed for no longer than the time necessary for the purpose for which the personal data was collected. As far as research purposes are concerned, personal data may be processed for an even longer time, and the controller should anonymise the personal data without delay. Another exception deals with cases in which the data controller obtains data from sources other than the data subject and/or processes data for scientific purposes but providing information to the data subject is burdensome. In this case, the controller is under no obligation to provide the subjects with information on processing of the data.9 The Czech Republic provides no regulation of health data registers and Czech law allows the use of biological material for research purposes without the patient’s consent if during its use, there is no possibility for the patient or the deceased person to be identified (Section 81 (4) (a) of Act on Health Services). In Czech biobanks, a patient is known under a specific code to which the data are connected (clinical information, genetic data, lifestyle data, etc.). According to practice, the data in biobanks can be used to identify the person. Therefore, the legal literature does not consider these data to be anonymised. The suggested solution to overcome this pseudonymisation is the use of the data under the legitimate interest clause. This would comply with the GDPR since the data collected with consent as a part of a research biobank can be used by the biobank administrators for other forms of scientific research without additional consent (Šolc 2020, p. 59).

8 9

Recital 47 of GDPR. Czech Republic - National GDPR Implementation Overview | Guidance Note | Data Guidance.

Czech Republic

473

Since biobanks contain health material, processing of the data falls under Article 9 (2) (j) GDPR. However, the fact that biobanks contain health material means that the processing must be based on a Member State’s law as required by Article 9 (2) (j) of the GDPR. If anonymisation was required under the provision, the current practice for processing applied in Czech Republic would not be acceptable. Hence, Czech legal literature offers few arguments, all in favour of maintaining the current regime of pseudonymisation. The specific purposes for future sample processing in a biobank cannot be foreseen at the time of the consent. For this reason, the consent can hardly be specific enough to meet the GDPR standard. If interpreted extensively, anonymisation would not be possible for any human tissue since every tissue contains DNA. This is even more evident given that in their decision making, the controllers should consider the possible future development of the possibilities of identification of persons. Even the tissue samples that are relatively safe from identification today can be much more easily identified in the future with the development of science and the increasing popularity of commercial DNA testing (Šolc 2020, p. 61).

3 Conclusion Although the introduction and application of the GDPR did not dramatically influence the existing Czech regulation on biobanks, it nevertheless brought some changes and opened several questions. In the legal literature, the most discussed issue is the already mentioned national regulation under which the patient’s consent for the use of biological material for research purposes is required unless it is not possible to identify the patient from the data. Due to the nature of the processed data and the established tradition, the Czech legal theory argues that it would be appropriate to interpret the requirements under the GDPR as compliant with the pseudonymisation as provided in the Czech Republic. This would allow for the biobanks to continue operating under the existing regime, which so far has not shown any significant weaknesses towards endangering the protection of the patient’s privacy.

References Kinkorova J, Topolčan O, Kučera R (2019) Informed consent in the newly established biobank. Int J Environ Res Public Health 16(20):3943. https://doi.org/10.3390/ijerph16203943 Maldoff G (2016) How GDPR changes the rules for research? https://iapp.org/news/a/howgdprchanges- the-rules-for-research/

474

P. Poretti

Matouš M, Kučera Z (2018) Big Data analytics and the processing of health data for scientific research purposes: the Czech legal framework. Aegle OECD (2020) Report on the Recommendation of the Council on Human Biobanks and Genetic Research Databases, 109, 6–19 Šolc M (2020) Patients and privacy: GDPR compliance for healthcare organisations in the Czech Republic. Eur J Priv Law Technol (Special Issue): 51–62

Denmark Paula Poretti

1 Introduction Biobanks are large collections of biological samples and associated data for medical and scientific research and diagnostic purposes. Their management is not harmonised across the European Union (EU), and there is no single document that specifically regulates this field at the EU level. At the national level, biobanks have become institutionalised over the last two decades. However, they are currently facing both a transformation when involved in scientific research and certain regulatory policy challenges related to technological and institutional changes (OECD Report 2020). This became obvious after the adoption of the General Data Protection Regulation (GDPR)1 in 2018. The EU legislature’s idea to ensure a high level of protection for the personal data of individuals brought into question the framework for scientific research and threatened to impose constraints on it. The GDPR’s provisions might represent discontinuity vis-à-vis the research traditions in the EU. Therefore, the effects were mitigated by the availability of derogations from these rights for scientific research: first, by directly invoking provisions of the GDPR that provide that derogations be subject to safeguards that must include ‘technical and organisational measures’, and second, through the safeguards established by Member States (Stauton et al. 2019).

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016.

P. Poretti (✉) Faculty of Law, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_53

475

476

P. Poretti

In order to understand the regulatory approach to biobanking in Denmark, it is necessary to point out the differences among EU Member States; in particular, some of them have introduced specific laws, while others have introduced soft law (e.g., ethical guidelines) into their multilevel regulatory framework. In certain cases, there is no domestic regulation and transnational patterns provide guidance (Beier and Lenk 2015). Denmark is among those countries characterised by a composed regulatory system of human tissue/biobank research (Beier and Lenk 2015).

2 Regulation on Biobanks in Denmark According to legal literature, biobanks in Denmark are a structured collection of human biological material that is accessible for research according to certain criteria. Biobanks contain biospecimens and other health information that can be linked to individual persons, in some cases as anonymised and in others as identifiable data. In order for the collection to be a biobank, the biospecimens or health information must be stored for a longer period of time. This period regularly exceeds the time required to merely collect and analyse the samples (Kyvik 2012, p. 161). In the 1990s, at the initial stage of Danish oversight of the appropriateness of their regulatory approach towards biobanking, the law excluded as unnecessary a specific biobank law to ensure confidentiality (and safety) of the biological material and further safeguards for citizens as donors (Kyvik 2012, p. 161). In order to ensure the application of the current legislation to other biomedical and health research, biobanks are considered as other collections of data in Denmark, for example, registries. The Danish legislative framework on biobanks (from their introduction until today) is fragmented, and biobanks fall under several Acts (Kyvik 2012, p. 161). Act no. 428 of 31 May 2000 on Processing of Personal Data2 governed the collection and processing of personal data until its replacement in 2018, and it also covered collection and processing of tissue samples that can be related to an identifiable person (Hartlev 2018, p. 5). Consolidated Act no. 191 of 28 February 2018 on Health (Health Act)3 provides a legal framework for the provision of health care services (health promotion, health prevention and treatment) at the national, regional and local levels and for the rights of patients and the obligations of the health care services, for example, with regard to informed consent to treatment and other interventions (such as abortion and organ donation). The Health Act also includes several provisions of particular importance for data processing (Hartlev 2018, p. 5). 2

Lov nr. 428 af 31. maj 2000 om behandling af personoplysninger (persondataloven). https://www. retsinformation.dk/Forms/R0710.aspx?id=828; https://www.datatilsynet.dk/english/the-act-onprocessing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-versionof-theact-on-processing-of-personal-data/. 3 Lovbekendtgørelse nr. 191 af 28. Februar 2018 om sundhed (Sundhedsloven). https://www. retsinformation.dk/forms/R0710.aspx?id=199871.

Denmark

477

Consolidated Act no. 1083 of 15 September 2017 on Research Ethics Review of Health Research Projects4 (hereinafter Act on Research Ethics Review of HRP) governs the establishment of research ethics committees at the regional and national levels and lays down rules for ethical evaluation and authorisation of health research projects. This also includes regulation of informed consent to collection and storage of data and tissue samples for scientific purposes (Articles 3–6) and the further use of previously collected tissues samples for scientific purposes (Article 10) (Hartlev 2018, p. 5). Due to the direct application of the GDPR, the Act on Processing of Personal Data was replaced by Act no. 502 of 23 May 2018 (hereinafter Data Protection Act) on supplementary provisions to the Regulation on protection of natural persons in connection with the processing of personal data and on free movement of such data and repealing directive 95/46/EF5 (General Regulation on Data Protection). The Data Protection Act contains provisions that supplement the GDPR in areas in which Member States within the framework of the GDPR are allowed to issue more detailed provisions. Some changes were also introduced into provisions of the Health Act and the Act on Research Ethics Review of HRP in order to comply with the rules under the GDPR.

3 Processing of Personal Data for Research Purposes and the GDPR As previously mentioned, the relevant legal regulation in Denmark governing the use of personal data and tissue samples for research purposes is clustered. Whereas the Data Protection Act applies to the processing of all kinds of personal data for any type of research purpose, the Health Act and the Act on Research Ethics Review of HRP specifically target data processing in the field of health purposes. However, the provisions of these Acts are complementary and overlapping, and their application depends on the specific characteristics of the research project. When the research involves participation of the research participant, different rules apply depending on whether a physical/psychological intervention is involved or whether the project only consists of surveys or interviews. If the research is exclusively based on already collected data or tissue samples, the inclusion of tissue samples is relevant. In this sense, the Data Protection Act excludes its own application in cases in which provisions in other acts set a higher level of data protection. 4

Lovbekendtgørelse nr. 1083 af 15. September 2017 om videnskabsetisk behandling af sundhedsvidenskabelige forskningsprojekter (Komiteloven). https://www.retsinformation.dk/ forms/R0710.aspx?id=192671; http://www.nvk.dk/english/act-on-research (this version does not include revisions made after 2013). 5 Act no. 502 of 23 May 2018 on supplementary provisions to the Regulation on protection of natural persons in connections with processing of personal data and on free movement of such data and on repealing directive 95/46/EF (General Regulation on Data Protection).

478

P. Poretti

For health projects involving human research subjects or human tissue in biobanks, it is necessary to obtain prior authorisation from a research ethics committee (hereinafter REC). This is a precondition to be satisfied before the project starts (arg ex Article 14 (1) of the Act on Research Ethics Review of HRP). For research that is exclusively based on personal data from health records or databases, REC authorisation is not needed and cannot be obtained (Article 14(2)). The aim of the Act on Research Ethics Review of HRP is to ensure a balance between the interests and protection of research subjects and the interests of society and science (Hartlev 2018, pp. 11–12). If the research involves participants who agree to their data being collected (health records) and tissue samples taken, the researchers must obtain informed consent. Information about the aim of the collection of data and/or tissue and the possible future use and the storage period is provided through the REC. This is a higher level of protection of the right to determine the use of data for research than in the Data Protection Act. The Data Protection Agency or the authority responsible for an umbrella notification are informed by means of a notification that the research includes the processing and further use of personal data. The Health Act provides for additional requirements if the research is conducted as a treatment for patients (Hartlev 2018, p. 12). Authorisation from the REC is also needed for research using identifiable tissue samples from a biobank. However, under Article 10 Act on Research Ethics Review of HRP, the REC can make an exception concerning informed consent if it finds the project to be risk-free or if obtaining consent or proxy consent is difficult. In this situation, the REC needs to assess the ethical aspects of the research project, including data protection concerns, to authorise it. In the case of research based on personal data stored in databases or on patient records only, the Act on Research Ethics Review of HRP is not applicable. In the latter case, the Danish Patient Safety Authority gives approval for the use of patient records (Hartlev 2018, p. 13). Article 7/1 Data Protection Act poses an exemption that allows ‘sensitive’ personal data to be processed for certain purposes regardless of the prohibition in Article 9/1 GDPR. The Act specifies some requirements for the processing of personal data: (a) the data subject has given explicit consent to the processing of the personal data for one or more specified purposes; (b) processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent; (c) processing is carried out with appropriate safeguards in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects; (d) processing relates to personal data which are manifestly made public by the data subject; or (e) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity or in compliance with Article 9(2) of the General Data Protection Regulation. When medical purposes are

Denmark

479

concerned, Article 7/3 Data Protection Act allows processing of data covered by Article 9(1) of the GDPR, but in this case, the processing should be necessary within the scope of preventive medicine, medical diagnosis, the provision of care or treatment or the management of medical and health care services. Moreover, these data are processed by a health professional who is subject to the professional secrecy obligation. Article 10 of the Data Protection Act allows the application of the previous legal framework for processing of personal data for scientific purposes. However, the Act does include some changes, which were introduced either to harmonise its provisions with the rules under the GDPR and/or to address other concerns or interests (Hartlev 2018, pp. 23–24). The implementation of the GDPR led to some changes, among them the further use of the personal data collected for scientific purposes if vital interests of the data subject are in question. For example, a health research project or statistical analysis reveals a specific risk of a serious disorder (including a genetic disorder) for which prevention or treatment is available as well as cases in which data is processed as support for making clinical decisions about the provision of personalised/precision medicine (Hartlev 2018, pp. 23–24). Genetic data and biometric data may be processed for the sole purpose of carrying out statistical or scientific studies of significant importance to society if such processing is necessary to carry out these studies in accordance with Article 10/1 Data Protection Act. A joint reading of Article 5(3) of the Data Protection Act and Article 23 of the GDPR allows the Minister to entitle public authorities to process data for purposes other than the purposes for which they were collected. This rule does not apply to genetic data collected for health-related purposes when their re-use and further processing are possible and on the condition that the subsequent purposes are compatible with the original one (Hartlev 2018, p. 20). Article 21 of the Archives Act concerns health data kept in databases and covered by the Data Protection Act. These data are transferred to a public archive to be kept beyond the normal time of erasure. This Act also prescribes rules for access to personal data and the time limits for such access. A general rule is that records containing an individual’s private data (affairs) can first be accessed after 75 years of the entry into the archive, but if a legitimate interest occurs, access can be allowed prior to that time. Researchers who need access to health data can get assistance from the Danish National Archive. The data can be archived under the rules laid down in the Data Protection Act. (Hartlev 2018, p. 6). The competent minister may lay down more detailed rules within the scope of Article 23 of the GDPR related to the further processing of personal data for purposes other than those for which they were originally collected, irrespective of the compatibility of the purposes. When it comes to health data and genetic data as mentioned in Article 9(1) of the GDPR that have been collected pursuant to section 7(3) of the Data Protection Act or under Danish healthcare legislation, the re-use of personal data (further use) would be possible to the extent that the purpose of the

480

P. Poretti

further use of the data is compatible with the purpose for which the personal data were originally collected.

4 Conclusion To conclude, looking closely at the regulation of biobanks after the entry into force of the GDPR in Denmark, it is possible to say that it is highly difficult to reconcile the idea of a high level of protection of personal interests of individuals and the need to provide sufficient data for scientific research conducted in the public interest, especially in the light of the previous research traditions of Member States. The recent implementation of the GDPR makes it difficult to conclude whether the measures taken are in compliance with the current legal framework to effectively establish a national biobanking system.

References Beier K, Lenk C (2015) Biobanking strategies and regulative approaches in the EU: recent perspectives. J Biorepos Sci Appl Med 3:69–81. https://doi.org/10.2147/BSAM.S64578 Hartlev M (2018) Big Data analytics and the processing of health data for scientific research purposes: the Danish legal framework. Aegle Kyvik KO (2012) Danish biobank legislation, a simple approach? Norsk Epidemiologi 21(2): 161–162. https://doi.org/10.5324/nje.v21i2.1488 OECD (2020) Report on the Recommendation of the Council on Human Biobanks and Genetic Research Databases, 109, 6–19 Stauton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27:1159–1167. https://doi.org/10.1038/s41431-019-0386-5

Estonia Sabrina Brizioli

1 Introduction The Estonian data protection law and its key provisions, for example rules for the processing of special categories of data, exceptions to the data subjects’ rights and processing for certain purposes (such as academic or scientific purposes), are aligned with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR).1 Indeed, the Estonian Personal Data Protection Act addresses the regulation of personal data protection by complementing the GDPR, including matters concerning research. Since data protection rules apply to research activities that may involve the collection of personal data, the GDPR and the Personal Data Protection Act constitute the general framework for biobanking. Parallel to these regulations, specific rules refer to research institutions and biobanks, namely the Human Genes Research Act which has provisions relevant to the discipline of informed consent for the use of personal data and tissues and the oversight systems of the ethics committees. The following sections provide an overview of the impact of the GDPR on the protection of data with reference to research and biobanking activities in Estonia, with consideration as well of the role of subject consent and the safeguards on individual rights. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_54

481

482

S. Brizioli

2 National Legal Framework for the Processing of Personal Data The GDPR is directly applicable to each EU Member State. This includes Estonia (Salumaa-Lepik et al. 2021) which enacted the Personal Data Protection Act 2 to align law with its provisions.3 The Personal Data Protection Act aims to guarantee the protection of natural persons in this field and regulates the activities undertaken by authorities in prevention, detection and proceedings of offences and execution of punishments.4 Indeed, this Act provides a complex regulatory framework for the processing of personal data. The Personal Data Protection Act embodies the fundamental principles of the GDPR in the processing of personal data, namely legality and fairness, purposefulness, quality, accuracy, retention and security,5 and it indicates the information to be made available to data subjects by the controller.6 This Act indicates specific grounds for the processing of personal data and provides exceptions to processing for certain purposes. For scientific, historical research and official statistical needs, the processing of personal data may be undertaken without the consent of the data subject.7 In particular, the Personal Data Protection Act specifies that the use of a pseudonymised format or a format which provides an equivalent level of protection is needed.8 Any activity or method (e.g. de-pseudonymisation) that enables identification of persons is only permitted for the needs of additional scientific and historical research, and the Personal Data Protection Act indicates the conditions that must be met when processing data without the consent of the data subject, which are: (1) the purposes of data processing can no longer be achieved after the removal of the data enabling identification or it would be unreasonably difficult to achieve these purposes; (2) there is overriding public interest in the data’s use; and (3) the scope of obligations of the data subject is not changed based on the processed personal data or the rights of the data subject are not excessively damaged in any other manner.9 Compliance with the terms and conditions provided by the Personal Data Protection Act is verified by the ethics committee of the area related to the scientific 2

Personal Data Protection Act, 12.12.2018. https://www.riigiteataja.ee/en/eli/523012019001/ consolide. 3 Personal Data Protection Act, Chapter 1, Section 1 (1). 4 Ibid., Section 1 (2). 5 Ibid., Section 14 (1). 6 Ibid., Sections 22–23. 7 Ibid., Section 6 (1). 8 Ibid., It is stated that ‘Prior to transmission of personal data processing for the needs of scientific and historical research or official statistics, personal data shall be replaced by pseudonymised data or data in a format which provides equivalent level of protection’. 9 Ibid., Section 6(3), n. 1–3.

Estonia

483

research which is based on special categories of personal data.10 In the absence of an ethics committee in the scientific area, compliance with the requirements of the Act is verified by the Estonian Data Protection Inspectorate or the National Archives if the personal data are retained at the National Archives.11 The Personal Data Protection Act clarifies the meaning of ‘scientific research’, which includes ‘any analyses and studies by executive power which are carried out for the purposes of policy development’12 and ‘in order to prepare these, the executive power has the rights to make queries to databases of another controller or processor and process the personal data received’.13 Moreover, the Estonian Data Protection Inspectorate verifies prior to the beginning of the specified processing of personal data that there is compliance with the terms and conditions of the processing of data as ruled by the Act ‘except in the case the objectives of the studies conducted for policy development and the scope of processing of personal data derive from legislation’14 The processing of data for special purposes implies some exceptions, and Section 6(6) reaffirms that: Where personal data are processed for the purpose of scientific and historical research or official statistics, the controller or processor may restrict the rights of data subjects provided for in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council insofar as the exercise of these rights is likely to make the achievement of the objectives of the scientific and historical research or official statistics impossible or impedes it to a significant extent.15

3 Biobanking in Estonia The data protection rules set forth by the GDPR and the Estonian Personal Data Protection Act constitute the general framework for the processing of personal data and apply to any research involving personal data collection and use, including research undertaken by entities devoted to biobanking activities and research. Estonian Law does not clarify the term ‘biobank’ and there is no institutional definition that precisely defines the type of infrastructure that would have as its scope the collection of biological samples and associated data. This means that any entity supporting research activities that is involved in the collection, processing of data and preservation of biological samples could be considered to be a biobank (Pormeister 2021).

10

Ibid., Section 6(4). Ibid. 12 Ibid., Section 6(5). 13 Ibid. 14 Ibid. 15 Ibid., Section 6(6). 11

484

S. Brizioli

There are several sample collections in Estonia, but the national population-based biobank is the Estonian Biobank (EBB). Founded in 2002,16 it stores biological samples of participants (e.g., plasma, DNA) and health information. The Estonian Biobank also participates in the BBMRI-ERIC within the Estonian node.17 Legal and social issues linked to biobanking are governed by the Human Genes Research Act (2000) that has as its scope the establishment (and the maintenance) of a Gene Bank, the organisation of the necessary genetic research,18 the safeguarding of the voluntary nature of gene donation and the protection of the confidentiality of gene donors. Furthermore, this Act aims to protect persons from misuse of genetic data and from discrimination based on interpretation of the structure of their DNA and the genetic risks arising therefrom.19 The Human Genes Research Act expressly indicates the kind of data that are processed in the Gene Bank and specifies that the provisions regulating the processing of personal data do not apply to the processing of pseudonymised tissue samples and pseudonymised descriptions of the state of health for certain conditions.20 Chapter 2 of the Human Genes Research Act recognises the rights and faculties of the gene donors and takes into account the participation of individuals in the genetic research activities by providing some insights related to the consent of the gene donor.21 Before the granting of consent, the controller gives the person some relevant information, for example, the unpleasant characteristics and gene risks resulting from genetic research; the rights to know his/her genetic data and/or to ask for the destruction of data which enables de-pseudonymisation or for the destruction of the tissue sample.22 As far as data protection is concerned, the Human Genes Research Act states that processing of data by the Gene Bank shall be in compliance with the highest standard of data protection,23 and in order to verify the authenticity of data entered in the biobank before pseudonymisation, the controller or the processor compares the available data with data stored in other databases and then corrects them if necessary.24 There are no specific regulations for biobanking activities of other entities, and this seems to suggest that they could be subject to the provisions of the General Data Protection Act as far as genetic data and associated personal data are concerned.

16

For further details see the Estonian Biobank. https://genomics.ut.ee/en/content/estonian-biobank. See the BBMRI-ERIC Estonia. https://www.bbmri-eric.eu/national-nodes/estonia. 18 Human Genes Research Act, 13.12.2000. https://www.riigiteataja.ee/en/eli/508042019001/ consolide, Section 1 (1). 19 Ibid. 20 Ibid., Sections 6–7. 21 Ibid., Section 12. 22 Ibid., Section 12(4). 23 Ibid., Section 22 (1). 24 Ibid., Section 22 (5). 17

Estonia

485

Thus, for biobanks other than the EBB, the provisions of the data protection law are applicable, especially those that safeguard rights of donors and participants, for example, the right to access, the right to restrict processing or the right to object to the use of data.

4 Research Ethics Committees: Ethics and Research Oversight Both the Personal Data Protection Act and the Human Genes Act recognise the relevance of ethical rules in conducting research activities and that they are an integral part of the processing of data and the collection of tissue samples. In Estonia and in some countries of Eastern Europe, such as Latvia and Lithuania, an ethical review wave began in the 1980s (Dranseika et al. 2011). Ad hoc committees were created for clinical trials at different hospitals in 1989, but permanent ethics committees were established in the early 1990s by the University of Tartu and the Institute of Experimental and Clinical Medicine in Tallin. In 1998, the Estonian Council on Bioethics was established with the aim of coordinating the activities of regional research ethics committees. As previously mentioned, the Human Genes Research Act created a special research ethics committee in 2001 and provided the road map for a regulatory framework for future activities related to genetic research. The research ethics committees, which follow the generally recognised ethical rules, aim to guarantee the privacy, health and human dignity, freedoms and other fundamentals rights of individuals involved in scientific activities. In particular, these committees draw attention to those cases in which standards of research might conflict with ethical norms (Leitsalu et al. 2014). Before January 2019, the Estonian Data Protection Inspectorate was tasked with the oversight of research, but now this function is assigned to ethics committees. As underlined by scholars, ‘the DP Act [Data Protection Act] does not regulate ethics committees but merely presumes their existence’ (Pormeister 2021, p. 232). In March 2019, an amendment to Section 29 of the Human Genes Research Act introduced the function of the ethics committees, which is to review compliance with Section 6 of the Personal Data Protection Act; that is, to respect the requirements established by the Act and to evaluate the extent of ethical risks ‘by finding a balance between the protection of fundamental rights and the purposefulness of the research’.25 This section also specifies that the research ethics committee, composed of scientists and representatives of other disciplines, is to work to harmonise the principles of research to ensure the protection of fundamental rights and obliges the researchers to comply with those principles.26 25 26

Ibid., Section 29 (4). Ibid., Section 29 (2).

486

S. Brizioli

5 Conclusion Estonia recalls the general rules for data protection and informed consent established by the GDPR. Likewise, rules dealing with exemptions for determined purposes of processing or special categories of data are provided to align with the European Regulation. In general terms, it can be said that the main formula for informed consent is the open and broad one. It addresses research activities even in cases that involve biobanks. As evidence of that, the previous analysis has detailed the informed consent strategy within the EBB regulation and the provisions of the Personal Data Protection Act that articulate donor’s consent through channels that facilitate research activities. Ethics reviews and pseudonymisation measures might be considered as safeguards pursuant to art. 89 of the GDPR for the rights and freedoms of the data subject and to verify whether research complies with ethical norms.

References Dranseika V, Gefenas E, Cekanauskaite A, Hug K, Mezinska S, Peicius E, Silis V, Soosaar A, Strosberg M (2011) Twenty years of human research ethics committees in the Baltic States. Dev World Bioeth 11(1):48–54. https://doi.org/10.1111/j.1471-8847.2010.00288.x Leitsalu L, Haller T, Esko T, Tammesoo M-L, Alavere H, Snieder H, Perola M, Ng CP, Mägi R, Milani L, Fischer K, Metspalu A (2014) Cohort profile: Estonian Biobank of the Estonian Genome Center, University of Tartu. Int J Epidemiol 44(4):1137–1147. https://doi.org/10.1093/ ije/dyt268 Pormeister K (2021) Regulatory environment for biobanking in Estonia. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 227–242. https://doi.org/10.1007/978-3-03049388-2 Salumaa-Lepik K, Kerikmäe T, Nisu N (2021) Data protection in Estonia. In: Cortez EK (ed) Data protection around the world: privacy laws in action. Springer, pp 23–57. https://doi.org/10. 1007/978-94-6265-407-5

Finland Alessandra Langella and Sabrina Brizioli

1 Biobanking in Finland: Reference Texts, Requirements and Legal Obligations The Finnish biobanking system has been promoted as one of the more advanced biobanking systems in the world (Salokannel et al. 2019; Government Report 2018, p. 10). The Biobank Act 688/2012 (hereinafter referred to as the Biobank Act)1 took a period of seven years before entering into force and is the most significant piece of Finnish legislation dealing with biobanks. The Finnish Medicines Agency Fimea2 is responsible for verifying that biobanks not only comply with the rules of this Act but also observe other regulations and operate in accordance with their quality systems (until the end of 2019, the direction and monitoring tasks belonged to the National Supervisory Authority for Welfare and Health [Valvira]). The aim of the Biobank Act, which went into effect on 1 September 2013, is to improve the prerequisites for performing biobank research (Forsberg and Soini 2014). According to its wording, the scope of the law is ‘to support research using human biological samples, to promote openness in the use of these samples and to ensure the protection of privacy and self-determination during the processing of these samples’ (see Section 1, Objectives). To meet these aims, the Biobank Act contains provisions on:

1 2

https://www.finlex.fi/en/laki/kaannokset/2012/en20120688.pdf (unofficial translation). https://thl.fi/en/web/thl-biobank/biobank-info/supervision-of-biobanks

A. Langella (✉) · S. Brizioli Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_55

487

488

A. Langella and S. Brizioli

(1) the establishment of a biobank, conditions for practising biobanking activities and requirements to be met by such activities; (2) the collection of samples and information about the samples or attached to the samples and the use and other processing of these samples; (3) supervision of storage and processing of the samples; (4) the rights of registered individuals and arrangements necessary to protect information; and (5) registers established for the purposes of biobank research (Section 2, Scope of application). Furthermore, the Biobank Act sets the requirements and the decision-making process related to the activities of the biobanks. The law also specifies the obligation of the biobank to notify the National Welfare and Health Authority for the purposes of the national register of biobanks. Such a duty occurs before the beginning of the operations and implies that the information must be specific so as to assess the legality of the operations (Section 9). Section 6 of the Biobank Act contains several conditions for establishing a biobank. Among these are first, that those involved in the establishment of a biobank (i.e., individuals, public institutions, the community, a foundation or other corporations) are required to have the financial and operational resources (personnel, facilities and equipment) to meet the legal and research-related conditions for maintaining a biobank and for the processing of samples. Second, it is necessary to obtain a positive assessment by the National Committee on Medical Research Ethics (Tukija).3 This Committee has the mandate to verify that the conditions for the protection of privacy and self-determination laid down in the Biobank Act and other relevant law are met, and to present a justifiable view on the ethicality of the activities. In order to gain a positive evaluation from the committee, it is essential to provide a description of the biobank’s area(s) of research and to take into account the principles and terms that will be applied to the collection. It is also necessary to grant access rights in accordance with the purposes of the biobank and to determine the research and the processing of samples and information associated with samples. Restrictions concerning the use of samples must be considered (Section 6, para. 2 [4]). The Biobank Act applies to both clinical and research biobanks. For research biobanks, Section 26 (Principles for granting access to samples and information) states that a biobank is permitted to grant access to, study, or otherwise process the samples and information it stores, provided that: (a) the intended use corresponds to the research area defined for the biobank and the criteria and conditions established for the processing of the sample; (b) terms and restrictions provided in this act or other applicable laws and those determined by the biobank are observed in the research; and (c) the person who is given access to the samples or

3

https://www.tukija.fi/web/tukija-englanti/frontpage

Finland

489

information has the necessary professional and academic credentials to process the samples or information, and the access is being given in line with the recipient’s obligations. The possibility of exchanging biological samples, for example, between hospitals and research centres, is very important, and circulation and access to samples and data must be considered. In Finland, it is required that a written agreement sets the conditions for granting access to samples and information. This agreement must also include as attachments the research plan, a statement by a competent ethics committee referred to in the Medical Research Act or other statement necessary to assess the fulfilment of the conditions for granting access to the samples and information, and an account of the processing of the samples and information. Furthermore, it is established that those who have access to the samples or information must publish the research results that are based on the samples or information received from the biobank. According to the Biobank Act, access to samples and information could also be limited when justified, considering: (a) the biobank’s research area and other restrictions concerning the granting of access to the samples and information associated with them referred to in section 6(2)(4); (b) the securing of intellectual property rights related to research; (c) data protection; and (d) reasons related to research ethics. A close look at the legal framework for biobanking in Finland shows that there are other Finnish acts that supplement the practices and principles governing biobank activities for medical research. Other relevant sources are the Medical Research Act (488/1999)4 and the Act on the Medical Use of Human Organs and Tissues (101/2001),5 which regulate the transfer of organs, tissues and cells removed for the diagnosis and treatment of human diseases or injuries and their use in biobank research. Other relevant legal instruments are the Data Protection Act (1050/2018) and the Act on the Openness of Government Activities (621/1999),6 which contain provisions on the right of access to official documents in the public domain, officials’ duty of non-disclosure, document secrecy and any other restrictions of access that are necessary for the protection of public and private interests. Biobanks that are not government bodies are also subject to the provisions of the Act on the Openness of Government Activities respecting proper information management practises (Section 17, Biobank Act).

4

https://www.finlex.fi/fi/laki/kaannokset/1999/en19990488.pdf (unofficial translation). https://www.finlex.fi/en/laki/kaannokset/2001/en20010101_20130277.pdf (unofficial translation). 6 https://www.finlex.fi/en/laki/kaannokset/1999/en19990621_20150907.pdf 5

490

A. Langella and S. Brizioli

Lastly, the Act on the Secondary Use of Social and Health Data (552/2019)7 and the General Data Protection Regulation (EU) 2016/6798 (hereafter GDPR) were both passed after the current Biobank Act went into effect. For this reason, a proposal to amend the law on biobanks has been moved to ensure compliance with the GDPR. After all, the Finnish legislation on biobanks has been under revision almost since the day it went into effect (Salokannel et al. 2019). The principal aim of the reform is to protect the right to self-determination of the subjects involved. Once amended, the law should include provisions on the right to self-determination of donors, which should establish different protections depending on whether donor consent is used by the biobank for the taking of samples or for the processing of samples and personal data. The legislative amendments would enter into force on 1 January 2024 but would not apply to samples taken before this effective date (Ministry of Social Affairs and Health 2022).9

2 The Protection of Personal Data and the Exceptions for Scientific Research Purposes In Finland, the right to privacy is guaranteed by Article 10.1 of the Finnish Constitution, implying that legislation related to data protection can be inserted into a specific law.10 The Data Protection Act (Section 6) states that Article 9(1) of the GDPR, which prohibits the processing of special categories of data, does not apply when the processing concerns scientific or historical research purposes and that the controller, and the processor shall take suitable and specific measures to safeguard the rights of the data subject. Some derogations relating to processing of personal data for scientific research purposes are provided by Section 31, which specifies that ‘where personal data are processed for scientific or historical research purposes, the rights of the data subject laid down in Articles 15, 16, 18 and 21 of the Data Protection Regulation may be derogated from, where necessary, provided that: 1) the processing is based on an

7

https://stm.fi/documents/1271139/1365571/The+Act+on+the+Secondary+Use+of+Health+and +Social+Data/a2bca08c-d067-3e54-45d1-18096de0ed76/The+Act+on+the+Secondary+Use+of +Health+and+Social+Data.pdf?t=1559641328000 8 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4. 5. 2016 L 119/1. 9 https://stm.fi/en/-/biobank-act-to-be-updated-to-meet-requirements-of-eu-general-data-protectionregulation 10 ‘Everyone’s private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act’. https://www.finlex.fi/en/laki/ kaannokset/1999/en19990731.pdf.

Finland

491

appropriate research plan; 2) a person or group responsible for the research has been designated; and 3) the personal data are used and disclosed only for scientific or historical research purposes or for other compatible purposes, and the procedure followed is also otherwise such that data concerning a given individual are not revealed to outsiders’. In general, these provisions concern the protection of personal data when research activities are carried out, and the Biobank Act must be recalled to scrutinise the discipline for the protection of those involved in biobanking activities. In some cases, the Biobank Act expressly refers to the regulation on privacy and asks for further requirements or fulfilments. For example, when processing samples with identifiers and the information associated with them, some due diligence obligations are added by the Biobank Act to the provisions of Articles 5 and 6 of the Data Protection Act. The Biobank Act explains that when processing samples with the identifiers and the information associated with them, it must be ensured that: (1) the sample and the information associated with it are accompanied by a code issued by the biobank for the purposes of storage, archiving, analysis, study and use of the sample and information; (2) the samples and the information associated with them are stored separately from the code key; (3) information systems ensure the safe storage, use and monitoring of samples and personnel information stored in a biobank and the verification of individual identification events (Section 16). The Biobank Act establishes that a biobank may process samples of a person and his or her information obtained in relation to the samples to the extent required by the biobank research with the written consent of the data subject. This consent also provides for adding complementary information about, for example, donor’s disease history (Section 14). It is necessary that the expression of consent states that the data subjects’ personal data may be disclosed or be linked to register data and that a sample stored in a biobank as well as information obtained based on a sample or associated with a sample may be analysed, studied, and used or otherwise processed in ‘broad terms’ if the processing is in accordance with the research area of the biobank. This means that the person giving consent must be provided with a sufficient clarification of the nature of biobank research, and any possible drawbacks, the objective of collecting and storing samples, the owner of the samples and the biobank storing the samples must be communicated to the donor. However, the donor may withdraw the consent or restrict the use of the sample at any time without giving any reason (Section 11, Biobank Act). In this case or when changing consent or denying the use, a notification must be made to the custodian of the biobank (Section 12). The withdrawal of consent is documented in the biobank’s consent register (Section 22).

492

A. Langella and S. Brizioli

3 The Re-use of Old Samples As scholars have pointed out, at the time biobanking operations officially started in Finland in 2013 as the Biobanking Act came into force, the main corpus of biobank samples consisted of around 10 million ‘legacy samples’ (samples collected prior to biobank legislation). Those old diagnostic or research samples have been transferred to biobanks in accordance with the Biobank Act, but their transfer raised many ambiguities, both legally and in terms of social sustainability (Salokannel et al. 2019). However, the Biobank Act (Section 13) allows a higher education institution, research institution and healthcare facility to transfer to a biobank the human samples and related information that was collected for a specific study initiated before the entry into force of this Act. Likewise, it is possible to transfer samples and the associated data originally collected for diagnostic purposes to a biobank. The transfer is possible without impairing confidentiality clauses if the donor— after being informed of the change of purpose with respect to the samples and data— does not object and unless the Ethics Committee deems the transfer of samples to a biobank to be ethically unacceptable. Thus, the National Supervisory Authority for Welfare and Health decides on the transfer of the samples to a biobank if the ethics committee does not deem it to be morally acceptable. It should be emphasised that even if the transfer assumes a special notification process, when the samples are numerous or outdated and it is difficult to contact donors with reasonable effort, the notification process can take place through publication in an official paper, in a public communication network and, when necessary, in one or more daily papers. The law establishes that the donors will be contacted and informed of the transfer of samples to the biobank; however, the doctrine has underlined that, in general, it was not customary for biobanks to recontact patients or research participants. It has been pointed out that in practice, biobanks primarily operate with samples that have been transferred to their collections with a notification procedure consisting of a public announcement (Salokannel et al. 2019). Thus, the autonomy of the donors is reduced and their ability to opt out is not real.

3.1

Secondary Use of Health Data

In general terms, if data are used for purposes other than those for which they were collected, the rules on so-called secondary use must be considered. In Finland, the Act on the Secondary Use of Social and Health Data11 aims to facilitate access to 11

https://stm.fi/documents/1271139/1365571/The+Act+on+the+Secondary+Use+of+Health+and +Social+Data/a2bca08c-d067-3e54-45d1-18096de0ed76/The+Act+on+the+Secondary+Use+of +Health+and+Social+Data.pdf?t=1559641328000.

Finland

493

personal health and social data for secondary uses. Secondary use of health and social data means that ‘customer data and records created during the activities of the health and social services industry will be used for a purpose other than the primary reason for which it was originally saved12’. Secondary uses covered by the Act include scientific research, statistics development and innovation activities. The future reform (2024) aims to ensure that this law also complies with the requirements of the General Data Protection Regulation.

4 The Retention Period of Samples and Data It is an ordinary criterion and a constant juridical consideration that every right must be exercised without abusing it and within the limits established by the law, which, in some cases, is also fixed in terms of time. The Biobank Act limits the right to keep the samples and the information associated with them to the real need for them to be maintained, which must be evaluated regularly and at least every ten years. Samples and information that are not necessary with respect to the biobank’s area of research and criteria for processing the sample shall be destroyed (Section 25). Furthermore, if the ownership and control of a sample and the information associated are transferred to another biobank, the transferred samples shall be re-coded by the biobank receiving them. When the operations of the biobank come to an end, the samples and the like information are destroyed; the consent register and the sample and information register shall be transferred to an archive, as provided in the Personal Data Act, and the custodian of the biobank is required to destroy the code register.

5 Conclusion Although the Finnish Biobank Act has been internationally considered very attractive, the regulatory context would seem to require greater transparency and openness; for this reason, the future reform (2024) is rooted in the auspices to meet the highest standards of protection, principles and requirements of the GDPR.

12

https://stm.fi/en/secondary-use-of-health-and-social-data.

494

A. Langella and S. Brizioli

References Forsberg J, Soini S (2014) A big step for Finnish biobanking. Nat Rev Genet 15:6. https://doi.org/ 10.1038/nrg3646 Government report on information policy and artificial intelligence (2018). https://vm.fi/ documents/10623/7768305/VM_Tiepo_selonteko_070219_ENG_WEB.pdf Ministry of Social Affairs and Health (2022) Biobank Act to be updated to meet requirements of EU General Data Protection Regulation. https://stm.fi/en/-/biobank-act-to-be-updated-to-meetrequirements-of-eu-general-data-protection-regulation Salokannel M, Tarkkala H, Snell K (2019) Legacy samples in Finnish biobanks: social and legal issues related to the transfer of old sample collections into biobanks. Hum Genet 138:1287– 1299. https://doi.org/10.1007/s00439-019-02070-0

France Viviana Di Capua

1 Introduction The history of research on human biological materials and information (personal, medical, biological and genetic) and of biobanks—the places where collections of materials and information are stored, preserved and distributed—is firmly linked to the regulatory puzzles that have been developed over time to govern and regulate methods and directions (Tallacchini 2013, p. 157; for a semantic overview of the phenomenon of biobanks, see Cannovo et al. 2020; Guarino and Cannovo 2015; Guidi et al. 2019). The principles and rules that govern, on the one hand, cells and tissues in their materiality and, on the other hand, the set of data associated with them have been constructed to fulfil the protection of heterogeneous assets and interests: the protection of privacy and the private life of the patient (donor), the freedom and functionality of medical–scientific research, the legal–economic relationship between the biobank and the researcher and the intellectual property rights referable to biotechnological patents resulting from genetic investigation as well as economic claims of funding bodies and/or users, such as the pharmaceutical industries (Lorenzon 2012, p. 42). More specifically, the definition of the discipline was inspired by the need to ensure freedom and solidarity in the provision of biological materials and health safety in their use, while in the collection of information (personal, family, clinical, biological and genetic) preference was given to the protection of privacy. The latter profile has recently been regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,

V. Di Capua (✉) Department of Political Science, University of Naples Federico II, Naples, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_56

495

496

V. Di Capua

and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR),1 applicable from 25 May 2018 (for a legal overview of GDPR, see Cippitani and Colcelli 2021, p. 2; Pohle 2018, p. 97). This paper aims to give an overview of the regulation of biobanks in the French legal system, with a particular focus on the state of implementation of European Law on the processing of personal data and on any national specifications and/or derogations.

2 Scientific Research and Biobanking in France Legal Framework In France, there is no law specifically dedicated to biobanks (Fiant 2019). However, the activities they carry out are strictly regulated (on the main problems related to the functioning of French biobanks, see Washetine et al. 2017). At present, the French legislation is based on two laws governing the general procedures for the management of collections of human biological samples for scientific purposes: Law no. 2004-806 of 9 August 2004 relating to public health policy2 and Law no. 2004-800 of 6 August 2004 relating to bioethics.3 Law 2011814 of 7 July 20114 implemented a first reform of the sector and was, in turn, modified by Law no. 2013-715 of 6 August 20135 authorising research on embryos and embryonic stem cells under certain conditions (Binet 2013, p. 1562). This is an activity subject to the general principles of the Civil Code on the dignity of the person, the inviolability of the human body, the extra-patrimonial nature of the body and its products and elements6 (Cippitani 2018, p. 55). More generally, biobanks are subject to the Public Health Code (PHC),7 which governs scientific activities and biomedical research without prejudice to compliance with the general principles related to the donation and use of elements and products of the human body.8

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Loi no. 2004-806 du 9 Août 2004 relative à la politique de santé publique. 3 Loi no. 2004-800 du 6 Août 2004 relative à la bioéthique. 4 Loi no. 2011-814 du 7 Juillet 2011 relative à la bioéthique. 5 Loi no. 2013-715 du 6 Août 2013 tendant à modifier la Loi no. 2011-814 du 7 Juillet 2011 relative à la bioéthique en autorisant sous certaines conditions la recherche sur l’embryon et les cellules souches embryonnaires. 6 See Article 16-4. 7 Code de la santé publique. 8 See Articles L. 1211-1 - L. 1211-9 of PHC.

France

2.1

497

The Activity of Biobanks Between the Declaration and Authorization Regime

According to the legislative definition, a collection of human biological samples ‘results from the collection, for scientific purposes, of biological samples taken from a group of people identified and selected on the basis of the clinical or biological characteristics of one or more members of the group, therefore as derivatives of these direct debits9’. The consent is signed by the patient before the biological sample is taken. This sample can be included in a biobank collection. Before starting the collection, the biobank manager must have requested the favourable opinion of the Committee for the Protection of People (CPP) and declared the conservation of the collection to the Ministry of Higher Education, Research and Innovation and the National Agency for the Safety of Medicines and Health Products (NASM), 10 as well as the Regional Hospitalisation Agency (RHA). The creation of new research data is submitted for authorisation to the National Commission for Informatics and Freedoms (NCIF; Messaoudi et al. 2020, p. 280). Law no. 2013-715 of 6 August 2013 amended the legal regime for research on embryos and embryonic stem cells. Only the bodies and organisations holding authorisation for the conservation of embryonic stem cells for research purposes are authorised to carry out this research; public and private bodies and bodies that carry out research activities that have entered into an agreement with the institutions can also carry out such research.11 The conservation of embryos and embryonic stem cells for research purposes requires the authorisation of the Agency for Biomedicine.12 Any organisation that retains embryos or embryonic stem cells for research purposes must be able to demonstrate that the consent given by the parents of the embryos has been collected. If the embryonic stem cells have been imported, the organism must be able to justify that they were obtained in accordance with the requirements of the Civil Code with the prior consent of the couple or parents of the embryo conceived in the context of medically assisted procreation and that this embryo is no longer the subject of a parental project, and that no compensation, whatever the form, has been allocated to the couple.13

9

See Articles L. 1243-3 of PHC. See Article 36-I of the Law of 6 August 2004. 11 See Article R. 2151-3, II, of PHC. 12 See Article R. 2151-20 of PHC. 13 See Article R. 2151-18 of PHC. 10

498

2.2

V. Di Capua

The Chain of Operations and Responsibilities

The manager of a collection, as the administrative manager, must ensure compliance with the law. However, the person who initiates the collection can also be identified as the scientific manager of the collection and can oversee the chain of operations. The requirements for the number of samples and the relevance of the research projects are determined by the scientific council of the biobank, which is composed of doctors and researchers and decides on the nature and type of samples authorised in the biobank.

2.3

The Essential Consent of the Patient

Patient consent and data protection are the pillars of biomedical research (Messaoudi et al. 2020, p. 281). The removal of elements from the human body and the collection of its products cannot be carried out without the prior consent of the donor, which can be revoked at any time.14 The authorisation to use a human sample requires the free and informed consent of the individual (so-called informed consent). The patient expresses in writing his or her willingness to participate in the research project after being clearly informed of the researchers’ goal, but nonetheless can withdraw from the study at any time. This consent is sent to the Committee for the Protection of People (CPP), and it is mandatory for the use of biological samples, personal data or genetic research. Sometimes the sample can be useful to more than one investigator. In this case, the patient is again consulted and informed of the new area of application. In France, the secondary use of samples is based on the principle of non-opposition. In the context of broad informed consent, the patient accepts (rectius: does not object) that the data associated with his or her sample may be used in a future project. If it is not possible to contact patients again, the scientific manager can request the Committee for the Protection of People (CPP) for global requalification of a collection by illustrating the objectives of the new research and, specifically, the need to include samples of patients that cannot be contacted. The Committee for the Protection of People (CPP) can accept the requalification except in the case of genetic studies, for which individual consent is mandatory, and for the use of gene cells. It is important to note that the principles of non-opposition and requalification reveal the limits of the traceability of individual consent. Patient information feedback is a long but fundamental step for biobanks that want to increase the size of their collections. Thanks to the Internet, exchanges with the patient could be accelerated by dynamic electronic consent (electronic informed consent), which provides information to the patient enriched by videos and interactive exchanges and offers real-time traceability of the sample (Stoeklé et al. 2017). 14

See Article L. 1211-2 of PHC.

France

2.4

499

The Protection of Data Associated with the Sample and Personal Data

When a person agrees to participate in a scientific project, he or she places trust in the doctor who takes care of the sample and guarantees the confidentiality of the results. The biological sample is then placed in a collection of a biobank. The handling of these samples requires that the data be anonymised according to a standardised procedure. The information on the person’s identity (surname, first name, fiscal code) is encoded by a key or an encryption code that facilitates longitudinal followup and patient feedback. After processing of the samples, the project promoter will create new data that needs to be protected. The adoption of the GDPR affected the activities of biobanks related to both samples (collection, storage and use in research) and to associated personal data (collection, storage and use) (Chassang et al. 2016). The requirements of the GDPR were addressed by updating existing legislation. In particular, the GDPR implementation technique was characterised by France’s symbolic choice to maintain the architecture of Law no. 78-17 of 6 January 1978 on information technology, data files and civil liberties (the so-called French Data Protection Act or French DPA),15 thereby preserving the principles that were identified several years ago by the legislature and repealing only contradictory provisions. Law no. 2018-493 of 20 June 2018 on the Protection of Personal Data16 updated the French DPA. The first enforcement decree, Decree no. 2018-687 of 1 August 2018 published 3 August 2018, specifies the organisation and functioning of the Commission Nationale de l’Informatique et des Libertés (CNIL), that is, the Data Protection Supervisory Authority for France, provides that the CNIL is to publish the lists of processing operations for which a Data Protection Impact Assessment is required (the so-called ‘DPIA Blacklist’),17 details the data subjects’ rights (e.g., conditions and guarantees under which the rights of access, rectification, restriction and opposition may be waived in the event of data processing for scientific, historical research or statistical purposes), establishes the list of categories of data processing

Loi n. 78-17 du 6 Janvier 1978 relative à l’informatique, aux fichiers et aux libertés. Loi n. 2018-493 du 20 Juin 2018 relative à la protection des données personnelles. 17 The controller must carry out a DPIA prior to the processing of personal data in the conditions provided for in Article 35 GDPR (see Article 62 of the French DPA). A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned. Thus, processing operations which fulfil at least two of the following criteria must be subject to a DPIA: assessment/scoring (including profiling); automatic decision with legal or similar effect; systematic monitoring; collection of ‘sensitive’ data; collection of personal data on a large scale; data crossing; vulnerable persons (patients, elderly, children, etc.); innovative use (use of a new technology); and exclusion of the benefit of a right/contract. The CNIL has since fulfilled its mandate to issue its ‘DPIA Blacklist’ in Deliberation no. 2018328 of 11 October 2018 and its ‘DPIA Whitelist’, which contains a list of processing activities that are not subject to the requirement of a DPIA, in Deliberation no. 2019-118 of 12 September 2019. 15 16

500

V. Di Capua

(administrative, financial, operational and medical) that may derogate from the data breach notification obligations and coordinates the Code of Civil Procedure and the Penal Code, particularly for the processing of criminal records. With these clarifications, the criticisms raised by Law no. 2018-493 of 20 June 2018 were resolved by the adoption of Ordinance no. 2018-1125 of 12 December 2018, which finally modified the architecture of the French DPA by rewriting the entire text to improve its legibility, ensure consistency with other regulations in force and correct any error and omission for coherence with the GDPR. Finally, Decree no. 2019-536 of 29 May 2019 constituted the last step in the adaptation of national law to the GDPR. The Decree guarantees the coherence of the revised French DPA with the GDPR, specifies the rights of the interested parties, adjusts the procedural rules before the CNIL and, above all, introduces the French DPA as amended by Ordinance no. 2018-1125. Therefore, it is still the provisions of the French DPA integrating the GDPR and its Decrees that set the general framework applicable to the protection of personal data in France. The definitions adopted in the French DPA are broadly the same as under the GDPR (e.g., data controller, data processor, personal data, data subject, health data, biometric data, pseudonymisation, etc.). Prior formalities with the French DPA have disappeared, bar a few exceptions (in particular, with respect to the processing of health data that will continue to be subject to either a declaration of conformity to specific requirements defined by the French DPA or its authorisation) and are replaced by a control a posteriori (Pohle 2018, p. 102). No specific requirements on collection and processing apply under the French DPA other than those in the GDPR. The French DPA contains some exceptions18 to the GDPR. For the purposes of this study, the main exception to take into account regarding the information on data processing is that France has abolished its prior notification regime (i.e., as a principle, simplified or standard declarations or authorisation requests are no longer required). However, some processing must still be notified to the CNIL for authorisation or to request an opinion. So far, the CNIL has only identified the processing of health data for research purposes and for public interest purposes as triggers for this prior notification obligation and has published the relevant authorisation request forms online. In addition, Articles 31 and 32 of the French DPA provide that authorisation by decree of Council of State is required for processing: (a) of special categories of data (data specified in Article 6-I of the

18

Article 45 of the French DPA provides that a minor may consent on his or her own to the processing of personal data from the age of 15. If the minor is less than 15 years old and the processing activity is based on consent, the lawfulness of the processing activity is subject to a requirement of a double consent: the consent of the minor and that of the holder of parental rights. The French Constitutional Court ruled that the GDPR allows Member States to decide either that (a) consent is given on behalf of the minor by the holder of parental rights; or (b) the holder of parental rights can authorise the minor to give consent, which induces a double consent.

France

501

French DPA); (b) biometric and genetic data necessary to identify persons or control identity on behalf of the State; and (c) for State national security, defence or public security purposes and relating to the prevention, search, finding or prosecution of criminal offences or to the enforcement of criminal convictions or detention orders on behalf of the State. Furthermore, Article 70-21 of the French DPA provides for the possibility to derogate from the notice requirements of Articles 13 and 14 GDPR for processing carried out by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.19 In the event of data breach, Article 58 of the French DPA provides for an exception to the right of communication of a data breach prescribed by Articles 33 and 34 GDPR. A decree of the Council of State after having heard the opinion of the CNIL establishes the list of treatments and categories of treatments that are authorised to derogate from this right when the communication of disclosure or unauthorised access to such data may represent a risk to national security, national defence or public security.20 Some exceptions are provided for historical and scientific research purposes. Article 4 of the French DPA provides that personal data can be retained beyond the time necessary to fulfil the historical, statistical and scientific purposes for which the data was processed and that further processing for such purposes shall be considered compatible with the original purposes of data collection. Exemptions from the obligation of the controller to inform data subjects are provided for processing necessary to retain data for historical, statistical or scientific purposes if data was initially collected for another purpose.21 Employers can process biometric data strictly necessary for the control of access to workplaces, equipment and applications used in the framework of missions entrusted to employees. Other provisions may be found in the French Labour Act. The CNIL introduces any further conditions on the processing of genetic data, biometric data and health data. In particular, the CNIL publishes guidance and template rules to ensure the security of data processing systems and to regulate the processing of genetic data, biometric data and health data.22 The CNIL may impose additional rules for processing these categories of data. Processing by a public

19

When such restriction is intended to: (a) avoid any hindrance to investigations, research or proceedings; (b) avoid any hindrance to the prevention or detection of criminal offences, investigations or prosecutions of such offences or execution of criminal penalties; (c) safeguard public security or national security; and (d) safeguard the rights and liberties of another individual. 20 This exception is applicable only to the processing of personal data necessary to fulfil a legal obligation that requires the processing of such data or for the exercise of a mission of public interest in which the data controller is invested. 21 See Article 79 of the French DPA. 22 The CNIL has currently issued the following guidance on the application of the GDPR and GDPR implementation law: (a) guidelines on the security of personal data; (b) GDPR awareness guide for SMEs; (c) GDPR guide for health professionals; (d) GDPR guide for data processors; (e) guide

502

V. Di Capua

authority of genetic data or biometric data necessary for authentication or control of the identity of individuals must be authorised by a decree of the State Council. In the case of processing for medical research purposes related to the examination of genetic characteristics, the express consent of the data subject must be obtained before the processing begins unless the affected data subject cannot be found. Health data providers must hold a certificate of conformity from an accredited certifying body in the EU to process personal data for these purposes.23 Some specific provisions are provided for the implementation of Articles 85, 87 and 89 GDPR. In particular, Article 5-III of the French DPA provides for an exemption from certain provisions of Article 85 GDPR for (a) processing for the purpose of artistic or literary expression and (b) the exercise of journalistic activity as a profession.24 Regarding Article 87 GDPR, Article 30 of the French DPA, as updated by Law no. 2019-774 of 24 July 2019 relating to the organisation and the transformation of the health system,25 provides that a decree of the Council of State adopted following a reasoned opinion and published by the CNIL determines the categories of data controllers of the treatment and the purposes for which the treatment can be implemented, when data including the registration number of persons in the national register for the identification of natural persons (NIR). Regarding Article 89 GDPR, the French DPA introduces a derogation to the rights of access, rectification, restriction, portability and objection in the case of processing for archiving purposes in the public interest. The French DPA does not contain explicit provisions on electronic marketing, which is regulated by Article L. 34-5 of the French Postal and Electronic Communications Act. The French DPA contains some variations on the GDPR’s right to access.26 For example, Article 64 of the French DPA provides that health data is to be communicated to the data subject according to his or her choice either directly or through the intermediary of a doctor who he or she designates for this purpose in compliance with the provisions of Article L. 1111-7 of the Public Health Code.27 In the end, although CNIL’s powers remain substantively the same, CNIL’s sanctioning ability is brought in line with the GDPR. Sanction provisions are thus

regarding the methodology of Impact Assessments; (f) list of types of data processing activities for which Impact Assessments are mandatory. 23 See Article 8 of the French DPA. 24 In addition, journalists can oppose the secrecy of journalistic sources to the CNIL. The French DPA is stricter than the GDPR as the exception concerning the freedom of press only applies to professional journalists and not to journalistic purposes, as provided in Article 85 GDPR. 25 Loi no. 2019-774 du 24 juillet 2019 relative à l’organisation et à la transformation du système de santé. 26 See Article 15 GDPR. 27 The Article L. 1111-7 of the Public Health Code provides that if no exceptions apply, the data must be communicated to the data subject no later than eight days after his/her request and no sooner than a 48-hour period of reflection has been observed and that specific conditions apply for minors.

France

503

more detailed due to new GDPR principles—such as direct accountability of processors—and reinforce the level of sanctions.

3 Conclusion Although biobanks have assumed increasing importance over the years in the development of scientific research, France, unlike other Northern European Countries, has not yet issued a law specifically dedicated to them. The activity of biobanks is subjected to a plurality of regulatory sources that create a fragmented, disorganised legislative framework because of possible overlaps and that is susceptible to interpretative and application criticalities. The activities of biobanks—relating to both samples (collection, storage and use) and associated personal data (collection, storage and use)—have been affected by the adoption of the GDPR. In France, the requirements of the GDPR have been addressed by updating existing legislation. Therefore, it is still the provisions of the French DPA (integrating the GDPR) and its Decrees that set the general framework applicable to the protection of personal data in France. However, this method has led to unsatisfactory results in terms of legibility. Some provisions appear to be redundant, while others are unclear with regards to their practical application or result in a meaning that substantially diverges from the GDPR provisions. As has been shown, French privacy laws and regulations have not been developed with biobanks in mind and are more general in scope. Furthermore, several regulations apply that do not facilitate the consistency of the legal framework and involve an administrative burden related to the multiplication of the conditions requested by the various laws (Rial-Sebbag and Pigeon 2015, p. 764). Therefore, the adoption of a new legislative text that organically regulates the activity of biobanks and the related processing of personal data is needed, as well as a repeal of the laws in force on the subject.

References Binet J-R (2013) Recherche sur l’embryon: Fin d’un symbole éthique et abandon d’une illusion thérapeutique. La Semaine Juridique 36:1562–1564 Cannovo N, Cingolani M, Guarino R, Fedeli P (2020) Regulation of biobanks in Italy. Front Pediatr 8:1–5. https://doi.org/10.3389/fped.2020.00415 Chassang G, Cambon Thomsen A, Rial-Sebbag E, Dagher G (2016) Éthique et réglementation des biobanques de recherche. Aspects opérationnels et perspectives. Biobanques, Paris Cippitani R (2018) Genetic research and exceptions to the protection of personal data. In: Arnold R, Cippitani R, Colcelli V (eds) Genetic information and individual rights. Series ‘Law & Science’, vol 1. Universität Regensburg, Regensburg, pp 54–79. https://doi.org/10.5283/epub.36785

504

V. Di Capua

Cippitani R, Colcelli V (2021) Bio-legal issues in the establishment of a historical collection of human tissues: the case of the Umbria Biobank Project. Medicina Historica 5:1–9 Fiant O (2019) Biobanques médicales et génomique fonctionnelle en France. Un défi pour l’intérêt général. Terminal [En ligne], 124. http://journals.openedition.org/terminal/4101 Guarino R, Cannovo N (2015) Le biobanche di ricerca in attesa di una regolamentazione giuridica. In: Buccelli C (ed) Aspetti etici della sperimentazione biomedica. Evoluzione, criticità, prospettive. Comitato Etico dell’Università Federico II, Napoli, pp 1–10 Guidi B, Gerbi M, Iannaccone F, Di Paolo M (2019) Dall’Habeas Corpus all’Habeas Data: Regole per l’archiviazione del materiale biologico. Responsabilità civile e previdenza 84(2):720–736 Lorenzon S (2012) La regolamentazione delle biobanche all’incrocio tra diritto dell’Unione e discrezionalità legislativa nazionale: Alla ricerca di un punto di equilibrio tra riservatezza e libertà di ricerca scientifica. In: Casonato C, Piciocchi C, Veronesi P (eds) Forum Biodiritto 2010. La disciplina delle biobanche a fini terapeutici e di ricerca. Università degli Studi di Trento, Trento, pp 41–92 Messaoudi Z, Soltani N, Arrighi N (2020) Bioéthique. L’existence des contraintes légales et réglementaires des biobanques (Legal and ethical considerations for the use of biobanks). Médicine Science 36(3):279–282. https://doi.org/10.1051/medsci/2020042 Pohle J (2018) Data privacy legislation in the European Union Member States – a practical overview. Comput Law Rev Int 19(4):97–116. https://doi.org/10.9785/cri-2018-190402 Rial-Sebbag E, Pigeon A (2015) Regulation of biobanks in France. J Law Med Ethics 43:754–765 Stoeklé HC, Deleuze JF, Vogt G, Hervé C (2017) Vers un consentement éclairé dynamique. Médicine Science (Paris) 33:188–192 Tallacchini M (2013) Dalle biobanche ai Genetic Social Networks. Immaginari giuridici e regolazione di materiali biologici e informazioni. Materiali per una storia della cultura giuridica 1:157–180 Washetine K, Ilié M, Hofman V, Butori C, Long E, Lassalle S, Selva E, Tanga V, Bonneteau C, Allegra M, Clément B, Dagher G, Hofman P (2017) Les biobanques: Quels enjeux en 2017? Revue Francophone des laboratoires 488:25–29

Germany Toni Fickentscher

1 Introduction In Germany, a separate law regulating the establishment and use of biobanks has not yet been enacted (am Busch et al. 2016). In addition, the scope of application of the Gene Diagnostics Act (GenDG) has been explicitly excluded for genetic examinations and analyses as well as for the handling of genetic samples and data for research purposes (§ 2 para. 2 No. 1 GenDG). Since no other specific federal data protection regulations come into consideration for biobanks, questions regarding the (further) processing of special categories of personal data within the meaning of Art. 9 of the General Data Protection Regulation (GDPR) must be measured against the general data protection requirements of the Federal Data Protection Act (BDSG)1—more specifically, against Art. 27 BDSG if research purposes are pursued. There are also some regulations at the level of the Länder that may be relevant in this context (on the relationship between the data protection provisions of the Länder and the Federal Data Protection Act, see Schlösser-Rost 2020, § 27 Rn. 9 f.). On the one hand, corresponding regulations can be found in the data protection laws of the individual Länder (see the list at Krohm 2019, § 27 Rn. 47);2 on the other hand, the regional hospital laws may contain such regulations specifically for hospitals.3 Due to the intended general presentation of the German legal situation, the explanations here will only be exemplary based on § 27 BDSG, although in the individual

1

Cf. Art. 1 Para. 2 BDSG. For example, in Bavaria Art. 25 BayDSG. 3 See, for instance, Hamburg § 12 HmbKGH. 2

T. Fickentscher (✉) Faculty of Law, University of Regensburg, Regensburg, Germany © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_57

505

506

T. Fickentscher

case the provisions of the Länder—which may even be of primary status (cf. § 1 para. 1 sentence 1 no. 2 BDSG)—must be observed. After the unfolding of the provision, possible individual questions will be dealt with based on the norm.

1.1

The Presentation of § 27 BDSG

In accordance with Article 9 para. 1 GDPR, § 27 para. sentence 1 BDSG permits deviation from the prohibition in Article 9 para. 1 GDPR of the processing of special personal data for scientific research purposes, even without consent, if this is necessary for these aims and the interests of the data subject are significantly outweighed. It is important to emphasise that § 27 para. 1 BDSG is presumably only an exception clause and that it still requires the existence of a legal basis according to Art. 6 para. 1 GDPR (see the discussion in Schlösser-Rost 2020, § 27 Rn. 5 f.; different view: Buchner and Tinnefeld 2020).4 Section 27 para. 1 BDSG also allows the transfer of data (Krohm 2019, § 27 Rn. 3; this question, in contrast, is not answered in a conclusive way: Schlösser-Rost 2020, § 27 Rn. 18).5 However, there must not be recourse to § 27 para. 1 BDSG for permission to process data that does not fall under Article 9 para. 1 GDPR for research purposes— this depends directly on Article 6 GDPR.6 The privileging exception of § 27 BDSG can be relied upon not only by institutions or companies that have research as their original purpose but also by those that pursue such an interest only as a secondary activity (Krohm 2019, § 27 Rn. 2). For the further processing of data within the meaning of Art. 9 GDPR, the data controller can refer again to § 27 BDSG; the additional requirements of §§ 23 and 24 BDSG, which would generally be applied for changes of purpose, are not valid in this respect.7 The rights of the data subject based on Arts. 158, 16, 18 and 21 GDPR are also restricted if such a necessity exists for the realisation of the research purpose and the aforementioned rights would make the achievement of the research purpose impossible or would seriously impair it (§ 27 para. sentence 1 BDSG). As far as this goes, the German legislature has made use of the opening clause of Article 89 para. 2 GDPR. At the same time, the data controller must take appropriate and

4

This is probably the view of the legislature, BT-Drucks. 18/11325, p. 99. BT-Drucks. 18/11325, p. 99. 6 BT-Drucks. 18/11325, p. 99. 7 BT-Drucks. 18/11325, p. 99. 8 Furthermore, the right from Art. 15 GDPR does not exist if the data is required for scientific research purposes and the granting of information would lead to a disproportionate effort (§ 27 para. 2 sentence 2 BDSG). 5

Germany

507

specific measures according to § 22 para. sentence 2 BDSG9 to protect the interests of the data subject (§ 27 para. 1 sentence 2 BDSG). The data in the sense of Art. 9 para. 1 GDPR must also be anonymised as soon as the research purpose permits this, except if the interests of the data subject conflict (§ 27 para. 3 sentence 1 BDSG). Until that moment, such characteristics must be separately stored based on what individual information on factual or personal circumstances can be assigned to a specific or identifiable person (§ 27 para. 3 sentence 2 BDSG); a combination is only allowed if the research purpose requires it (§ 27 para. 3 sentence 3 BDSG). Instead, the publication of personal data is only possible if this is absolutely necessary for the presentation of research results related to contemporary historical events or if the consent of the data subject has been obtained (§ 27 para. 4 BDSG).

1.2

Potential Single Questions: The Interpretation of § 27 BDSG in the Individual Case

Since the German legal system does not make any exact specifications regarding data protection in biobank research, individual concrete questions cannot be answered in a general way. No reliable and generally valid answer can be given regarding the problem of how exactly collections of health data may be used or re-used or how long tissue material, especially DNA and RNA, might be preserved. These questions will always have to be decided in each individual case (SchlösserRost 2020, § 27 Rn. 20). The necessity of processing must first be considered according to § 27 para. 1 sentence 1 BDSG—a measure is not necessary if there is a less severe means that is equally suitable for achieving the intended research purpose (Schlösser-Rost 2020, § 27 Rn. 30); for example, if the goal could also be achieved with anonymised data (Krohm 2019, § 27 Rn. 22). Furthermore, the interests must be weighed and be substantially in favour of the processing. This depends on the nature of the specific European Union law that requires the fundamental rights of the controller and the data subject to be considered in the weighing of interests. Possible parameters that are to be used to reach a decision in an individual case are named here as examples.

§ 22 para. 2 sentence 2 BDSG lists, for instance, the following measures: sensitisation of those persons involved, appointment of a data protection officer and pseudonymisation or encryption of personal data.

9

508

T. Fickentscher

2 The Valuation Standard: The Differentiation Between Fully Harmonised and Not-Determined Specific European Union Law National ordinary law—such as § 27 BDSG—or its application in a specific case is generally examined in the light of the German Basic Law (BL) if it falls in the scope of application of European Union law under Article 51 para. 1 of the Charter of Fundamental Rights of the European Union (CFR), but it is also not fully determined by the specific European Union law.10 As the latter leaves freedom to the Member States in implementing it, it generally intends diversity in terms of fundamental rights.11 On the other hand, if the specific European Union law is fully harmonised, its concrete application is controlled on the basis of the fundamental rights of the Charter since this case all depends on uniformity.12 As Article 9 para. 2 lit. j) GDPR allows the Member States themselves to regulate the processing of special categories of personal data for research purposes, it must be assumed that this opening clause doesn’t constitute, in principle, fully harmonised specific European Union law, which means that the implementation in national law—in the present case § 27 BDSG—as well as its concrete application must be regularly evaluated on the basis of the fundamental rights of the German Basic Law (Schulz 2018, Art. 9 Rn. 3).

3 The Protection of the Data Controller The freedom of science from Article 5 para 3 BL must first be taken into account with respect to the person responsible for the processing; if no diversity of fundamental rights should exceptionally be intended, Article 13 CFR would have to be applied. Such a guarantee includes the processes, behaviour and decisions based on the person’s own legalisms that are intended to be able to grasp, interpret and pass on knowledge.13 The guarantee cannot be reduced to a specific form of science but includes everything that contributes to the discovery of truth by way of a serious, planned attempt.14 The term ‘scientific research purposes’ in § 27 BDSG must, therefore, be widely interpreted (Schlösser-Rost 2020, § 27 Rn. 15a). Not only natural persons but even 10

Recently: BVerfG, NJW 2000, 300, 301, Rn. 42. On any exceptions to this principle, ibid. 304 f. Rn. 63 ff. 11 Ibid. 302 ff Rn. 49 ff. 12 Lately: BVerfG, NJW 2020, 314, 316 f. Rn. 42 ff. On exceptions to this rule, ibid. 317 Rn. 47 ff. 13 See especially: FCC vol. 35, 79, 112; vol. 90, 1, 11 f. On the openness of the concept of research: FCC vol. 61, 210, 246. 14 Particularly: FCC vol. 35, 79, 113; vol. 47, 327, 367.

Germany

509

legal entities can invoke the freedom of science (Starck and Paulus 2018, Art. 5 Rn. 483 f); moreover, Article 5 para. 3 BL protects state universities (Gärditz 2020, Art. 5 Abs. 3 Rn. 132 ff).15 Consequently, the scope of § 27 BDSG must also be interpreted largely from the personal point of view (Schlösser-Rost 2020, § 27 Rn. 15c f.).

4 The Protection of the Data Subject Regarding the data subject, that is, the donor, it must particularly referred to the right to informational self-determination from Article 2 para. 1 BL in combination with Article 1 para. 1 BL, which protects the individual from unlimited processing of his or her personal data.16 In the case of data in the sense of Article 9 para. 1 GDPR, this often concerns the innermost core content of this right (Schlösser-Rost 2020, § 27 Rn. 32). If it were exceptionally a matter of fully harmonised European Union law, Article 8 CFR would be relevant.

5 Conceivable Parameters for the Process of Consideration In the interpretation of § 27 BDSG, the aforementioned fundamental rights must be balanced in a weighing of interests in the particular case; as an objective set of values, the Basic Law also influences the interpretation of ordinary law regarding the relation between private persons.17 In this context, it must again be emphasised that the interests of the data controller must even substantially outweigh the interests of the data subject pursuant to § 27 para. 1 sentence 1 BDSG—however, the opening clause of Article 9 para. 2 lit. j) GDPR does not require this (Krohm 2019, § 27 Rn. 27). In the present case, the interests of the biobank operator or the researcher concerning the preservation or re-use of the biological material must substantially outweigh the donor’s right to data protection. The following should be considered in this regard: research in biobanks is genuinely based on the processing of special categories of personal data so that the permissibility is part of the essential core of the responsible person’s scientific activity. A differentiation as to the type of material is also likely to be important; for example, scientific freedom should be considered to a stronger degree if the DNA or RNA collection is of particular importance for research at biobanks. The fact that § 27 BDSG imposes specific obligations on the data controller (which have already been mentioned) also helps to avoid a disproportionate

15

FCC vol. 15, 256, 262; vol. 141, 143, 164 Rn. 48. Fundamentally: FCC vol. 65, 1, 41 ff. 17 Elementary: FCC vol. 7, 198, 203 ff. 16

510

T. Fickentscher

weighing of interests to the detriment of the data subject. The reference in § 27 para. 1 sentence 2 BDSG to § 22 para. 2 sentence 2 BDSG is intended to ensure that the requirements of the opening clause of Article 9 para. 2 lit. j) GDPR are fulfilled. This means that, among other things, the essence of the right to data protection as well as the fundamental rights and interests of the data subject are also safeguarded by the national exemption clause18 insofar as the need for protection of the data subject may decrease, for example, if pseudonymised processing of the data takes place (Krohm 2019, § 27 Rn. 26). Finally, the importance of research for society must be taken into account when weighing the interests (Krohm 2019, § 27 Rn. 24; Schlösser-Rost 2020, § 27 Rn. 31). For example, biobank research contributes to decoding disease pattern, and thus, new therapies can be developed; it thus directly pursues an objective that can result in an outstanding added value for the population—and ultimately for the individual. In other words, it should not be ignored that the processing of data in biobanks serves a research purpose that may benefit the entire population in decisive life situations (Buchner and Tinnefeld 2020, § 27 Rn. 12.).

6 Conclusion If the responsible person provides measures in the sense of § 27 para. 2 sentence 2 or para. 3 BDSG, it can in principle be said that, according to the opinion expressed here regarding biobank research, that the freedom of science—based on its importance to society—will substantially outweigh the donor’s interests in informational self-determination. Nevertheless, such questions can only be answered in each individual case and professional legal advice will be indispensable to the operator of a biobank. Moreover, data protection should be in the interest of the data controller because this will ensure trust in the research activity that will, in turn, help to attract new participants—the project or the original interest of the responsible person would again itself benefit (Schlösser-Rost 2020, § 27 Rn. 1.).

References am Busch BS, Gassner UM, Wollenschläger F (2016) Der Augsburg-Münchner-Entwurf eines Biobankgesetzes, DuD 365 ff. Datenschutz und Datensicherheit: DuD 40(6):365–370 Buchner B, Tinnefeld MT (2020) DSGVO/BDSG, § 27 Rn. 8. In: Kühling J, Buchner B (eds) Datenschutzgrundverordnung/BDSG Kommentar, 3rd edn. München Gärditz KF (2020) In: Maunz T, Dürig G (eds) Kommentar Grundgesetz, 91th edn. München

18

Cf. BT-Drucks. 18/11325, S. 99.

Germany

511

Krohm N (2019) In: Gola P, Heckmann D (eds) Bundesdatenschutzgesetz Kommentar, 13th edn. München Schlösser-Rost J (2020) In: Brink S, Wolff HA (eds) BeckOK Datenschutzrecht Kommentar, 34th edn Schulz S (2018) In: Gola P (ed) Datenschutz-Grundverordnung, Kommentar, 2nd edn. München Starck C, Paulus A (2018) In: Mangoldt H, Klein F, Starck C (eds) Kommentar Grundgesetz, Band 1, 7th edn. München

Greece Andreia da Costa Andrade and Carla Barbosa

1 Introduction Over the past two decades, big developments in biomedical research together with important technical advances in high-throughput analysis have resulted in the creation of an increasing number of facilities for the long-term storage of human cell and tissue samples for research. Despite significant differences in approach, purpose, scale and scope, these facilities are now collectively known as ‘biobanks’ and are regulated at national levels with important variations that compromise desirable legal harmonisation. The following analysis underlines the main issues with biobanks in the Greek legal framework.

2 Scientific Research: Exceptions and Specific Measures On 29 August 2019, the Greek law that ensures the enforcement of the General Data Protection Regulation (hereafter GDPR1) was published, namely Law 4624/2019 published in Government Gazette 137/A/29-8-2019.2

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Law 4624/2019 Hellenic Data Protection Authority (HDPA), measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the A. da Costa Andrade (✉) · C. Barbosa Centre for Biomedical Law, Faculty of Law, University of Coimbra, Coimbra, Portugal e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_58

513

514

A. da Costa Andrade and C. Barbosa

The third chapter of this law is dedicated to the establishment of additional measures for the processing of personal data. As in the GDPR, Greek law establishes as a principle the prohibition on the processing of personal data when health data are included. However, by way of derogation from Article 9, paragraph 1 of the GDPR, Article 22 of the Greek law under the processing of special categories of personal data establishes that the processing of those data by public and private bodies is allowed in the several situations it lists. However, scientific research is not included in these exceptions because a specific article is reserved for the processing of personal data in the scope of scientific research. Article 30 of Law No. 4624/2019 provides some rules for the treatment of personal data for the purposes of scientific or historical research and statistical purposes under a like-named heading. Despite establishing a clear and expressed preference for carrying out scientific research using anonymised data, if it is not possible to use pseudonymised data or, only as a last resort, identified data, then by way of derogation from article 9, paragraph 1, of the GDPR, the processing of specific categories of personal data is permitted without the consent of the data subject if such processing is necessary for the purposes of scientific or historical research. However, the controller must take appropriate and specific measures to protect the legitimate interests of the data subject. Measures may include: (a) restrictions on access for controllers and processors; (b) pseudonymisation of personal data; (c) encryption of personal data; and (d) appointment of a DPO. It also provides for the possibility that some rights of holders may be restricted if the exercise of these rights makes it impossible or seriously prevents the fulfilment of the objectives established in scientific research. In conclusion, derogations are provided from a data subject’s rights in such cases, while also legitimising the processing of specific categories of data in view of the principle of proportionality. Since the GDPR allows Member States a margin of discretion on the determination of the conditions for processing of genetic, biometric and health data, the Greek legislature opted for the total prohibition of the processing of genetic data for health and life insurance purposes.

protection of natural persons with regard to the processing of personal data, and transposition of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, and other provisions. https://www.dpa.gr/sites/default/files/2020-08/LAW%204624_2019_EN_TRANS LATED%20BY%20THE%20HDPA.PDF.

Greece

515

3 The Core Principle of Purpose Limitation and the Re-Use of Personal Data Increasingly, organisations also wish to ‘re-use’ personal data, that is use data collected for one purpose for a new (secondary) purpose that was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation, namely, to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These factors include: any link between the original purpose and the new purpose; the context in which the data were collected; the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions were processed (with the inference being that if they were, it will be much harder to form the view that a new purpose is compatible); the possible consequences for the data subject of the new processing; and the existence of appropriate safeguards, which may include encryption or pseudonymisation. If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases upon which to justify the new purpose are consent or a legal obligation (more specifically, an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society). Furthermore, Greece has not established any procedure or rule regarding re-use other than those listed in the GDPR and in the preceding considerations.

4 Biobanking The term biobank has not been officially defined in Greek law. The National Bioethics Commission3 defines ‘biobank’ as ‘any collection of human biological material’. This may include tissues, cells, blood or DNA that may have been collected for medical or research purposes by public or private agencies. Greece has no tailor-made legislation on biobanking, but the Greek Constitution contains some fundamental principles, such as the Protection of Dignity and Privacy, Protection of Health and Genetic Identity (Art. 5), Freedom of Research (Art. 16/1) and Protection of Public Health as an obligation of the state (Art 21). Nevertheless, the applicable diplomas that determine the legal framework of biobanks in Greek territory are to be referenced, such as Law 3089/20024 (Medically

3 4

http://www.bioethics.gr/index.php/el. Official Gazette A327/23.12.2002.

516

A. da Costa Andrade and C. Barbosa

Assisted Human Reproduction), Law 3305/20055 (Implementation of Medically Assisted Reproduction) and Presidential Decree 26/20086 (establishing standards, quality and safety for donation, supply, control, processing, maintenance, storage and distribution of human tissues and cells). The collection and processing of human samples require informed consent that should, among other aspects already mentioned, indicate the biobank’s purpose as well as the period of storage of the samples.

5 Conclusions The Greek law that ensures the enforcement of the General Data Protection Regulation has been published and establishes as a principle a prohibition on the processing of ‘sensitive’ personal data when health data are included. Although the processing of special categories of data by public and private bodies is allowed, there are several situations in which scientific research is not included in these exceptions. The processing of special categories of data is permitted without the consent of the subject if processing is necessary for scientific or historical research purposes, but the controller is obliged to take appropriate and specific measures to protect the legal interests of the data subject. Greece has no tailor-made legislation on biobanking; nevertheless, it has a range of pertinent constitutional principles as well as some referenced legal framework.

5 6

Official Gazette A 17/27.1.2005. Gazette 51/A/24-3-2008.

Hungary Balázs Hohmann, Gergő Kollár, and Gergely László Szőke

1 Introduction In Hungary, there are adequate domestic legal regulations on the personal data processing operations performed on health data and the operation of individual biobanks. In addition to the GDPR, which has a general erga omnes character (Kiss and Szőke 2015, pp. 316–318), and a direct effect in the legal systems of European countries, three domestic laws provide the central part of the regulation. First, the general conditions for data processing and the issues left to the laws of the Member States by the GDPR are provided for in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter RISD Act).1 This legislation has two facets: it simultaneously addresses the issues of personal data protection that can be settled by the law of a Member State relating to the right to information self-determination and, at the same time, deals with the issue of freedom of information. The issue of the re-use of public data is no longer within its remit. Second, the general conditions for providing health services and carrying out medical research are laid down in Act CLIV of 1997 on health care (hereinafter Health Care Act).2 The sectoral data protection rules regarding health data are regulated by Act XLVII of 1997 on the processing and protection of health and related personal data3 (hereinafter Health Data Processing Act). This Act regulates 1 Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. https://njt.hu/eli/TV/2011/112. 2 Hungarian Act CLIV of 1997 on health care. https://njt.hu/eli/TV/1997/154. 3 Hungarian Act XLVII of 1997 on the processing and protection of health and related personal data. https://njt.hu/eli/TV/1997/47.

B. Hohmann (✉) · G. Kollár · G. L. Szőke Faculty of Law, University of Pécs, Pécs, Hungary e-mail: [email protected]; [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_59

517

518

B. Hohmann et al.

the special rules regarding the processing of health data, including the issues of scientific research of such data, and names a total of thirty-two different data processing purposes, the vast majority of which arise in the day-to-day operations of a health care provider. Finally, the special sectoral law on biobanks, Act XXI of 2008 on the Protection of Human Genetic Data, Rules on Human Genetic Studies and Research and the Operation of Biobanks (hereinafter Biobanking Act),4 expands the individual data protection and operational rules, giving each a legal basis, delimiting the objectives that can be assigned to each activity and providing detailed rules that create the most important framework for the operation of these institutions.

2 Legal Basis for Processing of Health Data, Biometric and Genetic Data for Research Purposes In this chapter, the national rules regarding scientific research on health data and on biobanks are summarised, including the question of the legal bases of such data processing activities.

2.1

Research Exemption: Special Rules for Scientific Research on Health Data

The research exception to the Hungarian regulations can be drawn from the requirements of the regulation: under Sect. 21 of the Health Data Processing Act, personal health data may be consulted for the purpose of scientific research, but no copy together with the identification data can be made. In publications, only those data may be disclosed from which it is not possible to identify the data subject. This may mean that the researcher can look into the personal health data generated during patient care, but copying and disclosure are not possible unless the data are anonymised. In principle, therefore, the rules of the Health Data Processing Act allow access to non-anonymised health data for research purposes that may include direct identification. As a guarantee, the application to consult the data is subject to the permission of the head of the institution or the data protection officer. However, the scope and details of the permission to consult the health data are far from clear under the law. The Act makes no mention of the examination of the research application and the possible reasons for its refusal. However, no research permit can be granted for illegal data processing, meaning the legal adequacy issue must be resolved when 4 Hungarian Act XXI of 2008 on the Protection of Human Genetic Data, Rules on Human Genetic Studies and Research and the Operation of Biobanks. https://njt.hu/eli/TV/2008/21.

Hungary

519

assessing the application. In this context, neither the legal environment nor the case law provides guidance on exactly what this should cover. It also follows from the logic of liability and data protection law that the head of the institution is able to review legal compliance in connection with the research request and access to the data but has no influence on how the researcher then uses and complies with the accessed personal and pseudonymous data, for example, whether it complies with data security and confidentiality obligations and only discloses non-personal data. The Act also prescribes that the name of the applicant, the purpose, and the date of the insights should be recorded, and this record must be kept for 10 years. If the application to consult the data is refused, this decision shall be justified, and there is a judicial legal remedy against it. In this case, pursuant to Sect. 21 Para (3) of the Act, the procedural rules on refusing data of public interest shall apply. This means that the lawfulness and reasons for the refusal must be demonstrated by the data controller. This solution is unusual in terms of access to personal data and refers much more to a legislative intention to prioritise openness and not data protection. Although Sect. 21 of the Health Data Processing Act deals with the question of consulting health data, it does not provide a full regulation on how to transfer, merge or analyse such data, which makes it challenging in practice how to analyse health data from different sources. It is also worth mentioning that Research on health data is almost certainly regarded as non-interventional medical research on a human subject that also requires ethical authorisation. So the regulatory regime on medical research5 should also be considered for data-based scientific research on health data. The Hungarian legal regulation (based, of course, on international and EU norms) distinguishes between interventional and non-interventional studies. If the research is focused only on the processing (analysing) of health data without any intervention, it is regarded as a non-interventional study. The general rules can be found in Decree No. 23/2002. (IV.13.) EÜM of the Minister of Health Care on medical research involving human subjects. The Decree prescribes different rules for prospective and retrospective data collection. In the first case, informed consent is needed to be involved in the research, but it is not necessary in case of research based solely on retrospective data collection (which is often a secondary use of personal health data). The regulation on human genetic research also prescribes specific rules (cf. Chap. 3). Any medical research (including research based on the analysis of health data) can only be conducted after a successful ethical authorisation process. The procedure is regulated by Government Decree No. 235/2009 (X. 20). The procedure is not just a formality: in this process, a research ethics committee substantially assesses a detailed research plan submitted by the research organisation. The regulatory regime on medical research involving human subjects and the data protection rules shall be applied in parallel: the controller (researcher) shall comply

5

Sec. 157 of the Health Care Act.

520

B. Hohmann et al.

with both. In our view, the ethical authorisation process can also be regarded as a special safeguard mentioned in Art. 89 of the GDPR. Despite the quite detailed rules on carrying out research on health data, the Hungarian regulation does not clearly show the potential legal basis of these data processing activities. So, the general rules of the GDPR [Art. 6, Para (1)] shall apply. The potential legal bases, based on Opinion 3/2019 and on the Guidelines 03/2020 of the European Data Protection Board (Opinion 3/2019, 5–7; Guidelines 03/2020, 6–7),6 may be the consent of the data subject or task carried out in the public interest or legitimate interest of the controller (GDPR Art 6. Para (1) a), e), f)). The legal bases should be chosen by taking all circumstances of the data processing, including the relevant national legal norms in this field.

2.2

Genetic Data and Biometric Data

The sectoral rules for genetic data, biometric data, and biobanks are laid down in the Biobank Act. The Act was adopted in 2008 after long debates about the potential role and regulation of biobanks (Sandor and Bard 2009, pp. 3–4). However, the scope of the Act (Sect. 2, Para (1), is limited. It shall apply to genetic sampling for human genetic study and human genetic research performed on the territory of Hungary, the processing of genetic data irrespective of the place of sampling, and to genetic study and genetic research and to biobanks. Section 2, Para (3) of the Biobanking Act stipulates that the scope of the Act does not cover the DNA profile register according to the Act on the Registration of Criminal and Law Enforcement Biometric Data.7 As to the details, Sect. 8 of the Biobank Act requires the consent of the data subject for sampling, and Sect. 24 requires the data subject’s consent for the storage of a genetic sample or data together with personal identification data. According to Sect. 8, consent may cover several different activities and purposes, so there is a wide range of possibilities to diversify the consent. Section 8 para (3) prescribes that valid consent to sampling has to include several elements. First, the statement of consent to the following:

6

EDPB—Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1.b). https://edpb.europa.eu/sites/default/files/files/file1/edpb_opinionctrq_a_final_en.pdf. EDPB—Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. https://edpb.europa.eu/sites/default/ files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf. 7 Act XLVII of 2009 on the Criminal Registration System, the Register of Judgments handed down by the courts of the Member States of the European Union against Hungarian citizens, and the register of criminal and law enforcement biometric data. https://njt.hu/eli/TV/2009/47.

Hungary

521

(a) taking a genetic sample from him or her, (b) storing the genetic sample and the derived genetic data in a biobank and forwarding it to another biobank, (c) storing the genetic sample and the derived genetic data in an archived collection; Second, the declaration of the person concerned that they give their consent to (a) use it only for the primary purpose of sampling, (b) use it for any purpose under the Biobank Act; (c) use it solely for research purposes. Third, the declaration of the person concerned according to which he or she gives their consent to the storage of the genetic sample and data together with personal identification data or the storage of the same in an encoded or in a pseudonym or anonymised format. (Sandor and Bard 2009, p. 7). So, consent to sampling cannot be interpreted as a wide consent to process sampling data for any purposes. This is important because it excludes cases in which the data subject consents to the sampling but does not consent to the related processing of his or her data, which would then amount to a refusal of consent (Sandor 2017, pp. 141–144). Section 24 applies to a narrower category as it requires consent for the joint processing of a genetic sample and personal data. However, the separate treatment of the data only implies the incorporation of a later pseudonymisation mechanism or the absence of unique identification at the time of data collection, with all sampling subject to consent. It is thus theoretically unnecessary to request consent from unidentified persons (i.e., those recorded without recording the data specified in Sect. 3/B of the Health Data Processing Act). The concept of a pseudonymised genetic sample or data or an anonymised genetic sample or data is also part of the Biobanking Act, which in theory, means that it may be possible to treat it in such a protected form (in the former case, we can no longer talk about personal data, while in the latter case, it is probably pseudonymous personal data under Sect. 24), and according to Sect. 18, the data subject may at any time during the process request that the coding, pseudonymisation or anonymisation of the genetic sample as well as the genetic data derived from it be for research purposes only. According to the wording of the Biobank Act, it is otherwise possible to find a solution to the problem of Broad Consent (Shabani et al. 2021, p. 48), since Sect. 8, para 3, expressly provides that the data subject must provide in a statement of consent whether the genetic sample or the genetic data derived from it can be placed in an archived collection; whether the sample/data may only be used for the primary purpose of sampling; whether it can be used for any purpose; or whether it may only be used for research purposes. In our view, based on the Hungarian legal practice of the Hungarian Data Protection Authority, this detailed legal regime of consenting to different purposes does not necessarily mean, that the legal bases for data processing could only be the consent (GDPR, Art. 6. Para (1) a)] of the data subject, mostly if the conditions of the GDPR for consent are not met.

522

B. Hohmann et al.

In the current Hungarian legal system, the meaning of consent in the general sense and the terminology of ‘consent’ used by the GDPR or RISD Act may differ. In recognition of this, the Hungarian Data Protection Authority, for example, in the NAIH/2020/2888 Resolution,8 stated that it considers it correct to use the legal basis in Article 6, Para (1), Subs. e) of the GDPR in relation to digital education and images requested by public educational institutions as opposed to the Hungarian Civil Code (Act V of 20139) 2:48. § Para (1), which explicitly awaits the consent of the data subject (which grammatically coincides with Article 6 (1) (a) of the GDPR).

3 Legal Requirements for the Use and Re-Use of Health Data 3.1

Historical Archives of Health Data and Research Based on the Biobank Act

According to Sect. 30 of the Health Data Processing Act, medical records must be kept for at least 30 years from the data collection, and the final report must be kept for at least 50 years. After the mandatory registration period, the (personal) data may continue to be recorded for medical treatment or scientific research if justified (standalone data processing, with a separate erasure period—thus, it may be subject to specific rules). According to para (3), a health record that is of scientific importance must be submitted to the competent archives after the mandatory registration period. Under the rules of the Archives Act,10 the archives are basically an institution established for the purpose of ensuring the permanent preservation, archival processing and proper use of documents of permanent value. In this sense, the competent archives have access to archived data. During these periods, the health data can be subject to research (as a secondary use) according to Sect. 21 of Health Data Processing Act, as analysed above. Another potential re-use purpose may be a statistical analysis, which is regulated in Sect. 20 of this Act. On the other hand, under Sect. 19, Para (1) of the Biobanking Act, the use of an un-anonymised genetic sample or data stored in an archived collection for new research requires the consent of the data subject under Sect. 8, Para (1). Section 18 also prescribes that the data subject can ask for pseudonymisation or anonymisation of his or her data at any time in the course of the scientific research.

8

Hungarian National Authority for Data Protection and Freedom of Information NAIH/2020/2888. Resolution. https://www.naih.hu/files/Adatved_allasfoglalas_NAIH-2020-2888.pdf. 9 Hungarian Act V of 2013 on Civil Code. https://njt.hu/eli/TV/2013/5. 10 Act LXVI of 1995 on public records, archives and the protection of private archival material. https://njt.hu/eli/TV/1995/66.

Hungary

3.2

523

Specific Legal Requirements of Biobanking Activities: Conservation of Tissues, DNA and RNA from Tissues

Section 26 of the Biobanking Act set up a 30-year-long recording period regarding the genetic sample or data stored in a biobank, together with all the information on any process, activity or data transfer regarding the sample or data. If the data subject withdraws their consent in this period, the data should be deleted. After the 30-yearlong period, the data can be processed based on the rules of the Health Data Processing Act (as shown above).

4 Special Law on Biohacking Activities In Hungary, the phenomenon of biohacking is relatively new, and accordingly, it has not yet gained proper regulation in the Hungarian legal system. To avoid abuses and to ensure the regularity of health care, certain acts are prohibited by the Criminal Code (Act C of 2012)11 with the prospect of criminal consequences. The following can be considered as such: Procedures on the Human Genome (Sect. 168); Illegal Use of Human Gametes (Sect. 169); Altering the Gender of an Unborn Child (Sect. 170); Violation of the Rules of Experimental Research on Humans (Sect. 171); Violation of the Rules of Experimental Research with Embryos or Gametes (Sects. 172–173); Producing Genetically Identical Human Individuals (Sect. 174); an Illegal Use of a Human Body (Sect. 175).

5 Conclusion Looking at the Hungarian regulation regime as a whole, it can be stated that wellfounded regulation can be found in the field of research and, within it, in the field of the data protection aspects of the provision of health services and research. This also establishes that, as a regulation of the Member States, there is an appropriate legal basis for the performance of these activities and services, and thus, these activities can be implemented in Hungary within a legal framework with appropriate regulation. All this contributes to the consistent development of the Hungarian health economy, which is quite prosperous in the country: in addition to adequate human resources, the regulation of the legal environment also creates the opportunity for inclusive development.

11

Hungarian Act C of 2012 on Criminal Code. https://njt.hu/eli/TV/2012/100.

524

B. Hohmann et al.

As to the governance procedures regarding these activities, some detailed rules are still missing. Although Sect. 31 of the Biobanking Act authorize the minister responsible for health care to adopt ministerial Decree about the details of processing, storing, and coding of the genetic sample and genetic data and about the minimum criteria of the operation of biobanks, no such decrees have been published. Nevertheless, there are additional regulatory needs in the area of data re-use (re-thinking of Sect. 21 of the Health Data Processing Act) and regulation of biohacking activities for which full regulation is not yet in place and which can be considered the most important regulatory challenges in the coming period.

References Kiss A, Szőke GL (2015) Evolution or revolution? Steps forward to a new generation of data protection regulation. In: Gutwirth S, Leenes R, De Hert P (eds) Reforming European data protection law. Springer, pp 311–332. https://doi.org/10.1007/978-94-017-9385-8_13 Sandor J (2017) Whose biobank? Should biobanks serve research interests or the needs for personalized medicine? Analysis of the Hungarian law. Genet Test Mol Biomarkers 21(3): 140–147. https://doi.org/10.1089/gtmb.2016.0400 Sandor J, Bard P (2009) The legal regulation of biobanks – national report: Hungary (October 5, 2009). CELAB Paper Series No. 1. https://doi.org/10.2139/ssrn.2295635 Shabani M, Chassang G, Marelli L (2021) The impact of the GDPR on the governance of biobank research. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Law, governance and technology series, vol 43. Springer, pp 45–60. https://doi.org/10.1007/978-3030-49388-2_4

Ireland Tunjica Petrašević and Romana Ćosić

1 Introduction Ireland’s country report deals with the current state of regulation of human tissues for research purposes as well as the protection of natural persons with regard to the processing of personal data and the free movement of such data. These subjects find grounds in different mechanisms at the European Union (EU) level. The law dealing with human tissues at the EU level includes Directive 2004/23/EC of 31 March 2004 (the EU Tissue Directive1) and Commission Directive 2006/17/EC of 8 February 2006,2 which lay down standards of quality and safety for human tissues and cells from human application to ensure a high level of protection of human health. These instruments require Member State implementation in their national systems. The main piece of legislation to take into account for data protection is the 2016

This paper is a product of work that has been supported by the Faculty of Law Osijek Josip Juraj Strossmayer University of Osijek under the project “Artificial intelligence and criminal law” (IP-PRAVOS-18). 1 Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells, O.J. (L 102). 2 Commission directive 2006/17/EC of 8 February 2006 implementing Directive 2004/23/EC of the European Parliament and of the Council as regards certain technical requirements for the donation, procurement and testing of human tissues and cells, O.J. (L 330 M).

T. Petrašević (✉) Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] R. Ćosić Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia Municipal Court in Vukovar, Vukovar, Croatia © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_60

525

526

T. Petrašević and R. Ćosić

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (GDPR). Even though these regulations are directly applicable in the Member States, the GDPR leaves room for Member States to further regulate certain relevant issues through their national legal systems, such as the use of personal data for scientific research purposes. The next few paragraphs describe how Ireland has decided to deal with these issues while implementing the EU directives and introducing specific derogation to EU regulations.

2 The GDPR and Its Consequences on Health Data Processing Ireland is one of the 27 Member States of the European Union that has attempted to align its national legislation to the provisions and scope of the GDPR. As said in the recital (1) of the GDPR, the protection of natural persons in relation to the processing of personal data is a fundamental right as stated in Article 8(1) of the Charter of Fundamental Rights of the European Union (the Charter) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), both of which provide that everyone has the right to the protection of his or her personal data. Recital (26) of the GDPR says that the principles of data protection should apply to any information about an identified or identifiable natural person; at the same time, there is no specific regulation at the EU level on the processing of health data for research purposes with a particular focus on biobanking. It is thus understandable that the GDPR established some common ground rules to be used in tackling the processing of personal data for research activities. Even though the GDPR does not apply to biological samples per se, it fully applies to the personal data associated with those samples (Health Research Board 2018). As far as the processing of personal data for scientific and research purposes (Clarke et al. 2019, p. 1131) is concerned, the GDPR contains opening clauses to allow Member States the freedom to legislate for specific derogation or research exemptions at the national level. The aim of this paper is to analyse the Irish national legislation on the processing of health data for research purposes with a particular focus on biobanking activities related to research after the GDPR took effect on 25 May 2018. Ireland has adopted the Data Protection Act 2018 (DPA 2018), and based on its Sect. 36(2),3 the Minister for Health has enacted Data Protection Act 2018 (Sect. 36(2) Health Research) Regulations 2018 (HRR 2018), which has been amended by Data Protection Act 2018 (Sect. 36(2) Health Research Amendment) Regulations 2019 (HRR 2019). 3

https://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf.

Ireland

527

As previously mentioned, the Irish Act and regulations give effect to the GDPR’s provisions on the processing of data for research purposes, especially when health data are concerned. This prompts attention to the Irish regulatory framework that introduces additional requirements and safeguards for the protection of data health in relation to the governance, processes and procedures (Kirwan et al. 2020) of research activities.

3 Processing of Personal Data for Research Purposes Ireland took advantage of the opportunity given by the GDPR and first regulated the processing of data for research purposes in the Data Protection Act 2018, then introduced rules for health data and its processing for research purposes in the Irish Health Research Regulations (HRRs). Section 36(1) of the Data Protection Act 20184 establishes some measures that should be considered to safeguard the fundamental rights and freedoms of data subjects in processing personal data. The suggested measures/safeguards include explicit consent of the data subject for one or more specified purposes; limitations on access to personal data; strict time limits for the erasure of personal data; specific targeted training for those involved in processing operations; and pseudonymisation and encryption of the personal data (Data Protection Act 2018). Section 36(3) further specifies that additional suitable and specific measures identified in regulations may relate to governance structures, processes or procedures for risk assessment purposes, processes or procedures for the management and conduct of research projects, and other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation (Data Protection Act 2018). Pursuant to Sect. 36(2) of the Data Protection Act 2018, which requires suitable and specific measures for the processing of data, the Irish Minister for Health signed the HRRs that establish a number of conditions for the processing of personal data for health research purposes (effective August 2018). (Kirwan et al. 2020). From the point of view of researchers, the HRRs 2018 may have raised difficulties about the conditions for processing personal data for research and scientific purposes. However, these Regulations helped clarify a relevant point not expressly detailed in the GDPR and Data Protection Act 2018: the definition of health research. According to Regulation (3)2, ‘health research’ means any of the following types of scientific research for the purpose of human health: research with the goal of understanding normal and abnormal functioning at molecular, cellular, organ system and whole body levels; research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury; and research with the goal of improving the diagnosis

4

Data Protection Act 2018. http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/print#sec36.

528

T. Petrašević and R. Ćosić

and treatment of human disease and injury and of improving the health and quality of life of individuals (Health Research Regulations 2018). Although health research is described at molecular, cellular and organ levels, there is no appropriate reference to genetic and biometric data, neither is there a significant explanation of the role of researchers within the context of biobanks. Besides defining health research, an interesting issue in the Irish legislation on the processing of health data is the question of consent. While explicit consent is a lawful precondition for the processing of data under Article 9 of the GDPR, it is not a mandatory requirement. The HRRs 2018 specify that explicit consent is a suitable and specific measure for the purpose of safeguarding the fundamental rights and freedoms of the data subject (Health Research Regulations 2018, par. 6(3)) For this reason, the consent of the data subject to the processing of his or her personal data for the purpose of health research shall be obtained in accordance with the European regulations and must not have been withdrawn (Health Research Regulations 2018, par. 6(4b)). According to this wording, it seems that the research exemption is not allowed, and the Irish regulatory framework poses the GDPR’s explicit consent as a safeguard for the processing of personal data for the purpose of health research. But a closer look reveals that the use of personal data without explicit consent is permitted in exceptional circumstances: researchers must submit an application to the national Health Research Consent Declaration Committee (HRCDC) established by the HRRs 2018 for a consent declaration, demonstrating that substantial public interest exists and that the GDPR explicit consent is not feasible, among other requirements. (Kirwan et al. 2020). Ireland requires even higher standards for the protection of health data of natural persons than does the GDPR itself. However, from the researchers’ perspective, the requirement of explicit consent could result in numerous problems that could eventually lead to a reduction in the amount of medical research in Ireland, both ongoing and in the future. Some disadvantages of asking for explicit consent (in ongoing research) may be, for example, the death of participants or their unwillingness to be reminded of previous illnesses. Depending on the size of the duty, other pitfalls may occur, such as the inability to contact all of the participants. Last, asking for re-consent can make some of the participants feel like their privacy has been violated. Some authors also argue that making explicit consent conditio sine qua non for health research means significantly limiting scientific health research and putting the protection of personal data of individuals before health and health security. From our standpoint, this issue deserves case-by-case decisions and depends on the type of research involved, keeping in mind the principle of proportionality. Section 5 of HRRs 2018 offers an exception for the use of personal data without explicit consent but only when researchers can demonstrate that public interest outweighs the interest in protecting the data of natural persons. Section 5 (5) HRRs 2018 says ‘The Committee may, only where it is satisfied that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject, and that all the requirements in

Ireland

529

paragraphs (3) and (4) have been met, make a declaration’. Even though there is this exception to the explicit consent rule for health research, it will take time to see whether this exception will be effective in practice or not.

4 Tissue Issue One of the main pieces of European legislation about tissues is Directive 2004/23/ EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells. The Irish Minister for Health and Children adopted the European Communities Regulations (i.e., the Quality and Safety of Human Tissues and Cells Regulations) in 2006 as a means of implementing Directive 2004/23/EC and Commission Directive 2006/17/EC of 8 February 2006. Another statutory instrument, the European Communities Regulations 2007 (Human Tissues and Cells Traceability Requirements, Notification of Serious Adverse Reactions and Events and Certain Technical Requirements), implemented Commission Directive 2006/86/EC (Yuko and Gordijn 2011, p. 116). In this context, the ongoing process for the adoption of the so-called Human Tissue Bill in Ireland is even more interesting5 (General scheme of the Human Tissue Bill 20186). The proposed Bill is intended to regulate the removal, retention, storage, use and disposal of human tissue from deceased persons; provide general conditions for the removal, donation and use of organs and tissue from deceased and living persons for the purposes of transplantation; and provide for an opt-out system of consent for organ donation and for an associated register (Kirwan et al. 2020). Another relevant aspect of this proposed Bill is the question of consent. The Bill provides for the introduction of an opt-out system of consent for deceased organ donation and an associated register. Under this new opt-out system of consent for organ donation, consent will be deemed unless a person has, while alive, registered their wish to not become an organ donor after death.7 This makes the question of consent central, and it varies from an opt-out system of consent for organ donation to explicit consent in terms of health data usage. However, none of the aforementioned legal documents provides answers on conserving tissue, obtaining RNA and DNA from tissue, principles for the protection of personal data during different processes or principles of re-use of that particular personal health data.

5

Human Tissue Bill. http://www.organdonation.ie/news/1-latest-news/256-human-tissue-bilpublished.html. 6 General scheme of the human tissue (transplantation, postmortem, anatomical examination, and public display) Bill 2018 https://assets.gov.ie/9367/8e96a0ab73ed42c58477d629e90690c4.pdf. 7 http://www.organdonation.ie/.

530

T. Petrašević and R. Ćosić

5 Conclusion The GDPR provides for a two-level framework to enable derogations from these rights when scientific research is concerned: (a) by directly invoking provisions of the GDPR on condition that safeguards must include ‘technical and organisational measures’ that are in place; and (b) through Member State law. Ireland decided to enact some legislation regarding the protection of the processing of health data for research purposes. As far as the ‘research exemption’ is concerned, Ireland decided to require even higher standards for health data processing than the GDPR. In its Data Protection Act 2018 and Irish Health Research Regulations, Ireland requires explicit consent to approve health research except for those extraordinary cases in which the public interest prevails. To conclude, the Irish regulatory framework is stricter than that of most of the other EU Member States, and in some sense, puts protecting personal health data before scientific (health) research and benefits for public health. However, making explicit consent conditio sine qua non for health research means significantly limiting scientific health research and putting the protection of personal data of individuals before health and health security. Moreover, the Irish legislation defines the meaning of health research. Even though it should be considered an improvement in comparison to EU legislation, not even Ireland has included or regulated genetic and biometric data, the possibilities of (re)using historical archives of health data, nor the area of biobanks. This leaves considerable room in Ireland, as in the EU, for the improvement of rules and standards in the fields of health data protection and health research.

References Clarke N, Vale G, Reeves E, Kirwan M, Smith D, Farrell M (2019) GDPR: an impediment to research? Ir J Med Sci 188(4):1129–1135. https://doi.org/10.1007/s11845-019-01980-2 Health Research Board (2018) Guidance on Information Principles for informed consent for the processing of personal data for health research. https://www.hrb.ie/fileadmin/1._Nonplugin_ related_files/RSF_files/GDPR_guidance_for_researchers/Health_Research_Information_ Principles.pdf Kirwan M, Mee B, Clarke N, Tanaka A, Manaloto L, Halpin E, Gibbons U, Cullen A, McGarrigle S, Connolly EM, Bennett K, Gaffney E, Flanagan C, Tier L, Flavin R, McElvaney NG (2020) What GDPR and the health research regulations (HRRs) mean for Ireland: ‘explicit consent’—a legal analysis. Ir J Med Sci 2021(190):515–521. https://doi.org/10.1007/s11845020-02331-2 Yuko E, Gordijn B (2011) The transfer, storage and procurement of human cells and tissues. In: Beier K, Schnorrer S, Hoppe N, Lenk C (eds) The ethical and legal regulation of human tissue and biobank research in Europe: proceedings of the Tiss.EU Project. Göttingen University Press, pp 105–119

Italy Stefania Stefanelli

1 Introduction In Italy, there is no specific law dealing with biobanking. For this reason, research activities in biobanks are regulated by provisions on scientific research and the protection of the subjects involved in such activities, which are primarily the rules for the protection of personal data.1 In the Italian legal framework, the protection of personal data is set forth in Legislative Decree 196 of 30 June 2003 (the ‘Personal Data Protection Code’2), as amended by Legislative Decree 101 of 10 August 2018, (which adapted the Code to the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). The privacy authority (known in Italian as the Garante) may adopt guidelines and codes of conduct with respect to the processing of personal data for research activities. The Authority has adopted the ‘Deontological rules for processing for statistical or scientific research purposes’ (in Italian, the ‘Regole deontologiche per

1

In many aspects, the equivalence of biological samples and personal data stands. General Authorization n. 8 of 2016, updated to 5 June 2019, provides that ‘if the data subject revokes the consent to the processing of data for research purposes, the biological sample is also destroyed as long as it has been taken for such purposes, unless, in origin or thanks to following treatment, the sample can no longer be referred to an identified or identifiable person’ (Art. 4.11.2). 2 https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9740796. S. Stefanelli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_61

531

532

S. Stefanelli

trattamenti a fini statistici o di ricerca scientifica’, which are hereinafter referred to as the Deontological Rules), which were published on 19 December 2018.3 The Deontological Rules refer to ‘all processing operations carried out for statistical and scientific purposes – in accordance with the methodological standards of the relevant subject area – which are carried out by universities, other research bodies or institutes and scientific societies, as well as by researchers working within such universities, research bodies, research institutes and members of such scientific societies’ (see Article 2, paragraph 1). According to this document, ‘the deontological rules do not apply to processing for statistical and scientific purposes connected with health protection activities carried out by health professionals or health bodies, or with comparable activities in terms of significant personalized impact on the data subject, which shall continue to be governed by the relevant provisions’ (Article 2, paragraph 2). To identify the special provisions applicable to certain activities, as recommended by the Deontological Rules, Article 3 of the Deontological Rules indicates a formal requirement to draw up a research project, which is to be deposited at the university, research institution, or scientific society, and kept confidential for five years from the scheduled conclusion of the research (Article 3, paragraph 3), in compliance with the ‘methodological standards of the relevant disciplinary sector’. The aim is to demonstrate that the data processing is carried out for appropriate and effective statistical or scientific purposes (Article 3, paragraph 1). The project, from the point of view of the protection of personal data, has to include (see Article 3, paragraph 2): a) the measures to be adopted in the processing of personal data, in order to ensure compliance with the Deontological Rules as well as with the legislation on the protection of personal data; b) the identification of the data controller(s); and c) a declaration of a commitment to comply with the Deontological Rules. Furthermore, other acts adopted by the Authority include several measures, among them the General Authorizations n. 8 (relating to the processing of genetic data) and 9 (for the processing of personal data for scientific research purposes including medical, biomedical, and epidemiological research) of 2016, as amended by the measure No. 146 of 5 June 2019.4

3

Legislative Decree 101 of 2018 entrusted the Garante with the task of verifying compliance with the provisions of the codes of conduct set out in Annexes A.1, A.2, A.3, A.4 and A.6 of the Personal Data Protection Code. The compatible provisions have been renamed the deontological rules. ‘Regole deontologiche per i trattamenti a fini statistici o di ricerca scientifica’. https://www. garanteprivacy.it/home/docweb/-/docweb-display/docweb/9069637. 4 https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9124510#4.

Italy

533

2 Treatment of Genetic and Health-Related Data Research activities carried out in biobanks may involve data of a particular nature, since the data may be genetic, or related to the health of the participants. Article 9 (1) of the GDPR establishes, as a general rule, a prohibition on the processing of these categories of data. However, paragraph 1 does not apply if the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. The EU Member States are required to maintain or introduce further conditions, including limitations, with regard to the processing of data belonging to these categories (Article 9(4) GDPR). Italy has introduced a rule regarding ‘guarantee measures for the processing of genetic, biometric and health-related data’.5 As far as this special category of data is concerned, the provision by the Authority, which must be adopted at least every two years, will identify the aforementioned ‘additional conditions’6 and follow a public consultation lasting for at least sixty days.7 As specified in the Illustrative Report of Decree 101/2018, safeguards concern the technical and organizational measures as well as the security measures to be adopted with regard to each category of personal data being processed.8 Indeed, paragraph 5 of Article 2 septies specifies the following as security measures and/or methods: encryption and pseudonymization techniques; minimization; methods for selective access to data and for making information available to interested parties; and any other measures necessary to guarantee the rights of the interested parties. Furthermore, the General Authorization n. 8 of 2016 on genetic data provides for precautionary requirements dealing with the custody and safety of genetic data and biological samples.9 When it comes to this kind of data, it is stated that: a) access to the premises must take place according to a documented procedure established by the data controller, 5

Art. 2, paragraph 1, lett. (f) of Legislative Decree n. 101 of 2018, which added Chapter II, Article 2 septies to the Personal Data Protection Code. 6 Art. 2 septies, (paragraph 2) The order laying down the safeguards shall be adopted at least every two years and shall take into account: (a) the guidelines, recommendations and best practices published by the European Data Protection Board and best practices on the processing of personal data; (b) scientific and technological developments in the field covered by the measures. 7 Art. 2 septies, (paragraph 3). 8 Explanatory Report on Legislative Decree no. 101 of 10 August 2018. https://www. gazzettaufficiale.it/eli/id/2018/09/04/18G00129/sg (page 9). 9 For the purposes of this provision, genetic data are personal data relating to inherited or acquired genetic characteristics of a person that provide unambiguous information about the physiology or the health of that person, and which result from the analysis of a biological sample.

534

S. Stefanelli

which provides for the identification of persons, previously authorized, who gain access for any reason after closing time; b) the storage, use and transport of biological samples must be carried out with methods aimed to guarantee their quality, integrity, availability and traceability; [. . .] e) genetic data and biological samples contained in lists, registers or databases must be processed with encryption techniques, pseudonymization or other solutions which, given the volume of the data and samples processed, make them temporarily unintelligible even to those authorized to access them and allow them to identify the interested subjects only in case of need, so as to minimize the risk of accidental knowledge and abusive or unauthorized access. Where the lists, registers or databases are kept electronically and also contain data concerning the genealogy or the state of health of the people concerned, the aforementioned techniques must also allow genetic and health-related data to be processed separately from other personal data that allow the people involved to be directly identified (see para. 4.2 of General Authorization n. 8/2016).

3 Special Provisions for Medical, Biomedical, and Epidemiological Research Pursuant to Article 8 of the Deontological Rules, when personal data are collected for medical, biomedical or epidemiological research: a) the research activities must be carried out in compliance with the relevant international and EU guidelines and provisions, such as the Convention on Human Rights and Biomedicine of 4 April 1997 ratified by Act No. 145 of 28 March 2001, the Recommendation of the Council of Europe R (97) 5 adopted on 13 February 1997 concerning the protection of medical data, and the Helsinki Declaration of the World Medical Association on Principles for Research Involving Human Subjects; b) information on the processing of personal data must enable data subjects to distinguish research activities from health protection activities; and c) when giving his/her consent to a medical or epidemiological investigation, the data subject must be required to declare whether or not he/she wishes to know about any unexpected findings made about him/her during the research.

4 Exceptions, for Scientific Reasons, to the Regulation of Information and Consent Article 105, paragraph 2 of the Personal Data Protection Code confirms that research purposes must be specified unambiguously and made known to the data subject in accordance with Articles 13 and 14 of the GDPR. Written informed consent (National Bioethics Committee and the National Committee for Biosafety, Biotechnology and Life Sciences 2009) is required for the

Italy

535

processing of special categories of personal data pursuant to Article 9 GDPR (also see Article 7 of the Deontological Rules). Despite this, Italian legislation recognizes cases in which personal data may, without the informed consent of the data subjects, be processed for medical, biomedical, and epidemiological research purposes. Thus, Article 110 of the Personal Data Protection Code states that consent is not necessary if there are particular or exceptional reasons, and it is not possible to inform the data subject. Information is not necessary when it would require a disproportionate effort and/or would risk the achievement of the purposes of the research being rendered impossible or seriously impaired. In such cases, the data controller must adopt appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject. The research programme is subject to a reasoned and favourable opinion forwarded by the geographically competent ethics committee, and prior consultation with the Authority, pursuant to Article 36 of the Regulation (Article 110, para. 1). Moreover, the General Authorizations of the Italian Authority add further possible justifications for the absence of consent: (1) ethical reasons when the person concerned is not aware of his/her condition;10 (2) organizational impossibility;11 or (3) because of the seriousness of his/her clinical state, the subject involved is unable to understand the information and to give valid consent12 (Garante per la protezione dei dati personali 2017, p. 69). When it comes to the processing for statistical or scientific research purposes of personal data collected for other purposes, an exception to the consent and information regulation for scientific reasons is also contained in Article 105 of the

10

This category includes research for which making available information on the processing of the data would entail the disclosure of information concerning the conduct of the study, knowledge of which could cause material or psychological damage to the interested subjects themselves (this may include, for example, epidemiological studies on the distribution of a factor that predicts or may predict the development of a morbid condition for which no treatment exists) (see para. 5.3. of General Authorization n. 9/2016). 11 (See para. 5.3., General Authorization n. 9/2016) This is the case, in particular, with regard to the inclusion criteria of the study, the method of enrolment, the statistical size of the sample chosen, and the period of time that has elapsed since the data referring to the subjects were originally collected (for example, in cases where the study concerns subjects with diseases with a high incidence of mortality, or subjects in the terminal phase of a disease or of advanced age and with serious health conditions). In particular, it is possible to process personal data for research purposes if, after all reasonable efforts to contact the data subjects, (including verification of their state of life, consultation of data in clinical documentation, use of any telephone numbers provided, and the acquisition of contact data from the register of patients or residents), they turn out to be deceased or not contactable. 12 In relation to this, in 2017 the Authority authorized the San Raffaele Hospital in Milan, and other centres participating in the treatment, to process the data of patients suffering from acute respiratory distress syndrome. The authorization, limited to the data and operations that were strictly necessary and relevant for the conduct of this international multicentre study, was given in absence of prior information being given to patients and specific consent, since the patients were temporarily unable to give consent and this lack of ability would not be reacquired before the end of the expected follow-up period. Authorization n. 6503911 of 11 May 2017.

536

S. Stefanelli

Personal Data Protection Code. In accordance with this provision, it is not necessary to give information to the data subject when it requires a disproportionate effort compared to the protected right, if appropriate forms of advertising/publicity are adopted. Pursuant to Article 6 of the Deontological Rules, the data controller must adopt suitable forms of publicity when data are collected from third parties, or the processing for scientific purposes concerns data collected for other purposes, and providing information entails a disproportionate effort compared to the right protected. Forms of publicity might be: advertisement in at least one newspaper with a wide national circulation, or advertisement on a national radio and television broadcaster, for treatments concerning numerous subjects who are distributed throughout the country; advertisement in regional (or provincial) newspapers or advertisement on regional (or provincial) radio and television broadcasters when the data subjects are distributed within a region; and an announcement through means of information for which the parties are ordinarily recipients, when the processing concerns special categories of subjects identified by specific demographic characteristics and/or particular training or employment conditions. Finally, General Authorization n. 8/2016 establishes that, in the absence of consent, biological samples and related genetic data can also be stored and used for scientific or statistical research purposes to carry out research projects and statistical surveys other than the original ones and, therefore, in addition those for which such data or samples had been collected (see para. 4.11.3, General Authorization n. 8/2016).

4.1

Retention Period

As far as the exception for scientific research is concerned, another relevant provision should be pointed out, namely Article 99 of the Personal Data Protection Code. By way of derogation from the principle of storage limitation, the provision establishes that ‘processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, may also be carried out for longer than is necessary for achieving the individual purposes for which the data had been previously collected or processed’. Similarly, Article 11 of the Deontological Rules states that ‘Personal data may be stored for statistical or scientific purposes even beyond the period necessary to achieve the purposes for which they were collected or subsequently processed’.

Italy

537

5 ‘Secondary Use’ and Bio-archives The secondary use of data essentially means that the initial purpose upon which the data collection was based does not cover the scope of the subsequent research; for example, human tissue may have been archived for clinical-diagnostic, preventive and treatment purposes and, subsequently, there is a wish to use the samples and the related data for a secondary use, for a purpose of scientific research. The secondary use of tissues and data is an essential component of the research arsenal for tackling health and health care questions (Black 2003). However, the use for research purposes of data and samples that are stored in a diagnostic collection or an archive to guide therapy introduces a series of sensitive aspects (both legal and ethical) (Cippitani and Colcelli 2021). In this regard, the opposing interests of those involved must be considered: conflicts may arise between the pathologists who are responsible for the supervision of the tissues and the investigators who need these materials for research purposes (Giannini et al. 2011). The issue of secondary use is particularly complex vis-à-vis the expression of consent of the data subject or donor. There are no ad hoc rules for consent to use bio-materials and data contained in the archives of diagnostic documentation for research activities.13 Recital 50 of the GDPR provides that ‘the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected’, and ‘further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations’. However, Recital 156 of the GDPR establishes that ‘the further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymization of the data)’. In the Italian legal framework, the aforementioned Article 110 is relevant. The provision allows the secondary use of data for medical, biomedical and epidemiological research subject to a favourable opinion of the competent Ethics Committee on the research programme, and following consultation of the national Authority. Furthermore, the Law of 20 November 2017, n. 167, as amended by Article 8 of Legislative Decree 101 of 2018, introduced Art. 110 bis of the Personal Data Protection Code. According to this provision, the Authority may authorize further

13

In most cases, there is no informed consent for the use of samples for research purposes and, very often, it is no longer possible to ask for consent from donors because they have died in the meantime.

538

S. Stefanelli

processing of personal data14,15 for research purposes by third parties in cases in which it is for some reason impossible to inform the subjects, or entails a disproportionate effort, or there is a risk of the scientific purposes becoming impossible or being seriously impaired. It will be necessary to take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, in accordance with Article 89 of the GDPR, including by data minimization and anonymization (Article 110 bis, paragraph 1). The Authority must communicate its decision on a request for authorization within 45 days, and the silence will be understood as a rejection (Article 110 bis, paragraph 2). Looking closely to these provisions (110 and 110 bis) additional measures are required (consultation and authorization): the procedures imply the involvement of the national Authority to proceed without the data subject consent when it is impossible to obtain consent or it requires a disproportionate effort, or risks making the research impossible. However, whereas in the case of Article 110 the health data are used for the different purpose of research (medical, epidemiological and biomedical), in the case governed by article 110 bis, the secondary nature of the processing is in “subjective term” because the further processing for research purposes is carried out by third parties. Furthermore, as regard to the normative sources, the Data Protection Code must be considered as primary source of reference. However, the provisions of General Authorisations Nos. 8 and 9 of 2016, which are compatible with the GDPR must be taken into account as they contain prescriptions for the the processing of special categories of data (Articles 6(1)(c) and (e), 9(2)(b) and 4). Thus, against this background the Authorisations represent a guidance for the interpreter and the data controller when they define the strategy for the security of the processing of those specific categories of data. In this way, the General Authorization n. 8/2016 (art. 4.11.3.), on the conservation of biological samples and genetic data collected for health protection purposes, provides that these samples and data can be used in a research activity even in the absence of the consent if research of a similar purpose cannot be carried out by processing data relating to persons from whom informed consent can be or has been obtained and aa) the research programme involves the use of biological samples and genetic data which do not make it possible to identify the data subjects or bb) such use has been authorized by the ethics committee and submitted to the Authority for an opinion pursuant to Article 36 of Regulation (EU) 2016/679 (GDPR); without prejudice to ‘the obligation to disclose information to the subjects included in the research if, during the study, this will be possible and, overall, where they contact the care centre, even for check-ups, in order to allow them to exercise the rights provided for by the regulation’ (General Authorization n. 9/2016).

14 The Authority may also give this authority by general provisions (that will be published in the Official Gazette of the Italian Republic (paragraph 3)). 15 Including those referred to in Art. 9 of the Regulation.

Italy

539

Furthermore, it should be borne in mind that pathologists have the responsibility to preserve tissues stored in a diagnostic archive for care and prevention purposes. The Oviedo Convention requires compliance with the ‘functional constraint’ for which the biological material was taken and establishes that ‘when in the course of an intervention any part of a human body is removed, it may be stored and used for a purpose other than that for which it was removed, only if this is done in conformity with appropriate information and consent procedures’ (Article 22). The Italian Superior Council of Health (Consiglio Superiore della Sanità) has adopted guidelines (Ministry of Health, Italian Superior Council of Health 2015) (not yet implemented) that set a minimum term for the duration of the retention obligation. The preservation obligation is ten years from the validation of the diagnostic report. The minimum retention period is intended to protect different interests: on the one side, the diagnostic purposes of the material (and the need for the health of the patient not to be affected or endangered); and, on the other side, the medico-legal purposes (also including any defence of the doctor against civil or criminal proceedings) (Ministry of Health, Italian Superior Council of Health 2015, p. 33). However, the possibility of keeping the material for a longer time is not excluded. After ten years, it would be lawful to destroy the samples. A fortiori, tissues contained in diagnostic archives may be transferred to a research biobank as a valuable resource with a unique potential for research and community well-being.

6 Conclusion Italy has a great heritage of biological samples organized in collections or placed in structured biobanks,16 and most of these are found in facilities or institutions connected to the national health system.17 Despite the considerable number of biobanks in Italy,18 there is no law regulating their activity and the resulting 16

See the website of the National Node of BBMRI Italy, https://www.bbmri.it/ The BBMRI is a nationwide infrastructure that includes biobanks, biological resource centres and collections located in different Italian regions. It was set up thanks to the joint efforts of the Ministry of Universities and Research and the Ministry of Health. Its task is to promote the harmonization of biobanks and facilitate their collaboration, for increasingly effective studies. 17 These are therefore supported by the Regions. The Regions are responsible for the authorization of the biobanks within their territory. See the Agreement pursuant to Article 4 of Legislative Decree No. 281 of 28 August 1997 of the Permanent Conference of 25 March 2009. https://www. trovanorme.salute.gov.it/norme/renderNormsanPdf?anno=0&codLeg=28714&parte=1%20& serie=null. 18 BBMRI-IT includes 90 biobanks/biological resource centres/collections organized in thematic networks and regional networks with a matrix architecture. https://www.bbmri-eric.eu/nationalnodes/italy/.

540

S. Stefanelli

landscape is complex. One must consider not only the national data protection law but also the authorizations adopted by the Authority and, as scholars point out, this involvement of the Garante makes the Italian model ‘hybrid’ (Macilotti et al. 2015). Opposing interests in biobanking must be balanced: the protection of the subjects involved must be balanced against the needs of scientific research. The GDPR aims to create a new set-up regarding the processing of personal data for research activities. Article 9 refers to special categories of personal data, and paragraph 4 provides for the possibility for Member States to maintain or introduce further conditions with regard to the processing of genetic data, biometric data, or data concerning health. In the exercise of this power, the domestic legislator has included further conditions for the processing of these categories of data. In particular, the Authority must adopt a general measure outlining specific safeguards. For genetic data, with respect to which a special regime is set out, appropriate safeguards are to be adopted in consultation with the Ministry of Health, after obtaining the opinion of the Superior Council of Health. The safeguards may identify, in the event of particular and high-level risks, consent as an additional measure to protect the data subject’s rights. The constitutional rules (Article 32) and ordinary law (see Law no. 219/201719) provide for consent as a legal basis. However, the regulatory framework regulates cases where consent is not necessary because the data are used for medical, biomedical, or epidemiological research purposes. Moreover, Italian law provides for an exception to the purpose and storage limitation principle: tissues should only be maintained for a period that is no longer than necessary for the purposes for which they were collected (Authorization n. 9, Article 5.6 para. 1); and the retention period, after conclusion of the study, at the end of which these data and samples must be anonymized, must be indicated in the research project (para. 2).

References Black N (2003) Secondary use of personal data for health and health services research: why identifiable data are essential. J Health Serv Res Policy 8:36–40. https://doi.org/10.1258/ 135581903766468873 Cippitani R, Colcelli V (2021) Bio-legal issues in the establishment of a historical collection of human tissues: the case of the Umbria Biobank Project. Medicina Historica 5:1–9 Garante per la protezione dei dati personali (2017) Annual Report. https://www.garanteprivacy.it/ home/docweb/-/docweb-display/docweb/9007915 Giannini C, Oelkers M, Edwards WD, Aubry MC, Muncil MM, Mohamud KH, Sandleback SG, Nowak JM, Bridgeman A, Brown ME, Cheville JC (2011) Maintaining clinical tissue archives and supporting human research: challenges and solutions. Arch Pathol Lab Med 3:347–353. https://doi.org/10.5858/2010-0044-SA.1

19

https://www.gazzettaufficiale.it/eli/id/2018/1/16/18G00006/sg.

Italy

541

Macilotti M, Penasa S, Tomasi M (2015) Consent, privacy, and property in the Italian biobanks regulation: a hybrid model within EU? In: Mascalzoni D (ed) Ethics, law, and governance of biobanking. The International Library of Ethics, Law and Technology, vol 14. Springer, Dordrecht, pp 53–77. https://doi.org/10.1007/978-94-017-9573-9_5 Ministry of Health, Italian Superior Council of Health (2015) Guidelines on traceability, collection, transport, storage and archiving of cells and tissues for pathological anatomy diagnostic investigations. https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_allegato.pdf National Bioethics Committee and the National Committee for Biosafety, Biotechnology and Life Sciences (2009). http://bioetica.governo.it/it/pareri/pareri-gruppo-misto-cnbcnbbsv/raccolta-dicampioni-biologici-a-fini-di-ricerca-consenso-informato/

Latvia Sabrina Brizioli

1 Introduction The protection of personal data and the right to be informed are interlinked in Latvian legislation. The discipline of informed consent stems from an articulated set of rules and biomedical practices so that ‘Informed consent thus can be seen as a procedure through which concepts of autonomy and human dignity are framed and used to define medical practice’ (Putniņa 2013, p. 340) Latvia adopted a data protection law to align its legislation with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR).1 The scope of the Latvian Personal Data Processing Law2 is to create legal preconditions for setting up a system for the protection of personal data at a national level by determining the competence and basic principles for processing, guaranteeing the free movement of data3 and providing oversight institutions4 for such purposes. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Personal Data Processing Law, 21 June 2018, Latvijas Vestnesis, 132, 04-07.2018, Chapter I, General Provisions, Sect. 2. https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law. 3 Ibid., Chapter I, Section 2. 4 Ibid., Chapter II, Chapter III, Section 6, The Personal Data Processing Law institutes the Data State Inspectorate (referred to as The Inspectorate) as the data supervisory authority within the meaning of the Data Regulation, which has the competence to carry out the tasks in the area of data processing specified in the GDPR and in this law. S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_62

543

544

S. Brizioli

2 The GDPR and the Latvian Legal Framework: Exceptions and Consent As far as special categories of data are concerned, the Latvian law recalls Article 6(1) of the GDPR5 and the preconditions in Article 9(2) if the processing involves genetic data, biometric data or data concerning health, sex life or sexual orientation.6 In compliance with the GDPR, the Personal Data Processing Law contains some relevant safeguards, requires explicit and legitimate purposes for the processing of data and respect for the principle of minimisation of their use.7 The processing of data for purposes other than those for which the data were initially collected8 is allowed, but some specified conditions need to be met: (a) the processing of the data is not otherwise prohibited; (b) the conditions for data processing established in the GDPR are satisfied; and (c) the data processing is compatible with its initial purposes.9 This implies that the controller, who determines the compatibility of the secondary processing purpose with the original one, considers the criteria specified in GDPR 6(4). It thus seems that the Latvian law clarifies the way the GDRP is applied, and even in the case of further processing, the basic principles of personal data processing remain unchanged as do the rights and safeguards of the data subject. Despite this, the Personal Data Protection Law in Latvia mentions some limitations or makes some changes to the scope of data subjects’ access rights:10 when the processing of personal data is finalised, this law restricts the data subjects’ rights to official publications, scientific or historical research, statistical purposes or archiving in the public interest.11 The rationale behind such exceptions is that the exercise of access rights by the data subject could render impossible or seriously impair the achievement of those specific purposes. Even though this reason makes derogations justified and necessary, it is relevant to consider other normative sources dealing with data and material subjects’ rights. It seems that the Personal Data Protection Law must be read in the light of the provisions concerning human genome research, more precisely, the rules of the Human Genome Research Law.12 In Latvia, the Human Genome Research Law requires specific consent and expressly states that ‘before a person participates in the genetic research, a doctor shall issue to the person written information regarding: 1) the purpose, content and GDPR, art. 6 ‘every person has the right to protection of his or her personal data’. See Personal Data Processing Law, Chapter VIII, Section 25(2). 7 Ibid., Chapter VIII, Section 25(3). 8 Ibid. 9 Ibid. 10 Ibid., Chapter VIII, Section 27. 11 Ibid., Chapter VIII, Sections 28–31. 12 Human Genome Research Law 13.06.2002. https://likumi.lv/ta/en/en/id/64093-human-genomeresearch-law. 5 6

Latvia

545

duration of the genome research project; 2) the potential risks; 3) the right to freely express his or her consent and to revoke it at any time; and 4) a possibility to perform genetic research outside of Latvia’.13 Confidentiality regarding the identity of the gene donor and his or her tissue samples, the description of the state of health and genealogy is to be observed in taking tissue samples for preparation of the description of the state of health.14 The use of genetic data requires written and informed consent, and the Human Genome Research Law defines the requirements of the consent document for the gene donor: this document shall be prepared in two copies, signed and dated by the gene donor or the lawful representative of a minor and the chief processor or the authorised processor. One copy of the consent document shall be kept in the state population genome register and the other shall be issued to the gene donor or the lawful representative of a minor.15 When genetic research is performed independently of the genome database, the parties involved are the gene donor (or the lawful representative of a minor) and the gene researcher who prepares one copy of the consent document for each party.16 Scholars have argued that until a new act is adopted, the derogations to consent as expressed by the Personal Data Protection Law might have limited effect (Tzortzatou et al. 2021), and that to be valid, the derogations could be included in specific regulations dealing with particular research projects or embodied in research projects adopting an interpretation in light of the GDPR research exemption.

3 Additional Conditions on the Right to Be Informed, Participation in Clinical Trials and the Processing of Data for Scientific Research Purposes In Latvia, additional relevant features of informed consent as related to medical health care and research activities are framed in the Law on the Rights of Patients.17 The purpose of the law, which seems to recall some of the basics of the different forms of informed consent, that is, the dynamic consent, is to ‘promote favourable relationships between a patient and the provider of health care services, facilitating the active participation of the patient in his or her health care, as well as to provide him or her with an opportunity to implement and protect his or her rights and interests’.18 13

Ibid., Chapter II, Section 10. Ibid., Chapter III, Section 13(5). 15 Ibid., Chapter II, Section 10(2). 16 Ibid., Chapter II, Section 10(5). 17 Law on the Rights of Patients, 17.12.2009, Latvijas Vestnesis, 205, 30.12.2009. https://likumi.lv/ ta/en/en/id/203008-law-on-the-rights-of-patients. 18 Ibid., Section (2). 14

546

S. Brizioli

This Law not only points out the definition of informed consent19 but also provides an articulated discipline for the right to be informed that includes the right to know and the right to refuse the information20 as well as the right to medical treatments. Moreover, pursuant to Section 9 of the Law of the Rights of the Patients, ‘a patient has the right to become acquainted with his or her medical documents. He or she has the right to request and receive extracts or copies in a timely manner’.21 The patient also has the right to receive information on the use of the data included in his or her medical documents in accordance with the GDPR, and the faculty to make corrections and additions to ensure the retaining of information, updating or supplementing.22 Consent is also crucial for the participation of the patient in a clinical trial, and the Latvian law explains the preconditions and the discipline for patient involvement.23 In particular, ‘Prior to involvement in a clinical trial, a patient shall be provided information regarding the relevant clinical trial, the purpose, methods, duration, anticipated benefit and risk thereof and the conditions for implementation of the clinical trial, as well as regarding the right to withdraw from participation in the clinical trial at any time and regarding other rights’, 24 and ‘The information acquired in clinical trials regarding the patient may be used if the relevant consent has been received from the patient or, if he or she is unable to express his or her wish, from the person who has given consent to the involvement of the patient in the trial, and the anonymity of the patient shall be guaranteed’.25 Regarding the use of data recorded in medical documents for specific research activities, the Latvian Cabinet of Ministers Regulation No. 446 prescribes the procedures and the duties of State administrative institutions.26 The permit for the use of the patient data recorded in the medical documents (hereinafter the permit) is issued by the Centre for Disease Prevention and Control that also indicates its content. The Ibid., Section 1(2), n. 2. The law defines informed consent as ‘the consent of a patient to medical treatment which he or she gives in oral or written form, or by such activities which explicitly certify the consent, moreover, it is given freely on the basis of the information provided by a medical practitioner in a timely manner regarding the objectives, risks, consequences and methods used for medical treatment’. 20 Ibid., Section 4. 21 Ibid., Section 9. 22 Ibid., Section 9(2–3). 23 Ibid., Section 11 (1). The law specifies that ‘A patient shall be involved in a clinical trial which has been approved in accordance with the procedures specified in the laws and regulations regarding clinical trials if his or her informed written consent has been received and the clinical trial is being carried out upon concurrent existence of the [specific] conditions [. . .]’. 24 Ibid., Section 11(4). 25 Ibid., Section 11(7). 26 Republic of Latvia Cabinet, Regulation No. 446, 4.8.2015, Procedures for Using the Patient Data in Specific Research, Latvijas Vestnesis, 152, 06.08.2015. https://likumi.lv/ta/en/id/275747procedures-for-using-the-patient-data-in-a-specific-research. This regulation has been issued pursuant to Section 10 par. 8 Clause 2, of the Law on the Rights of Patients. 19

Latvia

547

permit contains (a) the objective of the research; (b) the medical documentation necessary for the research; (c) the list of medical treatment institutions from which it is intended to request the medical documentation necessary for the research; (d) the categories of data to be researched and the persons who will have access to identifiable medical documentation; and (e) the term of validity of the permit.27 The decision to issue the permit is followed by the publication of the relevant elements of the permit on the website (i.e., the name and surname of the recipient, the name of the research, the time limit of the permit and the list of medical treatment institutions).28

4 Biobanking in Latvia Latvia is actively engaged (Swede et al. 2007) and possesses many prerequisites for the development of a flourishing research biobanking environment in terms of human resources, infrastructure and knowledge, but there are some obstacles that prevent the successful functioning of biobanks. The main concerns are the legal framework and policies and whether they meet current European and international standards. Some scholars have also underlined a lack of public knowledge about biobank infrastructures and biobank research and the absence of a public debate in social and political fora (Mezinska et al. 2020a). Public awareness, participation and active engagement are essential prerequisites for fostering the rights of those who are involved in research activities, developing new procedures and the functioning of biobanking in a sustainable way. The measuring of public involvement implies the analysis of some crucial features, namely the effective awareness of research participants to donate specific types of biological samples, the exercise of opt-out consent for biobanking and knowledge of the use of data in open access systems. A research study has investigated this aspect, tackling the engagement and willingness of donors in Latvia and gathering data with the 2010 Eurobarometer study (Mezinska et al. 2020a). The study underlines that ‘In comparison with 2010, there is less awareness of research biobanks among the general public in Latvia, but the public is slightly more willing to participate in research biobanks by donating biological samples and personal data’ (Mezinska et al. 2020a, p. 9). Thus, the role of consent is crucial, and the preferred and ethically most acceptable type of informed consent remains broad consent, which operates together with solidarity in maximising the public benefit in biobank activities. Latvian biobanks currently use broad consent even though the research participants who provide samples and data prefer narrow consent: the study has revealed that ‘Broad consent for donation of biological samples to a biobank was preferred by only 27.4% of all

27 28

Ibid., par. 8. Ibid., par. 10.

548

S. Brizioli

participants; 62.2% preferred narrow consent; 105 (10.3%) had no opinion on this question’ (Mezinska et al. 2020a, p. 4). The aforementioned study considers the introduction of dynamic consent as a tool to foster consent and to continuously inform donors of the development of research (e.g., it offers choices to be involved or not) (Mezinska et al. 2020a, p. 8). However, it is underlined that the most relevant impediment to implement this type of consent in Latvia is the paucity of financial resources for biobanks to activate the digital and IT features of dynamic consent. The use of digital tools and platforms for dynamic consent also risk a deepening of the digital divide, leaving behind those who do not have access to these technologies (Mezinska et al. 2020a, p. 9). Another interesting aspect is the returning of research results. This issue is at the crossroad of fair communication and ethics and widens the attention on the last part of the research activity process. Latvian studies have demonstrated that the return of results and incidental findings to donor relatives are the major ethical questions faced by researcher in Latvia (Mezinska et al. 2020b). Indeed, this issue is not clearly regulated by law or guidelines in Latvia (Mezinska et al. 2020b). This theme triggers many unsolved dilemmas, such as the kind of information on family members that may be collected from research participants without the informed consent of the relatives; consideration of the involvement of relatives (and/or friends) in the donation of samples and personal data of donors; and the need to include family members as secondary research subjects (Neethu 2016). These legal and ethical problems still lack an answer in Latvia, but they could influence both the researchers’ activities and the donor’s awareness: the former do not have guidelines or protocols dealing with the disclosure of incidental findings to donors’ relatives, and the latter should be more informed about sharing the outcomes of research using their samples and data with their relatives.

4.1

The Interplay of the Protection of Privacy, Informed Consent and Rights of the Research Participants in the Genome Database

The population of the Genome Database of Latvia (LGDB) provides an example of how to give relevance to informed consent by stating that the initial criterium for access is compliance with informed consent obtained from the donor of the biological samples and associated data.29 The Central Medical Ethics Committee of Latvia grants access and verifies that the intended research is in accordance with ethical

29

For further information see Access policy for samples and data. https://gec.biomed.lu.lv/en/ conditions-for-the-issue-of-biological-materials-and-data. It is recalled the relevant regulations of Latvia, namely the Human Genome Research Law and the associated Regulations of Cabinet of Ministers.

Latvia

549

norms.30 Donor willingness should also correspond to the use of the biological material or data31 (taking into account any restrictions). The template for the material/data transfer agreement and a sample of informed consent for the genome database are provided by the LGDB, and both indicate security and confidentiality matters that should be accepted by all stakeholders involved (donors, researchers, institutions, etc.).32 The material and data transfer agreement between the Latvian biomedical research and study centre, acting as the providing institute, and the receiving institute (with the mention of the principal investigator) indicates general conditions for the transfer of the material. Parties indicate the quantity of materials as well as the purposes of the use and information. A close look at those clauses that concern the involvement of the research participants reveals that the MTA/DTA takes into consideration cases in which confidential information pertaining to the research participants who provided the materials33 may be incorporated. The general conditions specify that the materials provided to the receiving institute are pseudoanonymised, and a receiving institute that inadvertently receives information that allows identification of the individual research participants must take all relevant and appropriate measures to protect the privacy and confidentiality of the information, for example, the immediate destruction of the information or a report of any identification of research to the providing institute. Moreover, the receiving institute agrees not to re-identify research participants and linkages of data.34 Another relevant aspect to consider is the return of individual results, and the MTA/DTA specifies that ‘Participants in Providing Institute have consented to the return of Individual Research Results and Incidental Findings that are clinically significant, analytically valid, and actionable (i.e., treatable or preventable)’. The return of results also concerns the receiving institute that must return to the providing institute the results of the research.35

30

Ibid. Ibid. The transfer outside Latvia should be carried out according to state legal norms and restrictions imposed by the donor. 32 See the format of the Material and Data Transfer Agreement – MTA/DTA https://gec.biomed.lu. lv/uploads/materials/LGDB_MTA.pdf. 33 Ibid., General Conditions, par.2 Confidentiality. 34 Ibid., par. 2.3. 35 Ibid., par. 4 Return of individual-level results. 31

550

S. Brizioli

5 Conclusion The processing of personal data and the biobanking activities strongly rely on the compliance with legal norms and ethical principles that emphasize the importance of informed consent. The above-mentioned normative sources ensure that consent of the patient to medical treatments and research is given freely, explicitly and on the basis of information regarding the objectives, risks and consequences of the activities undertaken. The study points out that the main scope of the regulatory framework is to promote relationships between participants and health professionals, enhance right to information and in turn progress with scientific advancements. Against this background, the Personal Data Processing Law safeguards the relevance of scientific purposes by overcoming the rights of the data subjects insofar they may render impossible or seriously impair the specific purposes.

References Mezinska S, Kaleja J, Mileiko I, Santare D, Rovite V, Tzivian L (2020a) Public awareness of and attitudes towards research biobanks in Latvia. BMC Med Ethics 21:65. https://doi.org/10.1186/ s12910-020-00506-1 Mezinska S, Kaleja J, Milelko I (2020b) Becoming and being a biobank donor: the role of relationships and ethics. Plos One 15. https://journals.plos.org/plosone/article/file?id=10.13 71/journal.pone.0242828&type=printable Neethu R (2016) ELBERTE v LATVIA: the to be or not to be question of consent. Med Law Rev 25(3):484–493. https://doi.org/10.1093/medlaw/fww028 Putniņa A (2013) Bioethics and power: informed consent procedures in post-socialist Latvia. Soc Sci Med 98:340–344. https://doi.org/10.1016/j.socscimed.2013.03.040 Swede H, Stone CL, Alyssa R, Norwood AR (2007) National population-based biobanks for genetic research. Genet Med 9(3):141–149. https://doi.org/10.1097/gim.0b013e3180330039 Tzortzatou O, Slokenberga S, Reichel J, da Costa Andrade A, Barbosa C, Bekaert S, van Veen EB, Casabona CMR, Cathaoir KÓ, Chassang G, Debucquoy A, Derèze JJ, Dollé L, Fält SE, Halouzka R, Hartlev M, Hisbergues M, Hoppe N, Huys et al (2021) Biobanking across Europe post-GDPR: a deliberately fragmented landscape. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 397–419. https://doi.org/10.1007/978-3-030-49388-2

Lithuania Sabrina Brizioli

1 Introduction Many relevant legal sources contribute to the setting up of a detailed discipline for the processing of health data in Lithuania. In a broad sense, when data and information refer to rights and values linked to life, dignity, private life of individuals and inviolability of body, their protection and safeguard fall within the provisions of the Civil Code of the Republic of Lithuania recognizing their nature and linkage to the principles of good morals for their transfer (Art. 1.114–1.115 personal non-property rights and values). General insights on the right to information and participation in scientific and medical experiments could be found in the Law on The Rights of Patients and Compensation of the Damage to Their Health1 establishing the rights of patients and procedure of assessing and compensating the damage caused by the legitimate actions of health professionals (physician and nursing staff members). Indeed, after having recognised the respect of personal privacy and dignity of patients throughout the development of the disease, the Law stresses the right to obtain information about heath conditions, disease diagnosis, medical examination results, treatment methods and treatment prognosis.2 This provision does not only underline the relevant interest of patients to know about their health situations but also ensure their active participation. Furthermore, their engagement is furthermore reinforced by the physician’s duty ‘to correct, complete, remove, explain and (or) change inaccurate, incomplete, ambiguous data or data not related to the 1 Law On The Rights of Patients and Compensation of the Damage to Their Health, 10 March 1996. https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/TAIS.42491?jfwid=dg8d2q5ef. 2 Ibid., art. 6 (4).

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_63

551

552

S. Brizioli

diagnosis, treatment or nursing’ at the patient’s justified request.3 Such an obligation occurs even in the cases in which information is provided to a patient who is a minor and the treating physician must be guided by the interests of the minors in presenting the information.4 With reference to the patient’s participation in scientific and medical experiments, the law introduces a very general provision on the necessity for patient’s consent5 leaving considerable room for the establishing of procedures to make use of patients in training processes and scientific and medical experiments.6 And indeed, as detailed in the following sections other legal acts establish rules for the processing of personal data for dedicated purposes and, more precisely, in the field of biomedical research. When considering databases including personal data of patients (name, family status, date of birth, sex, address etc.) the most relevant ones are Patient database and electronic health history databases that are comprised in the State Electronic Health Services and Cooperation Infrastructure Information System (acronym ESPBI IS). The legal basis for the development and management of this system are regulated by Order No 1057 of the Government of the Republic of Lithuania Regarding Approval of the Regulations of the State Electronic Health Services and Cooperation Infrastructure Information System7 and other legal acts.8 The use of personal health data collected in the system for research purposes requires the data subject’s consent. The rationale behind this relies in the fact that in the absence of specific exemptions applicable, the personal data were collected not considering the further processing for scientific research purposes.

3

Ibid., art. 6 (6). Ibid., art. (6) 7. 5 Ibid., art 7(1). 6 Ibid., art 7 (2). 7 Order No 1057 of the Government of the Republic of Lithuania Regarding Approval of the Regulations of the State Electronic Health Services and Cooperation Infrastructure Information System. (In Lithuanian) https://e-seimas.lrs.lt/portal/legalActEditions/lt/TAD/TAIS.406145?facesredirect=true. 8 Order No V-657 of the Minister of Health Regarding Approval of the Operation of the State Electronic Health Services and Cooperation Infrastructure Information System. (In Lithuanian) https://e-seimas.lrs.lt/portal/legalActEditions/lt/TAD/49e35880064e11e5b0d3e1beb7dd5516? faces-redirect=true. 4

Lithuania

553

2 Data Subject Rights at the Crossroad of the GDPR and the Law on Ethics for Biomedical Research The law on Legal Protection of Personal Data9 (hereinafter referred to as Data Protection Law), which was last modified in 2018, is the principal piece of legislation for the protection of individuals regarding the processing of personal data and the free movement of data. This law implements the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)10 and sets up additional provisions for the processing of data specifically in Lithuania. Even though there are no remarkable national variations to the GDPR with respect to personal, territorial and material scope, the Data Protection Law considers as supervisory authorities in Lithuania the State Data Protection Inspectorate and the Office of the Inspector of Journalist Ethics, and it also explains their duties and responsibilities.11 The GDPR provisions on consent and the interests of the data subject are directly applicable in Lithuania, but exceptions exist for the processing of data for journalistic, academic, artistic or literary purposes;12 it is expressly stated that in these cases, Articles 12–23, 25, 30, 33–39, 41–50 and 88–91 of the European regulation do not apply. Indeed, for these purposes, some relevant rights and faculties of the data subject are limited, such as the right to be informed, right to access, right to rectification and to erasure and right to object/opt out. A more precise framework of the rights and safeguards of individuals with respect to the confidentiality of information is provided by the Law on Ethics of Biomedical Research.13 This law seems to complete the legal framework as designed by the Data Protection Law since it deals with the more specific field of scientific activities for biomedical research.14 The scope of the Law on Ethics of Biomedical Research is to set forth requirements and principles of ethics for biomedical research to guarantee that scientific

9

Legal Protection of Personal Data, 11 June 1996 No. I-1374 as amended in 2018. https://vdai.lrv.lt/ en/legislation. 10 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. (L 119) (hereinafter referred to as GDPR). 11 Legal Protection of Personal Data, Art. 1(2). 12 Ibid., Art. 4. 13 Republic of Lithuania Law on Ethics of Biomedical Research, 11.05.2000 No. VIII-1679 (as last amended on 26 June 2014-No. XII-981). https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/d7231dc04 89411e4ba2fc5e712e90cd4?jfwid=4t02btl9k. 14 Ibid., Art. 1.

554

S. Brizioli

activities are based on the respect for the human being15 that prevail over the interests of society and science. For the purpose of this study, Article 2 of this law is particularly worth mentioning as it repeats and specifies the terminology of ‘confidentiality of information’16 and ‘informed consent’17 so as to underline the relevance of the right to be informed and respect for the subject consenting to the research.18 As a matter of fact, the role played by individuals who are involved in biomedical research is central and lies at the base of the scientific activities. To conduct biomedical research, the law requires: (a) scientific and practical merit of the scientific research; (b) the protection of the interests of the subject and confidentiality of information; and (c) the free consent of the subject.19 The law not only identifies cases in which vulnerable subjects are involved20 but also poses conditions for the protection of their interests, such as: (a) the necessity of biomedical research; that is, it cannot be replaced by another research that does not involve human subjects; (b) freely given consent; and (c) the right to appropriate health care even in cases of withdrawal of consent.21 The Law on Ethics of Biomedical Research also details the main steps to reach informed consent and the discipline of confidential information. Pursuant to Art. 8, the written consent of the subject represents the pre-condition to undertake biomedical research. Before giving consent, the subject shall be informed about the ‘the goal, plan of the research, the methods applied and the decisions of the Lithuanian Bioethics Committee or an appropriate regional biomedical research ethics committee’.22 The types of information to provide are: (a) the foreseeable benefits of the biomedical research to the subject; (b) the rights, foreseeable risks and inconveniences as well as the compensation in the event of damage incurred due to the biomedical research; (c) the right to revoke consent to participate in the biomedical research at any time; and (d) guarantees of confidentiality of information.23

15

Ibid., Art. 1(2). Ibid., Art. 2. ‘Confidentiality of information means preservation of information about the state of health of the research subject, diagnosis, prognosis, medical treatment and other personal data relating to the subject’s health’. 17 Ibid., ‘Informed consent’ (hereinafter ‘consent’) means an explicit and knowing written consent by the subject to participate in a biomedical research. 18 This law not only concerns ethical requirements for biomedical research, such as informed consent and confidentiality, but also other relevant issues, for example, compensation for costs for research participants; requirements for the investigator; authorisation and monitoring of the conduct of biomedical research; and civil liability and procedures for examining complaints. 19 Republic of Lithuania Law on Ethics of Biomedical Research, Art. 4. 20 Ibid., Art. 5. 21 Ibid., Art. 4 and 6. 22 Ibid., Art. 8(1). 23 Ibid., Art. 8(1) n.1–4. 16

Lithuania

555

It is also relevant to consider the way in which consent influences biomedical research on tissues, organs, cell or genetic materials that were obtained from a person for other purposes. In this case, the Law on Ethics of Biomedical Research states that irrespective of the fact that biomedical research is undertaken on medical documents, or the materials obtained during medical intervention, the approval of the Lithuanian Bioethics or a regional biomedical research ethics committee to conduct biomedical research is necessary.24 Information that is obtained in the course of biomedical activities, for example, the subject’s state of health, diagnosis, prognosis of medical treatment and other health-related personal information, shall remain confidential and the law requires compliance with the Law on the Rights of Patients and Compensation for the Damage to their Health.25

3 Biobanking and Processing of Information and Human Samples Since 2015, a new version of the Law on Ethics of Biomedical Research has been approved and its purpose has been enlarged to ‘set forth requirements for biomedical research, terms and condition of processing of human biomedical samples and managing personal health information for the purposes of biomedical research and activities of biobanks, terms and conditions of issuance of approvals to conduct biomedical research, supervision of conducting of biomedical research and liability of sponsors of biomedical research and investigators for damage resulting from the subject’s health impairment of death’.26 The more recent amendments have introduced some relevant definitions and the discipline of biobanks and the processing of information and/or human biological samples.27 A biobank is defined as ‘a public legal person acting in the capacity of a budgetary or public establishment and holding a licence for personal health care services, including the right to process human biological samples and health information for the purposes specified in the Law and conducting of biomedical research (a ‘licence for biobanking’)’.28 The processing activities relate to both personal health information and human biological samples; in both cases, the term

24

Ibid., 8(2). Ibid., Art. 9. 26 Republic of Lithuania Law Amending Law No. VIII-1679 on Ethics of Biomedical Research, 17.09.2015 No. XII-1938, art. 1. https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/76582f93e9c811 e59b76f36d7fa634f8?jfwid=-ji9gt0req. 27 Ibid. art.2. 28 Ibid., Art. 2, n. 5. 25

556

S. Brizioli

‘processing’ indicates a series of operations and activities that include collection, storage, classification and grouping.29 The new provisions also include the discipline of a person’s consent to biobanking and its pre-conditions, namely the capacity of the subject to express his/her will and the requirement of free and informed consent.30 Furthermore, the Law addresses secondary uses in biobanking activities. Pursuant to Art. 8(8), ‘a biobank may process health information and human biological samples remaining after surgery, invasive and/or interventional procedures whereof a person has not given a person’s consent to biobanking [. . .], but only to the extent necessary for the preservation of these human biological samples and, where the person would give consent to biobanking one month after a surgery, an invasive and or interventional procedure, processing of the samples in the biobank, while health information – only to the extent necessary for the assessment of the suitability of such human biological samples’.31 When it comes to secondary uses for purposes other than a person’s medical treatment or diagnosis, any invasive and or interventional procedure is permitted only ‘if a person’s consent to biobanking contains a consent to procure a human biological samples for this purpose’.32 With regard to biobanking activity, Chapter III of the Law on Ethics of Biomedical Research indicates that ‘biobanks shall carry out their activity in compliance with the requirements of this law, the Law on Legal Protection of Personal Data and the Law on Health Care Institutions, while respecting the rights and freedoms of individuals and observing the principles of transparency, reliability, data security and openness’.33 According to the Law on Ethics of Biomedical Research, biobanks process human biological samples and health information, and they are entitled to both be sponsors and to conduct biomedical research.34 They also cooperate with the biobanks of European Union Member States and other states of the European Economic Area, third countries and international organisations. Art. 14 of this Law indicates the requirements for the issuance of a licence for biobanking: (a) to ensure traceability, security, quality and availability to investigators of human biological samples and health information; and (b) to appoint a member of staff responsible for compliance with the processing of human biological samples and health information.35 Some of the biobanking activities are further described in articles 15–19, namely the ‘right’ of a biobank to obtain health information, the processing of human biological samples and health information, the notification of human biological

29

Ibid., Art. 2, n. 3 and n.19. Ibid., Art., 8 n. 1, 2, 3. 31 Ibid., Art. 8(8). 32 Ibid., Art. 8(9). 33 Ibid., Art. 13(1). 34 Ibid., Art., 13(3), n. 1. 35 Ibid., Art. 14. This provision also states that a licence for biobanking shall be suspended and revoked in accordance with the procedure laid down by the Law on Health Care Institutions. 30

Lithuania

557

samples and/or health information and information which is important for a person’s health. It is also specified that the biobank’s right to obtain the health information of a person whose human biological sample and information are processed follows the receipt of the person’s consent to biobanking and can be exercised when health information is not available in registers and or state information systems.36

4 The Lithuanian System of Ethical Review of Biomedical Research Lithuania is one of the few countries in Central and Eastern Europe (Dranseika et al. 2011) that has regulated biomedical research with a specific law, the Law on Ethics of Biomedical Research. As described, this Law has enforced rules to safeguard the data protection of subjects involved in biomedical research, but this piece of legislation has also implemented a system of ethical review that is structured as a national body, the Lithuanian Bioethics Committee (LBC), and regional research ethics committees (regional RECs).37 The system of ethical review of biomedical research started in the late 1980s when two major institutional review boards established two research ethics committees with the aim to approve biomedical research projects, among them clinical drug trials. A formalised ethical review was established by the Decree on the Ethical Expertise of Biomedical Research of the Minister of Health in 1997, and the LBC was designed to be the sole institutional authority to issue approvals to conduct biomedical research projects.38 The Law on Ethics of Biomedical Research (entered into force in 2001) and its amendments provides the basic principles of biomedical research ethics, and it introduced a two-tier system of research ethics committees. In 2016, this law was amended to set regulations for the establishment of biobanks and rules for the participation of individuals and minors in research activities. The system of research ethics committees is a two-tier one that is based on both the LBC and the regional RECs: the former issues approvals for medical research

36

Ibid., Art. 15(2). Republic of Lithuania Law Amending Law No. VIII-1679 on Ethics of Biomedical Research, art.20. Also see the European Network of Research Ethics Committees, National Information: Lithuania. http://www.eurecnet.org/information/lithuania.html. 38 For further information, see Lithuanian Bioethics Committee (Lietuvos Bioetikos Komitetas). http://bioetika.sam.lt/index.php?1608991497. 37

558

S. Brizioli

projects carried out in more than one region,39 while the latter issues approvals for those projects carried out in the region. The LBC is also tasked by the law to coordinate and monitor the activities of the Regional RECs by organising seminars, providing guidelines and reviewing reports of the activities of the regional RECs.40 In the field of biomedical research, the LBC provides advice to the Ministry of Health and informs the general public, but one of its main functions is the ethical review of biomedical research for clinical drug trials.41 This task is pursued by a group of experts established by the LBC and that is composed of nine members (five professionals in biomedical sciences and four experts in the area of social sciences and humanities). The group evaluates the biomedical research projects submitted to the LBC by considering the ethical and legal aspects to determine their acceptability.42 Regional RECs are based at universities with tertiary medical education levels, and they are accountable to both the university and the LBC. The membership and status of RECs are approved by the Rector of the University and the Minister of Health.43

5 Conclusion Lithuanian data protection law is in line with the European legislative framework and the rules established by the GDPR. The local derogations introduced do not represent considerable variations to the European discipline on the processing of personal data. Even though the national law includes exceptions concerning the processing for determined purposes, that is journalistic and/or academic ones, the main framework of reference for the managing of personal health information is the Biomedical Research Law. The specific regime, which applies to data processing for research in the field of health purposes, points out the centrality of informed consent and the human beings’ interests priority over scientific interests. In this context procedures for issuing approvals to conduct and control biomedical research are accompanied with an institutionalized ethics oversight. Looking closely to this legal background it seems that the cases exempting researchers from the obligation to inform data subject and as recognised by the Data protection law are reduced in the field of biomedical research. Indeed, the Biomedical Research Law is strongly anchored to the duty to obtain informed consent from subjects and to provide them with understandable information.

39 Republic of Lithuania Law Amending Law No. VIII-1679 on Ethics of Biomedical Research, art. 21, n.2. 40 Ibid. 41 Ibid., Art. 21(3). 42 Ibid., Art. 21(4). 43 Ibid., Art. 22.

Lithuania

559

Furthermore, while the Bioethics Committees play a significant role in order to perform biomedical research ethically, it is necessary to avoid that further requirements risk to hamper the conducting of biobanking activities.

Reference Dranseika V, Gefenas E, Cekanauskaite A, Hug K, Mezinska S, Peicius E, Silis V, Soosaar A, Strosberg M (2011) Twenty years of human research ethics committees in the Baltic States. Dev World Bioeth 11(1):48–54. https://doi.org/10.1111/j.1471-8847.2010.00288.x

Luxembourg Alessandra Langella

1 Introduction Biobanks have existed for a long time, not only in anatomical pathology institutes and medicine departments of hospitals, but also in the collections of skeletons and mummies stored in numerous natural history museums. Today, these collections are playing an important role in the progress of medical science (Beier and Lenk 2015), and although the authorities have encouraged their use to address the needs of research and industry, only a few countries have brought in legislation to frame their management and activities. The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter GDPR)1 has specific provisions on the protection of data used in scientific research, but the crucial role of biobanks in the conduct of biomedical research is not effectively governed, and the regulation of biobanks is not harmonised across Europe.

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119.

A. Langella (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_64

561

562

A. Langella

In the context of the Benelux countries, Belgium has a specific law dedicated to this phenomenon. In Luxembourg, there is no general set of rules concerning biomedical research: the 2006 draft law (2006/Parl. Doc. 5552) has not yet been approved.2 However, when approved, it will constitute an important reference, since it will also regulate the use of biological samples for research purposes.3 The national regulation does not refer to biobanks per se, and the term biobank does not exist in any legal text. However, useful regulatory links can be found in some relevant current legislation: the Act on autopsy;4 the Act on blood;5 the Act on the removal of human substances;6 and the Act on tissue and cells with human application.7 Other reference provisions are those regarding health-related data processing and scientific purposes contained in the GDPR and in the implementing national law.

2 The 2006 draft law (2006/Parl. Doc. 5552) (also referred to the Health and Sports Commission in 2018) was not approved. https://wdocs-pub.chd.lu/docs/exped/089/493/048982.pdf. To follow the steps of the draft law https://www.chd.lu/fr/techdossier/3064. 3 Art. 1, 2006 draft law (2006/Parl. Doc. 5552) (2) ‘this law does not apply to research carried out in vitro on biological material taken from human beings, provided that the material was taken for purposes other than research. If the material is taken for research purposes, the law [. . .] shall apply’. 4 Law of 17 November 1958 concerning autopsy, as well as the use of human corpses for a scientific or therapeutic interest, in the Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 61. http://data.legilux.public.lu/eli/etat/leg/loi/1958/11/17/n1/jo. 5 Law of 15 March 1979 regulating blood transfusion, in the Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 30. http://data.legilux.public.lu/eli/etat/leg/loi/1979/03/15/n4/jo. 6 Law of 25 November 1982 regulating the withdrawal of substances of human origin, in the Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 98, http://data.legilux.public.lu/eli/etat/ leg/loi/1982/11/25/n2/jo, amended by the Law of 25 June 2015 (in the Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 125. http://legilux.public.lu/. 7 Law of 1August 2007 on tissues and cells destined for human application, Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 150. https://www.legilux.public.lu/eli/etat/leg/ loi/2007/08/01/n12/jo

Luxembourg

563

2 The New Data Protection Law in Luxembourg Luxembourg implemented the GDPR by enacting the Law of 1 August 2018.8,9 This new Data Protection Act repealed the previous Law of 2 August 2002.10 The Data Protection Act is structured into two parts. The first Title sets out the composition, competences, and tasks of the National Data Protection Commission (hereinafter referred to as the CNPD). The second Title contains specific provisions required by the GDPR and establishes a general framework for personal data protection. As a matter of fact, and as result of the competence of the Member States, the national law addresses three specific areas complementing the GDPR: (1) Processing of personal data for the sole purpose of journalism, university research, art or literature; (2) Processing of personal data for scientific or historical research purposes, for statistical purposes, or for archiving purposes in the public interest; and (3) Processing of special categories of personal data (genetic data). Biobank activity links science and health, and this is the reason why it is necessary to investigate the processing of data in scientific research and the rules about health-related data.

8

The Act of 1 August 2018 on the organisation of the National Data Protection Commission, implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended Act of 25 March 2015 stipulating the rules of remuneration and the terms and conditions for the promotion of State civil servants. Official Gazette of the Grand Duchy of Luxembourg, Memorial A n. 686. https://cnpd.public.lu/dam-assets/fr/ legislation/droit-lux/Act-of-1-August-2018-on-the-organisation-of-the-National-Data-ProtectionCommission-and-the-general-data-protection-framework.pdf. 9 On 1 August 2018, Luxembourg also adopted the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters to implement the Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data in criminal matters. https://legilux.public.lu/ eli/etat/leg/loi/2018/08/01/a689/jo. 10 Law of 2 August 2002, Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 91. https://cnpd.public.lu/dam-assets/en/legislation/droit-lux/doc_loi02082002mod_en.pdf.

564

2.1

A. Langella

Exceptions and Safeguards for the Processing of Special Categories of Personal Data for Scientific Research Purposes

Within the framework of the GDPR, the general rule that prohibits the processing of the special category of genetic and health-related data (Article 9) exempts cases in which this processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with restrictions set out in Article 89(1). The previous Luxemburg law prohibited the processing of health and genetic data (Article 6, 1st par., Law 2002) except for processing in the public interest for historical, statistical, or scientific reasons, under authorisation of the National Commission. The current law regulates the protection of personal data used in scientific research in Articles 63, 64, and 65 of the second Title, second Chapter. Research benefits from a special regime. The processing of special categories of personal data, including genetic data,11 may be carried out for scientific purposes (Art. 9(2)(j) GDPR) if the controller meets the requirements set out in Article 65. Pursuant to Article 63 of the national Law, where personal data are processed for scientific or historical research purposes or for statistical purposes, ‘the controller may derogate from the rights of the data subject as laid out in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679, insofar as these rights are likely to render impossible or seriously impair the achievement of specific purposes.’ However, the measures required in Article 65 must be implemented. The provisions about the protection of special categories of personal data used in scientific research reinforce the law with some additional criteria to protect the data subject’s interests. When the data controller does not comply with those legal requirements, it must justify this choice, by documenting and explaining their reasons, for each scientific research project involving the processing of personal data (Art. 65 last paragraph). The controller is obliged (Art. 65, point 1) to designate a data protection officer; (point 2) to analyse the impact of the envisaged processing operations on the protection of personal data; (point 3, 4) to anonymise, pseudonymise or adopt another functional separation mechanism (which a trusted third party must provide) for the data to ensure that data collected for scientific research cannot be used to take decisions or actions in respect of the subject concerned. The encryption of personal data, as well as state of the art management (point 5), the periodical evaluation by an independent audit of the effectiveness of the technical and organisational measures adopted (point 10), and the assumption of specific sectoral codes of conduct (point 12) are further safeguarding measures.

11

The Law (Chapter 3, art. 66) prohibits the processing of genetic data for the purposes of the exercise of the specific rights of the controller in the field of labour law and insurance.

Luxembourg

565

Moreover, the Law requires the use of technologies that strengthen the protection of the privacy (point 7) the use of log files enabling the reason, date and time that data is consulted and the identity of the person collecting, modifying or deleting personal data to be retraced (point 8) and also promoting the awareness of the staff involved about the processing of personal data and professional (point 9). These safeguards must be put in place in accordance with the nature and the context of the processing. The controller should evaluate the origin, nature, and severity of the risk to decide what kind of measures to adopt. For processing of special categories of data (referred to in Article 9(1)) on a large scale, the GDPR requires a privacy impact assessment to be carried out (Art. 35(b)). Assuming that the biobank is engaged in this particular type of data treatment, the controller should carry out a data protection impact assessment. After all, the activity of a biobank, given the category and the volume of the data processed, the number of people involved and the duration of the processing, must be considered to fall into the category of ‘high risk’ data for which an impact assessment is required (Guidelines on Data Protection Impact Assessment).12 Although the CNPD has the power to draw up a list of ‘high risk processing’ activities, it has not yet done so. However, the controller is required to consult the CNPD when, despite the measures, the risks remain high. The use of genetic data also carries a high risk to the privacy of individuals and their family members. However, research on genetic data makes an important contribution in medicine (WP 29, 2004).13 Researchers must consider several ethical aspects when the activity involves genetic data (Art. 4 GDPR), including the issue of managing ‘incidental findings’. The National Research Ethics Committee (hereinafter referred to as the CNER) has developed a reference framework14 to manage the issue of participants’ consent to being contacted again if incidental findings occur in research projects involving the complete sequencing of their genome. The CNER has also drawn up the minimum content that must appear in the consent form for the ‘genetic’ part of a project if this includes the complete sequencing of the genome.15

12

Article 29 Data Protection Working Party (2017). Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679 (adopted on 4 April 2017). http://ec.europa.eu/justice/data-protection/ index_en.htm. 13 Article 29 Data Protection Working Party (2004). Working Document on Genetic Data, Adopted on 17 March 2004, p. 11. https://ec.europa.eu/justice/article-29/documentation/opinion-recommen dation/files/2004/wp91_en.pdf. 14 Terms of reference: Incidental Findings (IFs) - Informed consent specifications and communication process in Luxembourg. https://www.cner.lu/Portals/0/Terms%20of%20Reference%20IFs,% 20IC%20and%20communication%2016.11.2016.pdf. 15 https://www.cner.lu/en-gb/Procedures/Incidental-Findings.

566

2.2

A. Langella

Consent and ‘Secondary Use’

The consent of the subject involved in research activity is a cornerstone imposed by several conventions and regulations. The Additional Protocol to the Convention on Human Rights and Biomedicine (Oviedo Convention), concerning Biomedical Research, states that ‘no research on a person may be carried out without the informed, free, express, specific and documented consent’ (Art. 14). Moreover, ‘the persons being asked to participate in a research project shall be informed of the rights and safeguards prescribed by law for their protection, and specifically of their right to refuse consent or to withdraw consent at any time without being subject to any form of discrimination’ (Art. 13). The Oviedo Convention has not yet been ratified.16 However, the Luxembourg draft law on biomedical research also states that research on a person cannot be carried out unless free, express, specific, and written informed consent has been given. However, the right to withdraw consent is limited when the subject has authorised the collection of biological material for scientific purposes and the collection has been completed (Art. 9 draft Law on biomedical research).17 Furthermore, a living person may give written authorisation for the future use of material taken from his or her body for research purposes after his or her death (Art. 2 Act on autopsy). The acquisition of consent is also a prerequisite for the lawfulness of the processing of personal data. The GDPR (Art. 6(1)(a)) states that processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Since ‘it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection; therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research’ (Recital 33). Research activity carried out by a biobank uses human samples collected for medical purposes, and a single collection of biological samples might be of interest for several studies. The result is that the re-use of tissues is significant. Despite the principle of the purpose limitation (Article 5(1)(b)), the GDPR ensures that information which was collected for other purposes can be used for scientific research. When the processing for a purpose other than that for which the personal data were collected is not based on the data subject’s consent, the controller

16 See the countries that have ratified the Convention https://www.coe.int/fr/web/conventions/fulllist?module=signatures-by-treaty&treatynum=164. Draft Law for the approval of the Oviedo Convention, 2006, No 5528/2. https://wdocs-pub.chd.lu/docs/exped/076/453/047552.pdf. 17 See also Article 8 of the Law of 1 August 2007 on tissues and cells destined for human application, Official Journal of the Grand Duchy of Luxembourg, Memorial A n. 150. https:// data.legilux.public.lu/filestore/eli/etat/leg/memorial/2007/a150/fr/pdf/eli-etat-leg-memorial-2007a150-fr-pdf.pdf.

Luxembourg

567

must verify whether processing for another purpose is compatible with the purpose for which the personal data were initially collected (Article 6(4)). The GDPR is directly applicable and fixes the parameters within which Luxembourg researchers can re-use data collected for prior treatment in a different procedure. However, when the research activity concerns samples stored in the frame of a previous project and secondary use is not covered by the informed consent given for the primary study, a CNER opinion request is required. When the further use is covered by the informed consent given for the original research, a mere notification is sufficient.18

3 Conclusion Biobanks are an ongoing study.19 Biobanking in Luxembourg is subject to several pieces of legislation, but the overall outcome is a very limited framework. However, some laws that are still awaiting approval may be of support. In the absence of a lex specialis, biobanking relies on various texts and sources: international conventions, European law, constitutional provisions, and national sectoral laws, including the discipline of data protection. The GDPR has harmonised data protection across Europe, while leaving space for adjustments by Member States. Luxembourg has implemented the EU Regulation with its Data Protection Law, adopted on 1 August 2018, and specific provisions for the processing of data for research purposes have been included (Arts. 63, 64, 65). According to Article 89(2) of the GDPR, under the national law the controller may derogate from the data subject’s rights if those rights may prejudice or render impossible the achievement of scientific purposes. However, certain additional safeguards are provided to protect the data subject’s freedoms (Art. 65). Consent is the legal basis for the processing of personal data (Art. 6 GDPR), including the processing of special categories of personal data (Art. 9 GDPR). According to the draft law on biomedical research, consent must be given. The presence or absence of consent also affects the regime for the use of samples for secondary research and the procedures of the Ethics Committee.

18 The Luxembourg National Research Ethics Committee (Comité National d’Ethique de Recherche du Luxembourg), CNER, Procedures, Utilisasion secondaire d’échantillons récoltés dans le cadre d’un project de recherche. https://www.cner.lu/Portals/0/PROCEDURE%20UTILISATION%20 SECONDAIRE%20D%C3%89CHANTILLONS%20R%C3%89COLT%C3%89S%20DANS% 20LE%20CADRE%20DUN%20PROJET%20DE%20RECHERCHE_v6.6.2019%20fr-de-en.pdf? ver=2019-07-02-164444-030. 19 Article 29 Data Protection Working Party, Working Document on Genetic Data, p. 11.

568

A. Langella

Reference Beier K, Lenk C (2015) Biobanking strategies and regulative approaches in the EU: recent perspectives. J Biorepos Sci Appl Med 3(1):69–81. https://doi.org/10.2147/BSAM.S64578

Malta Sabrina Brizioli

1 Introduction The involvement of individuals and the sharing of their data and biological material for scientific research is central in Malta. The Maltese regulatory framework provides safeguards ranging from minimising the processing of personal data to ensuring continuous control over the data, and the data protection system applies the usual principles, such as subject rights and lawfulness. Despite this, some exemptions and derogations are allowed when the processing of data is finalised for the achievement of specified purposes. Furthermore, ethical standards are in place in the field of health science and research as well as in clinical trials: this ethical oversight supports the presumption of compatibility of processing for scientific research purposes and other appropriate safeguards.

2 The Maltese Legal Framework for Data Protection The current law on the processing of personal data and the free movement of such data is the Data Protection Act, Chapter 586, which entered into force on 28 May 20181 (the Data Protection Act). This Act repealed and replaced the former Data Protection Act, Chapter 440,2 and implemented not only the relevant provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 1

Data Protection Act, Chapter 586, 28 May 2018. https://legislation.mt/eli/cap/586/eng/pdf. Data Protection Act, Chapter 440, 22 March 2002 (and amendments). https://legislation.mt/eli/ cap/440/eng/pdf.

2

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_65

569

570

S. Brizioli

27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)3 but also introduced some specificities for the conditions and the authorities involved in the processing of personal data in Malta.4 The Maltese legislation expressly indicates that this Act does not apply: (a) in the course of an activity which falls outside the scope of European Union Law; (b) when carrying out activities falling within the scope of Chapter 2 Title V of the TUE; (c) in the course of a purely personal or household activity; or (d) for the purposes of prevention, investigation, detection or prosecution of criminal offences.5 Pursuant to Art. 6 of the Data Protection Act, the controllers and processors may derogate from the provisions of Art. 15, 16, 18 and 21 of the GDPR for the processing of personal data for specified purposes. As far as scientific purposes are concerned, the exception operates when the exercise of the data subject’s rights is likely to render impossible or seriously impair the achievement of those purposes and the data controller reasonably believes that such derogations are necessary for the fulfilment of those purposes.6 Despite this, the processing of data for scientific purposes requires additional obligations and procedures to safeguard the rights and freedoms of the data subjects. More precisely, the Data Protection Act indicates as ‘appropriate safeguards’, ‘pseudonymization and organizational measures to ensure the respect for the principle of data minimization’7 in all cases that could lead to the identification of data subjects. The processing of data, biometric data or data concerning health for statistical or research purposes in the public interest is subject to prior authorisation from the Commissioner.8 In this case, the Data Protection Act specifies that ‘where genetic data, biometric or data concerning health are required to be processed for research purposes, the Commissioner shall consult a research ethics committee or an institution recognised by the Commissioner’.9 The doctrine related to the exceptions for the processing of personal data for academic purposes10 has underlined that the Maltese Data Protection Act does not

3

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 4 See Data Protection Act, art. 4. 5 Ibid., art. 4 (1). 6 Ibid., art. 6 (1), lett. a); b). 7 Ibid., art. 6 (4). 8 Ibid., art. 7 a). The Data Protection Act specifies the competences of the Commissioner who shall be responsible for monitoring and enforcing the application of the provisions of the Act and the Regulations in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data and to facilitate the free flow of personal data between Malta and any other Member State; see art. 11 (2). 9 Ibid., art. 7 (2). 10 Ibid., art. 9 (1).

Malta

571

define the meaning of the wording ‘academic expression’, nor does it consider whether the scientific or health research purposes may fall into this context (Tzortzatou et al. 2021).11 Malta is among a limited number of EU Member States that has enacted sectoral laws to regulate the further processing of personal data in the health sector that is not linked to the primary purpose for which the data was originally collected (hereinafter referred to as ‘secondary processing’). The discipline of secondary processing is articulated in Subsidiary Legislation 528.1012 (hereinafter referred to as Subsidiary Legislation), which has rules that comply with the provisions of the Data Protection Act and the GDPR. The Subsidiary Legislation provides specific insights on secondary processing for the health sector and indicates that among different authorities, the data controller ‘shall also include the Chief Executive Officer of entities providing a healthcare service to patients’.13 According to the Subsidiary Legislation, the processing of personal data and its sharing for secondary activities is permitted when: (a) the processing or analysis concerns records kept by all entities of the health sector; (b) the analysis is of health records supplied to the Ministry for Health in accordance with licencing legislation, contractual obligations, compliance with EU regulations on public health statistics and to safeguard other public health interests, to produce the indicators required for monitoring, and to ensure the quality and cost effectiveness of health services at the national level; (c) the monitoring of contractual obligations, including quality control, management information and services arising from public–private partnerships; (d) the fulfilment of the obligations related to the provision of statistical information, and this may involve the linkage of existing administrative databases and disease registers; (e) the compilation of evidence in medico-legal cases; (f) the investigation and monitoring of health threats that require the processing of health record data for the protection of public health; and (g) access to health records for the purpose of research activities14 (European Commission – DG Health and Food Safety 2021, pp. 67–68). In cases of access to health records for the purpose of research activities, the Subsidiary Legislation not only affirms that ‘personal data may be processed where the research activities are in the public interest’ but also considers the conditions that must be followed when the processing cannot be achieved using anonymised data.15 When the research activity is conducted within the Ministry for Health or its

11 See also European Data Protection Supervisor. (2020). A preliminary opinion on data protection and scientific research. https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_ research_en.pdf. 12 Subsidiary Legislation 528.10, Processing of Personal Data (Secondary Processing) (Health Sector) Regulations, 8 October 2019. https://legislation.mt/eli/sl/528.100/eng. 13 Ibid., art. 2. 14 Ibid., art. 3, lett. a)-g). 15 Subsidiary Legislation 528.10, art. 4.

572

S. Brizioli

partners, it is necessary to obtain the approval of the Health Ethics Committee within the Ministry of Health and prior authorisation from the Commissioner for data protection pursuant to Art. 7 of the Data Protection Act.16 The same measures occur in cases in which the research activity is conducted by academics or students or any NGOs or public bodies having the remit to assist patients in need of health services.17 The Subsidiary Legislation emphasises the role of consent expressed by the data subject and its relevance for secondary processing by recalling the discipline as provided in the GDPR.18

3 The Role (and Type) of Consent for Research Activities The Maltese legal framework does not specify the type of consent required to carry out research on data, human tissue and cells. This implies to consider the adoption of the broad consent currently practiced (Staunton et al. 2019). The GDPR as transposed into Maltese law represents one of the regulatory patterns for research activities and it should be read together with other relevant rules, such as those set for Clinical Trials19 and best practices. Unique emphasis on the consent of the data subject/patient could be found in the Patient’s Charter that gives relevance to the patient’s right ‘to receive all the relevant information related to clinical trials of any form that one may be subjected to’.20 The involvement of the data subject is further stressed to allow discussion of ‘ethical matters that arise in the course of one’s care including treatment, participation in research or educational projects’.21 Furthermore, shared decision-making processes and informed consent are addressed in Principle 4 of the Patient’ s Charter; with respect to research, the Charter expressly states that one has the right: (a) to receive a detailed explanation of the nature and consequences of any research or clinical trials in which one might be invited to participate before they are conducted and to obtain and document one’s consent or refusal to participate; and (b) to be informed and be completely free of coercion as to whether to accept or decline participation or withdraw from participation in clinical research or student training22 at any time. 16

Ibid., art. 4 a). Ibid., art. 4 b). 18 Ibid., art. 5. 19 Subsidiary Legislation 458.43, Clinical Trials Regulations, 26 November 2004. https:// legislation.mt/eli/sl/458.43/eng/pdf. See Subsidiary Legislation 458.43, art 3; art. 4, lett. b), d); art. 5 c); art. 6 (1), lett. a) for informed consent; art. 2; art. 4; art. 7; art. 8–10 for the role of the ethics committee. 20 Minister for Health. (2016). Patient’s charter, rights and responsibilities, point 8, p. 11. https:// deputyprimeminister.gov.mt/en/hcs/Documents/Patient’s%20Charter/Patient’s_Charter_EN.pdf. 21 Ibid., point 10, p. 11. 22 Ibid., points 7–8, p. 13. 17

Malta

573

Along with the rights of individuals to privacy and personal data protection as mentioned in the Patient’s Charter, it is important to point out the principles of ethical research conduct as established by the research code of practice of the University of Malta that expressly mentions to ‘honour the requirement of informed consent and continuous dialogue with research participants’.23 The practical guidance on how to implement principles states that ‘to satisfy the requirement for informed consent and continuous dialogue with research participants, it is very important that all research in which personal data is being collected has the consent of each research participant and that the research participants are informed about the research and any risks that they may be exposed to’.24 This implies that researchers shall obtain consent from participants in their research prior to processing any personal data, and the consent shall be specifically related to the research being undertaken. Suitable consent forms need to be used to obtain consent in writing.25 The consent forms shall contain explanations of the purposes of the research and descriptions of the subject’s rights according to the GDPR and the Malta Protection Act 2018 to access, rectify and erase the data related to them.26 The right to request written information about the personal data being processed and to request further insights into the research27 are ensured to strengthen the relationship between the participant and the researcher.

4 Biobanks in Malta: Public Awareness and Dynamic Consent It could be said that Malta has followed the ‘biobanking wave’, that is, the rise in the number of biobanks and their key role in health research and genetic studies. Malta is a founding member of the Biobanking and BioMolecular Resources Research Infrastructure – European Research Infrastructure Consortium (BBMRIERIC) and the Malta Biobank, which was established in 1989, holds human biological samples in a clinical bank and a population bank: the former hosts samples of individuals diagnosed with illnesses and diseases, while the latter holds samples of healthy individuals from the general public.28

23

Research Code of Practice, Principles of Ethical Research Conduct, par.2, n.5. https://www.um. edu.mt/media/um/docs/research/urec/ResearchCodeofPractice.pdf. 24 Ibid., par. 3.1.1. 25 Ibid., par. 3.1.2. 26 Ibid., par. 3.1.3, lett. j). 27 Ibid., par. 3.1.3, lett. k). 28 For further information, see BBMRI-ERIC Malta. https://www.bbmri-eric.eu/national-nodes/ malta/.

574

S. Brizioli

Malta is also active in research projects that strongly rely on the active engagement of participants who provide biological samples and corresponding personal health data. An interesting study regarding the involvement of the public examined the awareness of biobanking activities in Malta and people’s perceptions of these infrastructures (Desira and Martin 2018). Findings revealed a very low level of awareness and showed that a large portion of the Maltese public ignores the basis of biobanking regulation, for example, people do not know the meaning of the term biobank and how biobanks could be associated with biomedical and genomic research (Desira and Martin 2018). This is a crucial point for biobanking activities because ethics are built upon informed, robust and transparent consent procedures. Regarding informed consent or authorisation to obtain material for research issues, Malta has adopted an approach which is a balance between the more restrictive form of consent and the new consent forms according to which the data subject’s approval is requested for each new research project. The Malta Biobank has adopted a participant-centric approach to stimulate the engagement of donors and enhance individual support for biomedical research that uses the term ‘research partner’ to indicate those who provide materials for research. As evidence of patient engagement, the wording ‘research partner” is meant to indicate that donors as research participants are at the centre of decision making as equal partners in the research process (Mamo et al. 2020). Moreover, a relevant role is played by dynamic consent that gives individuals the opportunity to be better informed and to express consent on the ongoing research process. A team of experts has recently published a study to present a web portal for dynamic consent (called Dwarna) (Mamo et al. 2020) that helps genomic research to gather data about humans and uses the blockchain technique. The use of the blockchain technique both ensures the dynamic consent mechanisms and the storage and access to samples and data (Mamo et al. 2020, p. 616). Acting as a hub to connect the multiple actors involved in research activities (biobank managers, researchers, partners and the general public), Dwarna is equipped with a data controller who ensures data protection and who operates in compliance with the GDPR (Mamo et al. 2020, p. 610).

5 Conclusion The special regime for scientific research gathers appropriate derogations from certain GDPR prerogatives and safeguards in Malta. The Maltese framework reflects the intention to pursue research activities in the public interest by adapting them to data protection and individual rights and interests.

Malta

575

The analysis of the Maltese legislation has detailed the attention to some fundamental rights which are at stake in the processing of data, such as the right to privacy, the right to integrity and the right to health. The dialogue between data protection and the common interest in genuine research activities in the public interest is guaranteed by the active work of ethical review bodies, public awareness strategies and the new approaches to informed consent, even in biobanking activities.

References Desira M, Martin GM (2018) Banking on you? The level of public awareness of biobanks in Malta. Xjenza Online-Sci J Malta Chamber Sci 6:110–116 European Commission – DG Health and Food Safety (2021) Assessment of the EU Member States’ rules on health data in the light of GDPR. Luxemburg Publications Office of the European Union. https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_en.pdf Mamo N, Martin GM, Desira M, Ellul B, Ebejer JP (2020) Dwarna: a blockchain solution for dynamic consent in biobanking. Eur J Hum Genet 28(5):609–626. https://doi.org/10.1038/ s41431-019-0560-9 Staunton C, Slokenberga S, Mascalzoni D (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27(8):1159–1167. https://doi.org/10.1038/s41431-019-0386-5 Tzortzatou O, Slokenberga S, Reichel J, da Costa Andrade A, Barbosa C, Bekaert S, van Veen EB, Casabona CMR, Cathaoir KÓ, Chassang G, Debucquoy A, Derèze JJ, Dollé L, Fält SE, Halouzka R, Hartlev M, Hisbergues M, Hoppe N, Huys et al (2021) Biobanking across Europe post-GDPR: a deliberately fragmented landscape. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 397–419. https://doi.org/10.1007/978-3-030-49388-2

Netherlands Hedley Christ

1 Introduction There is no specific legal framework within The Netherlands for the governance of research with human biological material. In fact, as Hendricks, A.C. & Hellemondt, R.E. van notes ‘Almost everyone in the Netherlands is aware of the shortcomings and lacunae of the current regulatory system and the haphazard way in which courts, monitoring bodies, medical professionals, researchers, and others respond to issues that arise in the field of biobanks’ (Hendricks and van Hellemondt 2016, p. 68). The rationale for the collection and storage of tissue samples is surrounded by the idea of ‘explicit consent’ of the individual whose sample provided the data, and this explicit consent could be disregarded only if there were ‘true anonymity’. The understanding of explicit consent being that an individual would ‘opt-in’ for their sample to be used in research. Like many European countries therefore, The Netherlands makes a distinction between the use of biological material in research and the datafication of that biological material.

2 The Legal Basis of Processing of Personal Data for Research Purposes The laws relating to data privacy lie both internally and internationally. The notion of privacy forms part of the Constitution at Article 10, however; The Netherlands also has legislation in the form of the Personal Data Protection Act 2001 and Data Registration Act 1989. H. Christ (✉) Law Department - Brighton Business School, Brighton, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_66

577

578

H. Christ

More recently the General Data Protection Regulation (GDPR) was brought into Dutch Law by the Dutch GDPR Implementation Act. Article 44 of this Implementation Act, covers Articles 15, 16, and 18 of the GDPR regarding data protection as applied to scientific research.1 The processing of personal data in The Netherlands is now primarily governed by the GDPR Implementation Act.2 The Netherlands has several laws relating to scientific research, the most important here, relating to the collection and storage of human tissue is the Medical Research Involving Human Subjects (WMO) 1998 and, the Protection of Persons Participating in Biomedical Research. These Acts provide that medical or scientific research involving individuals may only be conducted if there is a detailed research protocol and only with the approval of an ethics research committee.3 Researchers must obtain the written consent of the individuals who participate after providing them with full information of the objectives of the research. As a result, the protection of personal data within The Netherlands constitutes a range of laws both national and International. Within this international framework is the recognition of the need for scientific progress. The Netherlands is a signatory to The International Covenant on Economic, Social and Cultural Rights (CESCR, 1966) which provides, at Article 15, for not only the right to scientific freedom, that is, scientific research, but also that everyone should benefit from scientific research (Hendricks and van Hellemondt 2016, p. 72. The Authors note that although The Netherlands are not signatories to The European Convention on Biomedicines and Human Rights, The Netherlands recognizes that this convention ‘reflects a European standard that is also binding for States that decide not to ratify the treaty’). Beyond the national and international laws are a number of guidelines and codes of practice. For example, the FEDERA Human Tissue and Medical Research, Code of Conduct for Responsible Use,4 and LUMC Code of Conduct for research Integrity. Such codes of conduct include the ethical and responsible requirements of researchers. Thus, like many European countries The Netherlands is a patchwork of legislation, regulations, directives, guidelines, codes of practice, and ethical codes of practice that represent both hard law and soft law.

1

The European Data Protection Supervisor provided an Opinion on data protection and scientific research (2020) which recommended the need for dialogue between data protection authorities and those involved in scientific research. 2 A public consultation in July 2020 considered updating the GDPR Implementation Act through the Data Protection Collective Act. 3 These committees are known as Medical Ethical Assessment Committees (METCs) of which there are around twenty-seven in the Netherlands. If one of these Committees rejects the research there is an appeals process, in particular to the Central Committee on Human-bound Research (CCMO). 4 FEDERA stands for Federation of Dutch Medical Scientific Societies and, this Code of Conduct was produced in 2011.

Netherlands

579

3 Research Exemption Under The Netherlands Patent Act 1995, Article 53 provides for an exception to infringement of a patent when the act is solely serving for research purposes on the patented subject matter. In ICI/Medicopharma5 it was held that infringing activities may only be carried out under Article 53(3) NPA 1995 if justified by the aim of the research. These aims have to be genuine scientific research on the invention, such as investigating whether the invention can be put into practice or investigating whether the invention can be improved. The exemption does not apply for research for commercial purposes, (ARS/Organon).6 The scope of this exemption therefore not only determines how the patented invention works, that is, determines the scope of the invention and its claims, but also whether improvements to the patented invention may be made and whether other inventions can lead to further inventions. This research, however, must be shown to be genuine scientific research and not for commercial purposes.

4 Use/Reuse of Historical Archives of Health Data: Governance Procedures and Policies on the Use and Reuse of Personal Data Like other European jurisdictions the health records are generally held by the national health service providers. However other historical records are maintained by family research websites and, for example museums such as the Museum Boerhaave being, the Dutch National Museum for the History of Science and Medicine. This museum houses a number of archives relating to health data including the Hamilton Health Science (HHS) collection of hospital records. Since the GDPR and the Dutch GDPR Implementing Act relates to living individuals there is no difficulty in using historic health records for research purposes. However, it is important to recognize that the use of personal health records may help decision making, disease management and care coordination decisions within health services. This can be helped by the use of patient healthcare records of those individuals still alive. As a result, there are a number of web-based archives which can be used for these purposes. However, there is no national electronic health record system in The Netherlands. As a result of COVID 19 for example a nation-wide data sharing collaboration was launched in March 2020. All hospitals in The Netherlands were asked to participate and share pseudonymized electronic health record data of critically ill COVID 19 patients. Data sharing agreements were signed by the

5 6

Supreme Court, 18 Dec. 1992, BIE 1993/81 (ICI/Medicopharma). Supreme Court, 23 June 1995, NJ 1996, 463 or BIE 1995/33 (ARS/Organon).

580

H. Christ

participating hospitals before data transfer. These data will undoubtedly be used and re-used in order to determine best practice response for pandemics in the future. Similarly, are the archives produced by biobanks.7 In 2009 The Netherlands introduced the Biobanking and Biomolecular Research Infrastructure for The Netherlands (BBMRI-NL),8 a network of biobanks. The network was established to enhance collaboration between biobanks and the exchange of material and data. The governance of these biobanks therefore consists of a number of mechanisms relating to the practise of the biobanks themselves, often through codes of practice and agreements between them, for example, Material Transfer Agreements. The Netherlands does not have a specific law on biobanks. Like other areas of medical research therefore, governance relies on a network of laws and guidelines, that is, both hard and soft law. For example, the Act on Medical-Scientific Research with Human Beings 1998 regulates the studies in which individuals participate. Also, the Medical Contract Law Act 1995 regulates the contractual relationship between patients and health care providers. Along side these are codes of practice such as FEDERA’s Good Practice Code. The issue of the use and re-use of health care records therefore depends on whether the data subject is alive or dead and the requirements of The Netherlands’ needs for decision-making related to the vital interests of the country.

5 Conservation of Tissues and DNA/RNA Obtained from Tissues How long tissue is retained will inevitably depend on the nature of the research and whether the tissue can be used for further research purposes. Tissue samples come about from three different circumstances. The first is the extraction of samples collected from patients undergoing treatment. The second is samples collected from individuals for specific research purposes. The third is where tissue is collected from post-mortems’ sample collection. The length of time therefore these tissue samples are retained will differ for reasons of tissue collection. The FEDERA code states that an Ethics Committee may review a ‘further use’ proposal relating to samples on the basis that no objection is made. However, central to the code is that storage of the tissue, which includes DNA/RNA, is for the original purpose of the research. The code, therefore, states that ‘The human tissue should be used and stored as described in the protocol and possible Material Transfer

7 The Royal Dutch Academy of Science (KNAW) defined a biobank as ‘A collection of bodily samples with linkage to medical and/or genetic and/or genealogical and/or other data about donors.’ 8 This is a counterpart to the European Network of Biobanks (BBMRI).

Netherlands

581

Agreements’. Within this protocol should be the means of removal of human tissue and its destruction – this is particularly important if a donor withdraws their consent.

6 Biohacking The Netherlands has a number of cybercrime legislation stemming from the Computer Crime Act 1993, Computer Crime II Act 2006, and Computer Crime III Act 2019. These Acts provide extensive legislation on computer crime. Originally hacking a computer was only an offence if someone infringed a security measure. However, the 2006 Act removed the security measure relying upon unlawful entry as its criteria for hacking. Hacking a computer unlawfully is therefore a criminal offence in The Netherlands with a maximum of 4 years imprisonment. There are, however, no specific biohacking laws within The Netherlands. It should be noted that Biohacking, in English, refers to do-it-yourself biology, by which, biohackers make small, incremental diet or lifestyle changes, improving their health and wellbeing.

Reference Hendricks AC, van Hellemondt RE (2016) Regulating privacy and biobanks in The Netherlands. J Law Med Ethics 44(1):68–84. https://doi.org/10.1177/1073110516644200

Poland Joanna Osiejewicz

1 Introduction Biobanks are the basis for the existence of modern medicine. They arouse enormous hope for future research, namely the understanding of many diseases and discoveries on how to treat them. However, the development of health research requires the availability of large collections of well-characterised samples from precisely defined patients. It is also necessary to ensure that samples are stored under conditions that guarantee good access to data as well as protection of donor information. In 2013, the Biobanking and Biomolecular Resources Research Infrastructure ERIC was established based on Art. 187 of the Treaty on the Functioning of the European Union 1 to enable the exchange of biological samples and related data for scientific purposes among European countries. Poland became a full member of this European network in 2016 (Witoń et al. 2017). The Polish Biobank Network, which has been operating since 2017 under the auspices of the Ministry of Science, connects 43 biobanks and is constantly looking to connect new units with it. The network aims to gather Polish scientists involved in the acquisition, collection and research of biological material. The vast majority of biobanks are created in hospitals and are public entities. Some of them are specialised, as in the case of the brain cell biobank (located at the Institute of Psychiatry and Neurology in Warsaw). There are also biobanks run by private entities, for example, pharmaceutical companies and biotechnology companies (Kozera et al. 2018, p. 13).

1

Consolidated version of the Treaty on the Functioning of the European Union. O.J. (C 326).

J. Osiejewicz (✉) University of Warsaw, Warsaw, Poland e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_67

583

584

J. Osiejewicz

2 The Legal Framework The regulation of genetic testing and biobanking has been announced in Poland for the last few years. Currently, these areas are partially regulated by several legal acts2 (Uchańska 2018, p. 1), for example, the Act on Laboratory Diagnostics3 (Dz.U. 2001 nr 100 poz. 1083); the Act on Patient Rights and the Patient Rights Ombudsman4 (Dz.U. 2009 nr 52 poz. 417); the Act on Accreditation in Health Care5; the Act on the Protection of Personal Data6; the Act on the Collection, Storage and Transplantation of Cells, Tissues and Organs 7; the Act on the Information System in Health Care 8; the Act on Medical Activity9; the Act on the Professions of Physician and Dentist10; the Regulation on the Requirements to be Met by a Medical Diagnostic Laboratory11; Regulation on Medical Records 12; the Regulation on Quality Standards for Medical Diagnostic and Microbiological Laboratories13; and the Regulation on the Model Document ‘The right to practice the profession of laboratory diagnostician’. 14 Rules regarding the institution of a biobank or the possibility of obtaining a permit for this type of activity are quite precise. However, the requirements related to the protection of the right to privacy and intimacy or the right to secrecy in the context of genetic research are underregulated,

2 TKP The Law. https://www.traple.pl/2018/07/24/badania-genetyczne-i-biobankowanie-bedamialy-swoja-ustawe/. 3 Ustawa z dnia 27 lipca 2001 r. o diagnostyce laboratoryjnej, Dz.U. 2001 nr 100 poz. 1083. 4 Ustawa z dnia 6 listopada 2008 r. o prawach pacjenta i Rzeczniku Praw Pacjenta, Dz.U. 2009 nr 52 poz. 417. 5 Ustawa z dnia 6 listopada 2008 r. o akredytacji w ochronie zdrowia, Dz.U. 2009 nr 52 poz. 418. 6 Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych, Dz.U. 2018 poz. 1000. 7 Ustawa z dnia 1 lipca 2005 r. o pobieraniu, przechowywaniu i przeszczepianiu komórek, tkanek i narządów, Dz.U. 2005 nr 169 poz. 1411. 8 Ustawa z dnia 28 kwietnia 2011 r. o systemie informacji w ochronie zdrowia, Dz.U. 2011 nr 113 poz. 657. 9 Ustawa z dnia 15 kwietnia 2011 r. o działalności leczniczej, Dz.U. 2011 nr 112 poz. 654. 10 Ustawa z dnia 5 grudnia 1996 r. o zawodach lekarza i lekarza dentysty, Dz.U. 1997 nr 28 poz. 152. 11 Rozporządzenie Ministra Zdrowia z dnia 3 marca 2004 r. w sprawie wymagań, jakim powinno odpowiadać medyczne laboratorium diagnostyczne, Dz.U. 2004 nr 43 poz. 408. 12 Rozporządzenie Ministra Zdrowia z dnia 6 kwietnia 2020 r. w sprawie rodzajów, zakresu i wzorów dokumentacji medycznej oraz sposobu jej przetwarzania, Dz.U. 2020 poz. 666. 13 Rozporządzenie Ministra Zdrowia z dnia 23 marca 2006 r. w sprawie standardów jakości dla medycznych laboratoriów diagnostycznych i mikrobiologicznych, Dz.U. 2006 nr 61 poz. 435. 14 Rozporządzenie Ministra Zdrowia z dnia 16 lipca 2004 r. w sprawie wzoru dokumentu ‘Prawo wykonywania zawodu diagnosty laboratoryjnego’, Dz.U. 2004 nr 182 poz. 1885.

Poland

585

while the protection of special data is unregulated, despite the changes caused by the implementation of the General Data Protection Regulation. 15 Moreover, significant legal problems related to the collection of remuneration for research using human biological material, including genetic research carried out in connection with the conduct of experiments, are still unresolved. In particular, issues related to entities authorised to perform such activities, the procedures applied and the rights of the person from whom the tested material is taken or the rights of persons related to such a person have thus far not been regulated. Issues such as these clearly demonstrate the need for urgent, detailed and prudent regulation of these matters. There is currently no legal definition of biobanks for scientific purposes in Polish law. The definition of a biobank was developed as part of expert work carried out by the Team for Principles of Scientific Research in Biomedicine at the Ministry of Science and Higher Education in 2013–2014 (Łakomiec 2018, p. 106). In this sense, biobank means ‘an organizational unit that conducts the activity in the field of collection (collection, processing, storage), distribution and sharing of biological material and related data for the purposes of scientific research, using the collected resources in a repeated and long-term manner, applying specific procedures, in order to preserve the high quality of accumulated resources and to protect the rights of donors, and having an appropriate supervisory body in the form of a scientific and ethical committee’.16

3 Rights of Researchers, Donors and Patients in Biobanking The Polish law lacks not only specific legal regulations for biobanking but also for conducting biomedical research. The only legal regulation expressly related to the conduct of scientific research involving humans is the Act on the Professions of Physician and Dentist17 (Dz.U. 1997 nr 28 poz. 152). This Act permits scientific research to be conducted on a human being as a medical experiment. However, it does not apply to biobanking and conducting scientific research on a human biological sample. This is due both to the construction of the notion of a medical experiment in Polish law and for historical reasons (Krekora-Zając 2019b, p. 168). Thus, biobank regulation remains based on fundamental constitutional freedoms.

15 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 16 Zespół do Spraw Zasad Prowadzenia Badań Naukowych w Biomedycynie (2015). Wytyczne dotyczące biobankowania. 17 Ustawa z dnia 5 grudnia 1996 r. o zawodach lekarza i lekarza dentysty, Dz.U. 1997 nr 28 poz. 152.

586

J. Osiejewicz

Due to the lack of a specific law on scientific biobanks, the rules regarding the permissibility of their operations and defining the limits of freedom to study human biological samples should be interpreted from the entire legal system (Łakomiec 2014, p. 54). Freedom of scientific research is one of the fundamental human and civil rights that is directly protected in the Constitution of the Republic of Poland18 (Dz.U. 1997 nr 78 poz. 483). Pursuant to Art. 73 of the Constitution, everyone is guaranteed the freedom of artistic creation, scientific research and publication of results, as well as the freedom to teach and use cultural goods. This freedom is associated with the acquisition and dissemination of information, including in the public interest (Królikowski and Szczucki 2016, pp. 1685–1686). The Polish Constitution provides broad protection to entities that exercise the freedom of research. Freedom of research covers not only the scientific activities of scientists whose duties include conducting scientific research but also the activities of other persons who conduct scientific research without formal links with the scientific sector. The guarantees contained in Art. 73 of the Constitution protect natural persons and other legal persons against unjustified state interference in the subject and methods of scientific research as well as the content and methods of teaching. Such broad protection indicates that scientific freedom is a universal value, and its limitation is possible only when it is necessary to protect other constitutional values (Krekora-Zając 2019b, p. 172). The freedom of scientific research may be limited only on the basis of Art. 31 (3) of the Constitution. It is subject to the principle of proportionality. Restrictions may be established by law as occur in a democratic state to guarantee security or public order, the protection of the environment, health and or morals and the freedoms and rights of other people. Apart from this, restrictions may not violate the essence of freedoms and rights (Królikowski and Szczucki 2016, p. 1686). This means that when the legal order does not provide clear boundaries as well as consequences for breaching them, the conduct of scientific research is permissible, and the legislator, public administration and all other entities are obliged to refrain from interfering in this freedom (Krekora-Zając 2019b, p. 173). The concept of scientific research is not defined in the Constitution. Therefore, each entity implementing scientific research in biobanking enjoys constitutional protection. Within the meaning of the Constitution, the freedom of scientific research is protected as a human freedom, without subjective limitations. The researcher is obliged to adhere to ethical principles resulting from codes of good practices and soft law (Królikowski and Szczucki 2016, p. 1685)19 and should take care to preserve the confidentiality of all information that could pose a direct or indirect risk to the 18 Konstytucja Rzeczypospolitej Polskiej z dnia 2 kwietnia 1997 r. uchwalona przez Zgromadzenie Narodowe w dniu 2 kwietnia 1997 r., przyjęta przez Naród w referendum konstytucyjnym w dniu 25 maja 1997 r., podpisana przez Prezydenta Rzeczypospolitej Polskiej w dniu 16 lipca 1997 r., Dz. U. 1997 nr 78 poz. 483. 19 The interests of society or scientific objectives may not prevail over the good of the individual. It is absolutely necessary to pay respect to the dignity of every human being. This extends to respect for the human body and its parts, even after death.

Poland

587

deceased or his or her relatives. The human body or its parts may not constitute a source of financial benefits. Researchers dealing with human biological material may not stigmatise and discriminate against the donors of material, their families or persons belonging to a specific ethnic group. The handling of biological material should be undertaken by experts who are experienced in the collection, processing and storage of biological material and familiar with legal and ethical aspects related to the collection and long-term storage of human biological material and data (Krekora-Zając 2019b, p. 173). Scientific freedom is also protected under Polish private law. The Polish Civil Code20 (Dz.U. 1964 nr 16 poz. 93) in Art. 23 also encompasses non-pecuniary values accompanying scientific, artistic, inventive and rationalising creative activity. The products of scientific research are directly protected by the provisions of Art. 23 and 24 of the Civil Code (Pazdan 2012, pp. 1258–1260). Given that there is no specific law on biobanking and research on human biological samples, donor rights are the subject of the main legal publications on biobanking in Poland. Donor rights are derived from basic human rights and personal rights (Krekora-Zając 2019b, p. 175): the right to privacy as guaranteed in Art. 47 of the Constitution and the informational autonomy of the individual, which is an element of the right to privacy (Art. 51 of the Constitution). In the context of biobanking, the right to privacy21 entails the protection of donor privacy, that is, the protection of donor-related information (Pawlikowski 2015, p. 163). It covers the protection of personal data processing, the protection against discrimination and the right to be informed and not to be informed. These rights have been substantially amended by the GDPR; hence, the GDPR allows restrictions on the rights of the persons from whom the data originates (Krekora-Zając 2019b, p. 177; Krekora-Zając 2019a, pp. 124–143; Marciniak et al. 2018, pp. 73–86; Mednis 2018). This refers, for instance, to the secondary use of personal data for scientific purposes (without obtaining a new consent), limiting the right to be forgotten and limiting the information obligations of the data controller.

20

Ustawa z dnia 23 kwietnia 1964 r. - Kodeks cywilny, Dz.U. 1964 nr 16 poz. 93. The Constitutional Tribunal pointed out that the right to privacy consists of principles and rules related to various spheres of an individual's life, and their common denominator is granting an individual the right to make autonomous choices while limiting external interference in these choices (24 April 1997, K 21/96, OTK ZU 1997, No. 2, item 23). The Constitutional Tribunal also stated (P 56/11) that under Art. 47 of the Constitution, the right to privacy applies to many different spheres of individual activity, protecting a multilevel network of personal rights and, thus, remaining closely related to the detailed regulation contained, inter alia, in Art. 30, 48, 49, 50, 51, 53 (1), 53 (7), and 76 of the Constitution. Thus, the subjective constitutional right to privacy, which constitutes one of the basic elements of the axiology of a democratic state ruled by law, has two aspects. The first is the decision-making autonomy of an individual, understood as the possibility of self-determination over one’s personal life in the objective, subjective and temporal aspect. The second is the informational autonomy of an individual, which guarantees, in particular, the individual's ability to independently determine the spheres of accessibility to other subjects of information about himself. 21

588

J. Osiejewicz

The conditions for processing information about an individual have been of interest to the Constitutional Tribunal for a long time. The Tribunal has expressed its views on the norms expressed in Art. 47 and 51 of the Constitution as well as on their mutual relationship22 (U 3/01; K 41/02; K 4/04). In the opinion of the Constitutional Tribunal, the protection of private life, which is guaranteed in Art. 47 of the Constitution, also includes information autonomy (Art. 51 of the Constitution). This means the right to decide for themselves whether to disclose personal information to others and the right to exercise control over such information if it is in the possession of other entities. The Tribunal stated that Art. 47 and 51 of the Constitution contain norms aimed at protecting the same value, namely the sphere of privacy.23 The right to privacy under the Constitution should be considered as an aggregate of norms (an institution) which, due to the functional bond, consists of norms that shape the subjective rights of an individual and impose certain obligations on the state correlated with these rights (Łakomiec 2014, p. 64; Łakomiec 2018, p. 109). Of high importance is the judgement of the Constitutional Tribunal on genetic information of 11 October 2016 (SK 28/152024) on the principles of collecting biological material for genetic testing (although it concerns criminal proceedings, the remarks on the constitutional rules relating to the processing of genetic information are universal; Łakomiec 2018, p. 109). In that case, it was stated that taking biological material from a human body was an interference with personal inviolability, the essence of which is related to, inter alia, the inviolability of bodily integrity. It should be emphasised that such an intervention was considered to be a non-invasive method of obtaining tissue, that is, taking a smear from the cheek mucosa. The Tribunal specified that this act constituted an interference with personal inviolability (Art. 41 (1) of the Constitution). Further, the Constitutional Tribunal found that the collection of biological material may be considered a restriction of the right to protection of private life. According to the Tribunal: ‘Due to the amount and nature of the information contained in a sample of biological material, in the form of the human genetic code, which contains important data, e.g. on health, origin and hereditary features, obtaining biological material that allows DNA analysis, which is additionally very personal, interferes with the sphere of human privacy, because the mere awareness of the use of genetic information in the future, it may cause stress, anxiety or otherwise adversely affect the mental integrity of a person. As a consequence, the very act of taking a smear from the cheek mucosa constitutes an interference with the privacy sphere of an individual, protected under Art. 47 of the Constitution, primarily in the

22 Judgements of the Constitutional Tribunal: 19 February 2002, U 3/01, OTK-A 2002, No. 1 Pos. 3; 20 November 2002, K 41/02, OTK-A 2002, No. 6, Pos. 83; 20 June 2005, K 4/04, OTK-A 2005, No. 6, Pos. 64. 23 Judgement of the Constitutional Tribunal, 13 December 2011, K 33/08, OTK-A 2011, No 10, Pos. 116.K 33/08. 24 Judgement of the Constitutional Tribunal of 11 October 2016, SK 28/1520, OTK-A 2016, No 79.

Poland

589

aspect of mental integrity and informational autonomy’.25 The Constitutional Tribunal also considered whether the taking of a biological sample constituted an interference with the information autonomy of an individual. In the opinion of the Tribunal, since the content of information autonomy is, inter alia, the right to independently decide whether to disclose information about oneself and to allow everyone the freedom to define the sphere of accessibility to others of their knowledge, the obligation to provide samples of biological material containing important and very personal information, including the genetic code of a human being, constitutes entering the sphere of autonomy understood in this way. The protection resulting from Art. 51 (2) of the Constitution covers any type of information about an individual, regardless of the method of its consolidation, and therefore also genetic information carried by an isolated DNA sample. This is in line with the views of the Supreme Court, which stated that prepared fragments of tissues and organs may constitute medical documentation (V CSK 256/10; Łakomiec 2018, p. 110).

4 Conclusion Polish national legislation provides for little guidance for processing the personal data for research purposes. Genetic testing and biobanking are partially regulated by several legal acts. However, rules regarding the institution of a biobank or the possibility of obtaining a permit for this type of activity are quite precise. Polish regulations and jurisprudential practice raise two important practical problems in the field of biobanking for scientific purposes. One is the obligation to provide donors with information relevant to their health discovered somewhat accidentally as part of conducted research (so-called incidental findings). Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards for the rights and freedoms of the data subject. These safeguards consist in the implementation of technical and organizational measures ensuring compliance with the principle of data minimization. According to Art. 9 of the Act on Patient Rights and Patient Ombudsman, the patient has the right to obtain all information about their health. Such information is needed to be able to make an independent and informed decision about the choice of therapy. Therefore, when a physician receives any information, including research that is relevant to the patient's health, he or she must disclose it to the patient. However, biobanks are not always informed of the discoveries of the scientists to whom they donate samples, and they receive pseudonymous or even non-identifiable data. This makes it difficult to fulfil this legal obligation (KrekoraZając 2019b, p. 177). Another problem is to identify the rights to a human biological sample and the rules for transferring the sample to other research units or researchers. Clear

25

Judgement of the Supreme Court, 9 February 2011, V CSK 256/10, LEX No. 794581.

590

J. Osiejewicz

governance procedures and policies on the use and re-use of tissues (including DNA and RNA data) are not existing. The same refers to biohacking activites. The transfer of samples and data is undertaken based on the Material Transfer Agreement and the Data Transfer Agreement. These contracts are of a model nature. They are prepared by individual biobanks or scientific and medical organisations. They define the rules for submitting a sample or data and set fees, intellectual property rights to the results of tests carried out with the use of samples, copyrights for the publication of the results and the possibility for the recipient to use the samples or data (Krekora-Zając 2019b, p. 178). Patient rights do not protect samples that are no longer needed for diagnostic or therapeutic processes—they will only be classified as medical waste (Krekora-Zając 2019b, p. 179).

References Kozera Ł, Stapagiel D, Gleńska-Olender J, Chróścicka A, Ferdyn K, Skokowski J, Kalinowski L, Pawlikowski J, Marciniak B, Pasterk M, Matera-Witkiewicz A, Lewandowska-Szumieł M, Piast M, Witoń M (2018) Biobankowanie ludzkiego materiału biologicznego dla celów naukowych w Polsce i Europie. Studia Iuridica 73:13–29 Krekora-Zając D (2019a) Biobanki. In: Zielińska E, Boratyńska M, Konieczniak P (eds) Regulacja prawna czynności medycznych. Wolters Kluwer, Warszawa, pp 124–143 Krekora-Zając D (2019b) Legal aspects of biobanking HBS for scientific purposes in Poland. Studia Prawnicze 4:165–184 Królikowski M, Szczucki K (2016) Konstytucja RP. In: Safjan M, Bosek L (eds) Komentarz art.1–86, vol I. C.H. Beck, Warszawa Łakomiec K (2014) Wybrane konstytucyjne aspekty funkcjonowania biobanków populacyjnych. Państwo i Prawo 12:54–64 Łakomiec K (2018) Biobanki w dobie big data z perspektywy prawa konstytucyjnego. Studia Iuridica 72:105–118 Marciniak B, Topolski P, Strapagiel D (2018) Anonimizacja w dobie wielkich danych – sytuacja biobanków w kontekście RODO. Studia Iuridica 73:73–86 Mednis A (2018) Ochrona danych genetycznych jako danych osobowych. Studia Iuridica 73:87– 104 Pawlikowski J (2015) Ochrona prywatności dawców w kontekście biobankowania ludzkiego materiału biologicznego dla celów badań naukowych. In: Nawrot O, Wnukiewicz-Kozłowska A (eds) Temida w dobie rewolucji biotechnologicznej – wybrane problemy bioprawa. Gdańsk, E-Wydawnictwo. Prawnicza i Ekonomiczna Biblioteka Cyfrowa Pazdan M (2012) In: Safjan M (ed) Prawo cywilne – cześć ogólna, vol I. C.H. Beck, Warszawa Uchańska, J. (2018). Badania genetyczne i biobankowanie będą miały swoją ustawę – potrzeba kompleksowej regulacji wreszcie dostrzeżona przez Ministerstwo Zdrowia Witoń M, Strapagiel D, Gleńska-Olender J, Chróścicka A, Ferdyn K, Skokowski J, Kalinowski L, Pawlikowski J, Marciniak, Pasterk M, Matera-Witkiewicz A, Kozera Ł (2017) Organization of BBMRI.pl: the polish biobanking network. Biopreserv Biobank 3:264–269

Portugal Carla Barbosa and Andreia da Costa Andrade

1 Introduction This paper analyses the main issues of biobanks in the Portuguese legal framework. The guiding and conforming principles for the treatment of biological samples and the personal data of participants in scientific research studies are derived from the conjunction of the provisions set out in Convention 108 of the Council of Europe of 28 January 1981 and in the EU Regulation 2016/679 of the European Parliament and the European Council of 26 April 2016 (hereafter the GDPR1) as well as in national law, such as Article 26°/1, Article 35° and Article 73°/4 of the Constitution of the Portuguese Republic (the CPR) and Law n.º 58/2019, of 8 August (ensures the implementation, in the national legal order, of Regulation (EU) 2016/679 of the Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data data); Law n° 21/2014 of 16 April2 and repealing Law n° 73/2015,3 of 27 July, Law on Medical Research (LMR); and Law n° 12/2005 of 26 January on personal genetic data and health data,4 as well as the regulation thereof made by Decree-Law n° 131/2014 of 29 August.5

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 2 Only available in Portuguese. https://files.dre.pt/1s/2014/04/07500/0245002465.pdf. 3 Only available in Portuguese. https://files.dre.pt/1s/2015/07/14400/0502705028.pdf. 4 Diário da República n.° 18/2005, Série I-A de 2005-01-26. https://dre.pt/dre/detalhe/lei/12-200 5-624463. 5 https://files.dre.pt/1s/2014/08/16600/0458704594.pdf. C. Barbosa (✉) · A. da Costa Andrade Centre for Biomedical Law, Faculty of Law-University of Coimbra, Coimbra, Portugal e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_68

591

592

C. Barbosa and A. da Costa Andrade

2 GDPR and Portuguese Legal Framework: Exceptions for Scientific Research In the Portuguese national legislative framework, a definition of scientific research that meets the demand in Recital 159 of the GDPR is not offered in clear and distinct terms. Although a definition of scientific research that spells out the scope of the concept is not advanced, the legislature uses the concept in the normative stipulations pertaining to the theme, as in the case of Article 19°/3 of Law n. ° 12/2005 which limits the establishment of biobanks (or to use the legal expression: biological product banks) to the purpose of health care provision and basic or applied health research. On 8 August 2019, the Portuguese law – Law 58/2019 – that ensures the enforcement in Portugal of the General Data Protection Regulation was published6. Article 31° of Law 58/2019, that ensures implementation of the GDPR in the national Portuguese legal order does not exclusively focus on the subject of the protection of personal data in the context of scientific research using biological samples, but rather refers to it without providing a definition or detailing what should be considered scientific research. Nonetheless, it goes on to recognise that ‘treatment for scientific research purposes shall respect the principle of data minimization and include the anonymization or pseudonymization of the data, provided that the objectives can be achieved by one of these means.’ Within the framework of the GDPR, the national law also states that in these cases, ‘rights of access, rectification, limitation of treatment and opposition provided for in articles 15, 16, 18 and 21 are inhibited where the exercise of those rights has become impossible, in particular in the event of anonymization of the data collected’ or is likely to seriously jeopardise the achievement of the purposes underlying the processing of the data. The national law further states that ‘the general rules on consent, as provided for in the GDPR, apply [to data processing for scientific research], considering that it may cover several research areas, and the ethical standards recognized by the scientific community must be complied with’. In this context, it should also be noted that the national legislature has made no distinction between public-sector or private-sector funded data processing for scientific research purposes, thereby demonstrating an unwillingness to develop the crux of the matter, to wit: public interest linked to scientific research. Thus, the exception provided for in the GPDR is not removed even though it is not being enforced in Portuguese law. The national legislature also does not develop in sufficient detail in national law the concepts of personal data or pseudo-anonymisation but refers to them as set out in Article 4 of the GDPR.

6

Diário da República n.°151/2019, Série I de 2019-08-08. Only available in Portuguese. https://dre. pt/dre/detalhe/lei/58-2019-123815982.

Portugal

593

Whereas the previous national legislation, now repealed, defined in the exact terms of the transposing Directive the concept of personal data, the new proposal does not deal with this particular aspect. The current national data protection law merely states that ‘treatment for scientific research purposes should comply with the principle of data minimization’—without expanding further on the concept – and to ‘include their anonymization or pseudonymization where the aimed ends can be reached by one of these ways’ (Article 31°).

3 Further Processing for Record Purposes in the Public Interest or for Scientific Research The clause in Article 5 (b) of the GDPR is critically important, particularly in the health care research sector, as it admits that further processing for record purposes in the public interest or for scientific, historical research or statistical purposes is not considered to be incompatible with the initial purposes in accordance with Article 89 (1). Article 5/1, e) of the GDPR states that personal data must not be kept in a form that permits the identification of subjects for any longer than is necessary for processing purposes. However, an exception clause has been added that allows personal data processed for scientific research purposes to be kept for longer periods in accordance with Article 89 (1) although the data are subject to the application of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject. The Portuguese legislature has only put forward a general proposal as to the data retention period. In Article 21° of the Law on adaptation to the GPDR, the legislature makes the period of retention of personal data dependent on a legal stipulation or imposition; or in cases in which it is not possible due to the nature and purpose of the treatment to determine in advance the time when data retention is no longer necessary, the preservation of personal data for an unlimited period is lawful. This clearly might be the case with medical scientific research.

4 Conditions for Processing Health, Genetic and Biometric Data The GDPR allows Member States to determine new conditions or limitations on the treatment of special categories of data, such as genetic and biometric health data (and the Portuguese law on the execution of the GDPR does not establish any additional rules for the treatment of genetic data; those that exist were in effect prior to the

594

C. Barbosa and A. da Costa Andrade

GDPR and can be found in Law 12/2005, of 26 January). The Portuguese law merely cites the principle set out in the GDPR on this without adding to it. It is also important to highlight the provisions of Article 31°/ 2 of the law that adapt the GDPR norms, according to which ‘where personal data are processed for purposes of record in the public interest, scientific or historical research or official statistical purposes, the rights of access, rectification, limitation of the processing and opposition provided for in Articles 15, 16, 18 and 21 of the GDPR are undermined where the exercise of those rights has become impossible, namely where the data collected are anonymized, or liable to seriously undermine the attainment of those objectives’. The Portuguese legislature did not recognise within the possibilities for exceptions to the GDPR the right of a data subject within the scope of scientific research purposes to be forgotten (Art. 17 of the GDPR).

5 The Re-Use of Personal Data The Portuguese national law also does not offer solutions for the re-use of data. However, Deliberation 227/2007 of the National Data Protection Commission7 is still relevant, and it indicates that for retrospective scientific investigation of health information extracted from personal data other than samples (clinical records, for example), if there is an absence of consent under the terms indicated, the authorisation for the processing of personal data must be carefully weighed. First, the ‘special situations’ (see paragraph 6 of Article 19 of Law 12/2005 ‘In the case of retrospective use of samples or in special situations’) must be fully detailed and demonstrated (which establishes the impossibility of obtaining consent). These situations must be truly special, and not occurring for greater convenience, advantage, etc. Second, the existence and importance of the public interest of the study or research in question must be unequivocally demonstrated; that is, there is a public interest that must be immediately and directly pursued as a result of the research. This means that the result of the research must immediately materialise and directly relate to the public interest in question, which must have unquestionable importance for the community. It is not enough that the pursues the public interest in an indirect, mediated, reflexive or remote way. In the case of retrospective studies, Law 12/2005 (which, as already mentioned, remains in force) admits that the use of biological material and DNA samples for which the consent of the holder has not been obtained or may not have been obtained due to the amount of data or the previous death of the holder has its legitimacy

7

Deliberation 227/2007 of the Portuguese Data Protection Authority (CNPD) applicable to treatment of personal data in the scope of investigational studies related to healthcare.

Portugal

595

ground for the processing of personal data in the provisions of paragraph 6 of Article 19 of Law no. 12/2005 of 26 January. In this case, the processing of personal data for scientific research fulfils the condition of legitimacy by checking the circumstances of the application of this legal standard.

6 Biobanking in Portugal Portugal has in place a range of legislation regulating the establishment and functioning of biobanks. There is legislation in force to regulate stem cell biobanks,8 biobanks for criminal and civil purposes9 and biobanks (so-called bio-data banks) for health care provision, including disease diagnosis and prevention and basic or health research. Law n° 12/2005 of 26 January (hereafter Law 12/2005) applies to biobanks for research purposes.10 Article 19/1 of Law 12/2005 defines biobanks as ‘any repository of biological samples or their derivatives, with or without limited storage life, whether using prospective harvesting or previously harvested material, or being obtained as part of routine health care, whether in screening programmes, or for research purposes, which must include personally identified, identifiable, anonymized or anonymous samples’. In Portugal, there has recently been a considerable effort and a growing number of initiatives from various universities and research centres to systematise the collection of biological samples and information associated with them. The collections of blood and other biological products and the DNA samples obtained for research

8 With regard to the use of stem cells, we should first consider Law n.° 12/2009 of 26 March (amended by Law n.° 1/2015 of 8 January and Law n.° 99/2017 of 25 August), which establishes the legal regime governing quality and safety relating to the donation, collection, analysis, processing, preservation, storage, distribution and application of human tissues and cells, transposing into the domestic legal order Directive 2004/23/EC of the European Parliament and of the Council of 31 March, 2006/17/EC of the Commission of 8 February and 2006/86/EC of the European Parliament. However, it is the legal provision itself that removes its application with regard to stem cell research. Thus, in all matters relating to stem cell research, we must resort to the general laws regulating clinical research in Portugal, namely Law n.°21/2014 of 16 April. The law regulates clinical research, defined as ‘any systematic study to discover or verify the distribution or effect of health factors, states or outcomes, processes or disease, performance, or safety of interventions or provision of health care’, thus transposing into Portuguese law two European directives (Directive 2001/20/EC of the European Parliament and of the Council of 4 April on the approximation of Member States’ laws, regulations and administrative provisions relating to the application of good clinical practice into the conduct of clinical trials on medicinal products for human use and the partial transposition of Directive 2007/47 / EC of the European Parliament and of the Council of 5 September). 9 Law n° 5/2008 of 12 February, Database of DNA profiles—for purposes of civil and criminal identification, amended by Laws n° 40/2013 of 25 June and Law n° 90/2017 of 22 August. 10 Repealed by Law n° 26/2016 of 22 August and regulated by Decree-Law n° 131/2014 of 29 August.

596

C. Barbosa and A. da Costa Andrade

purposes must be kept for the period necessary for the pursuit of the purposes of collection or further treatment. Genetic information obtainable from tissues when treatment is carried out for the purpose of diagnosis or health research may be kept for a longer period provided that the rules on consent provided for in Decree-Law n° 131/2014 are respected and after issuance of a favourable opinion by the Portuguese Data Protection Authority.

7 Conclusion In light of the untouchable value of the dignity of the human person, the Portuguese legislature considers it lawful to impose special protection duties on scientific research activity in which biological samples and associated data are used. The purpose of regulation is to ensure that scientific research into human health is conducted in a transparent way and in accordance with ethical standards, thereby promoting its excellence and credibility as well as the protection of society and the individual.

Romania Florin I. Mangu and Mircea Criste

1 Introduction This report considers the national legal provisions regarding the processing of personal data, including genetic and biometric data, for scientific purposes, and also their archiving, use and reuse. The report also addresses issues related to human tissue, DNA and RNA obtained from human tissue, and biohacking activities. Romania concerned itself with the adoption, in the national legislation, of the legal provisions necessary for the implementation of the European normative acts in the matter of personal data, legislating three incidental laws in this field. Furthermore, three other normative acts rule the sampling and preservation of DNA and RNA from human tissues, and also the activity of biohacking is regulated.

2 The Legal Framework: Processing of Personal Data for Research Purposes Article 3 of Law no. 190/20181 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the 1

Law no. 190/2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Gazette of F. I. Mangu (✉) · M. Criste Faculty of Law, West University of Timișoara, Timișoara, Romania e-mail: fl[email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_69

597

598

F. I. Mangu and M. Criste

free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation),2 is entitled ‘Processing of genetic data, biometric data or health data’. This article specifies that the processing of genetic, biometric or health data for the purpose of carrying out an automated decision-making process or for creating profiles is permitted with the explicit consent of the data subject or, if the processing is carried out under express legal provisions, with the establishment of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject. Furthermore, the processing of health data carried out for the purpose of ensuring public health, as defined in Regulation (EC) No. 1338/20083 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, cannot be performed later for other purposes by third parties.

3 Policies and Procedures for the Use and Reuse of Personal Data In Romania, the use and re-use of personal data is regulated in different pieces of legislation. Law no. 363 of 28 December 20184 refers to the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, detecting, investigating, prosecuting and combating crime or the execution of punishments, and educational and security measures, and the free movement of these data.

Romania, no. 651 of 26 July 26, 2018. https://www.dataprotection.ro/servlet/ViewDocument?id=1 685. 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1. 3 Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (Text with EEA relevance) OJ L 354. 4 Law no. 363 of 28 December 2018 on Provisions Regarding the Processing of Personal Data by Competent Authorities for the Prevention, Detection, Investigation, Prosecution, and Control of Criminal Offences or the Execution of Sanctions, Education, and Measures, published in the Official Gazette of Romania, no. 13 of 7 January 2019. https://anp.gov.ro/centrul-educativ-targuocna/wp-content/uploads/sites/7/2019/01/Legea-nr.363-din-2018-Privind-protectia-persoanelorfizice-referitor-la-prelucrarea-datelor-cu-caracter-personal.pdf.

Romania

599

Law no. 102 of 3 May 2005 concerns the establishment, organisation and functioning of the National Authority for the Supervision of Personal Data Processing.5 Law no. 190 of 18 July 2018 contains measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). These normative acts clearly establish the rules for the processing of personal data (including the use and reuse of such data), the central body that is given the competence to monitor the processing of such data, the procedures that this body has at its disposal to control the way in which personal data are used, and the prosecution of those who violate the legal provisions.

4 Tissues and the DNA and RNA Obtained from Tissues: Focus on Conservation In Romania, the discipline for the preservation of tissues of human origin is subject to: (a) Law no. 95/2006 on health care reform6, Title VI, on the collection and transplantation of organs, tissues and cells of human origin for therapeutic purposes; (b) the Standards of 12 June 2007 on the selection and evaluation of tissue and cell donors, alert systems and emergency procedures, qualification of staff working in tissue and cell banks, quality systems, import and export of human tissues and cells, and relationships between tissue and cell banks and third parties, which were issued by the Ministry of Public Health7; and (c) the Order of the Ministry of Public Health no. 1763/2007 of 12 October 2007 laying down technical requirements for the donation, sampling, testing, processing, preservation, distribution, coding and traceability of tissues and

5

Law no. 102 of 3 May 2005 on the establishment, organization and functioning of the National Authority for the Supervision of Personal Data Processing, republished in the Official Gazette of Romania, no. 947 of 9 November 2018. https://www.dataprotection.ro/servlet/ViewDocument? id=172. 6 Law no. 95/2006 on healthcare reform, as republished in the Official Gazette, Part I, no. 652 of 28 August 2015. https://www.anm.ro/en/_/DM/LEGI/Titlul%20XX_MD_2016_EN.pdf. 7 Order of the Ministry of Public Health no. 1242 of 12 June 2007, published in the Official Gazette of Romania, no. 543 of 9 August 2007, modified by Order of the Ministry of Public Health no. 1257 of 30 October 2017, published in the Official Gazette of Romania, no. 890 of 13 November 2017, on Standards of 12 June 2007 on the selection and evaluation of tissue and cell donors, alert systems and emergency procedures, qualification of staff of tissue and cell banks, quality systems, import and export of human tissues and cells, and relationships between tissue and cell banks and third parties.

600

F. I. Mangu and M. Criste

cells of human origin used for therapeutic purposes, and the notification of severe adverse events and adverse reactions during their transplant.8 This legislation transposes into the national law Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on the establishment of quality and safety standards for the donation, procurement, control, processing, preservation, storage and distribution of human tissues and cells. The provisions of Directive 2010/53/EU of the European Parliament and of the Council of 7 July 20109 on quality and safety standards for human organs intended for transplantation are also transposed into the national regulatory framework (see arts. 1-3, art. 4(3), art. 5(1), art. 9(1), art. 10, art. 11(1), arts. 12-16, art. 17(1), and (2) (b), (g) and (h), art. 18(1)(a) and (c), art. 20(1), arts. 21-23 and art. 31). According to Order no. 1763/200710, Annex VI to the Technical Requirements, letter b), the storage and delivery of tissues and cells in a tissue or cell bank must meet the following criteria: (a) the maximum storage period must be specified for each type of storage; and (b) the chosen period must take into account the possible deterioration of the required properties for the tissue and cells. This means that there is no general regulation regarding the maximum period for tissue preservation, and there is no specific focus on the DNA and RNA that can be obtained from tissue.

5 Law on Biohacking Activity In Romania, the Criminal Code (Law no. 286/200911), the law implementing the Criminal Code (Law no. 187/201212), and Law no. 76 of 8 April 2008 on the organisation and functioning of the National Judicial Genetic Data System13 represent the general framework for the conditions under which biological samples may

8

Order of the Ministry of Public Health no. 1763/2007 of 12 October 2007 laying down technical requirements for the donation, sampling, testing, processing, preservation, distribution, coding and traceability of tissues and cells of human origin used for therapeutic purposes and the notification of severe adverse events and adverse reactions during their transplant, published in the Official Gazette of Romania, no. 698 of 16 October 2007. 9 Directive 2010/45/EU of the European Parliament and of the Council of 7 July 2010 on standards of quality and safety of human organs intended for transplantation, OJ L 207. 10 Published in the Official Gazette of Romania, no. 698 of 16 October 2007. 11 Criminal Code (Law no. 286/2009), published in the Official Gazette of Romania, no. 510 of 24 July 24, 2009. 12 Law for the implementation of the Criminal Code (Law no. 187/2012), published in the Official Gazette of Romania, no. 757 of 12 November 12, 2012. 13 Published in the Official Gazette of Romania, no. 289 of 14 April 2008.

Romania

601

be taken from certain individuals or from traces left at a crime scene in order to determine genetic profiles. Furthermore, the conditions under which the data included in the National Judicial Genetic Data System can be processed mean that the processing can be carried out: (a) to exclude persons from a circle of suspects and identify the perpetrators of those crimes included in the annex to the Law; (b) to establish the identity of persons who are victims of natural disasters, mass accidents and acts of terrorism; (c) to exchange information with other states and combat cross-border crime; (d) to identify those who have participated in the commission of the offences included in the annex to the Law; and (e) to prevent and combat acts of a sexual nature, or actions exploiting persons or minors. Law no. 187/2012 and Law no. 76/200814 each have the same annex that lists, in a limited way, the offences for which certain biological samples can be taken from an offender, in order to determine his genetic profile and include it in the National Judicial Genetic Data System. Apart from these cases, it is not legal, without the person’s consent, to take biological samples from a human being in order to determine his genetic profile. Moreover, it is not legal to use any biological sample taken from a human being for any purposes other than those provided by the law.

6 Conclusion The legislation in Romania, which was adopted in order to implement the provisions of the European Directives and Regulations in this area, deals with the issues related to the processing and free circulation of biometric data, genetic data, and personal health data, restricting these activities and making them dependent on the explicit consent of the person whose data are used. The power to use and/or reuse these data is given only to the authorities who are legally authorised in this regard. Regarding the time for which tissue can be preserved, there is no general regulation in Romania regarding the maximum period for tissue preservation. There is no specific focus on the DNA and RNA that can be obtained from tissue. Regarding biohacking activity, there are strict legal provisions that establish the conditions under which biological samples may be taken from certain individuals or from traces left at a crime scene, in order to determine genetic profiles, and the conditions under which the data included in the National Judicial Genetic Data System can be processed.

14

Law no. 76 of 8 April 2008 on the organization and functioning of the National Judicial Genetic Data System, published in the Official Gazette of Romania, no. 289 of 14 April 2008.

Slovakia Sabrina Brizioli

1 Introduction In Slovakia, the processing of health data, the rules for research activities in bioethics and the legal–ethical aspects of health care and medical treatment have been subjected to a complex regulatory framework influenced by the international conventions and the European Union law (Sándor et al. 2010). The Constitution of the Slovak Republic guarantees that international treaties on human rights and relevant liberties ratified by the Slovak Republic take precedence over its own laws when they assure greater safeguards of constitutional rights and liberties than does national law.1 The protection against unauthorised collection of data, publication or misuse falls under the constitutional protection of integrity and privacy that ensures the inviolability of the person.2 Slovakia has not adopted any specific or comprehensive regulatory instrument to deal with biobanks despite its legal guardianship of fundamental rights and freedoms built upon the constitution and the legislative provisions on personal and health data. The discipline of biobanks essentially depends on pieces of legislation from different normative patterns, such as laws on data protection and health care and rules on tissues and cells or transplantation.

1 Constitution of the Slovak Republic, Art. 7(5): ‘International treaties on human rights and fundamental freedoms and international treaties for whose a law is not necessary, and international treaties which directly confer rights or impose duties on natural personas or legal persons and which were ratified and promulgated in the way laid down by a law shall have precedence over laws’. 2 Ibid., Art. 16: ‘The right of every individual to integrity and privacy shall be guaranteed. The right may be restricted only in cases specifically provided by a law’.

S. Brizioli (✉) Department of Law, University of Perugia, Perugia, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_70

603

604

S. Brizioli

2 Data Protection and the Research Exception The Constitution of the Slovak Republic states fundamental rights and freedoms, giving particular attention to the collection and processing of personal data. The right to protection against unauthorised interference in private and family life and the inviolability of the person are guaranteed by Art. 16-19(2-3)3 and are integrated by the regulatory framework for data protection.4 The protection of rights,5 the discipline of obligations and the responsibility during the processing of the personal data of natural persons are now the objective of the current Data Protection Act that came into force on 25 May 2018.6 On the one hand, the Data Protection Act duplicates the provisions of the Regulation (EU) 2016/ 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR)7—which is directly applicable in Slovakia—while, on the other hand, the national provisions contain exceptions and derogations. The rationale behind the adoption of certain exceptions is that peculiar areas and activities may fall outside the scope of the European Union law; it is also questionable whether the GDPR takes precedence over national law in the case of health care and health data as well as their processing for research scopes.

3 Ibid., Art. 19 (2): ‘Everyone shall have the right to be free from unjustified interference in his or her private and family life’; Art. 19 (3): ‘Everyone shall have the right to be protected against unjustified collection, disclosure and other misuse of his or her personal data’. 4 The processing of personal data and collection was originally regulated by the Personal Data Protection Act (Act. No. 122/2013) complemented and amended by other implementation decrees. https://dataprotection.gov.sk/uoou/sites/default/files/kcfinder/files/Act_122-2013_84-2014_en.pdf. The updated law is the Personal Data Protection Act (Act. No. 18/2018). https://dataprotection. gov.sk/uoou/sites/default/files/2019_10_03_act_18_2018_on_personal_data_protection_and_ amending_and_supplementing_certain_acts.pdf#overlay-context=sk/content/18201 8#overlaycontext=sk/content/182018%22. 5 The Data Protection Act regulates (a) the protection of the rights of natural persons against unauthorised processing of their personal data; (b) the rights, obligations and responsibility during processing of personal data of natural persons; and (c) the status, activity and organisations of the Office for Personal Data Protection of the Slovak Republic (Art. 1, Section 1). 6 According to the Data Protection Act, Section 5 ‘Definitions’, lett. e), the ‘processing of personal data’ means a ‘processing operation or set of processing operations which is performed on personal data or on sets of personal data, whether or not by automated means, particularly for collection, recording, organisation, structuring, storage, alteration, retrieval consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure. 7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1 (hereinafter referred to as GDPR).

Slovakia

605

The Slovak national legislation seems to mimic the GDPR’s definitions8 and guarantees the free movement of personal data between the Slovak Republic and the Member States as long as transfers respect the protection of fundamental rights of natural persons, namely the right to privacy in connection with the processing of personal data.9 The Data Protection Act lists some relevant principles concerning the processing of personal data, namely the principle of lawful treatment of data, the principle of purpose limitation and that of data minimisation.10 The joint reading of these provisions reveals that personal data should be processed lawfully and without any infringement of the fundamental rights of the data subject. When the processing of personal data is based on the data subject’s consent,11 the controller12 is responsible to demonstrate that the data subject has consented to the processing of personal data and such consent must be made in an accessible, clear and understandable form.13 The collection of data should be for specific, explicit and legitimate purposes; further processing of personal data to achieve the scopes of scientific or historical research shall not be incompatible with the initial intent.14 The principle of data minimisation also expresses the need to limit the processing of data for specific purposes, and together with the principle of accuracy, it aims to ensure a reasonable and efficient use of data, including erasure and rectification without delay at the end of the collecting process.15 The processing of personal data that is essential pursuant to a special regulation or international treaty binding upon the Slovak Republic or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is subject to special laws that shall lay down the scope of the processing, the list of personal data processed and the category of data subjects.16 The centrality of the consent of the data subject emerges when the purpose of the processing of personal data is different from the purpose for which the personal data

For example, the inclusion of definitions such as ‘restriction of processing’ or ‘pseudonymisation’; Section 5 lett. f ) and h) of the Data Protection Act. 9 Ibid., Section 4. 10 Ibid., Chapter two, title one, Sections 6-18. 11 Ibid., Section 5, lett. a), ‘consent of the data subject’ means ‘any serious and freely given, specific, informed and unambiguous indication of data subject’s wishes by which he or she, by a statement of or by a clear affirmative action, signifies agreement to the processing of personal data relating to such data subject’. 12 The Data Protection Act describes the controller as anyone ‘who determines the purposes and means of the processing of personal data’. The controller’s role and functions are determined by special regulation or international treaty binding upon the Slovak Republic. Ibid., Section 5, lett. o). 13 Ibid., Section 14 (1,2). 14 Ibid., Section 7 ‘Principle of purpose limitation’. 15 Ibid., Section 8 ‘Principle of data minimisation’ and 9 ‘Principle of Accuracy’. 16 Ibid., Section 13 (2). 8

606

S. Brizioli

were collected or the processing is requested by special regulations. In this case, the controller shall ascertain whether processing for the additional purpose is compatible with the initial consent that was given at the beginning of the collecting activities.17 The law expressly states that the controller shall take into account the original purpose and how it relates to the intended further processing of personal data, the possible consequences for the subject, the context in which the personal data were collected, the nature of the personal data18 and the existence of appropriate safeguards that may include encryption or pseudonymisation. Section 16 affirms the prohibition on the processing of special categories of personal data, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data and data concerning health or a natural person’s sex life or sexual orientation. However, the prohibition does not apply to a well-determined set of situations; for example, the data subject has given explicit consent to the processing of personal data for at least one specific purpose but the consent is considered to be invalid; consent is excluded by a special regulation; or processing of the personal data is necessary to protect the life, health or property of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent. The most relevant exception refers to research purposes, jointly with archiving, historical or statistical purposes, as required by an Act, special regulation or international treaty binding upon the Slovak Republic. In this case, the processing shall be appropriate and in compliance with the law protecting personal data in order to safeguard the fundamental rights and interests of the data subject.19 According to section 23, the data subject has the right to obtain from the controller the erasure of personal data about him or her without undue delay, and the controller has the obligation to erase personal data when this right is exercised. Despite this, such a rule does not operate when the processing is necessary for selected scopes, among which is scientific purposes.20 The mentioned set of rules is completed by the dispositions of the Health Care Act (Act no. 576/2004 on healthcare, services related to the provision of health and on the amendment and modification of some other laws).21 The Health Care Act governs health care with special emphasis on informed consent and health records, and it adopts a broad significance for health care, including health services and medical aids.

17

Ibid., Section 13 (3). Pursuant to Section 16 or personal data related to criminal convictions and offences processed pursuant to Section 17. 19 Ibid., Section 16 (2) lett. k). 20 Ibid., Section 23 (4) lett. d ). 21 Health Policy Institute, Slovak Health Reform. Reform Laws, 2005, Bratislava, p. 4. http://www. hpi.sk/cdata/Documents/reform_laws.pdf. 18

Slovakia

607

The Heath care Act lays down the necessity of obtaining the informed consent of the patient, considered as the ‘demonstrable approval preceded by the provision of clear information’.22 In this context, the discipline of medical records is relevant, that is, summary data (name, anamnesis, extent of the health care provided, identification of the provider, etc)23 that are not subject to ownership; each patient must express prior consent (in person or through a legal representative) when his/her portfolio of a practice is transferred. The law defines the way health records are consulted and how accession is performed by third parties by virtue of their profession or to safeguard the state of health of the person in danger (e.g., in case of psychiatric patients).24 One section of the act is devoted to biomedicine research to govern the mechanism of research approval, the subjects involved as research participants and the extent of informed consent. The reform of health legislation also contributed to the creation of a ‘new milieu’ for medicine and health care by requiring the establishment of ethics committees to deal with ethical problems connected to heath care provision (Steinkamp et al. 2007). The Health Care Act also asked for the establishment of regional ethics committees to address the ethical problems of health care, public health and biomedical research at the regional level (Steinkamp et al. 2007, p. 467).

3 Biobanking in Slovakia Slovakia does not have domestic legislation on biobanks (Nordberg 2021), and the development of biobanking for research has followed the systemic transformation of the Slovak health care and biomedical research that brought the organisation of human cell and tissue banking for health (Glasa 2000). Similar to other countries in Western Europe, the improvement of biobanking activities has been accompanied by ethical and legislative changes that have been essential to enhance international exchanges and collaboration. A special role is reserved to the discipline of donation and transplantation that has as its main aspects the respect of donors and recipients and the exchange of tissues and genetic material. In 2007, Slovakia implemented the European Directives concerning the requirements for protection of human rights and privacy, the assurance of confidentiality for any health-related information, the traceability of donations and the distribution of tissues and cells (European Directives 23/2004/EC,17/2006/EC, 86/2006/EC). In this context, the Ministry of Health was appointed as the competent authority for tissues and cells (Bárd and Sándor 2009, p. 28). Activities are coordinated by the Slovak Centre for Organ Transplantations (SCOT) to guarantee traceability and

22

Ibid. Ibid., p. 5. 24 Ibid., p. 6. 23

608

S. Brizioli

privacy protection. SCOT has established a new centralised computer information system called Transplantation Information System Slovakia (TISS) to ameliorate privacy protection and confidentiality and ensure the traceability of cells, organs and tissues (Bárd and Sándor 2009, p. 28). But the lack of robust biobanking facilities and the absence of appropriate funding, coordination and standardisation of procedures risks hampering participation in international research and negatively affecting the conduct of scientific projects. In 2017, a multi-stakeholder initiative was begun to articulate a national system of biobanks, to help the existing Slovak infrastructures to comply with European and international standards and to provide legal certainty in biomedical research and health care legislation. In fact, most of the collections of human cells and tissues grown in hospital and university clinical pathology departments were used in health care by national clinical institutes or for diagnostic purposes (Glasa et al. 2020). The 2017 initiative moved from the idea that biobanking is a prerequisite for biomedical research to recognition of these collections as a national resource that should have been integrated by other collections used for clinical drug trials and prospective population studies. From the normative and legal perspective, a robust set of rules is needed to regulate the establishment of biobanks, their scope, the research of ethics committees and the adjustment of existing legal provisions. Moreover, significant adjustments are essential in the sphere of informed consent and to make possible the transfer of ‘older samples’ to subsequent research activities and/or different research purposes. In 2018, Slovakia joined the international research infrastructure ECRIN (European Clinical Research Infrastructure Network)25 and the Slovak Clinical Research Infrastructure Network, a national research infrastructure network connecting hospitals, universities and scientific institutions involved in academic clinical research, and gained the status of observer.26 An expert Working Group set up by the Institute for Research and Development started intense drafting work on biobanking legislation, but the proposal of a special law on biobanks took second place behind the necessity of a substantial amendment to the biomedical research legislation and the framing of legal provisions on research ethics and informed consent (Glasa et al. 2020).

25 See ECRIN’s organization model: members & observers. https://ecrin.org/who-we-are/membersobservers 26 More information about SLOVACRIN. https://slovacrin.sk/en/about-us/what-is-slovacrin/

Slovakia

609

4 Conclusion Some special purposes, such as processing of personal data for historical research, archiving and scientific scopes, derogate from some principles and rights in Slovakia (i.e., right to access, right to rectification, right to restriction, right to object and, in case of archiving purposes, also the right to portability). However, the Data Protection Act in Slovakia provides appropriate safeguards that ensure technical and organisational measures, namely data minimisation and data pseudonymisation. An additional exemption relates to health data, which are considered as a special category of personal data when the processing is necessary for providing healthcare, public interest, scientific or historical research and it is proportionate with respect to the scope. The role of biobanking as a source of data and expertise is crucial but it should be strengthened. Existing structures need to be upgraded to achieve technical, legal and professional standards, and the comprehensive restyling of the current Slovak biomedical research is a priority. This could represent the lynch pin for the making of a legal framework for future local biobanks. The successful completion of such an institutional shift could support appropriate domestic research and foster involvement in high-quality international research partnerships.

References Bárd P, Sándor J (2009) Anonymisation and pseudonymisation as means of privacy protection. In: Beier K, Schnorrer S, Hoppe N, Lenk C (eds) The ethical and legal regulation of biobank research in Europe, Proceedings of the Tiss. EU Project. Universitätverlag Göttingen, pp 25–34 Glasa J (2000) Bioethics and the challenges of a society in transition: the birth and development of bioethics in post-totalitarian Slovakia. Kennedy Inst Ethics J 10:165–170. https://doi.org/10. 1353/ken.2000.0012 Glasa J, Kollár D, Čvapek P, Glasová H, Antošvá M, Pella D, Kvietiková I (2020) Establishing a national biobank. Biobanking infrastructure initiative in Slovakia – Public policy, legal and ethical issues. Heath Policy Technol 9:53–55 Nordberg A (2021) Biobank and biomedical research: responsibilities of controllers and processors under the EU general data protection regulation. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 61–89. https://doi.org/10.1007/978-3-030-49388-2 Sándor J, Schvéger J, Bárd P (2010) The legal regulation of biobanks: National report: Slovakia (Celab Paper Series No. 13). Center Ethics Law Biomed (CELAB) 13:3–16 Steinkamp N, Gordijn B, Borovecki A, Gefenas E, Glasa J, Guerrier M, Meulenbergs T, Różyńska J, Slowther A (2007) Regulation of healthcare ethics committees in Europe. Med Health Care Philos 10:461–475. https://doi.org/10.1007/s11019-007-9054-6

Slovenia Tunjica Petrašević and Romana Ćosić

1 Introduction In 2007 Slovenia adopted the Act on quality and safety of human tissues and cells intended for medical treatment (hereinafter Act on Human Tissues).1 The Act on Human Tissues is compatible with the requirements and obligations of Directive 2004/23/EC2 and the Commission Directive 2006/17/EC (8 February 2006) implementing the Directive 2004/23/EC.3 Some legal provisions on biomedical research are also included in the actual Penal Code. (Beier et al. 2011, p. 75).

This paper is a product of work that has been supported by the Faculty of Law Osijek Josip Juraj Strossmayer University of Osijek under the project “Artificial intelligence and criminal law” (IP-PRAVOS-18). 1

Act on quality and safety of human tissues and cells intended for medical treatment, Zakon o kakovosti in varnosti človeških tkiv in celic, namenjenih za zdravljenje, Official Gazette of the Republic of Slovenia No. 61/07. http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO4666 (unofficial translation). 2 Directive 2004/23/EC of the European Parliament and the Council of Europe (31 March 2004) on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells, O.J. (L 102). 3 Commission directive 2006/17/EC of 8 February 2006 implementing Directive 2004/23/EC of the European Parliament and of the Council as regards certain technical requirements for the donation, procurement and testing of human tissues and cells, O.J. (L 330M). T. Petrašević (✉) Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia e-mail: [email protected] R. Ćosić Faculty of Law Osijek, Josip Juraj Strossmayer - University of Osijek, Osijek, Croatia Municipal Court in Vukovar, Vukovar, Croatia © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_71

611

612

T. Petrašević and R. Ćosić

Regulation (EU) 2016/679 (GDPR) must be taken into account with respect to data protection at the EU level, and although European regulations are directly applicable in the Member States, Slovenia has its own Personal Data Protection Act (Zakon o varstvu osebnih podatkov 2007)4 that deals with the processing of personal data. In the next few paragraphs, this analysis explores these aforementioned acts adopted in Slovenia to establish rules for human tissue issues and the processing of personal health data in the context of scientific research.

2 Human tissue The Slovenian Act on Human Tissues regulates the standards of quality and safety in the use of human tissues and cells in order to ensure a high level of protection of human health in the Republic of Slovenia (Art.1). According to Articles 17, 18 and 19 of the Act on Human Tissues, all data of donors, recipients, tissues and cells, particularly identification data, data on age, sex and medical and family history, should be maintained in the database of the tissue bank. This Act establishes that such data must be kept for at least 30 years after the transplantation of tissues and cells. The Act on Human Tissues does not prescribe a timeframe and deadlines for the conservation of human tissues. It also does not specify how many times tissues can be conserved. However, Article 32 of the Act underlines that unused tissues and cells shall be stored, transported and disposed of in a manner determined by the Minister in a regulation that duly complies with Directive 2004/23. The tissue and cell institution must notify Slovenia transplant of unused or destroyed tissues and cells. Thus, it is possible to conclude that tissue banks should take care of unused tissues and cells and destroy them after they have been unused for some time, but the timeframe for that isn’t set in stone. In addition to data processing and conservation of human tissues, two other issues are relevant under the Act on Human Tissues. Unlike Directive 2004/23/EZ, according to which states seek to ensure voluntary and free donation of tissues and cells but donors may receive compensation that is strictly limited to costs and interruptions related to donation, the Slovenian Act on Human Tissues in Article 13 explicitly states that human tissue donation is voluntary and unpaid. Keeping this in mind, special attention should be paid to the type of consent asked of the donor and the recipient. As stated in Articles 14 and 31 of the Act on Human Tissues, both the donor and the recipient of tissues or cells shall confirm in writing that they have been informed of the procedure for treatment with tissues or cells and

4

Personal Data Protection Act 2007, Zakon o varstvu osebnih podatkov, Official Gazette of the Republic of Slovenia, No. 94/07 and amendments.

Slovenia

613

possible consequences and that they have consented to it. Thus, informed consent must be given to donate and/or receive human tissues or cells in Slovenia.

3 Processing of Personal Data for Research Purposes The GDPR is now directly applied in Slovenia, that is, without any changes to domestic legal acts (Vrebec 2020, p. 121). In 2005, Slovenia enacted Zakon o varstvu osebnih podatkov (Personal Data Protection Act 2004)5 that determines the rights, obligations, principles and measures that prevent unconstitutional, illegal and unjustified encroachments on the privacy and dignity of an individual in the processing of personal data. This Act is also relevant for the processing of personal data for research purposes. Pursuant to Article 17 of this Act, personal data may be further processed for historical, statistical and scientific research purposes regardless of the original purpose of collection (Personal Data Protection Act 2004). However, there are differences in the way in which data can be processed. Data would be processed without anonymization if the data subject had previously given written consent that his or her data can be processed without anonymization. Otherwise, data should be transmitted to the user of personal data in an anonymised form. After data has been used in historical, statistical or scientific research, it shall be destroyed at the end of processing. Article 6 of the Personal Data Protection Act defines biometric characteristics as physical, physiological and behavioural characteristics that all individuals have but that are unique and permanent for each individual and from which it is possible to determine the identity of the individual, especially using a fingerprint, image of papillary lines from the finger, iris, retina, face, ears, deoxyribonucleic acid and characteristic posture. Biometric measures of biometric characteristics, that is, data, in the public sector may be determined by law only if this is strictly necessary. This safeguards the security of people or property or is intended to protect classified information and business secrets. Such a purpose cannot be achieved by milder means, and in the private sector, the use of the data is allowed only if strictly necessary for the performance of activities, for the security of people or property or for the protection of classified information or business secrets. In this case, employees need to be notified in writing in advance. (Personal Data Protection Act 2004) Another piece of legislation is Zakon o arhivskem gradivu, ki vsebuje osebne podatke o zdravljenju pacienta (entered into force on 12 January 2017) that acts as a special legal act (Act Regulating Archives Containing Personal Data from Medical

5

Personal Data Protection Act 2004, Zakon o varstvu osebnih podatkov, Official Gazette of the Republic of Slovenia, No. 86/04 and amendments. http://pisrs.si/Pis.web/pregledPredpisa?id= ZAKO3906#.

614

T. Petrašević and R. Ćosić

Records).6 According to the Article 6 of this Act, archival material located in public archives shall be available to researchers for the purposes of scientific research on the basis of: the written consent of the patient, the written consent of the patient’s legal heirs after the death of the patient or the grant of access by the Commission in the case of databases from which it is not possible to deduce the identity of an individual patient even with disproportionate effort, cost or time if access is justified on grounds of public interest in the advancement of scientific progress. Either way, access to the archival material must be adequate and appropriate regarding the purpose and scope of the conducted research. It is interesting to note that both the Personal Data Protection Act and the Act on Archives contain regulations on punishment in case the provisions of these respective laws are violated.

4 Conclusion Slovenia is the only EU Member State that has yet to adopt GDPR implementing law, so the regulatory framework is basically composed of the Private Data Protection Act, which is in force but derogated by the provisions of the GDPR that are directly applicable and prevail over domestic law. Thus, Slovenia has its own laws dealing with personal data protection for scientific research, and in the near future it is likely to consider the adoption of a new version (Draft on Personal Data Protection Act 20197) of this mentioned law. Current law defines biometric data and very restrictively prescribes measures for their use, both in the public and private sectors. Slovenia has its own law on the use of historical archives of health data, prescribing that archives of health data can be used for scientific research. The preconditions for utilisation of the archives are: (a) written consent of the patient or of legal heirs; (b) access that is granted on the grounds of public interest in the advancement of scientific progress. The use of medical data by archives is strictly limited to the purpose for which access to the data was granted, and any disposition of such collected data outside the stated purpose is punishable. The Slovenian Act on Human Tissues does not set a timeframe or deadlines for the conservation of human tissues. Furthermore, this Act does not specify how many times tissues could be conserved. But in this context, informed consent is required for all stages by both donors and recipients of human tissues or cells. A comparison of all the mentioned Slovenian legal acts makers it possible to conclude that written and informed consent is the minimum that is required when it

6

Act Regulating Archives Containing Personal Data from Medical Records, Zakon o arhivskem gradivu, ki vsebuje osebne podatke o zdravljenju pacienta, Official Gazette of the Republic of Slovenia, No. 85/16. http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7541. 7 Predlog Zakon o varstvu osebnih podatkov from 6th September 2019, Vlada Republike Slovenije. https://e-uprava.gov.si/.download/edemokracija/datotekaVsebina/380981?disposition=inline.

Slovenia

615

comes to the processing of private data, whether we are dealing with health data or other private data used for research purposes. According to the GDPR, informed consent is also a basic requirement. How the further development of Slovenian law will proceed in this area remains to be seen.

References Beier K, Schnorrer S, Hoppe N, Lenk C (2011) The ethical and legal regulation of human tissue and biobank research in Europe. Proceedings of the Tiss.EU Project. Universitätsverlag Göttingen Vrebec HU (2020) Slovenia: Introduction to the most recent public draft of the GDPR implementing law. Eur Data Protection Law Rev 6:121–127. https://doi.org/10.21552/edpl/ 2020/1/16

Spain Joaquín Sarrión Esteve

1 Introduction According to the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereafter GDPR1) three categories of data are concerned, namely health, genetic and biometric data, which have as a common aspect that the data is obtained from the physical or psychic spheres of individuals (Gómez Sánchez 2021). When linked to privacy, these data are also considered sensitive (Sarrión Esteve 2018), and this makes it even more important to provide safeguards for their processing finalised to (scientific) research purposes. This study aims to analyse the Spanish legislation for the processing of health data for research purposes with a particular focus on biobanking activity related to research. Taking into account the international and Spanish legal framework, it is necessary to distinguish between two types of biomedical research activities: (a) the use of human biological material or samples and (b) the use or processing of health

This work is realised under the Grant RYC-2015-18821 funded by MCIN/AEI/10.13039/ 501100011033 and by ESF ‘Investing in your future’; and UNED research project TrascenRights ref. 096-034298. Disclaimer: the author is currently an expert member of the Technical Commission of the Spanish National Bank on Cell Lines (BNLC), but his opinions and reflections are only personal and do not reflect, in any way, the views or positions of the Commission. 1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. 4.5.2016 L 119/1.

J. Sarrión Esteve (✉) Constitutional Law Department - Faculty of Law- National University of Distance Education (UNED), Madrid, Spain e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_72

617

618

J. Sarrión Esteve

data, including the use of information generated from the analysis of the biological material and associated information. For the purposes of the present study, a wide definition of ‘health data’ is used, that is, it includes not only data related to health but also genetic and biometric data (European Commission 2021);2 and scientific research is intended to be interpreted in a broad manner (Gómez Sánchez 2021). In addition, even though this analysis points out the specificities of Spanish biobanks and their legal framework, it is evident that samples stored in biobanks have related data for which processing3 falls directly under the provisions of the GDPR. Despite the current Spanish Data Protection Act (entered into force 7 December 2018; the SDPA)4 that tackles special categories5 of data, these latter types of data are regulated in a different way than the processing of health data (Gómez Sánchez 2021, p. 1044). In fact, the SDPA does not refer to biological samples and, therefore, its provisions apply to data related to samples and not to the sample itself. Article 9(2) SDPA stipulates that the processing of data covered in letters (g), (h) and (i) of Article 9 GDPR must be funded under Spanish legislation (and act with position of law) that can include additional requirements related to security and confidentiality. Article 9(2) also specifies that the SDPA may cover the processing of health data when necessary for health and social care systems and services (both public and private) and/or the execution of an insurance contract. The Act includes a specific provision (additional provision 17) entitled ‘Health data treatments’ (Tratamientos de datos de salud) which acknowledges that the processing of health- and geneticrelated data regulated in the previous Spanish legislation is covered by letters (g), (h), (i) and (j) of Article 9(2) GDPR. This includes—withing letter (j)—the processing of health data regulated in the Biomedical Research Act. In addition, Article 9(2) of the SDPA establishes the guarantees and criteria for the processing of health data. Moreover, additional provision 17 (2) of the Data Protection Act covers the processing of personal data in health research, particularly biomedical research, developing the legal bases that can cover this processing of health data.6

2

It is usual to use a wide concept of health data including genetic and biometric data. In fact, in some reports it is usual to use a wider concept of health data, including any data generated in the context of healthcare including non-sensitive data. 3 As is known, the GDPR provides a legal concept of ‘processing’, meaning any operation or set of operations which are performed on personal data or on sets of personal data (see Art. 4(2) GDPR). 4 Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (the Spanish Data Protection Act, Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales). 5 Although Article 9 does not include a specific catalogue of special data, one may suggest that the Spanish Act endorses the categories included in the GDPR. 6 Despite the attempts of the Spanish legislature to specify that the pre-existing Spanish health and biomedical research legislation covers the processing of health data, adding some guarantees in the

Spain

619

2 The Subject’s Consent Although Article 9(1) SDPA maintains the general prohibition on the processing of several special categories of data, this is not applicable for health data (including genetic and biometric data). It seems possible to affirm that the Spanish Act overcomes the prohibition on the processing of these categories based on the explicit consent of the data subject. Therefore, the processing of health data (including not only data related to health but also genetic and biometric data) based exclusively on the initial data subject’s consent for scientific research is lawful in Spain. Additional provision 17 2(b) of the Data Protection Act includes the criteria for the processing of health data for health research based on the subject’s consent: the subject or his/her legal representative may give consent for the use of data for the purposes of health research and, particularly, for biomedical research. It is stated that health research and biomedical issues may include ‘categories related to general areas linked to a medical or research specialty’. A close look at this provision suggests that it covers broad consent, thereby facilitating related future research (Martínez Martínez and Álvarez Rigaudias 2019).

3 Secondary Use Secondary use can be understood as any use not directly related to the initial purpose for which consent was obtained. Under the Spanish legislation, the specific initial consent can be given in a broader or flexible way that covers more than a specific research purpose and may include ‘categories related to general areas linked to a medical or research specialty’. Thus, the initial purpose can be very open (see additional provision 17 2(b) of the Spanish Data Protection Act) as analysed in Sect. 2. The SDPA in additional provision 17 2(c) considers the re-use of personal data for other health and biomedical research purposes, and it specifies that re-use can occur ‘when, having obtained consent for a specific purpose, the data are used for purposes or research areas related to the area in which the initial study was scientifically integrated’. This provision recognises that secondary use is lawful, but it requires a connection to the research area of the project for which the initial consent was given. Processing under this provision is clearly required without pseudonymisation (Martínez Martínez and Álvarez Rigaudias 2019, p. 281),

additional provision, concerns regarding the lack of a specific law on processing of health data remain. SESPAS, Valoración de la Ley Orgánica 3/2018, de 5 de Diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales en lo que hace al tratamiento de datos de salud, prepared by J. L. Beltrán Aguirre, and adopted by SESPAS in February 2019. https://sespas. es/wp-content/uploads/2019/02/Valoraci%C3%B3n-nueva-LOPD-febrero-2019.pdf.

620

J. Sarrión Esteve

although minimisation must always be guaranteed when processing data (Art. 5(1) (c) GDPR). In this context, data controllers shall publish in an easily accessible place on the corporate website of the centre where the research is conducted the information provided in Article 13 of the GDPR with regard to the processing of personal data and on freedom of data and, when appropriate, publish the information on the website of the sponsor and shall also by electronic means notify the persons affected of the existence of this information.7 It is also possible that the secondary use of data or further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes can be considered compatible with the initial purposes (Article 5(b) GDPR) without taking into account the initial legal base for the processing when the processing is made in accordance with Article 89(1) GDPR (with pseudonymisation guarantees). In this regard, the Spanish Data Protection Act specifies the lawful processing of pseudonymised data for health research and particularly, biomedical research with some guarantees (see Sect. 5). In addition, the 16th provision of the Spanish Data Protection Act covers and considers ‘secondary use’ to be lawful, including the further processing in health and biomedical research of data lawfully collected (historical archives) before the entry into force of the Act. In this case, the following requirements must be met: (a) personal data may be used for the specific purpose for which the consent was given; and (b) having obtained consent for a specific purpose, the data are used for purposes or areas of research related to the initial research (in similar terms to the additional provision 17(2)(c) (Nicolás Jiménez 2021).8

4 Public Health Interest Research by Public Health Authorities According to additional provision 17(2)(b) of the Data Protection Act, in accordance with 9(2) (i) GDPR, ‘Health authorities and public institutions with competence in public health surveillance may carry out scientific studies without the consent of those affected in situations of exceptional relevance and severity for public health’. This legal basis is exceptional and, therefore, as a special provision, only applies to special situations of health crisis, such as the recent COVID-19 crisis (Troncoso Reigada 2021).

7

Moreover, when persons affected do not have the means to access such information, they may request its transmission in another format. 8 The aim of this provision is to outline the secondary use of data collected with the legal basis of initial consent that occurred prior to the new regulation.

Spain

621

5 The Use of Pseudonymised Data As noted before, the Spanish Data Protection Act specifies the lawful processing of pseudonymised data for health research and, particularly, biomedical research with some guarantees: (1) a technical and functional separation between the research team and those who carry out the pseudonymisation and preserve the information that makes the re-identification of the data subject possible (additional provision 17 2(d) (1) Data Protection Act); (2) the pseudonymised data may only be accessible to the research team when there is an explicit commitment to confidentiality and that no re-identification activity will be carried out; (3) to adopt specific security measures to prevent the re-identification and access of unauthorised third parties to data (additional provision 17 2(d)(2) Data Protection Act). Nevertheless, re-identification is allowed when the result of a research project reveals a real and specific risk to the safety or health of a person or a group of people, or a serious threat to their rights, or if it is necessary to ensure adequate health care (additional provision 17(2)(d) in fine, Data Protection Act). In addition, the processing of personal data for the purposes of health research (especially biomedical research) and pursuant to Article 89(2) GDPR may derogate from the rights covered in Articles 15, 16, 18 and 21 GDPR. In particular, this occurs: (a) when the aforementioned rights are directly exercised before researchers or research centres that use anonymised or pseudonymised data; (b) the exercise of such rights refers to the results of the research; and (c) the investigation has as its object an essential public interest related to state security, defence, public security or other important objectives of general public interest, provided that in the last case, the exception is expressly included by a norm with the rank of law (additional provision 17(2)(e) Data Protection Act). Among additional specific guarantees, the use of pseudonymised personal data for public health research purposes and, in particular, biomedical research, must be submitted in a prior report to the research ethics committee provided for in the sectoral regulations (additional provision 17(2)(g) Data Protection Act). It is also possible to carry out an impact assessment pursuant to Article 35 GDPR or when established by the supervisory authority.9

9 This assessment shall specifically include the re-identification of risks linked to the anonymisation or pseudonymisation of the data; to submit scientific research to quality standards and, when appropriate, to international guidelines on good clinical practice; to adopt, when appropriate, measures aimed at ensuring that researchers do not access identification data of the interested parties; and to designate a legal representative in accordance with Article 74 of Regulation (EU) 536/2014 if the sponsor of a clinical trial is not established in the EU, which may coincide with what is provided in Article 27(1) of the GDPR (additional provision (17th 2(f) Data Protection Act).

622

J. Sarrión Esteve

6 Biobanks: Biological Samples and Health Data in the Spanish Biomedical Research Act The Spanish legal framework refers to several types of biobanks: (a) biobanks for biomedical research regulated by the Biomedical Research Act (Articles 63–71 of Biomedical Research Act) and (b) biobanks for other purposes regulated by specific rules (e.g., banks for therapeutic purposes and specialised biobanks for the transplantation of organs, tissues and cells—according to the Spanish National Transplant Organisation10—banks for reproductive purposes,11 population studies banks12 (Romeo-Casabona 2021) and criminal DNA profiles database13). That said, the rest of this section will focus on the regulation of biobanks for biomedical research purposes and the processing of data for research purposes. While the Biomedical Research Act14 establishes a specific regulation for biobanks in Articles 63–71, the Biobank Regulation (Royal Decree 1716/2011) sets the basic requirements for authorisation and operation of biobanks for biomedical research purposes and the treatment of biological samples of human origin. This latter regulation encompasses the operation and organisation of the National Registry of Biobanks for biomedical research, according to which it is mandatory for all

10

See Act 30/1979, of 27 October, on organ extractions and transplantation (Ley 30/1979, de 27 de octubre, sobre extracción y trasplante de órganos). https://www.boe.es/buscar/act.php?id=BOE-A1979-26445. See the Royal Decree-Law 9/2014, of 4 July, which establishes the quality and safety standards for the donation, obtaining, evaluation, processing, preservation, storage and distribution of human cells and tissues and approves the rules of coordination and operation for use in humans (Real Decreto-ley 9/2014, de 4 de julio, por el que se establecen las normas de calidad y seguridad para la donación, la obtención, la evaluación, el procesamiento, la preservación, el almacenamiento y la distribución de células y tejidos humanos y se aprueban las normas de coordinación y funcionamiento para su uso en humanos). https://www.boe.es/buscar/act.php?id=BOE-A2014-7065. 11 Act 14/2006 of 26 May on assisted human reproduction techniques (Ley 14/2006, de 26 de mayo, sobre técnicas de reproducción humana asistida). https://www.boe.es/buscar/act.php?id=BOE-A2006-9292. This Act establishes some requirements and guarantees for the use of gametes and pre-embryos for research (Articles 14–16). Moreover, in the case of secondary use, when the scientific research is not linked only to reproduction techniques, the Biomedical Research Act includes some other requirements and applicable guarantees. See Article 34 of Law 14/2007, of 3 July, on Biomedical Research (the Biomedical Research Act, Ley 14/2007, de 3 de julio, de Investigación Biomédica). https://www.boe.es/buscar/act.php?id=BOE-A-2007-12945. 12 There is not a national database nor a specific regulation for population studies banks. Casabona points out that there are some local banks for epidemiological studies, and these types of studies require consent according to Article 54(5) Biomedical Research Act. 13 See Organic Act 10/2007 of October, which regulates the police database of identifiers obtained from DNA (Ley Orgánica 10/2007, de 8 de octubre, reguladora de la base de datos policial sobre identificadores obtenidos a partir del ADN). https://www.boe.es/buscar/act.php?id=BOE-A-200 7-17634. 14 Law 14/2007, of 3 July, on Biomedical Research (the Biomedical Research Act, Ley 14/2007, de 3 de julio, de Investigación Biomédica). https://www.boe.es/buscar/act.php?id=BOE-A-2007-12 945.

Spain

623

biobanks in Spain to be registered;15 this fully complements the regulation on the use, collection and transfer of samples for research purposes (Arias-Díaz et al. 2013).16 It is also important to mention the national platform of Spanish biobanks (the National Biobank Network—RNBB, Red Nacional de Biobancos),17 the National DNA bank (NDNAB),18 the several autonomous territorial banks, health banks at hospitals, banks specialised in specific biological samples, among others (RomeoCasabona 2021, pp. 368–369). Nevertheless, the Spanish legal framework distinguishes between the so-called National Bank on Cell Lines (Banco Nacional de Líneas Celulares, BNLC)19 and biobanks. The Biomedical Research Act specifically regulates genetic analysis for health purposes and the processing of personal genetic data in Articles 46–57 and the obtainment and use of biologic samples in Articles 58–62.

6.1

Genetic Analysis for Health Purposes and the Processing of Personal Genetic Data

The Spanish Biomedical Research Act sets additional requirements as compared to the general data protection regulation: explicit and specific consent (Art. 48); the right to be/or not to be informed (Art. 49); the practice of the genetic analysis by qualified personnel in accredited centres with quality requirements established by regulations, the health personnel’s right at the centre where the clinic history is recorded, and access to the data in order to assist the patient with duties of confidentiality20 (Art. 50(1)). This personal genetic data ‘may only be used for epidemiological, public health, research or teaching purposes when the interested party has expressly given their consent, or when said data has been previously anonymized’ Article 50(2)). In exceptional cases of general health interest, the

15

This National Registry is entitled to Carlos III Health Institute. Moreover, this legal framework includes the three possible ways in which samples can be used for research (gathering for use in a specific project, storage in a collection or storage in a biobank). 17 The National Biobank Network (RNBB) integrates the knowledge of the 39 biobanks that it includes. 18 Created in 2004, as a technological platform to support biomedical research. It has become a national and international reference biobank with the aim of promoting and facilitating the development of genetic and research projects. https://www.bancoadn.org/en/presentation.html. 19 The BNLC is a national structure or network (Article 42 of the Spanish Biomedical Research Act and Article 2 Order SCO/393/2006, cited above) to guarantee the availability of cellular lines for research in all the Spanish national territory (Article 2 Order SCO/393/2006). There is an obligation on any public or private institution in Spain to declare the existence of any stable embryonic or adult stem cell lines and deposit them in the BNLC (Article 11 Order SCO/393/ 2006). 20 See Article 51 Spanish Biomedical Research Act. 16

624

J. Sarrión Esteve

competent authority may authorise after a favourable report from the data protection authority the use of encoded genetic data, provided that the data cannot be related to or associated with the subject by third parties (Article 50(3)). Genetic data will be kept for a minimum period of 5 years (from the date they were obtained), then the interested subject may request its cancellation (Article 52(1)). If there is no request to cancel, data will be kept for the period necessary to preserve the health of the data subject or third persons related to him/her (Art. 52(2). It is also stated that data can be kept anonymised -but only anonymised- for research purposes (Article 52(3)). Therefore, it can be affirmed that Spain has specific rules for research using genetic data as well as several safeguards: the protection of the dignity and identity of the person, the interest and wellbeing of the human being and the development of biomedical research taking into account fundamental rights and liberties. Some unusual means to provide guarantees of confidentiality in the processing of both personal data and genetic data are the previous and favourable report of the Research Ethics Committee and the prevention of risks to life and health in the evaluation of the research pursuant to the precautionary principle (Article 2). Title V of the Spanish Biomedical Research Act not only establishes the relevant rules for the use, processing and conservation of genetic data but it also tackles the correct use of biological samples (Article 44(1) and (2)).21 However, there is no specific focus on the DNA and RNA obtained from tissues due to the general reference to the collection, use and processing of biological samples and derived material and data. The use of biological samples for biomedical research purposes is subject to the previous written and informed consent of the data subject, which is revocable (Articles 58(1) and 59).22 This also implies an explanation of the consequences and risks that the collection may entail for the subject’s health. Consent for the use of biological samples is expressed at the time of the sample’s collection or it follows the collection, but it is specific: this means that consent is expressed for ‘a specific investigation’ (Article 60(1)). When the use of biological samples for other research is not linked to the initial purpose for which consent was granted, a new expression of consent is required (Article 60(2)). A favourable opinion from the centre’s Research Ethics Committee is a precondition for both the obtainment and use of biological samples for biological research and for biodiversity studies, especially in cases in which biological samples derive from deceased persons or of the use of biological samples for research that is not related to the use for which the consent was initially obtained (Article 62).

21

The obtainment and use of biologic samples is specifically regulated in Articles 58–62 of the Spanish Biomedical Research Act. 22 The revocation of the consent can be total or for certain purposes and can occur at any time. When the revocation refers to any use of the sample, the sample will be immediately destroyed without prejudice to the conservation of the data resulting from the investigations that had been previously carried out (Article 60(3) of the Spanish Biomedical Research Act).

Spain

625

From the perspective of the Biomedical Research Act, the secondary use23 of biological samples always requires the subject’s consent, whether or not the samples are anonymised (Article 58(2)). But the Spanish law provides for several exceptions, for example, when the obtainment of consent is not possible or represents an unreasonable effort. In these cases, the opinion of the corresponding Research Ethics Committee is necessary. The donor is also informed in writing of the conditions of conservation of the biological samples as well as the objectives, future uses and transfer to third parties. Finally, the donor is informed of the conditions to withdraw or request the destruction of samples.24 Art 58 (4) refers to access to the biological samples of donors and family members even in cases of non-anonymisation when needed for health reasons (Art. 58(4)). Special conditions concern obtainment of biologic samples from minors and vulnerable persons (Article 58(5)), and safeguards are set to guarantee local and ethnic traditions in studies of genetic diversity to avoid any stigmatising or discriminatory practices (Art. 58(6)). Finally, unique rules apply to research with embryonic cellules and tissues that originated from assisted reproductive techniques (Title V, Articles 32–43). In this context, the role of the Commission of Guarantees for the Donation and Use of Human Cells and Tissues25 is relevant because the Commission has the competence according to Article 35 of the Spanish Biomedical Research Act to issue a required previous opinion in order to obtain the authorization, of the competent public health authority, to develop research with material of embryotic origin or other material with a similar function, with the exception of IPSC lines26 which, after the recent modification of Article 35, requires the favourable previous opinion of the corresponding Research Ethics Committee (Sarrión Esteve, 2023: 60-62). 27

23 When the aim is to use the samples for biological research but for other research than that for which the consent was obtained. 24 Biological samples used in biomedical research are kept as long as they are necessary for the purposes that justified their collection unless the donor has given explicit consent for subsequent uses (Article 61(1)). 25 See Royal Decree 1527/2010, of 15 November, which regulates the Commission of Guarantees for the Donation and Use of Human Cells and Tissues and the Registry of Research Projects. 26 ‘Induced Pluripotent Stem Cells’, also called IPSCs or iPS. 27 Final provision 1(1) of Act 17/2022, of 5 September, introduces a new paragraph 3 to Article 35 of the Biomedical Research Act, in order to facilitate the development of biomedical research with IPSCs lines in Spain, thanks to the introduction of an exemption from the requirement of the previous opinion of the Commission of Guarantees, and therefore it is sufficient in these cases, under certain conditions, with the favourable opinion of the corresponding Research Ethics Committee, which may consult the Commission if necessary, in order to obtain the authorization by the competent health public authority (See Article 35 (3) of the Spanish Biomedical Research Act, and Sarrión Esteve, 2023: 60-62).

626

J. Sarrión Esteve

7 Conclusion This analysis has shown the way in which the Spanish legal framework set the discipline for the processing of health data for biomedical research with a particular focus on biobanking activity related to research. The Spanish regulation is composed of several rules that could be compared to other national developments implementing the GDPR.

References Arias-Díaz J, Martín-Arribas MC, García Del Pozo J, Alonso C (2013) Spanish regulatory approach for biobanking. Eur J Hum Genet 21:708–712 European Commission, DG Health and Food Safety (2021) Assessment of the EU Member States’ rules on health data in the light of GDPR. Publications Office of the European Union, Luxembourg. https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_ en.pdf Gómez Sánchez Y (2021) Categorías especiales de datos personales: Los datos de origen étnico o racial, los datos genéticos, los datos biométricos, los datos relativos a la salud, los datos relativos a la vida sexual y la orientación sexual (Comentario al artículo 9.1 RGPD). In: Troncoso Reigada A (dir) Comentario al Reglamento General de Protección de Datos y a la Ley Orgánica de Protección de Datos personales y Garantía de los Derechos Digitales, vol I. Thomson Reuters Aranzadi, Madrid, pp 1041–1065 Martínez Martínez R, Álvarez Rigaudias C (2019) El uso de datos con fines de investigación biomédica. (Arts. 9 y 89 RGPD. Art. 9, Disposición adicional decimoséptima. Disposición final novena y Disposición transitoria sexta LOPDGDD). In: López Calvo J (coord) La adaptación al nuevo marco de protección de datos tras el RGPD y la LOPDGDD. Bosch, Madrid, pp 279–287 Nicolás Jiménez P (2021) Garantías y excepciones aplicables al tratamiento con fines de investigación biomédica (Comentario al artículo 89 GDPR y a la disposición adicional decimoséptima, a la disposición transitoria sexta, a la disposición final quinta y a la disposición final novena LOPDGDD) disposición adicional decimosétima LOPDGDD. Tratamientos de datos de salud. In: Troncoso Reigada A (dir) Comentario al Reglamento General de Protección de Datos y a la Ley Orgánica de Protección de Datos personales y Garantía de los Derechos Digitales, vol II. Thomson Reuters Aranzadi, Madrid, pp 3395–3427 Romeo-Casabona CM (2021) The new European legal framework on personal data protection and the legal status of biological samples and biobanks for biomedical research purposes in Spanish law. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking, Law, governance and technology series, vol 43. Springer, Cham, pp 363–378. https://doi.org/10.1007/978-3-03049388-2_20 Sarrión Esteve J (2018) Health data treatment. An approach to the international and EU legal framework. In: Arnold R, Cippitani R, Colcelli V (eds) Genetic information and individual rights, Series ‘Law & Science’, vol 1. Regensburg Universiät, Regensburg, pp 36–53 Sarrión Esteve J (2023) Retos y perspectivas en la investigación biomédica con datos en España. Derecho y Salud 33(1): 53-71 Troncoso Reigada A (2021) Las categorías especiales de datos personales y los tratamientos de datos de salud (Comentario al artículo 9 RGPD y la disposición adicional decimoséptima de la LOPDGDD). In: Troncoso Reigada A (dir) Comentario al Reglamento General de Protección de Datos y a la Ley Orgánica de Protección de Datos personales y Garantía de los Derechos Digitales, vol II. Thomson Reuters Aranzadi, Madrid, pp 4623–4738

Sweden Joakim Nergelius

1 Introduction The aim of this contribution is to analyse the most relevant issues concerning legislation for the processing of health data for research purposes, with a particular focus on biobanking activity related to research. Since the legal doctrine on this issue is very limited, this will mainly be done by analysing the current legislation, which dates back to 2002 but was partly modernised in 2019. As always in Swedish law, the travaux préparatoires are of importance.1 Against this background, a new law bill has now been presented to Parliament suggesting a number of changes to the Biobank Act,2 which is intended to enter into force on 1 July 2023. A governmental committee did in fact launch a proposal for a new law on biobanks back at the beginning of 2018.3 Five years later, the proposal will thus be realised.

1

These are mainly found in the governmental bill (proposition) 2001/02:44, as well as, more recently, 2018/19:85. 2 New Biobank Act (2023:38) did in fact enter into force on 1 July, 2023. 3 SOU 2018:4, Framtidens biobanker. J. Nergelius (✉) University of Örebro - School of Behavioural, Social and Legal Sciences, Örebro, Sweden e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_73

627

628

J. Nergelius

2 The Legal Basis of Processing Personal Data for Research Purposes at the National Level The main piece of legislation is the so-called law on biobanks in the health sector (lag (2002:297) om biobanker i hälso- och sjukvården m.m., sometimes given the official title Biobanks in Medical Care Act). Here, the nature, functions and contents of biobanks are defined and explained. More precisely, Chapter 2 of the law establishes rules on how they are established and supposed to operate. Another important definition is found in Chapter 1, Article 3, which states that the law applies to any biobank established in Sweden and to any tissues or samples from such biobanks that have been distributed or handed out in order to be preserved and used by another health provider, research institute or medical (or other) company. This is true regardless of where the material is actually preserved as long as the samples may be traced back, after being handed over, to the human beings from whom they originate (be they dead or alive). Fosters are also included in the category ‘human being’.4 This law is not directly based on any of the existing EU regulations within this area. More detailed rules on the way in which biobanks work and function can be found in rules from the Swedish Board on Health and Social Care (Socialstyrelsen). In particular, decree 2002:11 contains important rules on various details5 within this topic of expertise. It may also be noted that the law on biobanks is subsidiary, in case of conflict, to certain other more specialised laws in the medical area, such as the law on genetic integrity (2006:351).6 This will change when the new Biobank Act enters into force in 2023, but the law on biobanks is somewhat more general in its character than most other parts of the relevant legislation in this area. For general information purposes, it may also be good to ascertain that in 2017 a special association called Biobank Sweden was founded, based on an agreement between regions, university hospitals and universities with a medical faculty.7

4

See Chap. 1, Art. 2. Its full name is SOSFS 2002:11, Socialstyrelsens föreskrifter och allmänna råd om biobanker i hälso- och sjukvården m.m., as changed in 2018. 6 See Chap. 1, Art. 4 on the Law on Biobanks, as well as SOU 2018:4, pp. 106 and 202. For coercive measures—vital in modern times—see Smittskyddslagen (2004:168, the law on Protection against contagious diseases). 7 For information on its activities, see www.biobanksverige.se. 5

Sweden

629

3 The Research Exemption According to Chapter 2, Article 1 of the current Biobank Act, upon the founding of a biobank, its main operator8 must immediately decide for which purpose the biobank may be used and who should be held legally responsible for its actions. Then, it is clarified in Chapter 2, Article 3 that in case the biobank in question is intended to be used for research or ‘clinical testing’ (‘klinisk prövning’), any such decision must be reviewed and approved by a committee on research ethics (‘forskningsetisk kommitté’, which is itself defined in Chapter 1, Article 2 as a special body for review of ethical questions related to research, composed by representatives of public authorities and scientists, and attached to a university or research funding institute).9 Otherwise, it must be noted that the law on biobanks applies to ‘ordinary’ medical as well as scientific activities. For research in general, there is a special law on the ethical assessment of all research projects (Etikprövningslagen, 2003:460), which is somewhat controversial within the research community since it seems to impose the same kind of ethical criteria to all research projects, regardless of their scientific field and whether they are big or small, dangerous or harmless. For instance, law scholars in general do not like to have to undergo the same procedure as physicists, psychiatrists or clinical medical scientists.

4 The Use/Reuse of Historical Archives of Health Data Chapter 3, Article 7 of the law refers to general rules, which would normally imply the law on Transparency and Secrecy (2009:400, Offentlighets- och sekretesslagen). However, here we also find a reference to Article 3 of the law on Patients’ Files (Patientjournallagen, 1985:562).10 This rule states that the files on each patient— which are of course confidential—must contain information not only concerning the patient’s identity, but also on their diagnosis, the measures taken, the information given to the patient and information on who has had access to the file and thus been able to add new information to the file. All such files are to be preserved according to general rules (i.e., up to 30 or 50 years, depending on the circumstances). This means that any such information may be used for quite a long time, although the material will only be given out for research purposes after an evaluation in each specific case (e.g., for every new research project).

‘Huvudman’, who is according to Chap. 1, Art. 2 of the Law normally a caretaker, health provider or a Research Institution. 9 The main scientist responsible is also obliged to make an annual report on all activities within the given project to this body. 10 Patientdatalagen (2008:355) may also be relevant here, albeit normally at a more general level. 8

630

J. Nergelius

The most fundamental general rule within this area in the law on Transparency and Secrecy is Chapter 25, Article 1, which states that secrecy should always prevail concerning information on the health conditions of individuals, unless it is clear that such information may be revealed or disclosed without any damage to the individual (s) concerned.11 In relation to medical research based on information from or related to specific individuals, absolute secrecy will prevail for 70 years, without any risk assessment in the specific case.12 The EU regulation on Data Protection (GDPR) has been Swedish law since May 2018. It applies to the same extent in Sweden as elsewhere in the EU.13

5 Procedures and Policies on the Use and Reuse of Personal Data and Tissues First of all, samples from individuals may only be taken after express consent from the individual in question. Samples are here defined as ‘biological material from a human being’.14 According to the law on biobanks, this only applies to samples that are possible to trace to specific individuals.15 It does not, however, apply to samples that are routinely taken at hospitals for analysis, diagnosis and treatments and that are then not saved.16 Samples may only be used for the purpose to which the person in question gave their consent.17 As far as tissues are concerned, according to SOSFS 2002:11, the main operator responsible for each biobank may decide for how long the tissues may be conserved. However, based on a delegation rule in Chapter 6, Article 8 of the law on biobanks, the responsible public authority Socialstyrelsen has decided on the times of preservation; it thus follows from its decree SOSFS 2002:11 that the time of preservation shall be based on the durability and usefulness for the purposes for which the biobank in question was founded. For each individual biobank, the time of preservation shall be stated and clarified in its statutes.18

11

For certain exceptions, for example, in emergency situations, see Chap. 10 of that same Law. See Chap. 24, Arts. 7–8 of the same Law. 13 This was implemented in Sweden through a special Law (2018:218) with completing rules. 14 Chap. 1, Art. 2 in the Law on Biobanks. 15 Ibid. 16 Ibid., as well as Chap. 1, Art. 3 and SOSFS 2002:11. 17 Chap. 3, Art. 5. 18 SOSFS 2002:11 Chap. 2, Art. 3. 12

Sweden

631

6 Conclusion The analysis seems to suggest that the bioethics legislation tries to combine the traditional Swedish emphasis on transparency with the need to protect the integrity of the persons concerned, all in a way that may benefit medical research. All parts of the legislation seem to have taken the relevant human rights aspects into account, including the right to personal integrity and protection of sensitive information regarding individuals (cfr. art. 8 of both the European Convention of Human Rights and the EU Charter of Fundamental Rights). At the same time, the current law (2002) has been criticised, as emphasised by the governmental committee that proposed a wholly new, modernised law in 2018.19 The fact that the current law is subsidiary to other legislation within this area underlines that the first legislative act of 2002 was somewhat tentative. When the new law enters into force in 2023, this will thus be changed and also some other legal concepts may be renewed. Consequently, it may also be necessary to examine the practical applicability of the rules under a new light.

19

SOU 2018:4, as mentioned previously.

United Kingdom Hedley Christ

1 Introduction At the time of writing, the United Kingdom (UK) is no longer a Member State of the European Union (EU), and the following analysis explores both the transition period and the post-Brexit legal consequences on the processing and transfer of data and biological samples. This study first describes the legal framework of data protection in the UK before Brexit and then outlines the way the EU has scrutinised the UK data protection standards in order to adopt adequacy decisions.1 The UK legal framework was not expected to replicate the European data protection law; in fact, a third country is required to be aligned with the essence of the fundamental principles of the European GDPR. Since the UK was a Member State of the EU until 31 January 2021, it is evident that many aspects of the UK legal framework for data protection are largely equivalent to the European framework. But the adequacy decisions adopted by the European Commission are essential and

1

The European Union Commission has adopted two adequacy decisions (the UK adequacy decisions) addressing the Law Enforcement Directive and the transfers of personal data. See European Commission, Commission implementing decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, Brussels, 28.6.2021 C(2021) 4800 final and C(2021) 4801 final. https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_per sonal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf; (Decision on the adequate protection of personal data by the United Kingdom-General Data Protection Regulation). https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_per sonal_data_by_the_united_kingdom_law_enforcement_directive_en.pdf (Decision on the adequate protection of personal data by the United Kingdom: Law Enforcement Directive). H. Christ (✉) Law Department - Brighton Business School, Brighton, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_74

633

634

H. Christ

should be taken into account for at least two reasons. First, they serve to consider the risks of a possible deviation of the UK Data Protection system from the EU acquis and the relevance of a monitoring activity to evaluate all developments in the UK at the end of the transition period. Secondly, at the end of the bridge period, the UK has the possibility to modify the retained law whilst considering the GDPR as a framework. That said, it is interesting to question whether this interplay of legal frameworks has influenced the effective protection of personal data in practice, especially when data and biological materials are used for research and health purposes. It is also worth considering whether adequacy decisions have addressed the role of entities, such us biobanks, that are involved in the transfers of data and samples from the EU to the UK as before Brexit. The transfer of data and biological samples has to be viewed in a wider context, and it does not simply imply an give-and-take relationship between the EU and the UK. The free flow of data and samples between the Member States and the UK has been established to provide clear benefits for all parties involved in health and research sectors (organisations, individuals and the scientific community). Moreover, there may be a distinction to be drawn when considering the transfer of data, depending upon the types of data being transferred. Health data may be very different from biomedical research using human beings as subjects. There may also be a distinction between research and experimentation; research has a welldefined protocol and has general application to the human population, while experimentation links experimental results to individuals and, thereby, to their health data.2 Such data may bring together a range of health data sources, including preventative or occupational medicine, medical diagnosis, the provision of health, social care or treatment and, more generally, health data related to issues of public interest in public health.

2 From Confidence to Datafication. . .and Data Protection An interesting aspect of English law is its lack of a tort of privacy. It was held in Wainwright v Home Office [2003]3 that English law neither contains nor need to create a specific privacy tort. Lady Hale, in Wainwright, noted that ‘our law [English law] cannot even if it wanted to, develop a general tort of invasion of privacy. In fact, the UK Parliament during the 1960s tried three times to produce a privacy law, but to 2

Included within this notion of research, experimentation and health is the requirement of research ethics approval as a means of governance. The UK ethics committee authority (UKECA) under the health research authorities (HRA) has the responsibility of establishing, recognising and monitoring research ethics committees. Such considerations of ethics committees may now need to include whether and how data is to be transferred. 3 Wainwright v Home Office [2003] UKHL 53; [2004] 2 AC 406; [2003] 3 WLR 1137; [2003] 3 All ER 943.

United Kingdom

635

no avail. English law, therefore, had to rely on other areas of law, in particular, the equity right of confidence, and cases regarding privacy issues were thus brought under a breach of confidence.’ But the nature of this breach of confidence is seen by the English courts to be part of a wider issue of human rights. Article 8(1) of the European Convention on Human Rights provides for the right of a private and family life, and the courts have understood this to be a right balanced against other rights, such as freedom of expression in Article 10(2) of the Human Rights Convention. This means that neither right is absolute. Furthermore, the impact of the EU Data Protection Directive on the understanding of personal information is significant in terms of how organisations, whether public or private, are able to handle personal information, particularly when personal information becomes digitalised and transformed into data, that is, datafication. In this context, UK law became influenced by international law. For example, in 1980, the OECD adopted guidelines on the protection of privacy and transborder flows of personal data (updated in 2013) (OECD 2013; McCullagh 2017). These guidelines are not legally binding, but they have had a major influence on the development of data protection laws.4 In addition, the United Nations (UN) in the 1990s adopted guidelines for the Regulation of Computerised Personal Data.5 These guidelines then found expression in 2016 with the General Data Protection Regulation (GDPR) that adopted a data protection legislation for a technological age and provided a complete, or as near as possible complete, legal framework for data protection. This left very little room for Member States to alter the levels of data protection. The GDPR came into force in May 2018 and was fully adopted by the UK despite the uncertainty of the UK’s exiting withdrawal process from the EU. The UK law regarding data protection and privacy gathers a range of laws from English common law to international law and now, a restricted EU law known as retained law. This complex legal framework of both hard law and soft law represents the general governance of data protection (as noted Kaye et al. 2012, p. 52, this leaves a ‘bewildering array of general statutes, legislative provision, regulations, directives, and common law doctrine, codes of practice, guidelines, ethical statements, conventions, declarations, opinions, recommendations, statements, policies, resolution, guidance notes, fact sheets, circulars, reports, and so forth’).

4

The guidelines produced eight minimum standards as principles. These are on collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. 5 These guidelines, like the OECD’s guidelines, used principles which included lawfulness, fairness, accuracy, purpose specification, relevant and adequacy of data collection and processing, the principle of consent, the right to know of data processing of personal information, the principal of non-discrimination, and data security. See UN General Assembly (1990). https://www.refworld. org/docid/3ddcafaac.html.

636

H. Christ

3 Data Protection and the Exchange of Data and Biological Samples with the UK: Waiting for Brexit Prior to the withdrawal from the EU on 31 January 2020, the legislative framework on the protection of personal data in the UK consisted of the EU legislation, that is, the GDPR and Directive (EU) 2016/680 of the European Parliament and Council, and national legislation, namely the Data Protection Act 2018 (DPA 2018).6 This Act has as its main scope the protection of individuals with regard to the processing of their data, and it provides for the lawful and fair processing of data on the basis of subject’s consent and aims to guarantee the right to information and rectification of inaccurate personal data by stating the responsibility of the Commissioner for monitoring the processing of data.7 The DPA 2018 establishes national rules for the protection of personal data and where/if allowed, specifies and restricts the application of the GDPR provisions.8 Pursuant to the European Union (Withdrawal) Act 2018,9 the ministers of the UK exercised the power to modify the retained EU law consequent to Brexit: they adopted the Data Protection, Privacy and Electronic Communications Regulations 2019 (DPPEC Regulations) that amended the GDPR as brought into the UK as well as the DPA 2018 and other data protection legislation to fit the domestic framework.10 With regard to the GDPR, the UK has retained, on the one hand, the principles and law regarding the Data Controller, the Data Processor and the Data object; on the other hand, since the change in the regulatory framework, the UK is a third country with regard to the transfer of data between the UK and the European Economic Area (EEA). This has relevant implications for data transfer for organisations within the UK and makes the transfer of ‘sensitive’ personal data significantly difficult, not only between the UK and the EEA but also between the UK and other countries. Data transfer, then, can no longer be seen as freely moving between the UK and the EEA, and it is worth considering how data transfer can lawfully occur within the GDPR’s restricted or restrictive transfers. In June 2020, the European Commission released a notice to stakeholders on the withdrawal of the UK and on the EU rules in the field of substances of human origin (blood, tissue and cells, organs) in order to describe the effects of the Withdrawal Agreement and the transition period (European Commission - Directorate-General for Health and Food Safety 2020).

6

Data Protection Act 2018. https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Ibid., Art. 2. 8 Ibid., Art. 15. 9 European Union (Withdrawal) Act 2018. https://www.legislation.gov.uk/ukpga/2018/16/contents/ enacted. 10 At the end of the transition period, the protection of personal data in the UK will consist of the UK GDPR and the DPA 2018, both as amended by the DPPEC Regulations. 7

United Kingdom

637

The European notice did not address EU law on medical devices and medical products or EU law on the protection of personal data, but it showed the legal situation and the consequences following Brexit in the field of biological material of human origin. After the end of the transition period, the EU rules apply to the UK with some modifications for import/export transfers of human biological samples that are required to comply with the EU testing requirements. This notice determines that equivalent standards of quality and safety need to be met to import blood and blood components, tissues and cells.

4 The European Union Commission Adequacy Decision: Evaluation and Effects Under the EU GDPR, the Commission has the power to determine based on Article 45 GDPR whether a country outside of the EU offers an adequate level of data protection. When an adequacy decision is provided, data transfer may occur freely, that is, without further appropriate safeguards as long as there is compliance with the EU GDPR. This process of providing an adequacy decision is also possible under the UK GDPR, and the UK has recognised the EEA as having adequate safeguards, or at least, there is a transitional recognition of all EEA countries and Gibraltar as adequate. To prepare for withdrawal from the EU, the UK enacted the EU Withdrawal Act 2018 incorporating directly applicable EU legislation into the law of the UK. The intention and effect of the Withdrawal Act 2018 is that all direct EU legislation incorporated into UK law at the end of the transition period is incorporated into UK law as it has effect in EU law immediately before the end of the transition period.11 This retained EU law, which includes the GDPR in its entirety, is accompanied by the retained general principles of EU law, but pursuant to the Withdrawal Act 2018, the ministers of the UK have the power to introduce secondary legislation to modify the retained EU law consequent to the UK’s withdrawal. On 28 June 2021, the Commission adopted the so-called adequacy decision, that is, a decision on the adequate protection of personal data in the UK.12 This decision provides a comprehensive analysis of the UK legal order to assess whether the UK guarantees a level of protection ‘essentially equivalent’ to that ensured within the EU.

11

European Union (Withdrawal) Act 2018, see note 12, Sections 2–3. European Commission, Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, Brussels, 28.6.2021 C(2021) 4800 final. https://ec.europa.eu/ info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_ kingdom_-_general_data_protection_regulation_en.pdf. 12

638

H. Christ

The Commission has scrutinised the law and practice of the UK and has concluded that the UK legal framework provides an adequate level of protection for personal data which are transferred from the EU to the UK.13 As a matter of fact, the UK GDPR is based on EU legislation and the data protection rules in the UK in many aspects mirror the rules applicable within the EU. The adequacy decision mainly focuses on the relationship between the UK GDPR and the DPA and points out that the UK ensures a level of protection for personal data transferred from the EU that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679. The oversight mechanisms in UK law identify and punish, in practice, infringements and offer legal remedies to the data subject (e.g., access to personal data, the rectification or erasure of data).14 The Commission has also considered the presence of effective legal protection measures of the fundamental rights of individuals whose personal data are transferred from the EU to the UK.15 In the light of the findings of the adequacy decision, the UK domestic regime and its international commitments are in compliance with the Charter of Fundamental Rights of the European Union and the European Convention of Human Rights.16 This adequacy decision is binding on all organs of the Member States to which it is addressed, including independent supervisory authorities, and the Commission supervises the relevant developments in the UK to assess whether an essentially equivalent level of protection is guaranteed.17 The monitoring activity is essential should a new data protection regime be adopted that is no longer subject to EU law and in considering transfers of personal data to third countries. For these reasons, the UK authorities should inform the Commission of any change to the UK legal framework and practices related to the processing of personal data as assessed in the adequacy decision. Special attention should be paid to the queries or complaints by EU data subjects concerning the transfer of personal data from the EU to processors or controllers in the UK.

13

Ibid., par. 5. Ibid., par. 85. 15 The European Data Protection Board raised concerns about the UK’s national security and surveillance regime in its Opinion 14/2021. However, the European Commission deemed adequate the UK’s system and its strong safeguards for access to personal data by public authorities. See European Data Protection Board, Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom, adopted on 13 April 2021. https://edpb.europa.eu/system/ files/2021-04/edpb_opinion142021_ukadequacy_gdpr.pdf_en.pdf. 16 European Commission, Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, see note 16, para 276–277. 17 Ibid., par. 82. 14

United Kingdom

639

5 The Data Protection Exemptions for Research Purposes and the Governance of Biobanks in the UK The DPA 2018 (Schedule 2, Part 5) sets out some exemptions for specified purposes, namely for journalistic, artistic, academic and literary purposes. Exemptions relate to data protection principles (e.g., principles of integrity and confidentiality), the conditions for consent, the transparency obligations, the rights of the data subjects, the obligation to notify of data breaches, the requirement to consult the Information Commissioner prior to high-risk processing and the rules on international transfers. These provisions are compatible with the UK GDPR and its Art. 85(2) that allows for exemptions. Exemptions for research are possible with regard to the provisions of the UK GDPR related to access to data and safeguards for third country transfers, right to rectification, restriction of processing and objection to processing. Such exemptions are possible when the application of the provisions of the UK GDPR would ‘prevent or seriously impair the achievement of the purposes in question’,18 and they should be read in the light of section 87 of the DPA that states that the purpose of the processing must be specified, explicit and legitimate. Furthermore, data must not be processed in a manner that is incompatible with the purposes for which it is collected. Pursuant to Section 87 (3) of the DPA 2018, further processing of personal data is allowed when the controller is authorised by law to process the data for that purpose and the processing is proportionate and necessary. Compatibility is ensured if processing is finalised to research purposes and subjected to appropriate safeguards (Section 87 (4) of the DPA 2018). The adequacy decision of the European Commission recognises the relevance of the effective exercise of individual rights and underlines that any relevant developments regarding the interpretation and application of these exemptions in practice will be taken into account.19 The legal framework for the governance of biobanks in the UK is fragmented, and several pieces of legislation intercept their discipline. The DPA 201820 and the Human Tissue Act (2004)21 are significant for UK biobanks as they both ensure compliance with the EU regulation on data protection and the EU’s human tissue and cells Directives. The DPA 2018 implements the GDPR (but also derogates from its terms) and the Human Tissue Act recalls the fundamental role of ‘appropriate consent’ for the lawful removal and storage of tissues, organs and body parts. It is worth considering the consequences of Brexit on biobanks involved in the processing of data. The adequacy decision recalls the ‘accountability principle’ that 18

Ibid., par. 72. Ibid., par. 73. 20 The legal basis for the UK and its organisations, including biobanks, for the processing of data is Chapter 5 of the DPA as it deals with the lawful transfer of data out of the UK to third countries. 21 Human Tissue Act 2004, Section 3. https://www.legislation.gov.uk/ukpga/2004/30/section/3. 19

640

H. Christ

has been retained in Article 5(2) of the UK GDPR without material change.22 Under this principle, ‘entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority’.23 Some scholars have underlined the post-Brexit consequences on the UK’s participation in the EU-funded BBMRI-ERIC network of biobanks and biomolecular resources (Phillips and Hervey 2021, p. 170) and the possibility for the UK to become an observer or member of the BBMRI-ERIC if approved by the Assembly at the end of the transition period.24

6 Conclusion More generally, any departure of the UK data protection framework from the European GDPR should be closely scrutinised in the light of adequacy standards. The adequacy decisions and equivalent standards have created a ‘closed mutual system’ in which the EU and the UK recognise each other and their legal frameworks as adequate. The adequacy decision does not mean the ‘death of data protection’: the European Commission has underlined that the UK data protection regime has not deviated from the current European level of protection, and this is the reason personal data can continue to be seamlessly transferred from the EU to the UK. Some health organisations had already welcomed the draft adequacy decision on UK data protection, issued in February 2021, by underlining that the adequacy of the UK data protection regime is crucial to benefit access to each other’s health data and improve patient safety and care across Europe.25 Now that the adequacy decision has been adopted, it represents a positive (although first) step to the continued free and secure flow of personal data between the UK and the EEA that is able to protect the European health sector. In the health and biomedical research fields, adequacy decisions for data protection, as well as equivalent standards for the transfer of human tissues, are instrumental to continue cooperation between EU and UK researchers on clinical trials and research that improves the quality of citizen lives and, in general, public health policy.

22

Ibid., par. 84. Ibid., par. 83. 24 Ibid. 25 See https://europeanbloodalliance.eu/maintaining-the-exchange-of-critical-health-data-with-theuk/. 23

United Kingdom

641

References European Commission, Directorate-General for Health and Food Safety (2020) Notice to stakeholders withdrawal of the United Kingdom and EU rules in the field of substances of human origin (blood, tissues and cells, organs). Brussels. https://commission.europa.eu/system/ files/2020-06/substances_of_human_origin_en.pdf Kaye J, Gibbons SMC, Heeney C, Smart A, Parker M (2012) Governing biobanks: understanding the interplay between law and practice. Hart Publishing, Oxford McCullagh K (2017) Brexit: potential trade and data implication for digital and ‘Fintech’ industries. Int Data Privacy Law 7:3–21 OECD (2013) Guidelines on the protection of privacy and transborder flows of personal data. https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf Phillips AM, Hervey TK (2021) Brexit and biobanking: GDPR perspectives. In: Slokenberga S, Tzortzatou O, Reichel J (eds) GDPR and biobanking. Individual rights, public interest and research regulation across Europe. Springer, pp 145–183. https://doi.org/10.1007/978-3-03049388-2 UN General Assembly (1990) Guidelines for the regulation of computerized personal data files. https://www.refworld.org/docid/3ddcafaac.htm

Part III

Conclusion

Conclusion Angelo Sidoni and Cristina Pelliccia

1 The Point of View of Pathologists To adequately carry out the task of writing the conclusion to this book, some reflections on the ethical and legal problems of the biobanking process from the pathologist’s point of view are necessary. A Department of Pathology is an elective place for the foundation of a biobank, and a biobank should be considered as a specialised pathology laboratory that allows for future clinical or research studies by collecting, processing and storing biospecimens. As is known, pathological anatomy has always kept samples used for diagnosis (derived from biopsy procedures, surgical interventions or autopsies and transformed into slides or tissue blocks) in specific archives. Due to the intrinsic characteristics of these materials—as obtained from human tissues fixed in formalin and embedded in paraffin—it was possible to preserve them for a long time (along with the personal and clinical information of the patients from whom they were taken) and use them for teaching and research purposes. In all honesty, until 20 or 30 years ago, we always used these materials without asking ourselves if their use was lawful, genuinely believing that once the diagnosis was formulated (the reason they arrived in our laboratories), they could be considered as residual material and, in some way, assumed to be in our property or, at least, without well identified owners. We evidently lived in a much simpler world! Legislation, at least Italian legislation, has never dealt with this problem and has only belatedly assimilated the histological preparations to other components of the clinical documentation of a specific patient. In particular, the histological slides were considered in the same way as radiographic plates with an obligation of conservation for 20 years (essentially for judicial action in the event of medical malpractice A. Sidoni (✉) · C. Pelliccia Department of Medicine and Surgery, University of Perugia, Perugia, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 V. Colcelli et al. (eds.), GDPR Requirements for Biobanking Activities Across Europe, https://doi.org/10.1007/978-3-031-42944-6_75

645

646

A. Sidoni and C. Pelliccia

problems that involve the revision of the original histological preparations).1 Faced with such a lack of interest in histopathological material, it is not surprising that the regulations on the technical requirements of repositories, on the modalities of storing personal and clinical data and on the methods of disposal (or further conservation) of the samples have always been lacking. With the progressive unfolding of the whole scenario of personalised medicine and the potentiality of genomics and the other omics, it has become increasingly clear that our archives, often dusty and disordered, were real ante litteram biobanks. In fact, histological specimens and their clinical data from inert residues of a diagnostic process indefinitely delivered to the obscurity of our repositories has turned out to be containers of a large amount of bio-pathological data that has become increasingly interesting in the face of the impressive evolution of genomic knowledge.

2 Paradigm Shifts With the definitive entry into the era of personalised therapies, the first evolutionary stage towards what is now called precision medicine, that is, the operative role of pathological anatomy in the diagnostic and therapeutic pathways, has radically changed due to some crucial aspects. First, the advent of tailored therapies and the long survival of many cancer patients has made it increasingly necessary to carry out in situ determination of biomarkers on histological sections prepared de novo on archived tissue blocks (for example, the need to determine the functional status of HER-2/neu oncogene in a patient with breast cancer diagnosed 20 or 30 years earlier). Second, the improvement in the minimally invasive techniques of biopsy sampling has led to increasingly smaller samples on which more and more investigation must be carried out to search for new biomarkers (for example, needle biopsy sampling in a patient with inoperable advanced neoplasm as a candidate for treatment with targeted therapies). Finally, many omics provide better results when performed on frozen tissue obtained at the time of surgery. On the other hand, the freezing of normal and pathological tissues can represent a useful option for both future patient needs and for research purposes, including the possibility of setting up primary cell cultures, doing mouse xenografts or building organoids and tumoroids to be hosted in the so-called living biobanks. The consequences of these three turning points could be pointed out as follows:

1 Ministry of Health. Circular No. 61 of 19 November 1986 and Superior Council of Health: Session XXXIX, Section III, sitting of 14 October 1987.

Conclusion

647

• The conservation of stored samples must be a less neglected activity in a pathological anatomy department and specific resources and more stringent regulatory standards must be dedicated to it (Nowak 2012); • Tissue samples, especially if small, must be considered precious goods to be used with extreme parsimony, carefully preserving their structural and biological integrity (Hirsch et al. 2010); • The authorisation to store frozen cells and tissues (in addition to those routinely fixed in formalin and embedded in paraffin) must provide for precise, informedconsent protocols that adapt those currently in use in most hospitals (which are often incorrect with respect to the privacy and informed consent regulations) and implement new procedures and dedicated instruments (ultra-freezers, liquid nitrogen storage tanks, cryogenic rooms, etc.).

3 Garbage in Garbage Out In addition to being an infrastructure that provides services for healthcare and research, a biobank is also a formidable data generator. In fact, the search for tissue-based diagnostic, prognostic and predictive biomarkers has grown exponentially in parallel with the increase in knowledge of the molecular mechanisms of disease and the availability of drugs directed towards specific molecular targets. After being validated for clinical use, these biomarkers, which were first investigated for research purposes or in clinical trials, have gradually become an integral part of pathological diagnostic reports. In this way, there has been a significant increase in the data accompanying the tissue samples, which is useful for both the present and future interests of individual patients and for research purposes, especially if properly received and managed in a biobank. The availability of this growing amount of data makes it necessary to update legal and ethical instruments, more precisely: • Stringent rules in ethical, legal and data protection terms as extensively covered in this book, although many aspects are still unresolved (Caulfield and Murdoch 2017); • Adequate processing, management, tracking and sharing of data; integration with national healthcare systems, with other biobanks and cross-linking with all other data that may be known about the patient’s follow-up. Despite the evolution of information technologies, there are still many critical issues in crosstalk between the numerous software systems that manage the various databases, including cyber security; • High standards in terms of quality, updating and adequacy of the stored samples and their data; With regard to this last point, pathologists play a pivotal role since the advent of precision medicine means that they must pass from the traditional role of custodian of human tissues to that of guarantor of the highest levels of quality assurance for

648

A. Sidoni and C. Pelliccia

biospecimens that arrive in the pathology department for diagnostic purposes and that can hopefully be donated to a biobank (not only tissues but also cells, blood or other biological liquids). Space reasons prevent us from dealing with this issue in detail; suffice it to recall that all the phases of the histopathological diagnostic process (pre-analytic, analytic and post-analytic) present numerous potential pitfalls capable of significantly compromising both the completeness and reliability of the data related to the preservation of cells and, consequently, the reliability of the biomarkers that are based on the cells. Numerous articles have addressed these issues and elaborated specific recommendations (Malm et al. 2013; Bass et al. 2014; Robb et al. 2014, 2015; Compton et al. 2019). Failure to comply with these recommendations has relevant clinical consequences in the determination of prognostic and predictive factors (e.g., up to 20% of HER2 functional status determinations in breast cancer have been found to be incorrect, annually resulting in societal economic costs of nearly $1 billion) (Garrison et al. 2015) with immediate (potentially catastrophic) effects for patients and with the possible placement in biobanks of unsuitable samples. There are known studies in which the results obtained have been distorted by the use of poor quality biospecimens or studies that cannot be carried out at all for the same reason. These situations are not uncommon, they are indicative of wild biobanking (i.e., samples stored without the involvement of a pathologist) and are unacceptable from all points of view. Equally worrying, however, is the finding that published translational research based on patient biospecimens rarely contains information about how the sampled have been obtained, processed or stored (Simeon-Dubach and Perrin 2011). All these considerations are consistent with the fact that living in a society based on data, or rather on Big Data, we know that data analysis can only have positive effects if it is the result of careful selection. If used to build algorithms (for example, in the field of artificial intelligence), data without these quality requirements will lead to useless or harmful results.

4 Pillars for Sustainability of a Biobank The scientific and social importance of biobanking is growing due to the rapid acceleration of biotechnology. Public and private researchers interested in using samples and/or associated data for research purposes are fundamental stakeholders of biobanking. They can be considered the engine of the infrastructure because they are also the major providers of samples and play an important role in establishing and maintaining bioresources. Their capability to act as both providers and users of samples is crucially dependent on the recognition of the impact of biobanking activities.

Conclusion

649

Biobanks are shaping national and international networks so that they share and combine resources. Several biotechnologies need bioresources to develop applications in the performance and capabilities of many different sectors, such as healthcare and medicine, agricultural production and industrial production. Thus, biobanks are precious sources of samples and data for the development of commercial products as diagnostic tests in both public and private sectors. However, several issues of policy related to public–private partnerships are still under debate. Precision medicine has now made the use of human tissue samples indispensable for translational research with particular reference to theranostics. Therefore, biobanks, or the alternative and more dynamic term of bioresources, constitute an essential component in a biomedical research infrastructure. The economic sustainability of a biobank is a constant concern of those who manage it, but in our opinion, the real danger for the survival of a biobank derives not from the number of samples stored but from their turnover and their rate of use and sharing with other research centres. A biobank inserted in a dense network of collaborations triggers a virtuous circle in terms of scientific activity and services provided to public and private partners, honouring the trust of patients who have donated the biospecimens. On the contrary, the underutilisation of samples, or worse, the storage of samples without using them, is a very negative symptom that indicates the substantial uselessness of that biobank and the undue waste of economic resources. Undoubtedly, there are many factors that determine the success and sustainability of a biobank, but we are sure that a solid juridical and bioethical corpus that addresses all the delicate aspects related to procurement, consent strategies, ownership and distribution of bio-samples together with a scrupulous policy of quality control throughout the life cycle of the biospecimens (examination at recruitment, sampling, storage, distribution, shipment and maintenance of databases with annotated data) are two essential elements which confer reliability and attractiveness to potential partners interested in scientific research and technological innovation. Therefore, investing adequately in the quality of biomaterials and ensuring compliance with legal aspects represent two of the most profitable economic aspects of a biobank business plan. Based on these considerations, we are particularly grateful to the authors of the previous chapters since they systematically analyse the legal and ethical issues concerning biobanking in an attempt to foster the awareness of a European regulatory harmonisation. We hope this book will stimulate a fruitful dialogue among all the professionals involved, regardless of their role, leading to the creation and management of a biobank for those interested in human tissue-based research.

650

A. Sidoni and C. Pelliccia

References Bass BP, Engel KB, Greytak SR, Moore HM (2014) A review of preanalytical factors affecting molecular, protein and morphological analysis of formalin-fixed paraffin embedded (FFPE) tissue: how well do you know your FFPE specimen? Arch Pathol Lab Med 138:1520–1530. https://doi.org/10.5858/arpa.2013-0691-RA Caulfield T, Murdoch B (2017) Genes, cells, and biobanks: yes, there’s still a consent problem. PLoS Biol 15(7):e2002654. https://doi.org/10.1371/journal.pbio.2002654 Compton CC, Robb JA, Anderson MW, Berry AB, Birdsong GG, Bloom KJ, Branton PA, Crothers JW, Cushman-Vokoun AM, Hicks DG, Khoury JD, Laser J, Marshall CB, Misialek MJ, Natale KE, Nowak JA, Olson D, Pfeifer JD, Schade A et al (2019) Preanalytics and precision pathology: pathology practices to ensure molecular integrity of cancer patient biospecimens for precision medicine. Arch Pathol Lab Med 143(11):1346–1363. https://doi.org/10.5858/arpa. 2019-0009-SA Garrison LP, Babigumira JB, Masaquel A, Wang B, Lalla D, Brammer M (2015) The lifetime economic burden of inaccurate HER2 testing: estimating the costs of false-positive and falsenegative HER2 test in US patients with early-stage breast cancer. Value Health 18:541–546 Hirsch FR, Wynes MW, Gandara DR, Bunn PA (2010) The tissue is the issue: personalized medicine for non-small cell lung cancer. Clin Cancer Res 16:4909–4911 Malm J, Fehniger TE, Danmyr P, Végvári A, Welinder C, Lindberg H, Appelqvist R, Sjödin K, Wieslander E, Laurell T, Hober S, Berven FS, Fenyö D, Wang X, Andrén PE, Edula G, Carlsohn E, Fuentes M, Nilsson CL et al (2013) Developments in biobanking workflow standardization providing sample integrity and stability. J Proteome 95:38–45. https://doi.org/ 10.1016/j.jprot.2013.06.035 Nowak JA (2012) Personalized medicine? Who has the tissue? Arch Pathol Lab Med 136:590. https://doi.org/10.5858/arpa.2012-0098-ED Robb JA, Gulley ML, Fitzgibbons PL, Kennedy MF, Cosentino LM, Washington K, Dash RC, Branton PA, Jewell SD, Lapham RL (2014) A call to standardize preanalytic data elements for biospecimens. Arch Pathol Lab Med 138:526–537. https://doi.org/10.5858/arpa.2013-0250-CP Robb JA, Bry L, Sluss PM, Wagar EA, Kennedy MF (2015) A call to standardize preanalytic data elements for biospecimens, Part II. Arch Pathol Lab Med 13:1125–1128 Simeon-Dubach D, Perrin A (2011) Better provenance for biobank samples. Nature 475:454–455. https://doi.org/10.1038/475454d