Processing of Genetic Data under GDPR: Unresolved Conflict of Interests

Petro Sukhorolskyi, Valeriia Hutsaliuk

Abstract

Over the last decades, developments in the fields of genetics and bioinformatics caused a marked increase in the processing of human genetic data by various companies and institutions. This results in the adoption of several international documents and the emergence of legal norms on the protection of genetic data. The paper examines how and to what extent the interests and rights of the data subject with regard to the processing of genetic data are protected in the European Union. It is concluded that under the GDPR this task is implemented through classifying genetic data as sensitive, reliance on anonymisation and pseudonymisation, as well as introduction of the procedure of data protection impact assessment. Nevertheless, given the unique characteristics of genetic data distinguishing them from other categories of personal data, these measures cannot be regarded as sufficient and effective. The paper argues that current EU data protection legislation creates favourable conditions for genetic research, thereby ensuring particular public interests, but does not establish a special regime for genetic data processing appropriate to potential threats in this field and risks to the rights of data subjects.

Keywords

Anonymisation; Balancing of Interests; Data Protection Impact Assessment; General Data Protection Regulation; Genetic Data; Pseudonymisation; Research Exemption; Sensitive Data; Special Categories of Personal Data

Full Text:

References

Show references Hide references

[1] 23andMe. (2018) Exercising Rights Under the GDPR. Right to Erasure (Right to Be Forgotten). [online] Available from: https://permalinks.23andme.com/pdf/toolkit/erasure.pdf [Accessed 9 March 2020].

[2] 23andMe. (2020) Privacy Highlights. [online] Available from: https://www.23andme.com/about/privacy [Accessed 9 March 2020].

[3] 23andMe. (2020) Research Consent Document. [online] Available from: https://www.23andme.com/about/consent [Accessed 9 March 2020].

[4] Alexy, R. (2003) On Balancing and Subsumption. A Structural Comparison. Ratio Juris, 16 (4). https://doi.org/10.1046/j.0952-1917.2003.00244.x

[5] Article 29 Data Protection Working Party. (2004) Working Document on Genetic Data, 12178/03/EN WP 91, 17 March. Available from: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2004/wp91_en.pdf [Accessed 9 March 2020].

[6] Article 29 Data Protection Working Party. (2014) Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN WP216, 10 April. Available from: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf [Accessed 9 March 2020].

[7] Article 29 Data Protection Working Party. (2017) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, 17/EN WP 248, 4 April. Available from: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 [Accessed 9 March 2020].

[8] BBMRI-ERIC (Biobanking and BioMolecular resources Research Infrastructure — European Research Infrastructure Consortium). (2015) Position Paper on the General Data Protection Regulation. [online] Available from: https://www.bbmri-eric.eu/wp-content/uploads/BBMRI-ERIC-Position-Paper-General-Data-Protection-Regulation-October-2015_rev1_title.pdf [Accessed 9 March 2020].

[9] Borry, P. et al. (2018) The Challenges of the Expanded Availability of Genomic Information: An Agenda-Setting Paper. The Journal of Community Genetics, 9 (2). https://doi.org/10.1007/s12687-017-0331-7

[10] Council of Europe. (2018) Convention 108+ (Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data), 21 June. Available from: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2018/09-10/Convention_108_EN.pdf [Accessed 7 March 2020].

[11] Council of Europe. Committee of Ministers. (1997) Recommendation No. R (97) 5 on the Protection of Medical Data, 30 October. Available from: https://rm.coe.int/1680505d5b [Accessed 7 March 2020].

[12] De Paor, A. (2017) The European Union and Protection of Genetic Information. In: De Paor, A (ed.). Genetics, Disability and the Law: Towards an EU Legal Framework. Cambridge: Cambridge University Press (Cambridge Disability Law and Policy Series). https://doi.org/10.1017/9781316412336

[13] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities (1995/L-281/31) 23 November. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en [Accessed 7 March 2020].

[14] European Commission. (2012) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM/2012/011 final – 2012/0011 (COD), 25 January. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN [Accessed 9 March 2020].

[15] European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union (2017/C-378/399) 9 November. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52014AP0212&from=EN [Accessed 7 March 2020].

[16] European Parliament. Committee on Petitions. (2019) Petition No 0733/2018 by J.B. (Portuguese) on improving the protection of genetic data related to European Union citizens, 15 March. Available from: https://www.europarl.europa.eu/doceo/document/PETI-CM- 637225_EN.pdf [Accessed 7 March 2020].

[17] Gymrek, M. et al. (2013) Identifying personal genomes by surname inference. Science, 339. https://doi.org/10.1126/science.1229566

[18] Korf, B. (2013) Genomic privacy in the Information age. Clinical Chemistry, 59 (8). https://doi.org/10.1373/clinchem.2013.205260

[19] Mészáros, J. and Ho, C. (2018) Big Data and Scientific Research: The Secondary Use of Personal Data under the Research Exemption in the GDPR. Hungarian Journal of Legal Studies, 59 (4). https://doi.org/10.1556/2052.2018.59.4.5

[20] Mourby, M. et al. (2018) Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK. Computer Law & Security Review, 34 (2). https://doi.org/10.1016/j.clsr.2018.01.002

[21] MyHeritage. (2019) MyHeritage Privacy Policy. [online] Available from: https://www.myheritage.com/privacy-policy [Accessed 9 March 2020].

[22] Pormeister, K. (2017) Genetic data and the research exemption: is the GDPR going too far? International Data Privacy Law, 7 (2). https://doi.org/10.1093/idpl/ipx006

[23] Pormeister, K. (2018) Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research. Journal of Law and the Biosciences, 5 (3). https://doi.org/10.1093/jlb/lsy023

[24] Quinn, P. and Quinn, L. (2018) Big genetic data and its big data protection challenges. Computer Law & Security Review, 34 (5). https://doi.org/10.1016/j.clsr.2018.05.028

[25] Regalado, A. (2019) More than 26 million people have taken an at-home ancestry test. MIT Technology Review. [online] Available from: https://www.technologyreview.com/s/612880/more-than-26-million-people-have-taken-an-at-home-ancestry-test/ [Accessed 7 March 2020].

[26] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union (2016/L-119/1) 4 May. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN [Accessed 7 March 2020].

[27] Shabani, M. and Borry, P. (2018) Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation. European Journal of Human Genetics, 26 (2). https://doi.org/10.1038/s41431-017-0045-7

[28] Shabani, M. and Marelli, L. (2019) Re‐identifiability of genomic data and the GDPR: Assessing the re‐identifiability of genomic data in light of the EU General Data Protection Regulation. EMBO Rep, 20: e48316, 5 p. [online] Available from: https://www.embopress.org/doi/10.15252/embr.201948316 [Accessed 7 March 2020]. https://doi.org/10.15252/embr.201948316

[29] Sorgner, S. L. (2017) Genetic Privacy, Big Genetic Data, and the Internet Panopticon. Journal of Posthuman Studies, 1 (1). https://doi.org/10.5325/jpoststud.1.1.0087

[30] Staunton, C., Slokenberga, S. and Mascalzoni, D. (2019) The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. European Journal of Human Genetics, 27. https://doi.org/10.1038/s41431-019-0386-5

[31] Taylor, M. (2012) Genetic Data and the Law: A Critical Perspective on Privacy Protection. Cambridge: Cambridge University Press. https://doi.org/10.1017/CBO9780511910128

[32] United Nations Educational, Scientific and Cultural Organization. (2003) International Declaration on Human Genetic Data, SHS/BIO/04/1, 16 October. Available from: http://portal.unesco.org/en/ev.php-URL_ID=17720&URL_DO=DO_TOPIC&URL_SECTION=201.html [Accessed 9 March 2020].

https://doi.org/10.5817/MUJLT2020-2-1



Copyright (c) 2020 Masaryk University Journal of Law and Technology