Published October 5, 2023 | Version v1
Project deliverable Open

Beyond 1 Million Genomes (B1MG) D2.3 Report on legal set-up including DPIA

  • 1. Legal Pathways
  • 2. BBMRI-GR

Description

  • Introduction. This report presents (i) an analysis of the legal data protection (GDPR) framework governing the creation of a federated cohort of human genomic data across multiple Member States of the European Union (“EU”), followed by (ii) an analysis of the delineation of the pertinent national and EU competences, for a number of selected Member States, establishing the existence, scope and impact of GDPR exemptions at the level of the Member States. These analyses collectively feed into (iii) a workable mechanism to bridge the national legal divergences found, in the form of a Transnational Code of Conduct respecting national minimum standards with respect to privacy, medical secrecy (also known as patient confidentiality) and protection of personal data.

  • While there seems to be a tendency to view privacy and data protection rights as “barriers” or “roadblocks” impeding the pursuit of data-driven medical research, this report is based on and stresses the fact that the protection of natural persons in relation to the processing of their personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

  • Based on the fundamental right to data protection enshrined in the Charter and the Treaty, the EU General Data Protection Regulation (GDPR) provides every identified or identifiable person (“a data subject”, under the GDPR) with a set of rights (“data subject rights”) which, alone and in combination, protect his or her personal data. These rights are set forth in Chapter III of the GDPR and form the core element of the GDPR. Also, when any definition or provision of the GDPR is subject to interpretation, the test applied by the Court of Justice of the European Union (“CJEU”) for the proper interpretation is that the interpretation must ensure the effective and comprehensive protection of the persons concerned.

  • Part I of the Report: data subject rights and cross-border access issues under GDPR. Part I of this report analyses the scope of and exemptions to data subject rights under the GDPR when it comes to processing genetic data for biomedical research, as well as the obligations of controllers of personal data to facilitate the exercise of these rights, referencing the most recent Guidance of the European Data Protection Board and recent case law of the Court of Justice of the European Union.

  • The GDPR data subject rights apply to the processing of genetic data per se, as well as to the processing of data, including genetic data, for the purpose of scientific research. The provision of access to genomic data of a data subject by a data controller in one Member State to one or more data users from one or more other Member States ("Cross Border Access") is likely to involve the processing of (directly or indirectly) identifying data (personal data) and hence is subject to the GDPR. As the provision of Cross Border Access involves the large-scale processing of special categories of data (i.e. genetic data), the GDPR deems it likely to result in a high risk to the rights and freedoms of the data subjects concerned.

  • This high risk is likely to increase due to the proposed repeated use of the genomic data through the continued Cross Border Access to be provided to multiple data users, from a variety of jurisdictions, each with their own rules and regulations. Moreover, the high risk could increase still further due to the resultant accumulation of meaning to be ascribed to and derived from genomic data, and its potential of being abused, for public, political, commercial or private purposes, whether or not by linking with other personal data, resulting in economic or social disadvantage, including discrimination and limitation or denial of access to private and public services, loss of autonomy, automated decision-making and coercive medicine, for the data subject, her family or the ethnic minority to which she belongs.

  • To address these risks, processing these data within a Member State of the European Union (EU) is subject to the national legislation of that Member State, which includes but is not limited to the GDPR, as implemented in the Member State concerned. However, the processing of these personal genetic data across the borders of the Member States raises, inter alia, the following issues under the GDPR.

    • Processing of special categories of personal data. First, under the GDPR the processing of genetic data and data concerning health is prohibited. This prohibition can only be lifted if one of the exceptions listed in the GDPR applies and provided that the processing complies with all other requirements of the GDPR, including a legal basis for lawful processing.

    • Member State conditions. Second, the GDPR provides that Union law or Member State law may provide that the prohibition of processing genetic data under the GDPR may not be lifted by the data subject. Also, Member States may maintain or introduce their own, national, conditions, including limitations, with regard to the processing of genetic data. 

    • Processing for purposes of scientific research requires appropriate safeguards. Third, the GDPR provides that, regardless of the type of data, processing personal data for scientific research purposes must be subject to appropriate safeguards, in accordance with the GDPR, for the rights and freedoms of the data subject.

    • Member State derogations to data subject rights. Fourth, when personal data are being processed for scientific purposes, the GDPR allows the Member States, under certain conditions, to enact their own, national, derogations from certain data subject rights under the GDPR. In brief, processing of personal genetic data for purposes of scientific research has not been harmonised under the GDPR.

    • Accountability for compliance with GDPR - assignment of GDPR roles. Fifth, the disclosure of genetic data by the primary collector (controller and custodian) of these data to one or more researchers established in one or more other Member State(s) raises questions about GDPR roles and responsibilities, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of the GDPR.


    • Which national law applies? Sixth, the transfer and subsequent processing of personal genetic data across the borders of the Member States raises the issue of which Member State’s national data protection law applies. The territorial scope of the GDPR is laid down directly in the GDPR itself. However, this territorial effect does not extend to the territorial scope of Member State law that is based on the GDPR; the territorial effect of such national laws depends on the national law of the Member State concerned.

    • Processing genetic data may be subject to additional national specific sector laws. Seventh, processing genetic data within a given Member State is not only subject to the GDPR but also to specific (health) sector national laws and human rights, such as patient confidentiality laws, criminal laws and associated national and institutional regulations. In addition, use of the data is in principle subject to informed consent and any limitations therein and subject to prior approval by an ethics committee and any conditions of such an approval. Compliance with these additional laws and conditions is typically the responsibility of the initial collector and controller of these data, in his or her role as custodian of these data. A siloed regulatory approach, focusing exclusively on the GDPR, would compromise compliance by this controller who is also the custodian of these data pursuant to related laws, regulations, conditions, codes and associated guidance, and case law.

  • Part II of the Report: delineation of national and EU competences and the existence, scope and impact of national GDPR exemptions. Part II of the Report aims to establish an acceptable ELSI framework that can strengthen the secure sharing of genomics data across Europe, and to determine and analyse the pan-European legal framework governing the data life cycle envisaged by the European 1+MG initiative. It aims to delineate the national and EU competences for a number of selected Member States and establish the existence, scope and impact of national GDPR exemptions, as well as to flag potential challenges that can arise from cross-border processing and from bringing genomic research data to the clinic. This part works towards common minimum standards and identifies applicable GDPR requirements as well as a relevant legal framework applicable to cross-border data sharing.

  • This part navigated the heterogeneous national ethico-legal landscapes and identified existing solutions and relevant stakeholders for input and feedback. The work is based on a series of expert workshops, organised in 2021 and the first months of 2022, with the participation of representatives of different countries across the EU from the Nordic, Southern, Central and Eastern European regions. The results of these workshops focused on adapting and further developing existing ethical standards, analysing the national legal landscape that affects a cross-border genome initiative and creating a pool of tools to centrally govern such an infrastructure. Through these workshops, this study mapped the EU legal framework governing the data life cycle of a pan-European genome initiative with a specific focus on the challenges of making genomic data available across European Economic Area (EEA) countries. Specifically, we assessed how the GDPR has been implemented at national level regarding the processing of health and genetic data and thus focused on applicable GDPR requirements for cross-border sharing, in order to assess the national derogations and divergence.

  • By examining and presenting the national legal rules that govern the processing of health and genetic data in light of the GDPR, based on selected examples, this part highlights possible differences and identifies elements that might affect the cross-border exchange of health and genetic data in the EU from healthcare to research and vice versa, in order to support health and genetic data use and re-use. The analysis of the results of the study shows that there are differences between EU countries in the implementation of the GDPR in the field of the secondary use of health and genetic data, and that the development of a common ethico-legal framework is indispensable.

  • Part III of the Report: Cross Border Compliance by Transnational Code of Conduct. The third and final part of this report builds on Parts I and II by delivering a draft Transnational Code of Conduct governing the provision of cross border access to human genomic data for purposes of scientific research within the EU.

  • In terms of substance, the draft Transnational Code requires inter alia (i) positive advice on requests for cross border access from a cross border access committee (which could be part of a regular, national access committee), (ii) data protection safeguards, (iii) access by way of remote analysis (bringing foreign analysis to local data), (iv) allocation of obligations and responsibilities between the data custodian and the data user and (v) respecting home state specific sector rights, human rights and data subject rights, the latter as per the national implementation thereof.

  • To comply with EDPB Guidance on Codes of Conduct and Monitoring Bodies, the draft Transnational Code is preceded by an Explanatory Note. A competent Data Protection Agency has commented on the draft Code and, upon review of the draft and incorporation of its comments, has expressed its willingness to receive the draft in order to initiate the process for formal approval of the Code under Article 40 GDPR.


Files

202305 B1MG D2.3 - Report on legal set-up including DPIA (2).pdf

Files (2.0 MB)

Additional details

Funding

B1MG – Beyond 1M Genomes 951724
European Commission