European Genomic Data Infrastructure (GDI) D2.8 Evaluation of the potential legal frameworks for the infrastructure

The establishment of a joint European genomic data infrastructure requires the establishment of a legal basis under Article 6 of the General Data Protection Regulation (GDPR) and a legitimation for processing health and genetic data for the processing within the infrastructure itself as well as for the stakeholders contributing personal data to it or using the personal data. We have identified the challenges related to the the three steps of

• how to bring data into the 1+Million Genomes (1+MG) infrastructure, 

• how to  disclose data towards users, and

• how to process data as a user, in particular where data use goes beyond research.

Here, together with the 1+MG ELSI Working Group, we have analysed the requirements for and suitability of possible legal instruments for the implementation of the 1+MG infrastructure. Building on the work performed in the Horizon 2020 B1MG project, we have further assessed the potential solutions for their ability to establish a valid legal basis not only for data access provision, but also for data holders and/or data users and their respective processing operations and secondary use purposes. In this document and in alignment with the 1+MG Declaration by the signatory countries,  a scenario using a federated data repository, where data remain locally but belong to a joint resource with a joint data governance is considered. The conclusion from the above analysis is that many national legislative frameworks do not provide an adequate solution for all stakeholders. 

For data inclusion, not even the European Health Data Space (EHDS) will provide a sufficient legislative framework to achieve the objectives of the 1+MG effectively because it focuses only on data availability through health data access bodies. The reason is that usually a legal basis provided by law only foresees a direct data sharing between a data holder, including permit authorities, and the user. Legislation does not foresee that data are made available within a repository in a harmonised way as envisaged in 1+MG. Where consent is to be used as an alternative, this consent can only be obtained once the 1+MG infrastructure and its governance is established, which in many countries means reconsenting. It also means that data made available through legislation, e.g. as currently the case in genome centres, may not become fully available as not all data subjects will respond to a request to consent or not be available at all if the data holder is a public authority that creates an imbalance between the data subject and the controller. Legitimate interest may only be available where data were not collected based on consent and the data holder is not a public authority.

For lawful data use, the users must be able to rely on a legal basis other than consent because it is not feasible and also not possible in many cases to offer dynamic consent across the entire genome collection of the 1+MG infrastructure. A major hurdle is that the legitimation for processing health and genetic data in a healthcare reuse context is not defined: legislation usually covers only a direct healthcare professional to patient relationship, not the processing of the data of other patients to provide care to an own patient. Also in the research context, there can be hurdles as there are no alternatives foreseen to consent as a legal basis for some stakeholders or because there are cumbersome authorisation procedures required.

The legal basis for the data access provision could be established through the mission of the European Digital Infrastructure Consortium, EDIC, which is one of the possible legal instruments evaluated in GDI Pillar I. The EDIC is established through a legal act and as such, a legal act on the Union level could be the basis for the processing for a task in the public interest. However, the Union law establishing 1+MG through an EDIC covers in the first place only the operations of 1+MG itself which are enshrined in its mission (e.g. provide cross-border access to genomes and health data).

It is recommended to explore with the European Commission if the legal coverage can also be extended to the data holders and/or the data users (“European level solution”). An alternative to this approach will require changes on the national level. Such changes, however, may be of interest even beyond 1+MG. It is recommended that all countries review their current legislative framework for the options to support data availability through joint initiatives. The limitations for the legal bases found are not limited to 1+MG but apply in general under all similar situations of alignment for joint interoperable cross-border data resources. Governments should therefore consider a remedy of the situation independent of their participation in, and legal model of 1+MG. The ongoing activities to implement the EU Data Governance Act provide here a unique window of opportunity where the national legislation for secondary use of personal data is addressed already (“National level solution”).