1 Introduction

1.1 Background

The GDPR has had considerable impact on biobanking. Despite foreseeing rather stringent measures to ensure that personal data are adequately protected and placing strict obligations on controllers, the GDPR has relaxed the regulation of research in two important ways. First, through lawfulness requirements for data processing, including the conditions set forth in Article 9(2) GDPR for lifting the prohibition of health and genetic data processing. Second, through derogations from certain individual rights under Article 89 GDPR. These requirements, possibilities and further regulatory opportunities offered by the GDPR co-exist with and relate to national regulatory frameworks on biobanking. 

Even though the GDPR is a regulation and, therefore, establishes a uniform framework across national legal orders, Member States’ ability to maintain existing or even introduce new national exceptions allows the preservation of the fragmented landscape of biobanking law in Europe. The GDPR offers several lawfulness avenues in the form of legal grounds for data processing that lift the general prohibition of genetic and health data processing. Particularly important among these is broad consent, a possibility offered by Article 6(1)(a) in conjunction with Articles 9(2)(a) and 7 and as guided by Recital 33. The application of these provisions does not, in principle, require further implementing measures by the Member States. Furthermore, Article 9(2)(j) GDPR grants the possibility to adopt either national law or EU law that permits processing of health and genetic data for research purposes without the data subject’s consent, provided that such processing is proportional to the aim pursued, respects the essence of the right to data protection and is accompanied by suitable and specific measures to safeguard the data subject’s fundamental rights and interests. [Footnote 1] Therefore, should there be a law in place providing these guarantees, even broad consent to the processing of health and genetic data for research purposes might not be necessary.

The derogations from individual rights under the research regime set forth in the GDPR have two limbs: one that relies on the direct applicability of GDPR and does not require further implementation measures, but requires compliance with Article 89(1) GDPR; and another that provides EU/EEA Member States with the possibility to derogate from four rights foreseen in the GDPR on the condition that a national law is in place and that the requirements of Article 89(1) GDPR are met (notably, adequate safeguards are in place) and in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. These rights are enshrined in Articles 15, 16, 18 and 21 GDPR. Additionally, the GDPR enables further regulatory opportunities for research falling within the domain of public interest.

The opportunities that the GDPR has created for research raise questions on whether they have been operationalized nationally and what implications they create for collaborative research between EU/EEA Member States. This chapter seeks to provide insight into the fragmented landscape and the research-related implications of GDPR implementation across Member States. It is not an exhaustive comparison of GDPR implementation across these countries. Rather, it reviews the legal basis for data processing, with a particular emphasis on consent, and examines the national application of Article 89(2) GDPR, specifically, whether derogations from Articles 15, 16, 18 and 21 GDPR are enabled and what safeguards are in place. Additionally, it considers what, if any, consideration for balancing individual rights and public interest has been advanced nationally. Thereafter, it considers implications for scientific research in the area of biobanking.

1.2 Method and Limitations

To provide a pan-European overview of the GDPR’s impact on the biobanking regulatory framework, experts in health law and/or data protection law, commonly with experience in the area of genetic and genomic research and biobanking, were invited to contribute their insights with respect to the following issues:

  (1) biobank infrastructure and regulatory environment;
  (2) the questions of legal basis and consent in biobanking;
  (3) individual rights and derogations under Article 89(2) GDPR, including adequate safeguards;
  (4) the balance between individual rights and public interest in national law; and
  (5) GDPR impact and future possibilities for biobanking.

Additionally, BBMRI-ERIC [Footnote 2] prepared and circulated a research-facilitator tool in the form of a screening table, based on which national laws were screened for further details related to the operationalization of the GDPR in the national context. The experts who participated in the study represented nineteen EU/EEA countries: Belgium, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Liechtenstein, Malta, the Netherlands, Norway, Poland, Portugal and Spain. Each collaborator’s answers along with the BBMRI-ERIC hosted table constituted a national report, and all data were analyzed, summarized and grouped into categories based on similarities or significant differences. The authors of these national studies have subsequently verified the accuracy of this work. All collaborators are co-authors of this study.

2 Biobank Regulatory Environment Across Europe

In the absence of a supranational actor with competence and authority to regulate biobanking and set uniform, comprehensive and binding requirements within and across borders, it falls on the national legal orders to regulate biobanking with due regard to their external commitments. [Footnote 3] To identify the approach that national legal orders have taken with respect to regulating biobanks, the analysis that follows reviews national regulatory frameworks and governance approaches.

There are countries that have opted for a sector-specific legislation for biobanking research. Among these are Spain, where the Act on Biomedical Research [Footnote 4] has devoted specific chapters to biobanks; Portugal, where the Biobank Act for Research Purposes has been in place since 2005; [Footnote 5] and Latvia, where the Human Genome Research Law was adopted in 2002 and came into effect in 2004. Parallel to biobanking regulations, in all countries participating in the present study, national and European laws on privacy and personal data protection, namely Convention 108 and the GDPR, apply collectively. This is certainly the case for Belgium. With a network of biobanks that are linked to public institutions such as hospitals, universities and research centers, it has a number of European and Belgian provisions which regulate biobanking activities. Most notably, there is the Belgian Act on the Procurement and Use of Human Body Material (Act on HBM) [Footnote 6] and the Royal Decree of 2018, [Footnote 7] which provides the legal basis for the entry into force of the provisions on biobanks contained in the Act on HBM and further specifies their application.

However, even where a biobank Act is in place, other laws apply concurrently. For example, Finland’s regulatory framework for obtaining and using tissue and data from biobanks and other such repositories for research comprises mainly the Biobank Act, the Data Protection Act, [Footnote 8] the Act on the Secondary Use of Social and Health Care Data, [Footnote 9] and the Act on the Medical Use of Human Organs, Tissues and Cells. [Footnote 10] Of particular interest is Estonia, where the national Biobank EBB [Footnote 11] is regulated by a sector-specific Act, as opposed to other tissue collections and biobanks in the country, which are regulated by a combination of provisions on biomedical research. [Footnote 12] Sweden has two specific Acts on research databases, the Act on Certain Registers for Research on what Inheritance and the Environment Mean for Human Health and the Act on Forensic Psychiatry Research Register, which both apply to biobanks.

Other countries, such as France, Germany, Denmark, Greece, [Footnote 13] Croatia, [Footnote 14] Czech Republic, Ireland, [Footnote 15] Liechtenstein, the Netherlands and Poland, [Footnote 16] regulate biobanks through a combination of national provisions on biomedical research and data protection, without a lex specialis on biobanks. In the absence of a specific biobank Act, ethical, technical and scientific guidelines supplement the regulation of biobanks. [Footnote 17]

Italy’s approach could be characterized as a ‘hybrid model’, since the national Data Protection Authority (DPA) issued in 2016 two specific Authorizations concerning the processing of genetic data and the processing of personal data for scientific research, which include specific provisions for biobanking research. [Footnote 18] The Malta BioBank has two main arms, the Clinical Bank and the Population Bank. [Footnote 19] Apart from the GDPR, which has been transposed into Maltese law by means of the Data Protection Act, no specific law regulates research, except for the Clinical Trial Regulation and laws regulating higher education and health. The biobank’s governance is regulated by the Statute for the Centre for Molecular Medicine and Biobanking.

Finally, Biobank Norway is a national infrastructure of biobanks which includes consented population-based and disease-specific clinical biobanks, and offers access to unparalleled longitudinal health data in health registers. [Footnote 20] Biobanks and personal data are regulated in different laws. The Personal Data Act regulates the processing of personal data when these relate to specific biological material, while public biobanks are regulated by the Treatment Biobank Act and the Health Research Act.

As seen above, the approaches taken to biobanking regulation vary across Europe, with most countries choosing not to introduce a sector-specific piece of law into their domestic legal order. However, where countries have opted for such specific instruments, these do not sufficiently address all the issues arising from biobanking research, especially those related to the processing of participants’ personal data. Hence, national law still needs to be applied in conjunction with the GDPR and other sources of European/international law.

3 Legal Basis for Biobanking. The Place and Role of Consent as One of the Legal Bases for Data Processing in Biobanking: Informed, Broad or None?

Participants’ written and informed consent has undeniably been the most common legal basis upon which the processing of health and genetic data for biomedical research on humans has been legally justified. However, the scope of consent differs substantially across the countries included in the current study, which obstructs the transfer of data across borders within the framework of collaborative projects. The informed consent procedure has been heavily criticized as the route least likely to enhance research participants’ autonomy in biobanking, given the large number of samples and data that need to be stored and processed for long periods of time and, most importantly, for research purposes unknown at the time of their collection. In contrast to the informed consent model, which originates in clinical practice and has a longstanding tradition in the field of medical law that aims to protect individuals from research interventions, the broad consent model is arguably best suited to biobanking research. [Footnote 21]

The critical question regarding consent is how countries chose to delineate its scope. Recital 33 is the only place in the GDPR where broad consent is implied, stating that ‘data subjects should be allowed to give their consent to certain areas of research’. [Footnote 22] Still, nowhere in the regulation is broad consent explicitly established. It is, therefore, of particular comparative interest how Member States used the discretion granted to them to introduce further conditions for health and genetic data processing (Article 9(4) GDPR) and, more specifically, what approach they adopted with regard to the scope of consent. Nonetheless, as noted in the introduction of this chapter, it is not precluded that broad consent could be directly applied by invoking the provisions of the national law, unless a Member State, following the discretion left under Article 9(2)(a) or 9(4) GDPR, precludes the use of consent as a means to lift the prohibition of health and genetic data processing.

Belgium established the controller’s obligation to inform data subjects, from the time of the data collection, about the anonymization of their personal information and the reasons for which the exercise of their rights would render the achievement of the objectives impossible or seriously impede them. Prior to the data collection, according to the Belgian Privacy Act and without prejudice to the GDPR provisions on the controller’s responsibilities, including those on record keeping, the controller shall add specific elements to the registration of processing activities for purposes of scientific research. As stated in the law, these requirements consist of the justification of the use of the data, which may or may not be pseudonymized; the reasons why the exercise of the data subject’s rights threatens to render the achievement of the objectives impossible or seriously impedes them; and, if applicable, the data protection impact assessment, when the data controller processes special categories of data for the purposes of scientific or historical research or statistical purposes.

The Irish legislation normally requires data subjects’ explicit consent to the processing of special categories of data for research. The Health Research Regulations (2018) define consent broadly as for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof. Specific measures must be taken to safeguard personal data, including: limitations on access; strict time limits for the erasure of personal data and mechanisms to ensure this; targeted training; logging mechanisms; designation of a data protection officer (where not mandatory) and, where processing health-related data, a requirement that the processing is undertaken by a health practitioner or a person bound by an equivalent duty of confidentiality; pseudonymization and encryption. The Health Research Regulations list further measures, such as appropriate governance structures. Researchers can apply for an exemption when they are ‘of the view that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent’.

Croatia leaves no room for broad consent to medical research. The Croatian Law on Patients Protection states that consent to medical research has to contain detailed explanations of involved procedures and risks. [Footnote 23] In the Czech Republic, the legislator laid down no further specific conditions for consent to medical research, adopting the informed consent approach elaborated in the GDPR. In the case of Latvia, the Human Genome Research Law requires specific consent. [Footnote 24] Furthermore, this consent shall be documented on a form approved by the Cabinet. [Footnote 25] These rules have not been amended since the GDPR entered into force. Nonetheless, work on a new law regulating biobank research has commenced and could lead to a different approach to consent. In Spain, the data subject’s consent is required. However, the reuse of personal data for health and biomedical research shall be considered lawful if consent was obtained for the first use. Furthermore, scientific studies may be carried out without the consent of those concerned for public health reasons and in situations of exceptional relevance and seriousness to public health. Interestingly, in France, the law functions on the basis of opt-out consent (non-opposition), although opt-in consent can be required under special laws. Consent to several purposes is accepted, where these are clearly, intelligibly and explicitly presented to the individuals, who can opt for or refuse each one. [Footnote 26]

In Portugal, consent may cover several areas of research. This is an improvement compared to the specific consent previously required. However, consent can only be waived in exceptional cases, where samples are used retrospectively, or when the consent of the persons concerned cannot be obtained due to the number of data or individuals, their age or other comparable reasons. In these cases, data and biospecimens can only be processed for scientific research purposes or for the collection of epidemiological or statistical data.

Along the same lines, but with an even broader scope, the Finnish Biobank Act allows research participants to give their informed consent to the storage and use of samples (to be) taken from them for the purpose of biobank research, to the transfer of their personal information (to researchers) and to linking personal data from other sources and other processing of samples and information obtained with the samples to the extent required by biobank research. Furthermore, the Biobank Act does not require a new consent to the use of biospecimens and associated data by each research project. The Biobank Act is being reviewed, however, and it is expected that the legal bases for processing by the biobank will be Articles 6(1)(e) and 9(2)(g) instead of consent (draft government bill for a new Biobank Act, May 2018), while the Data Protection Act already provides that, under certain conditions, processing personal data for scientific research is lawful based on Article 6(1)(e) and that the restrictions of Article 9(1) will not apply.

In Italy, data subjects’ consent to the processing of health data for scientific research is not necessary when the research is carried out on the basis of (national or EU) law, in line with Article 9(2)(j) GDPR, including when the research is part of a biomedical or health research program, provided that an impact assessment pursuant to Articles 35-36 GDPR is conducted and published. Furthermore, consent is not necessary when, due to specific reasons, informing the interested parties is impossible or involves disproportionate effort, or risks making it impossible or seriously impairing the achievement of the aims of the research. In such cases, the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, and the research program should receive the favorable opinion of the competent Research Ethics Committee (REC) at a territorial level which must be submitted for preventive consultation to the Garante.

In a similar vein, Germany allows biomedical research to be conducted after the data subject’s informed consent, which is freely given and easily withdrawn, has been provided. However, public interest, instead of consent, may be used as the legal basis for processing special categories of personal data in the context of scientific research, if appropriate safeguards for the legally protected interests of data subjects are implemented. Such safeguards may consist of anonymizing personal data as quickly as possible, taking measures to prevent unauthorized disclosure to third parties, or processing them in an organizationally and spatially separate manner from other tasks.

In implementing the GDPR, Sweden has not introduced any specific rule providing a legal basis for processing personal data in research. Existing rules on research conducted by public and private entities have been deemed sufficient. In particular, Sweden has two specific Acts on research databases providing the legal basis for researchers to access data without further consent, under certain conditions and after ethical approval, namely the Act on Certain Registers for Research on what Inheritance and the Environment Mean for Human Health and the Act on Forensic Psychiatry Research Register. Both have been adapted to the GDPR requirements. When processing is not based on informed consent, there will be a different legal basis for research conducted by public research entities (public interest as legal basis) and private ones (commonly, legitimate interest as legal basis). The Netherlands has taken further steps by adopting an opt-out approach when the personal data come from a health care provider, as the patient should not have objected to such use for research. When seeking consent is impossible and the research serves a public interest which cannot be fulfilled without these data, then research is permitted as long as appropriate guarantees are in place. Concerning Denmark’s Data Protection Act, [Footnote 27] it includes a provision on the processing of personal data for scientific and statistical purposes without the data subject’s consent. Consequently, the Act makes use of the options provided by Article 9(2)(j) and Article 89 GDPR. It is a precondition that the research project is of significant societal interest, and safeguards are outlined in the Act.

Similarly, Norway’s Personal Data Act dictates that special categories of personal data can be processed without the data subject’s consent if it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. [Footnote 28] This requires that the benefit to society as a whole clearly exceeds the disadvantages experienced by the subject whose personal data is processed without consent. Furthermore, processing must be subject to appropriate safeguards in accordance with Article 89(1) GDPR. It is required that the controller confers with the data protection officer to make sure that such safeguards are in place. Norway also anticipates that in the future, and under certain conditions, broad-based consent will be adopted for research on human biological material and personal health data. [Footnote 29] When using biological material and health-related personal data, the broad consent must define the research purposes, and new consent may in specific cases be requested by the competent REC if the conditions for use of broad consent need to be specified.

The Estonian Data Protection Act takes quite a liberal approach to the research use of personal data beyond informed consent. Processing personal data in research without consent is permissible in line with GDPR requirements as long as the data are pseudonymized or any other equally effective method is followed, but (upon certain conditions) also when the data enable identification of the individual. [Footnote 30] Likewise, Liechtenstein and Greece allow the processing of special categories of data for the abovementioned purposes without consent if such processing is necessary for those purposes and the processor’s interests outweigh those of the person concerned, given that specific measures are in place. Greek law specifically refers to data pseudonymisation and encryption, DPO designation and data access restriction on behalf of the data processor and/or controller as such measures.

Similarly, the Maltese Data Protection Act implementing the GDPR provides a derogation for scientific or historical research purposes provided that adherence to the GDPR provisions would be likely to render impossible or seriously impair the achievement of those purposes and the data controller reasonably believes that such derogations are necessary for the fulfillment of those purposes. In these cases, processing for scientific or historical research shall be subject to appropriate safeguards for the data subject’s rights and freedoms, including pseudonymization and other technical and organizational measures in order to ensure respect for the principle of data minimization. The conditions imposed for processing in the field of public health have been made applicable to processing genetic data and biometric data. Hence, the controller must consult with and obtain prior authorization from the Commissioner. The Commissioner in turn must consult with a REC.

As the review of the national approaches demonstrates, different possibilities for lifting the prohibition of Article 9 GDPR on processing health and genetic data have been operationalized in the national legal orders. Often, several possibilities co-exist, in particular a consent-based approach alongside a public interest-based or similarly regulated approach, under which the consent requirement may be disapplied or derogated from. When these derogations apply, in some countries a legal requirement to consult RECs emerges.

4 Derogations from Individual Rights Under Article 89(2) Subject to Article 89(1)

4.1 Enabling Derogations

Article 89(2) GDPR enables Member States to lay down derogations from data subjects’ rights to access, rectification, restriction of processing and objection when personal data are processed for scientific purposes. Such discretion is subject to safeguards as set out in Article 89(1), but its boundaries are not clearly defined by the Regulation. At the same time, the non-binding Recital 156 highlights that Member States also retain the ability to provide specifications and derogations from the rights to erasure and data portability. Moreover, Recital 41 indicates that ‘where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned’ provided it is clear, precise and foreseeable. Hence, what follows examines whether and how Member States did actually make use of this margin of maneuver and establish specific exceptions to the rights found in Articles 15, 16, 18 and 21 GDPR.

To begin with, it can be noted that seven of the countries participating in the study, specifically Croatia, Germany, Greece, Malta, the Netherlands, Portugal and Sweden, refrained from prescribing further derogations in their GDPR adapting legislation. The Dutch implementing Act did not embed the right to object (Article 21 GDPR) as a research exemption. According to the same Act, research institutions acting as data controllers are allowed not to give effect to Articles 15 (access), 16 (rectification) and 17 (erasure) GDPR. [Footnote 31] Germany and Greece are slightly more specific when it comes to overriding the right to access for research purposes by adding that in such cases the provision of information should involve disproportionate effort. Finland lists specific safeguards that are required for the derogations to apply (appropriate research plan, designated responsibilities, confidentiality [Footnote 32]), including additional safeguards in case of special category personal data (DPIA provided to national supervisory authorities or compliance with an appropriate and approved code of conduct). It also enacted derogations from the controller’s obligations to provide information to the data subject under Article 13 and Article 14.

The Italian Legislative Decree 101/2018 mentions, in particular, derogations from the right to rectification, noting that in exercising data subjects’ rights pursuant to Article 16 GDPR the rectification and integration of data are noted without modifying the latter when the result of these operations does not produce significant effects on the result of the research. In Liechtenstein, under certain conditions, limitations are also possible with regard to the right to data portability of Article 20 GDPR.

Latvia adopted the Personal Data Processing Law that enables a general derogation when research is carried out in the public interest. It states that ‘if data are processed for scientific or historical research purposes in the public interest, the rights of a data subject specified in Articles 15, 16, 18, and 21 of the Data Regulation shall not be applied, insofar as they may render impossible or seriously impair achievement of the specific purposes, and derogations are necessary for the achievement of such purposes’. [Footnote 33] This derogation is not aligned with the key law regulating human genome research, and consequently, until a new Act is adopted and the current one repealed, or until the current law is amended, these derogations might have limited effect. A similar approach was adopted by Denmark. The Danish Data Protection Act specifically states that Articles 15, 16, 18 and 21 GDPR do not apply to data processed for scientific or statistical purposes.

In the Czech Republic, the Act on Personal Data Processing allows for derogations from data subject rights when personal data are being processed for scientific research pursuant to Article 89(2) GDPR. Specifically, it states that the data subject’s rights to access, rectification, restriction of processing and objection to processing apply adequately or can even be postponed if this is necessary and proportional to the fulfillment of the purpose of processing. It also states that the right to access shall not apply if processing is necessary for scientific research and the provision of such information would involve disproportionate effort. However, several national legislators merged derogations from data subjects’ rights for research purposes with those for reasons of public interest, or focused only on the latter. Portugal posits the anonymization of data as an additional condition under which derogations for the sake of public interest or research purposes are allowed. The legislation to be proposed in Portugal states that in processing data for purposes of archiving in the public interest, scientific or historical research or official statistical purposes, the rights of access, rectification, restriction of processing and opposition are superseded when their exercise is impossible, namely when the data collected are anonymized, or liable to seriously hinder the attainment of the aforementioned objectives. [Footnote 34]

In addition to acknowledging the possibility of derogations for research purposes, Italy and Malta regulate further obligations of data controllers and rights of data subjects when such derogations occur.

More specifically, Italy provides that ethical rules, to be approved by the Italian Personal Data Protection Authority, may indicate the cases in which the rights listed in Articles 15, 16, 18 and 21 of the GDPR can be limited, pursuant to Article 89(2) of the same Regulation. The Maltese Data Protection Act provides that processing for scientific or historical research purposes, shall be subject to appropriate safeguards for data subjects’ rights and freedoms, including pseudonymization and other technical and organizational measures, to ensure respect for the principle of data minimization. When such purposes can be fulfilled by processing, which does not permit, or no longer permits, the identification of data subjects, those purposes shall be fulfilled in that manner. Furthermore, controllers must consult with and obtain prior authorization from the Commissioner when they intend to process genetic data, biometric data or data concerning health for statistical or research purposes in the public interest. The Commissioner must, in turn, consult with a REC.

Of comparative interest is also the way in which national laws treat derogations from the right to object. Norway dictates exceptions from the right to access to information, the right to rectification and the right to restriction of processing, but the national legislator argues that there is no need for further exceptions. As a result, there is no exception or extension of the scope of derogations with regard to the right to object. Equally, the Dutch GDPR Implementation Act did not embed the right to object as a research exemption, although research institutions are allowed not to give effect to Articles 15, 16 and 17 GDPR.

In Italy, derogations from the right to object are permitted when processing is necessary in the public interest. Contrary to the countries examined above, this is the only right for which research and public interest merge in the Italian law. Malta takes a different approach regarding the right to object, which may be overridden when personal data are processed for purposes of academic expression. However, neither the Maltese Data Protection ActFootnote 35 nor the GDPR offer any guidance on what is considered ‘academic expression’, making it unclear whether scientific and health research would fall under this provision. In the UK, where controllers reasonably require further information and have informed the data subject of that requirement, they are not obliged to comply with the data subject’s notice not to process their data unless this further information has been provided. Finally, both in Ireland and Greece when processing data for scientific research purposes, the rights of the data subject under Articles 15, 16, 18 and 21 GDPR are restricted to the extent that is necessary and the exercise of the rights would be likely to render impossible, or seriously impair, the achievement of the research.

Overall, the Member States are split between enabling and not enabling derogations from individual rights under Article 89(2) GDPR and the extent to which these derogations are enabled. The fragmentation of the regulatory landscape might have further implications for collaboration, and could open up the possibility of forum shopping. How Member States address this issue will be reviewed in the concluding analysis of this chapter.

4.2 Insights in Appropriate Safeguards

Derogations from the rights indicated in Article 89(2) GDPR, namely Articles 15, 16, 18 and 21 GDPR, not only require the existence of a national law, but are also subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. Therefore, it is clear that derogations are possible. What is less clear is whether the relevance of appropriate safeguards and case-by-case assessment likewise needs to be established by law, or whether direct applicability and effect of the GDPR provisions will suffice. The formulation of the provision in Article 89(2) GDPR is rather ambiguous, but could be argued to be related to national law. Therefore, this section reviews how the requirement for safeguards is approached nationally.

Article 89(1) GDPR generally refers to ‘safeguards and technical measures’ that need to be in place to assure lawful processing of the special categories of personal data, and indicates that ‘[t]hose measures may include pseudonymization (…)’. Pseudonymization in Article 4(5) GDPR is defined as the ‘processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’. Such additional information should be kept separately and be subject to technical and organizational measures so that the personal data can not be attributed to an identified or identifiable natural person. This explicit introduction of pseudonymization aims at minimizing risks against data subjects and is especially considered an appropriate safeguard when processing is conducted for research purposes based on Article 89(1) GDPR. Yet, according to Recital 28 GDPR, data controllers are not prevented from applying other technical measures in order to comply with their data protection obligations. In fact, this requirement is rather to be approached as an obligation, given that data controllers are bound by the duty to ensure that subjects’ personal data are adequately safeguarded, and this duty applies regardless of whether a Member State has regulated safeguards in any further way.

This study has shown the national legislators’ preference for pseudonymization when it comes to choosing among measures for enhancing privacy. It is worth mentioning that, until the GDPR entered into force, other terms were also used in practice across Europe, such as ‘anonymized data’, ‘coded data’, ‘codified data’, ‘linked data’, ‘re-identifiable data’, ‘masked data’, ‘de-identifiable data’, in order to describe what now falls under the general term ‘pseudonymized data’. Consequently, the latter are for the first time in a piece of data protection legislation distinguished from ‘anonymous data’, meaning those unable to identify the subject.Footnote 36

In terms of what constitutes pseudonymization, the majority of countries included in this study do not provide further definitions of the term, which means that Article 4(5) GDPR applies as it stands. In particular, Croatia, Czech Republic, Finland, France, Greece, Norway, Portugal, Sweden, Latvia and Liechtenstein refrain from further specifying pseudonymization, whereas Germany, Ireland and Malta repeat the definition offered by the GDPR. Interestingly, before the advent of the Regulation, Norway used to define pseudonymous data as indirectly identifiable ones, while now pseudonymization is considered to encompass all means of de-identification. In Finland, the Data Protection Ombudsman is unequivocal in classifying pseudonymized data as personal data universally. Concerning the French legislation, the implementation of pseudonymization is presumed in order to preserve confidentiality, although previous iterations of the law referred to it as coding. In Spain, both definitions of data coded and of biological sample coded are provided by the Spanish Biomedical Research Law.Footnote 37

Where most national laws present slight differentiations is the distinction between anonymization and pseudonymization as well as the relation between the two. Specifically, the Belgian legislator grants priority to the use of anonymous data. Only if controllers cannot achieve their research purposes should they turn to pseudonymous data. If the research objective remains unattainable even with the usage of pseudonymized data, then data controllers are allowed to process non-pseudonymized ones. In choosing among different methods of pseudonymization and anonymization, data controllers benefit from the guidance of a data protection officer, when such person has been designated, who advises with regard to the suitability of these methods for data protection.

In Portugal, no priority is attributed to either anonymization or pseudonymization. More specifically, ‘anonymization or pseudonymization’ is selected when the target goals can be reached through either of these. This corresponds with the Portuguese empirical reality, given that, in practice, biomedical researchers and scientists have been implementing coding techniques as a way to reconcile the protection of data subjects’ privacy with the production of satisfactory research outputs. Interestingly, in regards to anonymization, the Greek law further states that the data controller must anonymize the data as soon as the scientific purposes permit so, unless this is contrary to the legitimate interest of the data subject. In addition, it provides that until anonymization takes place the features that can be used to correlate details of personal or actual situations of an identified or identifiable individual must be stored separately. These features can be combined with individual details only if it is required by the research or statistical purposes. Furthermore, the Greek law also indicatively refers to the data controller’s and/or data processor’s data access restriction, data encryption and the DPO designation as additional safeguards when it comes to the processing of specific categories of data for scientific purposes. In regards to scientific publications containing personal data, these can take place either after the data controller obtains the explicit written informed consent of the data subject or, where no consent is obtained but the publication is necessary for the presentation of the scientific research results, after the controller pseudonymizes the data.

Italy demands that the Italian DPA provides for further conditions under which genetic, biometric and health-related data can be processed, namely encryption and pseudonymization techniques, minimization measures, specific methods for selective access and any other measure necessary to safeguard the rights of those concerned.Footnote 38 In all these cases, the Italian regulations interpret these terms based on the volume of data processed, the nature, object, context and purposes of the processing, and denote methods of rendering data not directly traceable to the concerned parties but identifiable only when necessary.

In the Czech Republic, pursuant to the Act on Personal Data Processing, if it is consistent with the purpose of personal data processing (scientific research), the personal data referred to in Article 9(1) GDPR should be processed in a form which does not allow the identification of the data subject. This does not apply when legitimate interests of data subjects prevent this.

In contrast, Norway clearly advances pseudonymization over anonymization. Norway used to define pseudonymous data as ‘indirectly identifiable’ ones, while now pseudonymization is considered to encompass all means of de-identification that meet certain requirements for whoever has access to the key. Provided that data subjects’ identity is sufficiently protected or pseudonyms are being applied, data controllers can proceed with processing data for health research. Requiring that all data used in research be anonymous is deemed unrealistic, as it would impede controlling and verifying research outcomes. Moving on to the Netherlands, it is still unclear how pseudonymization is perceived. Before the GDPR, the DPA issued a decision mentioning that pseudonymization does not per se lead to anonymization, which has regrettably opened up space for diverse, inconclusive interpretations regarding the connection between pseudonymous and anonymous data.

The NHS Health Research Authority in the UK clarified that personal data, which have been pseudonymized (e.g. key-coded), fall under the remit of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. This echoes the provisions of Recital 26 GDPR which posits that if pseudonymized data could be attributed to a natural person by the use of additional information, then they should be considered to be information on an identifiable natural person. Furthermore, data that have been anonymized are excluded from the scope of GDPR, with the act of anonymization being viewed as data processing.
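The Article 4(5) definition discussed above (data attributable to a person only with ‘additional information’ that is kept separately) and the key-coded data referred to by the NHS Health Research Authority can be shown concretely in code. The following is an added illustration, not part of this chapter or of any national authority’s guidance: a constructed record set is pseudonymized with a keyed hash, the code list and secret are held in a separate key store, and anonymization is modelled as destroying that store. The record values, field names and the 16-character pseudonym length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records for illustration only (not real individuals).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "dob": "1970-01-01", "sample_id": "S-001", "diagnosis": "C50.9"},
    {"name": "Bob Example", "dob": "1985-06-15", "sample_id": "S-002", "diagnosis": "E11"},
]

# Fields that directly identify the data subject and must leave the research copy.
DIRECT_IDENTIFIERS = ("name", "dob")


@dataclass
class KeyStore:
    """The 'additional information' of Art. 4(5) GDPR: the secret used to derive
    pseudonyms and the code list mapping pseudonym -> identity. It is held
    separately from the research dataset, under its own access controls."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    code_list: dict = field(default_factory=dict)


def make_pseudonym(secret: bytes, record: dict) -> str:
    """Keyed (HMAC-SHA256) pseudonym over the direct identifiers.

    A keyed hash is used rather than a plain hash: name and date of birth have
    low entropy, so an unkeyed digest could be re-identified by guessing inputs.
    Without the secret, neither direction of the mapping can be recomputed."""
    message = "|".join(record[k] for k in DIRECT_IDENTIFIERS).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, store: KeyStore) -> list:
    """Return a research copy with direct identifiers replaced by a pseudonym,
    recording the pseudonym -> identity mapping only in the separate key store."""
    research_copy = []
    for rec in records:
        pseudonym = make_pseudonym(store.secret, rec)
        store.code_list[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        research_copy.append(
            {"pseudonym": pseudonym,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return research_copy


def can_reidentify(pseudo_record: dict, store: KeyStore) -> bool:
    """True while the key store still holds the additional information."""
    return pseudo_record["pseudonym"] in store.code_list


def reidentify(pseudo_records: list, store: KeyStore) -> list:
    """Re-attach identities using the key store (e.g. to return results to a
    participant). Records whose mapping is gone are returned unchanged."""
    out = []
    for rec in pseudo_records:
        identity = store.code_list.get(rec["pseudonym"], {})
        out.append({**identity, **rec})
    return out


def anonymize(store: KeyStore) -> None:
    """Destroy the additional information. Afterwards the research copy can no
    longer be attributed to a person via the key store. Whether the remaining
    fields are truly anonymous still depends on the residual re-identification
    risk of the data themselves (Recital 26), which this model does not assess."""
    store.code_list.clear()
    store.secret = b""


if __name__ == "__main__":
    ks = KeyStore()
    research = pseudonymize(SAMPLE_RECORDS, ks)
    print(research)                         # no names or dates of birth
    print(reidentify(research, ks)[0])      # identity restored with the key
    anonymize(ks)
    print(can_reidentify(research[0], ks))  # False once the key store is gone
```

The point the code makes is the one the legal texts turn on: as long as the key store exists, the research copy remains personal data (it can be attributed with additional information); destroying the key store removes that route, but it does not by itself settle whether the remaining fields could still single someone out.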

Finally, a few Member States examined pseudonymization in relation to third-party transfers. In Denmark, the Data Protection Authority is authorised to issue general rules on the transfer of data processed for research purposes to third parties, with pseudonymization being among the possible requirements in the preparatory works. At the same time, in France, pseudonymization is indicated as obligatory before transferring data to non-EU countries.Footnote 39

Overall, even though Member States conformed in their incorporation of pseudonymization, this newly-suggested measure is still ambiguously phrased and examined in relation to other alternative technical measures, which raises questions about its sufficiency in eliminating risks to data subjects’ rights. Given that whether a set of data is considered anonymized or pseudonymized will determine the applicability of the GDPR provisions at each instance, it is vital that the definitions, characteristics and legal status of these techniques are further illuminated. Regarding the states that have opted for enabling the derogations but have not further specified them in their data protection legal frameworks, it is too early to conclude that these safeguards do not exist. They could be included in research-specific regulations adopted at a later stage or interpreted in light of the pre-GDPR research regulations, for example, as rules on coding and decoding of the samples under the Human Genome Research Law in Latvia. Moreover, even if the national law does not refer to or specify applications of safeguards in any way, controllers are not released from their obligation to ensure compliance with the GDPR.

5 Public Interest

Benefit sharing from research, return of the results, incidental findings and intellectual property policies are means to ensure a balance between the protection of participants’ interests, on the one hand, and the promotion of the public interest, on the other. Specifically, when it comes to biobanking, public interest has long been debated as one of the suitable legal bases for processing special categories of personal data as per Article 9(2)(j) GDPR and in opposition to consent.Footnote 40 Furthermore, as elaborated by Slokenberga in the introductory chapter, classifying biobanking as public research enables further derogations from individual rights.Footnote 41 It is crucial to see how national legislators chose to handle the abovementioned provision, which stands in close relation to Article 89(1) GDPR on technical and organizational measures and safeguards requirements.

Belgium chose to impose two further obligations on the data controller when it comes to archiving personal data for scientific research in order to ensure public interest, namely the justification of the public interest of the stored archives and of the reasons according to which the exercise of the rights of the person concerned threatens to render the achievement of the objectives impossible or seriously impedes them. In contrast, Italy avoided imposing further obligations on the controller. Instead, it enhanced the role of the DPA in setting the regulatory framework, as reflected in the Annual Report of the DPA, where the interplay between scientific research needs and individuals’ rights protection is prominent. Similarly to Italy, Portugal’s legislation to be proposed on the establishment of biobanks for scientific research purposes sets specific requirements for transparency in scientific, health-related research. Public interest is safeguarded through the control of biobanks by the National Data Protection Commission and the Commission for Coordination of Research in Human Cells and Tissues, which will be created.

Finland’s new Biobank Act is expected to adopt substantial public interest as a legal basis for biobanking activities. Concerns have also been raised regarding the new Act on the Secondary Use of Social and Health Care Data when it comes to the public interest, and specifically the dissemination of research results. In particular, this Act introduces limitations to the publication of results, which interferes with the autonomy and freedom of science. In the case of Malta, society’s participation in biobanking is paramount, as reflected by the steps taken towards the creation of a portal that would allow participants to grant their digital consent. In this way, participants could track the use of their samples and associated data as well as access information and updates about the research projects in which their samples are involved. Research results would also be made available on the portal, thus turning research participants into research partners.

Since 2016, in France, ‘public interest’ has been seen as a synonym for ‘general interest’ and ‘collective benefit’, and has become important to the processing of personal data in health research. Data controllers claiming public interest research purposes should be able to justify this assertion. They can, then, process data through a simplified route. However, public interest is only mentioned as an exception to the principle of storage limitation in research when it comes to archiving reasons. Furthermore, data controllers who are involved in archiving in the public interest can derogate from the rights of access, rectification, restriction of processing and to object.

Germany and Greece, following the letter of the GDPR, provided specific rules, such as limitations on data subjects’ rights or technical measures that safeguard special categories of personal data. The Danish Data Protection Act does not include a provision specifically referring to public interest, but provides for processing of personal data for the purposes listed in Article 9(2)(h) and (g) GDPR, which seems to cover purposes outlined in GDPR Article 9(2)(i). Similarly, the Netherlands, which has many quality registries and a comprehensive cancer registry, has not implemented Article 9(2)(i) for biobanking purposes. Such registries, which are usually not based on informed consent, find a ‘workaround’, e.g. using a common data processor and/or relying on the implementation of Article 9(2)(j). The Estonian approach seems to be shifting the balance between individual rights and public interest strongly towards public interest since research is seen as a task carried out in the public interest.

Ireland allows processing special categories of data in the public interest to protect against serious cross-border threats, ensure high standards of quality and safety of health care and for archiving purposes. The obligations of controllers and rights of data subjects are restricted to the extent necessary and proportional to, inter alia, national security and enforcement of civil law claims. The relevant minister has the power to issue regulations further restricting data subjects’ rights in the public interest. Spain introduced exceptions to the interest of parties, specifically in a more extended consent approach than the GDPR, to the detriment of the widespread accessibility of data (and samples) by researchers, although it can be considered that they are still in agreement with the framework of the latter with the new Privacy Act.Footnote 42 In Latvia, even though it is not defined what research falls in the area of public interest, when it does so, derogations from Articles 15, 16, 18, and 21 GDPR are possible.Footnote 43

Finally, Croatia has no explicit definition of medical scientific research, and this has been one of the causes of discussion of the balance between individuals’ rights and public interests.Footnote 44 Specifically, where the scientific and experimental zone ends, the public interest begins, and there individuals no longer enjoy such broad rights. Such blurred boundaries might, in practice, cause challenges due to different interpretations of scientific research and experimental medicine in the country.

The analysis above illustrates that the countries implemented Article 9(2)(j) GDPR in their legislation vis-à-vis their longstanding research tradition. In those countries where the public interest had already been synonymous with general interest and a solidarity-based approach to research was already cultivated, the relevant provision was adopted as a means to further promote the balance between the public interest and individuals’ rights. However, even in cases where certain societies were already familiar with biobanking research, the national legislator did not further specify the requirements of Article 89(1), and instead chose to stick to the letter of the GDPR.

6 Conclusion

As the chapter shows, the approach to regulating biobanks differs significantly across EU and EEA Member States. Differences have emerged not only on whether and to what extent biobanking is regulated, but also on the requirements set forth by laws. These differences apply to key elements such as lawfulness requirements, in particular the appropriate legal basis for biobanking as well as the legal basis for lifting the prohibition of health and genetic data processing. Through the approach that the GDPR has taken, it has opened up room for the Member States to move away from the long-established model of informed consent in biobanking, at least regarding personal data processing. Whether this room will be widely used or whether Member States will stick to the generic consent requirements under the GDPR remains to be seen. Similarly, it will be interesting to examine how this will be received by RECs. Differences also emerge in the protection of data subjects’ rights and in the approaches to alternative measures ensuring a high level of data protection when derogations are enabled. Finally, differences emerge in how Member States approach public interest and whether biobanking is subsumed into it. While it is often argued that biobanking research is in the public interest, not all Member States have explicitly or legally acknowledged this. Such research may benefit from the generally generous data protection regime enacted with the GDPR, but may not benefit from the additional measures concerning ‘public interest’ under the GDPR. Even though in principle these variations should not affect the free movement of personal data under the GDPR, in so far as RECs have the discretion to declare research as non-compliant with ethical principles and regulations, fragmentation will remain a challenge facing researchers in collaborative projects. This conclusion suggests the need for further research on the interaction of law and ethics nationally as well as under the GDPR.

It also indicates the necessity for pan-European, sector-specific Codes of Conduct, as encouraged by the GDPR. To this end, relevant initiatives have been launched with the aim of enhancing data flows across EU/EEA countries for research purposes.Footnote 45 Such initiatives, though, should be developed in coalition with comparable ones originating in the healthcare sector. Especially in the field of biomedical research, where present and foreseeable technological progress enables extraction of valuable information from existing healthcare datasets, research and healthcare reveal themselves as two sides of the same coin. Therefore, drafting sector-specific Codes of Conduct, which will call attention to this interaction and will incorporate non-conflicting data protection provisions, particularly in relation to data flows or exchanges, should be a priority for all multi-sector actors involved in the aforementioned initiatives.