
Biobank Research and Data Protection Issues Under the GDPR

Personalized Medicine in the Making

Part of the book series: Human Perspectives in Health Sciences and Technology ((HPHST,volume 3))


Abstract

Biobanks are collections of genetic information that have gained remarkable relevance in the field of precision medicine, while raising ethical and legal issues that have been widely debated and investigated over the past two decades. Undeniably, there is a noteworthy scientific interest in furthering biobank research. Nevertheless, it seems imperative to safeguard those who provide human biological materials, thus making biobank research possible. There is an issue of personal sensitive data protection, since biological samples are particularly prized for their informational value. Therefore, while fostering biobank research is a desirable goal, preventing it from resulting in inappropriate uses of sensitive data is a matter of primary concern. Striking a balance and making the ends meet is an extremely complex endeavour, yet one worth exploring, also in the light of the EU General Data Protection Regulation and the safeguards it provides for. The Regulation, which entered into force in May 2018, actually provides an EU-wide applicable set-up for the protection of personal data, including those which are sensitive in nature such as genetic and health data, thus applying also to the domain of biobank research.

This article is based on my contribution in the Experts Meeting “Personalized medicine: A multidisciplinary approach to complexity”, which took place at Campus Bio-Medico University of Rome on February 4th, 2020. That contribution and its re-elaboration in the present version are meant to comment upon and elaborate further on Antonella Ficorilli’s chapter in this volume, “Personalized medicine and research biobanking: From traditional to new informed consent generating a need for participatory governance”. My angle has been that of law and politics, so as to highlight the concerns – in terms of protection of individual rights – that are still far from being solved, notwithstanding the regulatory advances in the domains of biobanks.


Notes

  1. For a very comprehensive review and in-depth debate, already more than a decade ago, see Solbakk et al. 2009. More recently, Mascalzoni 2015.

  2. Article 8 of the Charter of the Fundamental Rights of the European Union reads as follows: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specific purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority”.

  3. The European General Data Protection Regulation entered into force on May 24, 2016. It became binding and directly applicable in all member states from May 25, 2018.

  4. Any balancing act amongst conflicting values implies a choice, which is not in the least trivial. Nonetheless, in principle, fundamental rights including the right to data protection should not be traded against any other values. The inherent, underlying theoretical question is particularly complex and far from being solved. Alas, it is well beyond the scope of this article to investigate its many facets and to constructively discuss it. For the purpose of this article, suffice it to highlight that the public interest in scientific research – which, according to art. 13 of the Charter of the Fundamental Rights of the European Union, “shall be free of constraint” – and the contribution of scientific research to the societal good make limits to the fundamental right to data protection justifiable, provided the said limits are necessary and proportional to the purpose and provided the essence of the said right is respected. Obviously, drawing the line between what is necessary and what is merely useful or desirable is a question of great complexity that adds to the inherent difficulty of any act of balancing. Balancing can as well be read as a consequence of proportionality, which allows for limitation of fundamental rights in the European Union only “if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (Charter of the Fundamental Rights of the European Union, art. 52). On the proportionality test and the technique of balancing, see Scaccia 2019. Furthermore, focusing on the case law of European Courts, see Lind and Strand 2011.

  5. Whether data protection is broader or narrower in scope than the concept of privacy is questionable. By and large, privacy encompasses data protection, but also pertains to private and family life and respect for the confidentiality of correspondence and communications. In this respect, see Focarelli 2015; Rodotà 2014; Davis and Patterson 2012.

  6. E.g., by employers or insurance companies, just to name the most obvious.

  7. Interestingly, while providing an EU-wide legal framework for the protection of personal data, the GDPR altogether omits the term privacy.

  8. Truly anonymized data cannot be linked back to an individual, whereas pseudo-anonymized data have identifiers removed and replaced by a key-code that can be used to trace back an individual. Pseudo-anonymization is defined in the GDPR, sec. 4.5., as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  9. Whether data can be considered anonymous or not is a matter of risk assessment depending on a number of factors such as the technology available at the time of processing, the costs and the amount of time required for identification. Therefore, anonymity is not a static concept, but rather one that changes depending on specific, objective circumstances.

  10. The Declaration of Helsinki further requires that research subjects should also know the sources of funding, possible conflict of interest, prospective benefits and any other relevant aspect.

  11. Including the right to access, to rectification, to erasure, to restrict processing, to data portability and to object.

  12. According to the GDPR, “controller” means the natural or legal person, agency or other body which determines the purposes and means of the processing of personal data, whereas “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Official Journal of the European Union 2016, art. 4).

  13. The Art. 29 Working Party was the body entrusted with the task of providing EU level interpretation of data protection law under Directive 95/46, subsequently replaced by the Data Protection Board when the GDPR entered into force. It consisted of representatives of data protection authorities, in charge of the task to interpret and enforce data protection law in EU member states. The Art. 29 Data Protection Working Party adopted Guidelines on Transparency under Regulation 2016/679, which set out general principles in relation to the exercise of data subjects’ rights under the GDPR. Albeit not binding, these Guidelines are particularly authoritative and influential.

  14. Such as the right to access, the right to rectification, the right to restriction of processing, the right to object.

Corresponding author

Correspondence to Maria Rosaria Brizi.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Brizi, M.R. (2022). Biobank Research and Data Protection Issues Under the GDPR. In: Beneduce, C., Bertolaso, M. (eds) Personalized Medicine in the Making. Human Perspectives in Health Sciences and Technology, vol 3. Springer, Cham. https://doi.org/10.1007/978-3-030-74804-3_14
