As stated above, the EU arguably has the strictest data privacy law in the world, entailing a certain strain on the transfer of data outside the Union, especially since the EU has the ambition of upholding data privacy rights for EU subjects even when the data is processed overseas. In medical research based on biobanks, both human biological samples and personal data on health are used.
Some introductory remarks are given in this section on the relationship between samples and data in order to specify what resources are covered by the EU data protection law (section 3.1). The long reach of EU data privacy law is then discussed in section 3.2. These rules are analysed in section 3.3 in a medical research setting.
Data and samples
The starting point when applying data protection law is defining data. Can a human biological sample itself be considered data? Both the Data Protection Directive and the General Data Protection Regulation define personal data as “any information relating to an identified or identifiable natural person”.Footnote 39 Neither act defines more closely what type and form ‘the information relating to an identified, or identifiable natural person’ is to take. According to Article 29 of the Data Protection Working Party Group, human biological samples, such as blood samples, are themselves sources from which data is extracted, but they are not data in themselves; “the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules.”Footnote 40
The preamble to the General Data Protection Regulation states that “[g]enetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.”Footnote 41 Once again, the analysis of the biological sample is considered to be data, but not the sample itself. The sample is thus not protected under EU Data Protection Law.
Consequently, EU data protection law is highly relevant to medical research: the result of a DNA analysis will always be considered personal data, even without any accompanying information such as the name of the patient or a code to which only trusted third parties have the key. The DNA is in itself an identifier. However, even if EU data protection law is highly relevant, it is not the only applicable body of rules. As pointed out by the Article 29 Data Protection Working Party, the handling of human biological samples may be subject to other sets of rules.
The long reach of EU data protection law – extraterritorial scope and strict requirements for transferring data
All states by definition are, at least as a point of departure, sovereign and thereby independent of each other. One feature of sovereignty is the capacity to decide on legal matters occurring within the borders of that state. Legal conventions on jurisdiction have been seriously challenged by the types and forms of data usage within the Internet.Footnote 42
Within its data protection law, the EU has taken the general standpoint that the rights of EU data subjects should be protected regardless of where the data is processed. The EU has thus established two different paths to ensuring that EU data subjects’ rights to data protection are not undermined by free-flowing information routes on the Internet. First, the scope of application of EU data protection law is very wide and could even be described as extraterritorial (section 3.2.1). Secondly, EU data protection law sets up far-reaching requirements on the recipient of EU data in order for a transfer of data outside the scope of application of EU data protection law to be considered legal (section 3.2.2). These rules have stirred particular controversy in relation to the US, as analysed in section 3.2.3.
The territorial scope of application of EU data protection rules
The Data Protection Directive already had an unusually broad definition of territorial scope,Footnote 43 and the General Data Protection Regulation expands it a bit further. Article 3.1–2 of the Regulation states:
This Regulation applies to the processing of personal data in the context of those activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.
According to the first paragraph, all situations where a person established in the EU processes personal data, either on their own behalf (controller) or on behalf of another (processor),Footnote 44 must follow the rules in the regulation. Where the data is actually processed, for example in a cloud service, is irrelevant. This means, for example, that if a medical researcher responsible for processing personal data in Japan (a controller, in EU terms) uses a data storage service established in the EU (a processor established in the EU), the Japanese controller must adhere to EU law with regard to the data stored with the European service provider.
The second paragraph defines certain situations in which it is the EU data subject him or herself that renders the regulation applicable, even when the controller and processor are established outside the EU. This is the case where the controller or processor targets the EU data subject, either by offering goods or services, or by monitoring their behaviour, if the behaviour takes place within the EU. There are countless providers of services and goods all over the world who may fall under this category, requiring them to uphold EU data protection law.Footnote 45
The requirements for transferring data to third countries
Both the Data Protection Directive and the General Data Protection Regulation contain rules setting out the requirements and conditions for the transfer of personal data outside the EU. Content-wise, the differences between the directive and the regulation are not significant; however, the rules within the regulation are more detailed.
Article 44 of the General Data Protection Regulation sets out the general principles for allowing transfers to third countries, including any onward transfer:
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
All transfers outside the EU must first comply, as always, with the principles in the regulation, meaning that there has to be a legal basis for the processing of the personal data that covers a transfer outside the EU.Footnote 46 With regard to special categories of data, such as health data, there must further be a specific legal ground for processing.Footnote 47 Secondly, there have to be mechanisms in place to ensure that the rights of the EU data subjects will also be upheld when the data is transferred outside the EU.
The regulation provides a number of set procedures that can be divided into three main categories. These can be seen as hierarchical, with the first category offering the most efficient and thorough protection. First, transfer may take place if the Commission has enacted an adequacy decision, meaning that the Commission has found that “a country, a territory or one or more specified sectors within that country… ensures an adequate level of protection” (Article 45).Footnote 48 Protection in this context refers to legal protection: the existence of a legal framework for data protection, together with sufficient enforcement mechanisms. The Safe Harbor Agreement, further discussed in section 3.2.3, is an example of this. Secondly, in the absence of such a decision, data may be transferred if appropriate safeguards are available, on the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46).Footnote 49 These safeguards may, for example, be legally binding and enforceable instruments between public authorities, binding corporate rules (further regulated in Article 47), standard data protection clauses adopted by the Commission, or specifically approved codes of conduct. Contractual clauses between the sender and recipient, subject to the authorisation of a competent supervisory authority, also fall within this category. Thirdly, in the absence of either an adequacy decision or appropriate safeguards, there is a list of derogations in Article 49.Footnote 50
There are two categories of derogations. Article 49.1(1)(a)-(g) lists seven specific situational derogations. One is the existence of explicit informed consent from the data subject, where he or she has been informed of the possible risks of the transfer. Others apply where the transfer is necessary due to a contract involving the data subject, for an important reason of public interest, or in connection with a legal claim. Article 49.1(2) contains the second category of derogations, which is open-ended but can only be used under rather limited circumstances:
[O]nly if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
The controller must further then inform the competent supervisory authority, as well as the data subjects concerned.
A fourth and final procedure is mentioned only briefly here: the transfer of personal data pursuant to judgments and official decisions requiring a controller or processor to disclose personal data is permitted if based on an international agreement, such as a mutual legal assistance treaty (Article 48). If none of the abovementioned grounds are available, the transfer of EU data outside the Union is not allowed.
The Safe Harbor-agreement, Schrems and the EU/US privacy shield
The Safe Harbor-agreement between the EU and US is an example of an adequacy decision, enacted under Article 25.6 of the Data Protection Directive, the predecessor of Article 45 in the General Data Protection Regulation.Footnote 51 The agreement itself was annexed to an actual decision enacted by the Commission, ensuring that entities within the US adhered to the principles laid down in the agreement. Thereby the entities could be considered trustworthy recipients of EU data. EU controllers could transfer personal data to these entities without further ado. As stated above, the Court of Justice in Schrems found that the Commission’s decision was invalid, since the Safe Harbor agreement did not sufficiently ensure an adequate level of protection for EU data rights.Footnote 52
The Schrems-case was brought by an Austrian law student, Maximilian Schrems. He argued that his personal data on his Facebook account was not properly protected, a fact made apparent following the revelations made by Edward Snowden concerning the activities of the US intelligence services.Footnote 53 The Court held that while the term “adequate level of protection” in Article 25(6) of Directive 95/46/EC does not mean a level of protection identical to that guaranteed in the EU legal order, it must be understood as requiring a third country to ensure a level of protection of fundamental rights and freedoms “essentially equivalent” to that guaranteed within the Union by virtue of the Data Protection Directive, read in light of the EU Charter of Fundamental Rights.Footnote 54
The main criticism of the Court focused on the obligation for entities within the US to disregard the Safe Harbor-principles, in the event “national security, public interest, or law enforcement requirements” within the US legal system so required.Footnote 55 As the Court rather laconically stated, since US legislation permitted public authorities such as the NSA “to have access on a generalised basis to the content of electronic communications”, this constituted a breach of the EU right to privacy as guaranteed by Article 7 of the Charter.Footnote 56 There is no legal basis in EU data protection law that would render such indiscriminate surveillance of personal data lawful. Further, the fact that the US legal system did not provide for any effective remedy for EU data subjects was contrary to Article 47 of the EU Charter and the right to effective judicial protection.Footnote 57
The legal protection sought by the CJEU thus did not find its match in the political reality that the Commission had tried to master over the years of negotiations with its American counterpart. The Schrems case was not the first time criticism towards the US was heard from the EU. Negotiations between the Commission and the US on different aspects of data protection had been going on since 2010,Footnote 58 and were intensified after the verdict of the Court was delivered in 2015. A political agreement between the EU and US was reached early in 2016,Footnote 59 and the Commission presented a communication to the EU legislators at the end of February, explaining the agreement in detail.Footnote 60 A new adequacy decision, the EU-US Privacy Shield, was enacted in July 2016.Footnote 61
The EU-US Privacy Shield is drafted as a general decision on the transfer of data, but is mainly directed at commercial activities and businesses. The Privacy Principles comprise thirteen Framework Principles similar to those in the Safe Harbor-agreement. Further, there are Supplemental Principles, including specifications of and exceptions to the framework principles as well as informational and institutional rules for the American data controllers to follow. The principles are found in Annex II to the draft decision.Footnote 62
More interesting for the issue raised here is the governance structure of the agreement and the requirements to guarantee recourse mechanisms for EU data subjects. The EU-US Privacy Shield is built on a system of self-certification by which US organizations commit to the Privacy Principles.Footnote 63 The US Department of Commerce is to maintain a list of all participating US organizations that have committed to the principles. In order to remain on the list, organizations will have to re-certify annually.Footnote 64
Further, under the Recourse, Enforcement and Liability Principle, all participating listed organizations must provide “robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a noncompliant manner, including effective remedies”.Footnote 65 Organizations may choose independent recourse mechanisms in either the EU or the US. This includes the possibility to voluntarily commit to cooperating with the European data protection authorities. If handling human resources data collected in the context of an employment relationship, cooperation with EU authorities is mandatory.Footnote 66 This also affects the choice of applicable law, since EU law will be relevant for interpreting the compliance of US organizations:Footnote 67
U.S. law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities.
European data protection authorities are to establish a specific pan-EU panel to resolve these complaints.Footnote 68 When US organizations are cooperating with EU data protection authorities, the US actors will accordingly have to abide by the EU interpretation of the Privacy Shield and its principles and will further be bound by the decisions of a pan-EU panel.Footnote 69
Applying EU data protection rules on transfer of health data in medical research
How can these requirements concerning the transfer of EU data be applied in the context of biomedical research? As set out above, a transfer of a human biological sample raises privacy issues both regarding the sample itself and regarding the personal data retrievable from the sample. These two issues are dealt with separately, at least within the EU. Regarding the transfer of the biological material itself, there are no globally applicable administrative rules (section 1). According to established medical research practice, a transfer of human biological material is to be preceded by an agreement between the sender and recipient, a Material Transfer Agreement (MTA).Footnote 70 All the conditions for handling the samples are regulated in the MTA, such as specific restrictions following from the given consent.Footnote 71
Transfer of data within medical research from the EU must fall within one of the mechanisms set out above (section 3.2.2). Even before the Schrems judgment, the Safe Harbor principles were not commonly used when transferring health data to medical researchers in the US, since the principles are directed at commercial activities and not research. Instead, an appropriate safeguard mechanism was applied: contractual clauses authorised by a competent supervisory authority, i.e. a research ethics committee.Footnote 72 These contracts are referred to as Data Transfer Agreements (DTAs), regulating the obligations of both the sender and the recipient of the data.Footnote 73 It should however be underlined that the requirements laid down in Safe Harbor, the Schrems case and now the EU-US Privacy Shield are still relevant for medical research, since they can be used as a benchmark for what level of protection should be ensured for EU data subjects.
As stated above, applying an appropriate safeguard under the General Data Protection Regulation is conditioned on the availability of “enforceable data subject rights and effective legal remedies for data subjects”.Footnote 74 This condition is not explicitly laid down in the Data Protection Directive. Nor does the directive explicitly require this in reference to the assessment for an adequacy decision.Footnote 75 The Court placed considerable weight on these issues in Schrems:
Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 [Data Protection Directive] read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.
Since the US legal system could not ensure this protection, it was not considered safe. As pointed out by Hofmann, this is the first time the Court has declared an EU act invalid due to breaches of fundamental rights without performing a balancing test to assess whether the limitation of the fundamental right could be seen as legitimate in a democratic society.Footnote 77 The breach of the right to private life and to effective judicial review was consequently so far-reaching that it was seen as violating the “essence both of the right to privacy and the protection of personal data as it arises from Articles 7 and 8 of the Charter as well as the essence of the right to an effective judicial remedy under Article 47 Charter”.Footnote 78
It remains to be seen how the more detailed rules for processing health data in research will be regulated in the EU Member States. Arguably, the focus on the rights of the data subject may entail a shift in the expected mandate of research ethics committees and other oversight bodies for research, if they are to uphold the Data Protection Regulation. As of today, the specific rights of the data subject, involving amongst others such matters as the right to redress, are not usually addressed in either MTAs or DTAs entered into by sending and receiving research institutions. These agreements often cover how to handle legal conflicts between the sending and receiving research institutions, for example issues relating to intellectual property, but the sample donor/data subject is usually absent.Footnote 79 The research ethics committees within the EU which approve DTAs for transfers to third countries should thus ensure that effective remedies are available for the data subject within the receiving institution. Accordingly, research ethics committees in states outside the EU could be asked to review and ensure the rights of EU data subjects in order to allow for research cooperation. The requirements within EU law create new tasks to be handled within the governance structure for the applicable bioethical aspects. Whether this is a good thing is discussed in the following and final section.