Abstract
The regulatory framework for biobanking in Estonia is fragmented. Whilst a specific law applies to the population-wide biobank, other entities engaged in biobanking are subject to rules stemming from various legal sources. In the case of the population biobank, participants give open consent for their data and tissue to be used in genetic research. Most other entities do not have the possibility to obtain open research consent for the use of personal data. However, national data protection law enables the use of personal data in research without the consent of individuals.
In contrast, since no stricter requirements are set, open consent can be used when tissue is obtained directly from individuals for research purposes. However, if tissue is initially obtained for other (research) purposes, further research use requires written consent in the case of blood, while due notification will suffice for most other types of tissue.
You have full access to this open access chapter, Download chapter PDF
Similar content being viewed by others
1 Introduction
Estonian law does not define the term or concept of ‘biobank’. As observed by Hallinan, ‘[t]he term has emerged as an umbrella term to describe all collections of biological samples and associated data supporting genomic research’.Footnote 1 From this broad perspective a biobank cannot be defined through an institutional prism, and any entity engaged in the collection and preservation of biological samples and associated data for purposes of, inter alia, research could be labelled a biobank. For example, hospitals and providers of direct-to-consumer genetic testing (DTCGT) services collect biosamples and relevant genomic data for the purposes of, respectively, clinical care and private testing services. However, the samples and data may be stored for future research purposes. Thus, hospitals and providers of DTCGT services can be seen as operating biobanks, though that is not their main or sole activity.
Since Estonian law does not define the terms ‘biobank’ or ‘biobanking’, and the regulatory environment concerning biobanking activities is, for the most part, not dependent on the institutional nature of the entity engaged in such activities, the general and broad definition proposed above (collection of biosamples and genetic data for research) will be adopted for the purposes of this chapter.
This chapter will first give a brief overview of the legal and regulatory environment of biobanks in Estonia and then introduce the Estonian population biobank. This will be followed by an analysis of the rights and safeguards of biobank participants. The fourth part of this chapter will explore the balance struck under Estonian law between the public interest in biobank research on the one hand and individual rights and interests on the other. Finally, the author will comment on the impact of the GDPR and future possibilities for biobanking in Estonia.
2 Biobank Infrastructure and Regulatory Environment
2.1 The Estonian Biobank and the Human Genes Research Act
The Estonian Biobank (EBB) (Geenivaramu) is a population-based biobank that was established in 2002 as a state-run foundation.Footnote 2 Since 2007 it has been part of the University of Tartu.Footnote 3 As of 2019, the EBB has over 157,000 gene donorsFootnote 4 out of a population of ca 1.3 million.
The EBB has made recruitment procedures as convenient as possible in order to attract new donors. For example, as of 20 March 2018, informed consent can be given online.Footnote 5 After informed consent has been provided, the blood samples can be donated in various locations, such as all major hospitals, certain laboratories collaborating with the EBB located throughout the country,Footnote 6 and even some pharmacies.Footnote 7
The activities of the EBB are regulated by the Human Genes Research ActFootnote 8 (HGRA), which was adopted in 2000 specifically for the operations of the EBB. Aside from a few general clauses, the HGRA does not regulate the biobanking activities of other entities.
In terms of clauses of general applicability, the most notable ones are found in Chapter 5 and establish a general prohibition on genetic discrimination and specific prohibitions in employment and insurance relationships. These prohibitions apply universally.
2.2 Biobanking Activities Other Than the EBB
As far as biobanking activities of entities other than the EBB are concerned (e.g. other research institutions, hospitals, DTCGT service providers, etc.), there are no specific regulations. It is noted in the HGRA that genetic testing beyond the activities of the EBB to which Chapters 2 to 4 of the HGRA do not apply ‘may be performed pursuant to the procedure and for the purposes provided by law’.Footnote 9 However, there is no respective law regulating genetic testing in Estonia—whether for research or other purposes.Footnote 10
As such, biobanking activities of entities other than the EBB are subject to a number of different laws. First, data protection law applies as far as genetic and health (and other associated personal) data are concerned to the extent that they constitute ‘personal data’ within the meaning of the General Data Protection RegulationFootnote 11 (GDPR).Footnote 12 Second, in terms of biosamples, international law and a few national legal acts establish a fragmented set of rules for different types of tissue.
2.3 Data Protection and Biobanking
Parallel to possible specific regulations, data protection rules apply to any research involving the use of personal data, including personal data collection for and use by entities engaged in biobanking activities and research. Thus, the GDPR and the Estonian Personal Data Protection ActFootnote 13 (the DP Act) serve as regulatory tools relevant for any biobanking facility.
The explanatory note to the DP ActFootnote 14 refers to Recital 159 GDPR to define ‘research’, which indicates that this concept is to be interpreted broadly. This is in contrast with the previous approach under the former Estonian Personal Data Protection Act,Footnote 15 according to which generally only certain entities or establishments could rely on the research exemption.Footnote 16 The approach of Recital 159 GDPR seems to focus on the research activity itself rather than the nature of the entity or institution carrying out the activity. Thus, in terms of biobanking, any entity engaged in such activities is subject to the general and research clauses of the GDPR and the Estonian DP Act.
In terms of the population biobank EBB, the HGRA does establish that data protection rules do not apply to the EBB as far as the processing of coded tissue samples, coded descriptions of DNA and coded descriptions of state of health is concerned, on the condition that they are processed as a set of data of at least five gene donors at a time.Footnote 17 This clause dates back to 2000, and its compliance with the GDPR is questionable as the GDPR clearly defines pseudonymised data as ‘personal data’.Footnote 18
2.4 Research Oversight
Research oversight in Estonia is scarce. The Estonian Data Protection Inspectorate (DPI)Footnote 19 conducts oversight of research as far as matters of data protection are concerned.Footnote 20 However, oversight of the DPI is in practice highly unlikely to occur unless there is an individual complaint.
Under the former Estonian Personal Data Protection Act that was applicable before 15 January 2019, DPI permission was required for the use of personal data in research without the consent of individuals.Footnote 21 This task is now for the most part assigned to ethics committees. Therefore, ethics committees can also be regarded as part of the research oversight system. However, aside from a few exceptions, ethics committees in Estonia are not systematically established under or regulated by law. Legislative revisions lead to the establishing of one central ethics committee at the Ministry of Social Affairs in September 2019, which would oversee ethical matters related to EBB research and the research use of data in the Health Information System (i.e. patient data submitted by health care professional to this state database).Footnote 22 All other ethical reviews are left to institutional ethics committees, which are not regulated by law.
Under Estonian law, An ethical review is mandatory for the operations of the EBB,Footnote 23 the research use of data in the Health Information System,Footnote 24 and for clinical studies under the Medicinal Products Act.
Aside from the explicit ethics review requirements concerning the research use of the data in the Health Information System, the EBB and clinical trials, for any other entity engaged in biobanking activities, an ethics review requirement has been established under the DP Act which is applicable in very limited circumstances in certain cases where personal data are used in research without the consent of individuals.Footnote 25 This will be further addressed below.
However, the DP Act does not regulate ethics committees but merely presumes their existence. Under the DP Act, in case there is no ethics committee for a given field, the DPI will conduct the review to assess compliance with data protection rules.
3 Individual Rights and Safeguards
3.1 Participation in Biobanks
3.1.1 The Use of Human Tissue in Research
There is little regulation on the use of human tissue under Estonian law. Two general rules can be derived from applicable international law on this and there are also a few national laws that address it.
In 2004, Estonia ratified the Oviedo Convention on human rights in biomedicine.Footnote 26 Under Articles 5 and 16(v) of the Convention the physical intervention to obtain tissue, including for research purposes, presumes prior informed consent of the individual. With regard to further uses of already available tissue, which is obtained, for example, for purposes of clinical care like diagnostic tests, the Oviedo Convention establishes in Article 22 a minimum threshold of due notification.Footnote 27 These two rules apply in the Estonian context in any scenario which national law does not specifically address.Footnote 28
Estonian law only specifically addresses a few cases regarding the research use of human tissue or body parts. For example, the use of embryos in research requires the consent of both gamete donors.Footnote 29 Furthermore, in the case of blood (excluding other types of tissue), the Blood ActFootnote 30 stipulates in § 10 that blood taken from a donor or patient can be used for research purposes upon written consent. The subsequent sequencing of DNA from such blood in the course of research is a matter not directly regulated by law but rather left to ethics.
The HGRA establishes that: ‘It is prohibited to take a tissue sample and prepare a description of state of health or genealogy without the specific knowledge and voluntary consent of the person.’Footnote 31 However, the referred clause is part of Chapter 2 HGRA which regulates exclusively the rights of the gene donors of the EBB. It is clear from the HGRA that Chapters 2 to 4 do not apply to genetic testing (or research) outside of the EBB.Footnote 32 Thus, under the HGRA, it is only the EBB that is prohibited from obtaining tissue samples of individuals without their specific knowledge and voluntary consent.
Therefore, in the case of the further research use of the types of human tissue not clearly addressed in national law a minimum requirement of due notification would apply. Hence, under Estonian law consent is not necessarily required for human tissue to be included in biobank research—the two clear exceptions here remain blood, which requires written consent, and the EBB, which cannot obtain tissue samples without consent.
However, given that the primary research interest in tissue lies in the information that can be derived therefrom, the rules for the use of the data are really the primary question.
3.1.2 Informed Consent for the Use of Personal Data
In the case of the EBB, the consent for the use of an individual’s tissue and data for ‘genetic research, public health research and statistical purposes’ must be in writing and signed by the donor.Footnote 33 As such, the consent of the EBB is an open or broad type of research consent allowing donors’ tissue and data to be used for essentially any type of ethically acceptable scientific research.
In terms of data protection law and informed consent, general rules under the GDPR apply. Thus, as required by Article 9(2)(a) GDPR, the specific purposes of processing must be laid out in the consent when it comes to the use of special categories of data like genetic or health data. Though Recital 33 GDPR appears to grant Member States the discretion to allow for broader consent in research, the Estonian DP Act does not establish a separate, broader notion of informed consent for research.
The informed consent of the EBB remains the only open or broad informed consent for the research use of data established under Estonian national law. Though the explanatory note to the DP Act makes no mention of the consent of the EBB and how this relates to Article 9(2)(a) GDPR, it can be argued that the consent of the EBB is to be regarded as an exercise of the discretion referred to in Recital 33 GDPR. An alternative interpretation is that the use of personal data by the EBB is based on law and not consent. On 15 March 2019, a number of changes to the HGRA came into force.Footnote 34 Amongst these changes is a clause in § 29 concerning ethics committees that obliges the committee to, inter alia, review compliance with § 6 of the DP Act. The latter, however, regulates the use of personal data in research without consent. This begs the question whether the use of personal data by the EBB is to be seen as data processing based on national law instead of processing based on the donors’ consent. Since no working document relating to these recent changes in the HGRA is publicly available, there are currently no definite answers to this question.
In summary, instead of opting for a broader informed consent to research that would also enable biobanking activities, the Estonian DP Act creates simple options for the use of personal data in research without the consent of individuals. This could arguably serve as an even greater facilitator for biobanking activities than broad or open research consent.
3.1.3 Use of Personal Data Without Consent
The Estonian DP Act creates in § 6 a legal basis for the use of personal data in research without consent.Footnote 35 The following two exceptions apply to all types of personal data.
First, personal data can be used for research purposes without consent as long as the data are pseudonymised or any other equally effective method is engaged (i.e. the requirement is technologically neutral).Footnote 36 For the use of pseudonymised data in research, no prior approval from an ethics committee or the Estonian Data Protection Inspectorate (DPI)Footnote 37 is required. Though pseudonymisation as a safeguard is explicitly mentioned under Article 89(1) GDPR, pseudonymisation of data at the earliest possible point is in any case an underlying principle of the GDPR.Footnote 38 Thus, it is arguable whether pseudonymisation of personal data as a stand-alone, though ‘appropriate’,Footnote 39 safeguard is sufficient to deem the Estonian approach compliant with the GDPR.
Furthermore, according to the explanatory note to the DP Act, neither pseudonymisation nor anonymisation (as processing activities within the meaning of the GDPR) require separate prior approval either.Footnote 40 This means that if personal data are available, they can be pseudonymised (or anonymised) for use in research and used in research without the consent of individuals or prior approval of an ethics committee or the DPI. De-pseudonymisation of such data is permitted for the purposes of additional research.Footnote 41
Second, personal data can also be used in research without consent when it is processed with direct identifiers if the following three conditions are met:
-
(1)
the purposes of data processing can no longer be achieved after removal of the data enabling identification or it would be unreasonably difficult to achieve these purposes;
-
(2)
there is an overriding public interest for it in the estimation of the persons conducting scientific and historical research or compiling official statistics;
-
(3)
the scope of obligations of the data subject is not changed based on the processed personal data or the rights of the data subject are not excessively damaged in any other manner.Footnote 42
The only additional requirement applicable to specifically special categories of data is an ethics review—or, alternatively, DPI approval—if the second exception is utilized, i.e. if special categories of data are to be used in research with direct identifiers.Footnote 43
However, even in such cases, the explanatory note to the DP Act emphasizes that prior review is only required if the entire research, including the analysis of the data, is to be conducted with direct identifiers,Footnote 44 which is rarely the case as most research projects do not require inclusion of direct identifiers in the actual analysis of the data. This comment in the explanatory note is at odds with the text of the law, which requires a review whenever special categories of data are used in research.Footnote 45
3.2 Rights of Participants
3.2.1 Gene Donors of the EBB
The rights of the gene donors of the EBB are established under Chapter 2 of the HGRA. Once individuals become donors to the EBB they have a right to confidentiality, and a donor’s identity can only be revealed by the donor or upon his consent.Footnote 46 Donors have the right to know and the respective right not to know the information kept about them in the EBB. However, in order to protect the privacy interests of other donors, donors do not have the right to access their genealogies. If a donor wishes to access his or her information, the donor is entitled to counselling.Footnote 47
It must be emphasized that the consent given by donors allows the EBB to collect all donors’ health data from all possible state databases. However, donors have the right to prohibit the EBB from further accessing their health data, which can otherwise be done by the EBB for supplementing, renewing and verifying the already obtained data.Footnote 48
If a donor wants to opt out of the EBB, the donor has the right to demand that the de-coding information be destroyed.Footnote 49 Although opting out will not have a retrospective effect and the collected tissue and data remain in the EBB and can still be used for research, the donor can no longer be re-identified. A donor has the right to demand that already-obtained tissue and data be destroyed entirely but only if the donor’s identity has been unlawfully revealed.Footnote 50
3.2.2 Participants of Other Biobanks
Although the rights of gene donors established under the HGRA are exclusively designed for participants of the EBB, many similar principles arise from data protection law that would cover any biobanking facilities. Under data protection law, all individuals have, for example, the right of access,Footnote 51 the right to be forgotten,Footnote 52 the right to restrict processingFootnote 53 and the right to object to the use of their data.Footnote 54
However, taking advantage of Article 89(2) GDPR, the Estonian DP Act creates the possibility to derogate from all of these rights, except the right to be forgotten as this right is not mentioned in the referred article. Nonetheless, an exception to this right in the research context stems directly from the GDPR itself.Footnote 55
Under the DP Act, when it comes to the research use of personal data, the controller or the processorFootnote 56 may restrict data subjects’ rights referred to in Articles 15, 16, 18 and 21 GDPR as far as such rights are likely to render impossible or seriously impair the achievement of the specific research purposes and such derogations are necessary for the fulfilment of those purposes.Footnote 57
3.3 Article 89 GDPR and Safeguards Under the DP Act
The explanatory note to the DP Act refers in the introduction to § 6 to Articles 89 and 6(1)(e) GDPR, which set out that scientific and historical research, and statistics, are tasks carried out in the public interest within the meaning of the latter article.Footnote 58 In referring to Article 89 GDPR, the explanatory note sets out that § 6 of the DP Act is designed to establish both the exceptions indicated in that article but also safeguards. However, aside from what is already mentioned directly in Article 89(1) GDPR (i.e. pseudonymisation), no other safeguards are apparent from the national law or its explanatory note.
Article 89(1) GDPR mentions pseudonymisation as one of the possible safeguards to be applied in regard to the research use of personal data. As laid out above, the DP Act allows for all types of personal data to be used in research without consent or any review process provided that the data are ‘in a pseudonymised format or a format which provides equivalent level of protection’.Footnote 59 Thus, pseudonymisation, or any technological equivalent providing for the same level of protection, is essentially the one safeguard mentioned under Estonian data protection law.
Ethics reviews and the alternative DPI approval might also be regarded as safeguards within the meaning of Article 89(1) GDPR. However, as was explained above, according to the explanatory note under the Estonian DP Act an ethics review requirement would only be triggered if special categories of data were to be used in research without consent and with direct identifiers during the analysis of the data. This means that, at least in light of the explanatory note, an ethics review would only be required in very limited circumstances,Footnote 60 and the DPI would only ever be involved if there was no ethics committee in a given field, which in practice is not likely ever to be the case in Estonia.
With regard to safeguards under Estonian law and Article 89(1) GDPR, it must be emphasized that the latter requires the implementation of safeguards in the research context regardless of the legal basis for processing (i.e. whether it be consent or national law). However, the Estonian DP Act mentions pseudonymisation only in regard to the use of personal data in research without the consent of individuals, essentially setting all pseudonymised data free as far as research is concerned. Furthermore, as noted above, de-pseudonymisation of the data is permitted for further research purposes.
Therefore, the implementation of Article 89 GDPR in Estonian data protection law is of a limited nature. In terms of safeguards, the national DP Act refers to pseudonymisation or equal measures when it comes to the research use of personal data without consent or any review process. The review process established by the DP Act only applies in limited circumstances, whereas in regard to derogations from the rights of data subjects the DP Act takes full advantage of Article 89(2) GDPR.
4 Law in Context: Individual Rights and Public Interest
It can be concluded from the previous part of this chapter that the Estonian DP Act takes quite a liberal approach to the research use of personal data. The only aspect in which the Estonian approach cannot be labelled liberal is informed consent.
As noted above, the drafters of the 2019 DP Act did not use the discretion granted to them under Recital 33 GDPR.Footnote 61 Thus, as a general rule, informed consent in research must comply with Article 9(2)(a) GDPR as far as special categories of data are concerned. This means that the informed consent must set out the specific purposes of processing (i.e. the specific research projects in which the data are to be usedFootnote 62). The one clear exception to this general rule under EU law are clinical trials for pharmaceuticals.Footnote 63 The only exception under national law to this general rule of specific consent in research remains the consent established under the HGRA for the EBB.Footnote 64
This approach to consent runs counter to the very essence of biobanks as the collection of tissue and data into biobanks is meant to enable their use for the research community as a whole, not specific single projects or projects in a specific field (though some specialized biobanks might be focused on specific fields).
Entities that do not have the option to obtain an open or broad informed consent can still establish biobanks by taking advantage of § 6 of the DP Act. If the necessary data are already available (i.e. have been obtained from individuals), they can be used for further research purposes regardless of what purposes they were initially obtained for. Even where data are initially obtained based on informed consent for specific purposes, they can still be used later for (different) research. The GDPR sets the data free from the storage and purpose limitations (Arts. 5(1)(b) and (e)), and the national DP Act provides the necessary legal basis for processing without consent.
As laid out above, the use of available human tissue and its inclusion into biobanks is subject to either a general rule of due notification or consent if there is a respective requirement in national law (e.g. written consent for the use of blood of patients and donors in research). In order to physically obtain tissue from an individual, of course, consent is required, but there is no requirement for this consent to set out specific research purposes as is the case with consent for the research use of data.
For example, clinical facilities with competency in clinical genetics accumulate large sets of tissue and genetic data of patients who have been referred to a geneticist and who have undergone genetic testing for the purposes of clinical care. The further research use of the blood sample would require written consent (not limited to specific purposes). The further research use of the genetic data could be either based on an initial limited consent for specific research projects and then later still be used in different research projects based on the DP Act. Alternatively, the step of obtaining initial specific consent could be skipped and the data could be used in research based on the DP Act. An ethics committee would be likely to ask for reasons why the researchers decided not to obtain consent and base their processing activities on the law instead. However, in genetic research the high number of individuals whose data are being handled often constitutes an impractical hardship for obtaining consent, and thus provides an acceptable justification for not obtaining consent for the use of already available data and instead opting for the law as the legal basis for processing.
It is debatable which approach—broad/open or specific consent—is more considerate of individual rights and interests. On the one hand, broad or open consent arguably does not facilitate an adequate understanding in laymen of how their tissue and data might be used in research in the future. On the other hand, the current approach in Estonia leads to an outcome where an individual might give specific consent for certain research projects but the same data could then be further used in future research projects without renewed consent. Thus, in the Estonian context, specific consent under data protection law does not leave the individual in a stronger position than broad or open consent. On the contrary, by giving broad or open consent the individual must at least be aware that the consent is not limited to specific projects or fields of research, whereas specific consent with the possibility for the same data to be later used in different research projects can be regarded as somewhat deceitful towards the individual as the initial specific consent might create a false sense of certainty.
Adding to this the fact that the Estonian DP Act allows controllers and processors to derogate from the rights of data subjects established in Articles 15, 16, 18 and 21 GDPR (in addition to the derogations within the GDPR itself, like Art. 17(3)(d)), the Estonian approach seems to be shifting the balance between individual rights and public interest strongly towards the latter. This attitude is also reflected in the explanatory note to the DP Act which emphasizes that research in general is seen as a task carried out in the public interest within the meaning of Article 6(1)(e) GDPR.
5 GDPR Impact and Future Possibilities for Biobanking
The GDPR itself cannot be deemed to have had a significant impact on biobanking activities in Estonia. Like its predecessor,Footnote 65 the GDPR sets available data free from the purpose and storage limitations as far as research uses are concerned, while the national DP Act facilitates the (further) research use of such data by creating a legal basis for processing that is independent of consent.
Even though the new Estonian DP Act does not establish a broader informed consent for research—as could have been done according to Recital 33 GDPR—it does enable biobanking activities by providing alternative legal bases for already available data to be included in (biobank) research without the consent of individuals. This makes it possible for entities engaged in research to accumulate large sets of data which can be used in various research projects without the need to obtain specific consent for each project, or any type of consent at all. Though not explicitly mentioned in the explanatory note to the DP Act, enabling the accumulation of large sets of data is likely to have been the aim of the legislator given that Estonian health care is geared towards personalized medicine.Footnote 66
The possibilities for the use of personal data in research without consent are even more significant in the Estonian context considering that all medical data (both genetic and other health data) are stored electronically. In addition to insitutional e-health records, Health data are stored in the state Health Information System, also referred to as the state-wide e-Health Records system. DNA sequencing data are not yet available through this central system but are electronically stored in institutional databases. However, part of the strategic vision of the e-Health system is to eventually include genetic data in electronic health records and create a database to accumulate pseudonymised health and genetic data that could be used for scientific research and also to further business developments.Footnote 67 This means that even today, aside from DNA sequencing data, essentially all the other health data of the whole population are readily available for research and can be used for research purposes without the consent (or knowledge)Footnote 68 of individuals.
As such, the creation of biobanks is no longer subject to the will of potential donors but is more a matter of available tissue and data. Although no entities other than the EBB (under national law) and sponsors of clinical trials (under Regulation (EU) 536/2014)Footnote 69 have the possibility to obtain open or broad consent for the research use of data, obtaining specific consent does not limit future research uses of already available data. This further enables research collaborations and exchange of available data. Whether this approach is proportional and balanced in regard to individual rights and interests is debatable.
6 Conclusions
For the purpose of transferring tissue and data directly from individuals into biobanks, consent is required for the physical intervention needed to obtain the tissue. Further use of already available tissue is subject to due notification, aside from a few exceptions. Written consent is needed to include the blood (but not other types of tissue) of blood donors and patients in research. As Estonian law does not establish any further requirements for this consent, it is not limited to specific projects or even fields of research. However, the population biobank EBB is prohibited from taking tissue samples without the specific knowledge and voluntary consent of individuals. This means that, for example, clinical facilities like hospitals that obtain large quantities of tissue samples during the clinical care of patients, are able to include these in biobank research by providing due notification (or obtaining written consent in the specific case of blood).
As for the data, which is where the core research interest lies, it may be included in research based on either consent or the national DP Act. Consent is an impractical option for biobanks since, in regard to special categories of personal data like genetic and health data, the GDPR requires consent to lay out specific processing purposes—whereas Estonian law does not establish a separate, broader research consent as could have been done. However, the national DP Act creates a legal basis for the use of any type of personal data in research without consent. Hence, available data can be included into biobanks without the consent of individuals. For example, hospitals and DTCGT service providers that obtain tissue and sequence DNA from it for purposes not related to research may store and later use the data for research purposes without consent by relying on the national DP Act as a legal basis. In the same manner, researchers who obtain tissue and sequence DNA from it based on specific consent for certain projects may later be able to still use the data for different research.
Notes
- 1.
Hallinan (2018), p. 64.
- 2.
Order no 177 of the Government of the Republic of Estonia, Sihtasutuse Eesti Geenivaramu Asutamine, adopted 13 March 2001. – RTL 2001, 37, 512.
- 3.
Official website of the Estonian Biobank. https://www.geenivaramu.ee/en/access-biobank.
- 4.
Offical website of the Estonian Biobank. Available only in Estonian. https://www.geenivaramu.ee/et/doonorile/olen-geenidoonor.
- 5.
See www.geenidoonor.ee. On this website, informed consent can be provided with a digital signature, either via using the national ID card or mobile-ID (both official means for providing a valid digital signature).
- 6.
Official website of the Estonian Biobank. Available only in Estonian. https://www.geenivaramu.ee/et/geenidoonorile/soovin-saada-geenidoonoriks.
- 7.
As of September 2019 there were three pharmacies that cooperated with the EBB in obtaining blood samples from new gene donors. Geenidoonoriks saab nüüd mugavalt hakata juba kolmes apteegis. 20 Sept 2018 Postimees: Tervis. https://tervis.postimees.ee/6409353/geenidoonoriks-saab-nuud-mugavalt-hakata-juba-kolmes-apteegis.
- 8.
Human Genes Research Act (HGRA), RT I, 13.03.2019, 64. English translation available at https://www.riigiteataja.ee/en/eli/508042019001/consolide (22 June 2020).
- 9.
§ 6(2) HGRA, ibid.
- 10.
Regulation (EU) 2017/749 on in vitro medical devices, which shall apply from 26 May 2022, will establish a few basic rules in regard to genetic testing in the healthcare setting. However, this will have no impact on genetic testing for research purposes.
See Art. 4 of Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. OJ L117/176.
- 11.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L119/1.
- 12.
Recital 26 and Arts. 1(1), 4(1), 4(13) and 4(15) GDPR, ibid.
- 13.
Personal Data Protection Act (DP Act), RT I, 04.01.2019, 11. Official English translation. https://www.riigiteataja.ee/en/eli/523012019001/consolide.
The new Estonian DP Act that came into force on 15 January 2019 regulates personal data protection to the extent of specifying and complementing clauses of the GDPR (including but not limited to matters related to research), and implementing Directive (EU) 2016/680.
- 14.
Explanatory note to the (2019) DP Act. Available in Estonian. https://www.riigikogu.ee/download/b7c9371a-7768-46b5-9d33-9eb4e3b98125, at § 6.
- 15.
Explanatory note to the (2007) DP Act. Available in Estonian. https://www.aki.ee/et/eraelu-kaitse/oigusaktid, at § 16.
- 16.
Namely, those that met the conditions set for research and development institutions under § 3 of the Organisation of Research and Development Act. RT I 1997, 30, 471. Official English translation. https://www.riigiteataja.ee/en/eli/513042015012/consolide.
- 17.
§ 7(2) HGRA, supra n 8.
- 18.
Recital 26 GDPR, supra n 11.
- 19.
For more information on the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), see their official website. https://www.aki.ee/en.
- 20.
This includes oversight of the EBB, see § 29 HGRA, supra n 8.
- 21.
§ 16(3) of the Personal Data Protection Act (2008), RT I 2007, 24, 127. Available in Estonian. https://www.riigiteataja.ee/akt/12802623.
- 22.
See § 29(5) HGRA and § 59(index 4)(6) Health Services Organisation Act (HSOA). In March 2019, the HGRA and the HSOA were revised in parts. Amongst other things, the revisions included the establishing of a central research ethics committee via a ministerial regulation. This committee consists of expert representatives of a list of different academic and practical fields, and in addition to reviewing ethical matters related to the research of the EBB also oversees the ethics of using data of the Health Information System for research purposes. See Regulation No 60 of the Minister of Social Affairs of 24 September 2019, ‘The establishing of a research ethics committee, its rules of procedure, number and appointment of members and the rates for reviewing applications’ (as translated by the author of this chapter)—RT I, 26.09.2019, 1.
- 23.
§ 29 HGRA, supra n 8.
- 24.
§ 59(index 4)(6) Health Services Organisation Act (HSOA), RT I, 17.05.2020, 12. English translation available at https://www.riigiteataja.ee/en/eli/518052020003/consolide (23 June 2020).
- 25.
§ 6(4) DP Act, supra n 13; and § 6 of the explanatory note to the (2019) DP Act, supra n 14.
- 26.
Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine. Oviedo, 4.IV.1997. ETS No. 164.
- 27.
Explanatory Report to the Convention for the protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine, at para 137.
- 28.
§ 123(2) of the Estonian Constituion establishes that ‘When laws or other legislation of Estonia are in conflict with an international treaty ratified by the Riigikogu, provisions of the international treaty apply.’ The Constitution of the Republic of Estonia, RT 1992, 26, 349.
Referring to § 123(3) of the Constitution, the Estonian Supreme Court has established in its case law that a legal rule contained in an international treaty can also be directly applied if there is no respective legal rule under national law. The direct applicability of an international treaty presumes that the rule in the treaty is aimed at regulating national relationships, and that the rule is specific enough in order not to need clarification in national law. Judgment no 3-3-1-58-02 of 20 December 2002 of the Estonian Supreme Court. See also Pormeister (2018).
- 29.
§ 32(2) of the Artificial Insemination and Embryo Protection Act. Official English translation. https://www.riigiteataja.ee/en/eli/504012018005/consolide.
- 30.
Blood Act, RT I 2005, 13, 63. Official English translation. https://www.riigiteataja.ee/en/eli/510042015002/consolide.
- 31.
§ 9(1) HGRA, supra n 8.
- 32.
§ 6(2) HGRA, ibid. This is also evident from the text of the HGRA in Chapters 2 to 4 as it refers clearly to the gene donors and processing activities of the EBB.
- 33.
§ 12(1) HGRA, supra n 8.
- 34.
The latest version of the HGRA (in force as of 15 March 2019) is currently only available in Estonian. Human Genes Research Act, RT I, 13.03.2019, 64.
- 35.
DP Act, supra n 13.
- 36.
§ 6(1) DP Act, ibid.
- 37.
For more information on the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), see their official website. https://www.aki.ee/en.
- 38.
See, e.g., Recital 78 GDPR which mentions ‘pseudonymising personal data as soon as possible’ as one of the measures to demonstrate compliance with the GDPR and in particular with the principles of data protection by design and data protection by default.
- 39.
See Recital 156 GDPR which labels pseudynomisation of data as an ‘appropriate safeguard’ in the research context.
- 40.
§ 6 of the explanatory note to the (2019) DP Act, supra n 14.
- 41.
§ 6(2) DP Act, supra n 13.
- 42.
§ 6(3) DP Act, ibid.
- 43.
§ 6(4) DP Act, ibid.
- 44.
§ 6 of the explanatory note to the (2019) DP Act, supra n 14.
- 45.
§ 6(4) DP Act reads: ‘If scientific and historical research is based on special categories of personal data, the ethics committee of the area concerned shall first verify compliance with the terms and conditions provided for in this section. If there is no ethics committee in the scientific area, the compliance with the requirements shall be verified by the Estonian Data Protection Inspectorate. With regard to any personal data retained at the National Archives, the National Archives shall have the rights of the ethics committee.’
- 46.
§ 8 HGRA, supra n 8.
- 47.
§ 11(1)-(4), ibid. On 15 March 2019, amongst other changes in the HGRA, § 11(4) was altered so that the donors’ right to ‘genetic counselling’ was reduced to the right to ‘counselling’, i.e. not specifically genetic counselling. Regrettably, no explanatory notes, impact assessments or other working documents are publicly available regarding this change.
- 48.
§ 11(6), ibid.
- 49.
§ 10(1), ibid.
- 50.
§ 10(2), ibid.
- 51.
Art. 15 GDPR, supra n 11.
- 52.
Art. 17 GDPR, ibid.
- 53.
Art. 18 GDPR, ibid.
- 54.
Art. 21 GDPR, ibid.
- 55.
Art. 17(3)(d) GDPR, ibid.
- 56.
There is no comment in the explanatory note to the DP Act as to why the processor is afforded the right to decide upon derogations from the rights of data subjects.
- 57.
§ 6(6) DP Act, supra n 13.
- 58.
§ 6 of the explanatory note to the (2019) DP Act, supra n 14.
Oddly, there is no reference to Article 9(2)(j) GDPR that grants discretion to Member States to regulate the research use of special categories of data in particular, although § 6 of the DP Act clearly regulates this matter as well.
- 59.
§ 6(1) DP Act, supra n 13.
- 60.
As noted earlier, however, this extremely narrow approach laid out in the explanatory note to the DP Act is dubious and ethically questionable. Furthermore, it is at odds with the text of the law, See supra n 47.
- 61.
In the inital version of the draft law for the new DP Act (published in November 2017), the explanatory note of the law referred to Recital 33 GDPR, emphasizing the need for a broader consent in research. However, the draft law itself made no mention of consent in research. In a letter to the Ministry of Justice, the author of this chapter drew attention to this discrepancy, explaining that the consent issue must either be addressed within the law itself or the reference in the explanatory note should be removed. As a result, the reference to Recital 33 GDPR was removed from the explanatory note without any explanation for this choice in the later version.
- 62.
For arguments supporting this conclusion regarding the approach to (research) consent under the GDPR, see Pormeister (2018).
- 63.
Article 28(2), Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC. OJ L158/1. See Pormeister (2020), pp. 47–54.
- 64.
However, the reference to § 6 of the DP Act introduced into the HGRA on 15 March 2019 leaves room for doubt as to whether in terms of data protection law the data processing of the EBB should be regarded as processing based on national law instead of consent.
- 65.
See Recital 29 and Art. 6(1)(b) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L281.
- 66.
See, e.g., the official website of the Ministry of Social Affairs regarding personalized medicine. https://www.sm.ee/en/personalised-medicine.
- 67.
E-Health vision 2025. E-Health strategic development plan 2020. (E-tervise visioon 2025. E-tervise strateegiline arengukava 2020). Estonian Health Strategy 2020. Government Office, 29-31. Available in Estonian. https://www.sm.ee/sites/default/files/content-editors/eesmargid_ja_tegevused/Eesti_e_tervise_strateegia/e-tervise_strateegia_2020.pdf.
- 68.
Art. 14(5)(b) GDPR creates an exception to the controller’s obligation to inform data subjects of the processing of their data where the provision of information would ‘involve a disproportionate effort’, in particular for processing for, inter alia, research purposes. In the context of biobanking, the high number of data subjects involved is likely to enable controllers to invoke the exception (See Recital 62 GDPR). See also Pormeister (2020).
- 69.
Pormeister (2020), pp. 47–54.
References
Hallinan D (2018) Feeding biobanks with genetic data: what role can the general data protection regulation play in the protection of genetic privacy in research biobanking in the European Union? Vrije Universiteit, Brussel
Pormeister K (2018) Genetic research and consent: on the crossroads of human and data research. Bioethics 33(3):347–356. https://doi.org/10.1111/bioe.12475
Pormeister K (2020) Transparency in relation to the data subject in genetic research – an analysis on the example of Estonia. Doctoral thesis defended 13 january 2020, University of Tartu. Available online at https://dspace.ut.ee/bitstream/handle/10062/66697/pormeister_kart.pdf?sequence=1&isAllowed=y. Accessed 22 June 2020
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, duplication, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, a link is provided to the Creative Commons license and any changes made are indicated.
The images or other third party material in this chapter are included in the work’s Creative Commons license, unless indicated otherwise in the credit line; if such material is not included in the work’s Creative Commons license and the respective action is not permitted by statutory regulation, users will need to obtain permission from the license holder to duplicate, adapt or reproduce the material.
Copyright information
© 2021 The Author(s)
About this chapter
Cite this chapter
Pormeister, K. (2021). Regulatory Environment for Biobanking in Estonia. In: Slokenberga, S., Tzortzatou, O., Reichel, J. (eds) GDPR and Biobanking. Law, Governance and Technology Series, vol 43. Springer, Cham. https://doi.org/10.1007/978-3-030-49388-2_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-49388-2_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-49387-5
Online ISBN: 978-3-030-49388-2
eBook Packages: Law and CriminologyLaw and Criminology (R0)