1 Introduction

Despite lengthy public debate and consultation between 2010 and 2012, and a subsequent attempt to introduce biobank-specific legislation, there is still no specific statutory basis for the regulation of tissue- and biobanks in Germany.Footnote 1 Instead, there is an historically grown thicket of norms of varying pedigree and weight. In many cases, these norms come from associated areas and have simply been applied to the context of biobanking. In other cases, very abstract norms of civil liability or privacy protection are applied to biomaterials for research. In this chapter I will briefly outline the general regulatory environment, before turning my attention to Germany’s large population-based biobank (Nationale Kohorte) as an illustration of biobank operation in the German regulatory sphere. I will then briefly address general issues in biobanking before turning my attention exclusively to the scenario of regulating a research biobank. This is where I will discuss issues of data protection, privacy and informational self-determination, before turning to a discussion of individual rights, which are then, finally, put into the context of derogating from those rights under the provisions of Article 89 GDPR.

2 Biobanks and the Regulatory Environment

2.1 General Remarks

Based on the lack of specific legislation in relation to biobanks, commentators often turn to the definitions developed by the German Ethics Council over time in order to identify the scope of what constitutes a biobank. Given the disparate nature of regulation in this area, it makes sense to settle a definition for the purpose of this analysis. The most common and broad definition is that of a collection of human biological material, connected with corresponding personal data.Footnote 2 In the absence of specific legislation, it is this combination of tangible and intangible artefacts that provides the starting point for the identification of the current regulatory environment and further defines the legal challenges which this area poses.Footnote 3 The law has, traditionally, a strong tendency to compartmentalize the regulation of tangible and intangible assets, and therefore also the rights associated with those assets.Footnote 4 Human biomaterials represent a challenge to the clear dichotomy expected by the law and this is why biobanking represents a particularly fascinating regulatory target.

The difficulties caused by the sheer volume of the resulting regulation are further exacerbated by the fact that, if we accept this broad definition, biobanks may serve purely research purposes, or they may serve clinical and diagnostic purposes. For any of these scenarios the regulatory framework is specific and not easily transferable.Footnote 5 In the clinical context, in particular where a biobank explicitly stores biomaterials for future therapeutic use in humans, the German implementation of Directive 2004/23/EC contains provisions which incorporate the law relating to pharmaceutical products. This would increase the complexity of the discussion by an order of magnitude. For the purposes of this paper I will therefore concentrate on the regulation of research biobanks but will outline the basic regulatory requirements of other types of biobanks in Sect. 2.2 below.

2.2 Germany’s Population Biobank: Nationale Kohorte

Germany’s large-scale population biobank Nationale Kohorte (NaKo) is still the most informative case study for outlining regulatory approaches to biobanking in Germany. NaKo’s aim was to recruit 200,000 participants aged between 20 and 69 in 18 centres distributed across Germany, which it succeeded in doing five years ago. Biological samples were taken and subsequently stored, and participants were interviewed in relation to their lifestyle circumstances, with the second round of interviews (in order to pinpoint changes) being imminent.Footnote 6 Up to 20% of the participants provided extended health data, and around 30,000 participants underwent full-body medical imaging. NaKo is therefore a sizeable operation the scope of which gives rise to an illustrative set of regulatory issues.

NaKo’s aim is to track individual participants’ health over an extended period (25–30 years) and it is therefore established for the long term. The biobank is incorporated as a charitable entity (eingetragener Verein) led by a board of directors (similar to trustees). The charitable objective of NaKo is the support and development of epidemiological long-term research in the interests of society. The internal regulatory framework of the biobank (such as data access and use policies) is decided by the membership of the charity. Samples and data are generated, stored and processed in each of the 18 centres, though the main facility is the Helmholtz Centre in Munich. Personal data are pseudonymised, or coded, and NaKo pursues a trusted-third-party concept of code custodianship (Treuhandstelle) to control the keys for decoding datasets.

The incorporation of NaKo as a charity had direct impact on the scope of relevant regulation, as the controlling interest in the charity rested with public bodies, rendering NaKo a public body in its own right. In the absence of a specific statutory right to process personal data within the biobank, full informed consent is acquired.Footnote 7 The overarching duty to reduce the amount of identifiable personal data as far as technically possibleFootnote 8 necessitates the custodianship coding of data for the vast majority of data points. A full anonymisation of the data would render the proposed research impracticable. German law knows additional regulatory sources for the protection of what are termed ‘social data’ (i.e. data processed for the purposes of providing health and social care related services). These are covered by specific statutory duties of confidentiality.Footnote 9 Any sharing of data with third parties is only permitted with the explicit consent of the individual participantFootnote 10 and in accordance with a licence granted by the appropriate authority.Footnote 11 NaKo’s staff are also bound by a statutory duty to keep personal secrets confidential.Footnote 12 In addition, whilst individual participants sign a release waiving their treating physicians’ duty to maintain confidentiality as regards NaKo, all registered medical professionals are bound by their professional duties of confidentiality (depending on which profession they belong to).

NaKo’s consent is initially time limited to five years. This period is extended by a further five years respectively in perpetuity unless the participant withdraws consent in the meantime. Within each consent time span, the consent continues to have effect even if the participant loses capacity or dies. One exception to the five-year rule is the ongoing processing of health and register data which have to be regularly re-consented.

NaKo has established their consent documentation as a bundle of individual consents with differing quality and reach. Consent is sought separately to the initial interview and health data gathering, to data processing and storage of data, permission to share data with funders, procurement, storage and use of biological samples, feedback of incidental findings, further procurement of health and social data (secondary and register data), recontacting, and exclusion of commercial use.

The participants can withdraw any or all of these individual consents with the subsequent use of the data and material then depending on what is still permissible. The participant’s withdrawal has to be communicated in writing, on a specific form provided by NaKo, though the process can be triggered by telephone or by e-mail. The withdrawal is then communicated to all centres as well as to the custodian of the coding keys, and recorded in NaKo’s information management system. Where there is doubt in relation to the exact extent of the participant’s withdrawal, NaKo interprets the withdrawal in the widest possible way. The scale of NaKo has enabled the biobank to establish some pioneering processes which are likely to serve as best practice models to other establishments that fall into the same category. It is worth briefly addressing the regulatory challenges of biobanking in general, before turning our attention to individual rights in research biobanking.

2.3 Biobanking in General

The general regulatory framework for histological and pathological collections is insufficient to capture the complexity of the work in research biobanks, such as the one outlined above. Indeed, this is what poses the bulk of the legal challenge in the regulation of biobanking.Footnote 13 The very broad definition of biobanking which was outlined at the outset does, however, also capture other types of biobanksFootnote 14 and it is useful to briefly outline these here.

The EU’s Human Tissue Directive (2004/23/EC) was transposed into domestic law through a collection of amendments in the Tissue Act (Gewebegesetz). This path to implementation, rather than through a single, consolidated instrument, has led to scattered and unhelpfully structured regulation. Licensing for tissue establishments, for example, was incorporated into the Pharmaceutical Products Act (Arzneimittelgesetz). The scope of tissue establishments follows the provisions of the Directive, incorporating tissue banks, hospital departments and all other establishments within which any activities are carried out that involve the processing, preservation, storage or distribution of human tissues and cells. This also includes the procurement and testing of such materials. Following the German Ethics Council’s definition of biobank, where an establishment collects tissues, bloods or organs for clinical purposes (including diagnostics), these would fall under the scope of tissue establishment as defined by the Directive. This difficult juxtaposition of regulatory approaches makes it necessary to clearly delineate research biobanks (following the definitions in 2013/701/EU) in order to systematize the different normative frameworks. When following this, narrower, definition of biobank (which we will do for the purposes of this paper), it becomes increasingly clear that a specific regulation for research biobanking in Germany is still a long way off.Footnote 15

2.4 Data Protection, Privacy and Informational Self-Determination in Biobanking

Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) provides for protection of an individual’s private and family life. This foundational principle, naturally, also applies in Germany and it is directly relevant to questions of privacy and informational self-determination in biobanking: the European Court of Human Rights has held that Article 8 rights also extend to collections of biometric data.Footnote 16 The Council of Europe does provide additional protection in Article 10 of the Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine (the ‘Oviedo Convention’). Whilst the Oviedo Convention has no immediate impact as Germany has neither signed nor ratified it, there is a compelling argument that, when applied to life sciences cases, Convention jurisprudence emanating from Strasbourg is always also likely to be imbued with Oviedo considerations, assumptions and precedent. Convention rights can only be enforced against states and not against private entities. Any privacy-related action on the basis of Convention rights is cumbersome or even impossible where the biobank in question is a private or quasi-private entity (which gives additional weight to the question whether a biobank qualifies as an emanation of the state, or quasi-public body—see the NaKo discussion above).

Previously, common data protection norms were introduced through relevant OECD guidelines (1980)Footnote 17 and Conventions (1981).Footnote 18 In 1995 the EC Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (95/46/EC) was enacted. Commentators have described it as

[…] by far the most influential, comprehensive and complex international policy instrument, enacted to enshrine two of the oldest ambitions of the European integrations project, namely […] an Internal Market […] and the protection of fundamental rights and freedoms […] [20].

As European Directives are not directly applicable in the member states but have to be implemented by way of enacting national legislation, member states were given until 24 October 1998 to make appropriate domestic provisions.

The broad cornerstones were common across the European Union: any data collected had to be accurate; the collection had to be legitimated (for example through appropriate consent, or by way of a statutory right); the data subject had to be given access to information about themselves, as well as the right to object; the data had to be secure and treated confidentially; data collection, storage and processing had to be notified to a public oversight body. Additionally, the Directive established certain categories of data which enjoyed special protection: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life. For the purposes of Convention rights, the European Court of Human Rights has previously held that genetic information, in particular, is inherently in this category of sensitive dataFootnote 19 and there is no reasonable argument that this was not also the case in relation to genetic data under Directive 95/46/EC. The widespread entry into force of the EU General Data Protection Regulation (GDPR) has not manifestly changed these fundamental considerations of approaches to data protection, but has put on a statutory footing the consensus that genetic and biometric data are special by allowing member states to create special provisions.Footnote 20

The aim having been to create a certain degree of convergence in data protection law, a nonetheless rather eclectic mix of ‘[…] legal and quasi-legal instruments on data protection […]’Footnote 21 was the result in the Member States. The effect of the directive was therefore that there was still significant variance across member state borders on privacy protection. In addition, the German implementation of privacy is found in a combination of constitutional and data protection norms, having existed in a very similar form well before any legislative initiative at EU level. The constitutional norms, having developed over decades of finely tuned jurisprudence, do not easily yield to supranational efforts at reform. Only minimal impact of more recent legislative interventions such as the EU GDPR is therefore to be expected.

Addressing the pre-existing domestic German setting, concepts of privacy feature strongly in German constitutional law by virtue of Article 2(1) and Article 1(1) of the German constitution (Grundgesetz). Article 2(1) implements ‘general personality rights’ of individuals, and Article 1(1) establishes the inalienability of the individual’s dignity. Taken together, these two constitutional principles form the basis for an individual’s right to informational self-determination, based on a 1983 decision by the Federal Constitutional Court (Bundesverfassungsgericht). In a landmark ruling caused by the national census,Footnote 22 the Court held that the activity of large-scale collection, storage and processing of personal data is capable of infringing an individual’s fundamental right to privacy, and thereby impinging on their dignity. Each individual is entitled to decide autonomously about providing information about themselves, and how this information is subsequently used. These fundamental concepts and the doctrine of informational self-determination apply equally to data storage in the context of biobanking, and significantly limit a biobank’s ability to work without specific consent or refuse withdrawal of consent.

The combination of supranational, constitutional and ordinary domestic frameworks means that German data protection law is fragmented across instruments and jurisdictions. The entry into force of the GDPR has to a certain extent reduced this fragmentation but by no means eliminated it. At the same time, the common, pre-existing principles as outlined already overlap with generally accepted notions of privacy protection and there is therefore no prima facie conflict between the relevant instruments: the data subject has to be informed about the extent and quality of the data processing, only as much data should be collected as absolutely necessary and any data use must be proportionate, the data may only be used for the purpose for which they were collected, the data subject has significant control over the data, there has to be a due process for disputes in relation to data, and the data must be kept secure and confidential. These fundamental requirements are mirrored across all of the instruments and jurisdictions which are in play in this context.

2.5 Other Sources of Regulation

Despite the lack of specific regulation for biobanks, a great deal of governance can be found in various instruments which apply to this context. As briefly outlined above, international and supranational norms within geographical and political Europe provide a strong human rights-based framework for the protection of privacy, and individuals are able to take complaints in relation to a domestic failure to implement these protections to the European Court of Human Rights in Strasbourg (in the case of Convention rights) or as an infringement action to the European Commission who may subsequently take it to the European Court of Justice.Footnote 23

The German domestic framework consists partly of norms which have been developed in parallel to international regulatory efforts, and partly the implementation of supranational legislation. It is deeply rooted in constitutional law and data protection law, both of which provide for a high level of protection of the individual’s privacy. It opens up a number of possible remedies for individuals to lodge a complaint and enforce their rights through courts and regulatory bodies. The fragmented nature of data protection law in Germany has given rise to the development of a backdrop of regulatory law, steered originally by the states’ individual data protection laws, together with additional secondary or canonic norms, which are regulated and enforced by data protection offices at state level. In addition, the generally applicable rules found in civil law (e.g. on property rights and liability) and criminal law (e.g. on confidentiality) imbue this framework with further rights and obligations.

3 Individual Rights

3.1 General Remarks

In common with other jurisdictions, the valid consent of individuals who provide data and material is the starting point for addressing individual rights in biobanking. In Germany, the origins of this analysis stem from Articles 2(1) and 1(1) GG, which, as we have already seen, guarantee the free expression of an individual’s personality rights, and the inalienability of that individual’s dignity. This also means that a patient is the final arbiter of what is to be done with or to their own body. In German civil law, this means that the patient can permit or refuse interactions based on general restitution norms.Footnote 24 This applies equally to interactions with a biobank, ranging from procurement of material and data to continuous storage and processing of material and data. Additionally, there is in many cases a private contractual duty for a physician to ensure that patients are fully informed and have adequately consented to the proposed procedure.Footnote 25 It is the full, valid consent of the individual which negates the criminality of the touching, which would otherwise amount to an assault.Footnote 26

3.2 Professional Regulation

In addition, individual rights can be found in a range of professional regulations covering the exact duties of registered medical professionals to obtain and document informed consent. These types of professional norms are only binding on physicians and other regulated medical professionals, thereby leaving biomedical researchers (who are not also physicians) outside of their remit. This is particularly relevant when analysing the regulatory context of biobanking, as most staff will likely not be registered medical practitioners. §8 of the Bundesärztekammer’s (German General Medical Council) code of conduct for physiciansFootnote 27 includes a duty to specifically inform a patient and obtain consent. The lower the clinical need for an intervention, the higher the duty to provide specific information in order to obtain an adequate consent. Where material is procured purely for research biobanking purposes, the information obligation on the physician is correspondingly high. In §15 the code of conduct incorporates the provisions of the Declaration of Helsinki, as well as a requirement to obtain advice from an appropriate ethics committee where the research concerns identifiable individuals’ material and data.

3.3 Constitutional Rights

There is a long history of public debate on the protection of privacy in Germany. Shaped by the twentieth century experience of two oppressive regimes with utter disregard for individual liberties, there is a great deal of sensitivity around the inviolability of individuals’ private spheres. In 1983, the German constitutional court had to decide how much control individuals have over personal information collected as part of a national census.Footnote 28 In this decision, the court developed the doctrine of informational self-determination, based on fundamental constitutional rights.

3.4 Data Subject Rights

The recent incorporation of the EU’s General Data Protection Regulation into the fragmented domestic legislative framework underpinned and explicated existing data subject rights. These include the right to access one’s own health information.Footnote 29

Where the data in question are genetic data, there may be a statutory bar to divulging this information even to the data subject, save in circumstances where a specially trained geneticist can convey and interpret the information.Footnote 30 This provision only applies to genetic information that is congenital in nature or acquired during the process of fertilisation.Footnote 31 Where the data concerns other types of stored tissue, for example in the context of a tumour biobank, these provisions do not apply. In addition, these safeguards only apply in the context of the first communication of the data to the data subject and not thereafter.Footnote 32 It is not immediately obvious whether the GenDG distinguishes clearly between raw genetic data and diagnoses or findings based on the raw data, though given that patients are able to use the raw data to pinpoint possible mutations using nothing more than a targeted internet search, it seems plausible that raw data are also captured by these restraints.Footnote 33

Where the data in question are generated by the biobank in a research context only, there is still a prima facie right to access these data on the basis of the federal data protection legislation. Some commentators also suggest that there is a concurrent contractual obligation (based on §810 BGB) between the processor of the data and the data subject which entitles the data subject to inspect these data.Footnote 34 In the case of biobanks that are attached to a clinical setting (i.e. hospital-based biobanking), data generated through research activities (rather than diagnostic processes) may be considered part of the patient’s health record,Footnote 35 which carries great significance when discussing obligations in relation to incidental findings in biobanks. There is therefore an assumption of strong data subject rights flowing from both the provisions of the GDPR, as well as from pre-existing German constitutional and civil law. The practice of requiring data subjects to contract out of these data subject rights (as is sometimes attempted through general terms and conditions, or as part of the consent documentation) is not permitted.Footnote 36 It is, however, possible to derogate from a data subject’s rights on the basis that the process of providing access to data is disproportionately onerous.Footnote 37 It is these provisions that attempt to strike the difficult balance between the data subjects’ rights (flowing from Article 2 (1) and 1 (1) GG) and the researchers’ corresponding constitutional rights of academic freedom (Article 5 (3) GG, but also in Article 13 of the Charter of Fundamental Rights, and—to a certain extent—Article 179 TFEU). In both the pure research biobank setting, as well as the hospital-based biobank setting, there are strong data subject rights entitling individuals to access to their personal data, albeit on different legal bases. Additional complexity is the result where genetic diagnoses are involved. 
The adequate balancing of data subject rights and the biobank’s socially desirable research activity is a matter for highly nuanced contractual, consent and information documentation and appropriate protocols. On the basis of these norms, it is evident that data in a biobank ought to always be re-identifiable, otherwise the targeted deletion of personal data upon request, or the granting of access to the data would be frustrated by design. The same is true for the transfer of data to third parties (i.e. it must be ensured that the data subject’s rights are not frustrated through such transfers). In some cases, the individual’s data has already been included in aggregated datasets for the purposes of analysis and subsequent publication. It is generally agreed that it is acceptable to define a pragmatic ‘point of no return’ after which the deletion of individual personal data from such datasets would be disproportionately onerous and therefore no longer necessary.

4 Article 89 and the Impact of GDPR

A number of issues arise following the entry into force of the General Data Protection Regulation. In particular, for the purposes of biobanking, some important terms remain undefined in domestic law. This concerns the term ‘research’Footnote 38 which has no corresponding explication in the German federal data protection legislation, as well as the exact scope of ‘personal data’Footnote 39 or ‘pseudonymisation’.Footnote 40 Neither does the German implementation provide for any purpose limitation.Footnote 41 Where this is the case, the provisions of the GDPR apply directly. The rules pertaining to the consent of individual biobank participants correlate with the established informed consent and the impact of the GDPR is limited to a more express requirement to make the withdrawal of consent as easy as possible.Footnote 42 In terms of the giving of broad consent, recital 33 opens up the possibility of giving consent to certain areas of research and refers back to ‘recognised ethical standards’. This is, in part, a departure from the paradigmatic principle of specific, informed consent that has until now been a particular challenge to data-driven biomedical research. A debate on whether biobanks fall within the scope of the term research—given that they, in most cases, are repositories rather than research-active entities—does not seem to be in any way meaningful. It is in my submission clear from the drafting of Art. 89 that a biobank, as a combination of archiving and scientific research-facilitation, falls squarely within the envisaged exemptions of the GDPR. Recital 158 GDPR makes it clearer what kind of archiving the European legislator had in mind, as it limits the scope to those archives that fulfil a public duty and are therefore public entities.

The derogations contained in Art. 89 of the Regulation create an important window of opportunity for research-related processing of personal data. At the same time, there is an almost inevitable collision between the right of informational self-determination (as outlined above) and the right to academic freedom. Most importantly, the research-focused derogations from the stringent provisions of the GDPR, such as those provided for in Articles 5 (1) e. and 89 GDPR, can be found in the German federal legislation.Footnote 43

The German implementation immediately derogates from Article 9(1) of the Regulation, making it lawful to process personal data for scientific and historical research purposes in the teeth of an individual’s dissent, as long as it is proportionate to do so under the circumstances, and as long as there are technical measures in place to protect the data subjects’ rights.Footnote 44 Interestingly, the German data protection law provides the possibility of derogation only for the rights established in Articles 15 (‘Data Access’), 16 (‘Rectification’), 18 (‘Restriction on Processing’) and 21 (‘Objection’). As far as Article 15 is concerned, there is a further express limitation which removes the obligation to provide information about an individual’s data in cases where it is scientifically necessary to hold the data and it would be too onerous to provide the information.Footnote 45 Data that are used for scientific research should be anonymized, where this does not go against the grain of proposed research or against specific individual data subjects’ rights.Footnote 46 The latter is, for example, the case where data might yield information which must be communicated back to the data subject (such as serious, clinically relevant incidental findings). In other cases, the datasets ought to be pseudonymized effectively, unless the purpose of the research would be impossible to achieve in such a case.

The ‘right to be forgotten’ as well as the ‘right to data portability’ are not captured by the derogations, which has implications for biobanking. Exactly how German biobanks are supposed to provide for data portability, in particular in the context of the unique combination of material and data, remains open.

5 Conclusions

Biobanking is an activity that is clearly societally desirable, and is key to answering some of the most vexing health issues that society faces. At the same time, the activities of (especially large-scale) biobanks touch upon some fundamental individual rights. The density of the data held by these establishments can represent a significant risk to the informational self-determination, and therewith to the well-being, of data subjects and their family members. It is therefore somewhat unusual that the area of biobanking has not attracted clear and systematic sui generis legislation. Whilst the strong top-down governance of the General Data Protection Regulation assists to some extent in clearing the thicket of regulation in this area, there is still significant fragmentation and a sustained lack of legal certainty. In particular, the challenge of finding a combined legal approach to a repository of tangible and intangible material remains unaddressed and is one of the remaining grey areas of unclear regulation. Large-scale population-based biobanks, such as NaKo, are in the privileged position of establishing governance mechanisms that can fill these blank spaces with approaches which, by virtue of being novel and singular, have the potential to become best-practice models. At the same time, even an establishment like NaKo is only one variety of biobank in a complex ecosystem of diagnostic, archival, therapeutic and research data and material repositories, each configuration of which attracts its own regulatory mixture. The concurrent development of international and supranational norms, as well as domestic constitutional norms in Germany, has meant that there is to this day no absolute clarity on the extent to which norms are applicable in which scenario. If there was hope that the Regulation would bring answers to domestic legal questions, the implementation of Art. 89 shows that whilst some answers are provided, new questions arise, such as why some biobanks will have to make provisions for giving effect to research participants’ data portability rights. It is clear that this will remain an area where debate and explication of the law continue to be necessary; the law’s principal duty to create certainty has still not fully been met.