1 Introduction: Balancing Individual Rights and Public Interest in Biobank Research Post-GDPR

Balancing the individual right to data protection and the public interest in biobank research involves a number of constitutional and statutory rules within the EU. The individual right to data protection enjoys a strong constitutional protection within the EU legal order, being included both in Article 8 of the EU Charter of Fundamental Rights (Charter) and Article 16 of the Treaty of the Functioning of the European Union (TFEU). The General Data Protection Regulation (GDPR) further provides a comprehensive set of legislation on how the right is to be upheld in practice, according to what the EU refers to as ‘a gold standard’.Footnote 1 Research also benefits from some protection since freedom of science is protected in several international treaties. The 1948 Universal Declaration on Human Rights includes a right to share in scientific advancements and benefits, although this is not exactly directed at research itself. The International Covenant on Economic, Social and Cultural Rights contains an obligation on the Member States to ‘respect the freedom indispensable for scientific research and creative activity’. The EU Charter declares in Article 13 that arts and scientific research shall be free of constraint. Framed like this, freedom of science can hardly be said to be an individual right that researchers can rely on, but nevertheless it does represent recognition of the importance and value of science.Footnote 2

The protection of individual rights is, however, not the only objective of the GDPR. According to Article 1, the GDPR has as its dual aim to protect natural persons with regard to the processing of personal data and provide rules relating to the free movement of personal data.Footnote 3 Within the understanding of free movement of personal data also lies the possibility to use the data for different aims, such as research. The tension between these aims and objectives has been analysed throughout this book.

One of the more salient aims of the EU’s data protection law reform which led to the enactment of the GDPR was to diminish the discrepancies between national laws implementing the EU Data Protection Directive.Footnote 4 For the biobank community, this step was more than welcome. The fragmentation of European biobanking law has been identified as a major hurdle to prosperous biobank research.Footnote 5 In a report on the subject commissioned by the EU Commission in 2012, the first recommendation out of nine was the following:Footnote 6

Member states and European institutions should develop a consistent and coherent legal framework for biobanking that should protect participants’ fundamental rights, in particular in the areas of privacy, data protection and the use of human tissue in research.

The legislative form of the GDPR, a regulation instead of a directive, was chosen in order to ensure that the same law would be applicable throughout the EU. In Recital 10 of the GDPR it is stated that ‘(c)onsistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union’. As has been widely discussed, and is also apparent from the contributions in this book, in the area of scientific research, this objective has only been partially achieved. In the same recital it is also stated that ‘(t)his Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”)’. In this way, the GDPR offers considerable room for inconsistencies at the individual project and Member State levels.

The core data protection principles are laid down in the GDPR, but the detail, the prerequisite for performing the balancing test between individual right and public interest in biobank research, is defined in the laws of the Member States. What does this mean for biobankers in the EU, and for biobank networks, such as the BBMRI-ERIC? A central question is thus the relationship between the core principles and the details in the derogations. How far does the regulatory space of the Member States reach when implementing the research exceptions? In the Schrems case the Court of Justice of the European Union (CJEU) held there limits to how far restrictions on the individual right to privacy, in this case based on Article 7 of the Charter, could go; restrictions may not compromise ‘the essence of the fundamental right to respect for private life’.Footnote 7 These boundaries are to be upheld also by the Member States.Footnote 8 The question, thus, is how a legitimate and foreseeable regulatory regime for processing of health data in biobanking is to be achieved. Does the GDPR contain mechanisms that provide a level playing field for biobanks within the EU today?

The analysis in this chapter draws on the conclusion presented in this book, in an effort to answer these questions. In Sect. 2, the background to the diversity in the regulatory landscape was analysed from the perspective of legislative competence of the EU. In Sect. 3, the outcome of the implementation of the GDPR in the Member States was discussed. In Sect. 4, the potential consequences of the differences in regulatory regimes were addressed in relation to forum shopping, and Sect. 5 did the same in relation to administrative cooperation and soft law tools for harmonisation. In the final Sect. 6, the question of how a level playing field for biobanks can be achieved is discussed.

2 Diversity in Regulatory Responses to the GDPR in the Member States

2.1 Components for Regulating the Processing of Personal Data in Biobank Research

There are two core principles in the law and ethics of biomedical research that can be considered to be universally accepted: in all bio-scientific research activity the principle of informed consent of the individual involved must be respected, and all bio-medical research should be reviewed by research ethics committees before being conducted.Footnote 9 These principles have also gained an increasing acceptance in connection to processing of personal data in research.Footnote 10 However, at the global level, there is still no legally binding document regulating these issues.

As has been discussed throughout this book, and in line with the GDPR, processing of personal data can be lawfully conducted based on either informed consent or public interest, legitimate interest, contract, etc.Footnote 11 If the personal data belong to a special category, for example, health data or genetic data, further requirements set forth in Article 9 apply. According to Article 9(2)(j) and Article 89, this type of data may be processed in research under the condition that there are appropriate safeguards available, normally via ethical approval from research ethics committees.Footnote 12 The value of research will thus be balanced against the risk of harm from privacy intrusion experienced by data subjects.Footnote 13 Regulating the processing of personal data in biobank research therefore involves at least three separate regulatory areas: data protection, research and bioethics.

2.2 EU Regulatory Competences in Data Protection, Research and Bioethics

As discussed previously in this book,Footnote 14 the regulatory competence of the EU is central to the understanding of the regulatory regime for the processing of personal data in research. In contrast to national states, the EU does not have a general legislative competence but may only enact binding law in areas where the Member States have conferred powers to legislate.Footnote 15 This notion is generally referred to as the principle of conferral and is codified in Article 5(2) of the Treaty of the European Union.

In regards to data protection, the question is unproblematic. With the Lisbon Treaty the EU was conferred a specific competence in the area of data protection in Article 16(2) TFEU. According to the Article, the EU may enact ‘rules relating to the protection of individuals with regard to the processing of personal data’ and ‘rules relating to the free movement of such data’.Footnote 16 The EU also has some competence in the area of research, but it is limited in several ways. The EU may, for example, carry out activities to define and implement programmes and set up joint undertakings or any other structure necessary for the efficient execution of Union research, technological development and demonstration.Footnote 17 One example of the latter is the regulation introducing a procedure for Member States to establish a European Research Infrastructure Consortium (ERIC), under which the BBMRI-ERIC was established.Footnote 18 However, when it comes to ethical issues, the EU does not have any competence to enact legislative acts.Footnote 19

Even though the lack of sufficient legislative competence to fully regulate the processing of health or genetic data in biobank research arguably could have been overcome through an extensive interpretation of the competence to regulate data protection issues, as has been done in the area of administrative cooperation, which is another area where the EU has only limited competence to regulate,Footnote 20 the strong connection between governance of research and bioethics and national legal culture may have made it politically impossible. Moreover, even though the underlying values and ideas of the bioethical aspects of law can to a large extent be described as universal, there are still national and regional differences, not least when it comes to health and genetics.Footnote 21 The differences in the regulatory responses of the Member States, discussed throughout this book, seem to confirm this.

2.3 Aligning the GDPR with Other International Obligations of the Member States

One central regulatory aspect of biobank research is the definition of informed consent. The GDPR permits using what is known in research circles as ‘broad’ consent. However, as noted several times throughout this book, consent in itself is not a necessity for personal data to be lawfully processed. In that way, the GDPR paves a rather smooth path for research on residual samples and data. In itself, this approach is not novel. It has previously existed in different national legal orders, as well as internationally. For example, when referring to the collection of human specimens, Article 22 of the Biomedicine Convention states:

When in the course of an intervention any part of a human body is removed, it may be stored and used for a purpose other than that for which it was removed, only if this is done in conformity with appropriate information and consent procedures.

In the explanatory report to the convention it is noted that an appropriate information and consent procedure does not necessarily mean that the patient or his or her representative must give a formal informed consent. It indicates that ‘[i]n some cases, it will be sufficient for a patient or his or her representative, who have been duly informed (for instance, by means of leaflets handed to the persons concerned at the hospital), not to express their opposition’.Footnote 22 The GDPR addresses the information requirement in this regard under Article 14, allowing exceptions if ‘the provision of such information proves impossible or would involve a disproportionate effort’.Footnote 23

From this, the question emerges whether the EU has attempted to re-define the minimum level of protection for individuals when research concerns their residual biological material. If so, this creates a conflict of laws between the Council of Europe and the EU legal orders, and it is questionable whether those Member States of the EU that have ratified the Biomedicine Convention will be able to take full advantage of what the GDPR offers. Additional questions can be raised regarding those states that have signed the convention only, and are thus obliged not to defeat the object and purpose of the treaty. A solution here could be found in Article 26 of the Biomedicine Convention which does not place Article 22 in the cluster of core values of the convention, and thus permits the state parties to restrict these rights in some situations.

However, from an ethical standpoint and at least on the surface, this can be seen as rather problematic. The control expressed by the research participant/datasubject through the possibility to decide on whether or not to participate in a particular study may not necessarily relate to the desire to control personal data. As noted by Staunton et al., it may well be attributed to the aim of the particular study and an unwillingness of the research participant/data subject to have their data used in studies that do not conform to their ethical beliefs.Footnote 24 Has the GDPR therefore stripped the data subjects of their ability to control the use of their data in research? In our view, as expressis verbis stated in Article 9(2)(j), it is in the hands of the Member States and the EU. The ability to avoid consent-based research has been subordinated to the EU competence limitations and prevailing values in a particular national legal order. It may well be the case that a particular Member State will choose not to operationalise Article 9(2)(j) GDPR, but up until now, at least according to the country laws that have been reviewed in this book, this approach has not been taken.

3 Regulating Safeguards at the National Level: Heterogeneity Remains

Article 89(1) and (2) divides the responsibility for ensuring that appropriate conditions and safeguards are in place for the lawful processing of personal data in research between the EU and the Member States. The first paragraph, Article 89(1), does not clearly point out who is responsible for ensuring safeguards but merely holds that ‘processing for (…) scientific or historical research purposes (…), shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject’. Safeguards may be provided via national law, but it is required that they are regulated ‘in accordance this Regulation’, the GDPR. Article 89(2), on the other hand, refers to either Union law or national law to allow derogations from Articles 15, 16, 18 or 21, subject to appropriate conditions and safeguards.Footnote 25 Accordingly, the conditions and safeguards for processing personal data in biobank research are regulated in a decentralised manner. Also, Article 9(4) GDPR contributes to the decentralisation by allowing Member States to maintain or introduce further conditions, including limitations for the processing of genetic data, biometric data or data concerning health. In addition, Article 23 GDPR allows for further general derogations in the public interest, for example, for public health.Footnote 26

As the pan-European survey by Tzortztou et al. in chapter ‘Biobanking Across Europe Post-GDPR: A Deliberately Created Fragmented Landscape’ in this book illustrates, the Member States have taken different approaches in implementing these conditions and safeguards in regard to both the form and content. Whilst Sweden has taken a minimalistic approach and has only made use of the possibility in Article 89(2) GDPR to adopt general derogations in a limited manner, the regulatory framework for allowing researchers to access and process data held in public population-based health registries remains wide.Footnote 27 In Italy, the entry into force of the GDPR has, on the other hand, had the function of filling the gap in the legislation with regard to biobanking for medical scientific research purposes.Footnote 28 In France and in Finland, the national regulatory approach seems to a certain extent to uphold a stricter standard than required by the GDPR, whereas in Estonia, the legislator has chosen a more lenient approach.Footnote 29 The national regulatory responses thus remain heterogeneous.

4 Addressing Regulatory Differences Via Forum Shopping?

A relevant question to pose is whether this heterogenous regulatory landscape may lead to forum shopping, in the sense that research proposals are allocated to Member States with the most beneficial regulatory regimes. The question of forum shopping, or in other words, regulatory competition, is far from unknown in the EU Internal Market and not always seen as problematic in itself. Within the Internal Market, Member States should allow a free flow of goods, services, labour and capital, unless there is a legitimate reason to hinder it.Footnote 30 It is for the economic actors in the Internal Market to allocate their business to the forums that offer the most advantageous conditions. In the Centros case, the CJEU held that it was contrary to the rules of the Internal Market for a Member State to refuse to register a ‘letterbox-company’ merely on the basis that the company wanted to allocate its business in a less restrictive regulatory environment. Only on suspicion of fraud would it be legitimate for the Member State to take action.Footnote 31 The practice is also well known in labour law where employers might want to place their headquarters in a state with a more lenient labour law regime. Even if this is often criticised, it has proven difficult to combat the practice without distorting the Internal Market.Footnote 32 As mentioned in the introduction, the GDPR has as its objective to promote free movement of personal data. In global medical research, the concepts of ‘ethics dumping’, the practice of exporting unethical research practices to lower-income settings, has been recognised as an ethical problem.Footnote 33 The differences between Member States of the EU should not be exaggerated, but at the same time researchers allocating research proposals to certain states in order to circumvent ethical regulation can be seen as problematic and will in the long run undermine social trust in biobanking. The next issue to consider is therefore whether the GDPR contains any mechanisms that may bridge the regulatory differences.

5 Addressing Regulatory Differences Via Administrative Cooperation and Soft Law Tools

As mentioned briefly above and as also discussed by Dara Hallinan in chapter ‘Biobank Oversight and Sanctions Under the General Data Protection Regulation’ of this book, the GDPR contains an elaborated governance structure for both European and national administration within the data protection area. Here, focus is laid on the potential of this structured cooperation of authorities to overcome differences in interpretations of data protection rules and concepts. It is in this context of interest to note that the administrative structure is partially regulated also in EU primary law. Both Article 8 of the Charter and Article 16 TFEU state that compliance with data protection rules shall be subject to control by an independent authority. This independency is regulated in Chapters VI and VII of the GDPR, together with the competence, tasks and powers of the national data protection authorities (DPAs) and the newly established European Data Protection Board (EDPB), which has taken over after the previous Article 29 Working Party Group.

One of the tasks of the EDPB is to issue guidelines, recommendations, best practices and opinions on a wide range of subjects.Footnote 34 Even if the GDPR does not regulate biobanking directly, these documents will often be relevant both in regards to defining core principles of data protection, such as informed consent, and in relation to processing personal data across sectors, such as clinical trials.Footnote 35 The GDPR also introduced several new tools with which DPAs can cooperate; two of these will be discussed here. These are a one-stop-shop mechanism for appointing a lead authority in cases involving monitoring of cross-border processing and a procedure for composite decision-making, labelled a consistency mechanism.Footnote 36

The first mechanism was established to offer a smooth and foreseeable means of supervision since it identifies one single DPA to act as a one-stop-shop for controllers and processors active in more than one Member State, thus giving the lead DPA a role as coordinator of the supervision of all the processing activities of that business throughout the EU in collaboration with other ‘concerned’ DPAs.Footnote 37

The second, the consistency mechanism, provides a procedure for fulfilling the role of a dispute resolution mechanism in which the EDPB functions as a dispute resolution body.Footnote 38 According to this procedure, a DPA can refer a draft decision to the EDPB before enacting a decision in different categories of situations. In the first category, consisting of six identified cases, referral is compulsory.Footnote 39 In the second category, concerning ‘any matter of general application or producing effects in more than one Member State’, referral is optional.Footnote 40 However, the procedure in the second paragraph can be initiated by any DPA, not merely the lead authority, the chair of the EDPB and the Commission. If the DPAs cannot agree, any one of them may trigger the consistency mechanism, thus inviting the EDPB to take a leading role. In both categories, the EDPB issues an opinion which all DPAs and the Commission may comment on.Footnote 41 The lead authority must ‘take utmost account of the opinion of the Board’ and communicate to the Chair of the Board whether it will maintain or amend its draft decision.Footnote 42 If the lead authority does not abide by the opinion, the EDPB may proceed with a dispute resolution. This effectively entails a decision adopted for the individual case which the DPA must implement by giving a final decision according to the requirements of the relevant national law, referring to the decision enacted by the EDPB.Footnote 43 If and to what extent this mechanism is to be used within the area of research in general or biobank research in particular remains to be seen. Within the areas where the GDPR acknowledges the regulatory competence of the Member States, such as due to the research exceptions, it is hardly conceivable that the consistency mechanism can reconcile the various approaches and traditions of the Member States, at least not in a comprehensive manner.

A more customised tool for defining the proper balance between individual right and public interest in biobank research is the code of conduct.Footnote 44 A code of conduct can be drafted by private companies and organisations for the processing of personal data by certain categories of controllers or processors.Footnote 45 The procedure for adopting a code of conduct involves both a DPA, the EDPB and the Commission, and results in a binding document specifying the proper application of the GDPR for processing within the Union and as a basis for transfer outside.Footnote 46 In June 2019, the EDPB issued guidelines on the subject.Footnote 47 These describe the codes as being able to ‘help to bridge the harmonisation gaps that may exist between Member States in their application of data protection law’, and to ‘provide an opportunity for specific sectors to reflect upon common data processing activities and to agree to bespoke and practical data protection rules, which will meet the needs of the sector as well as the requirements of the GDPR’.Footnote 48

The BBMRI-ERIC is currently drafting a Code of Conduct for Health Research which, according to its webpage, may ‘guide researchers and administrative staff, reduce unnecessary fear relating to compliance and enhance data sharing for the purpose of stimulating progress in research’.Footnote 49 Arguably, this has the potential to define and operationalise the regulatory space provided by Art 9(2)(j), and create a balanced and proportionate approach for the purpose of achieving the public interest in research while respecting the essence of the right to data protection and upholding suitable and specific measures to safeguard this fundamental right. As argued in this book, the careful calibrating requested in this operation is a difficult yet essential factor for biobanking. If unity in central areas is reached, a code of conduct for biobanking could prove a most valuable tool in the present fragmented legal landscape. However, striving for unity must be weighed against the benefit of allowing Member States some leeway to uphold national or regional traditions. The final assessment of ethical and legal viability of the individual research project in the future will also be conducted by research ethic committees (RECs) in the Member States. In order to gain general acceptance, the code of conduct must meet the ethical standards applied by these boards, taking into account the ambiguity resulting from Article 9(4) and Article 23 GDPR. Further, the international obligations discussed above (Sect. 2.3) must also be met. In order to achieve this, the stakeholders of the code of conduct must resolve the issues that the EU legislator was unable to overcome in the legislative process. A bottom-up approach may prove more successful.

6 Concluding Remarks: Can a Level Playing Field for Biobanks Develop?

One of the more salient objectives of the EU data protection reform leading to the enactment of the GDPR was to further align national laws on data protection. Nevertheless, as the GDPR allows for derogations via Member States law to such a high degree, it could be argued that it is a regulation in name only and that its form in reality is more a directive. The regulatory regime for processing personal data in biobank research thus remains a mixed responsibility for the EU and its Member States.

The question of the relationship between the core data protection principles of the GDPR and national law that provides derogations has been analysed throughout this book. As has been seen, the regulatory differences in the Member States remain. However, the GDPR also introduces governance structures for administrative cooperation and the production of soft law documents to provide guidance for the interpretations of the GDPR and its core principles. Further, with the introduction of a new legal tool, the code of conduct, private entities and collaborative networks have also been invited to take part in the regulatory work. Thus, it may be argued that the harmonising factors in the area of research will be found in the area of soft law and governance tools rather than in the area of EU and Member State legislation.

This finding can be seen as contrary to one of the general features of fundamental rights law that derogations from a right should be set out in transparent and unequivocal rules enacted in a democratically legitimate manner.Footnote 50 This notion is also recognised in the preamble of the GDPR:Footnote 51

Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

Further, as discussed above, the CJEU held in the Schrems case that there are limits to how far the right to data protection can be restricted via legally binding acts.Footnote 52

Soft law documents and private-public governance tools can generally be said to lack the qualities of democratic legitimacy and transparency in comparison to legislative acts enacted by a parliament.Footnote 53 However, the combination of practical need and lack of political will and/or legislative competence within the EU seems to have paved the way for these types of non-law solutions. One of the benefits of this softer form of developing a common understanding of law is that it does not call into question the formal transfer of powers from the national level to the supranational level, and therefore entails less of a commitment for the involved states.Footnote 54 Moreover, as held by Mayrhofer and Prainsack, this is a common way of regulating international biobanking as non-legally binding agreements and soft law regularly emerge in the absence of a central regulator.Footnote 55 Following the conclusions in the pan-European survey, chapter ‘Biobanking Across Europe Post-GDPR: A Deliberately Created Fragmented Landscape’ in this book, the assessment of the legal and ethical requirements will in the end be a question for RECs to resolve within their adjudication. The transparency and legal certainty of this adjudication would have benefitted from a fulfilment of the recommendation put forward in the 2012 Commission report, that the EU and its Member States ought to develop a consistent and coherent legal framework for biobanking that should protect participants’ fundamental rights, in particular in the areas of privacy, data protection and the use of human tissue in research.Footnote 56