Brexit and Biobanking: GDPR Perspectives

Abstract

At the time we wrote this chapter, we undertook the almost impossible task of providing a legal analysis of an event (Brexit) that had not happened and might never have happened. This chapter nonetheless contributes to the edited collection in that it reports on the then legal position in the UK, and presents an analysis of two possible immediate post-Brexit legal futures, for data protection law as applicable to biobanking in the UK. These post-Brexit futures are the position if the draft Withdrawal Agreement is ratified and comes into force, and the position if it does not (a so-called ‘No Deal’ Brexit). The chapter concludes with some thoughts on possible longer term futures. The main message is the deep uncertainties surrounding Brexit and what it means in both legal form and in practice.

The support of the ESRC’s Governance after Brexit grant ES/S00730X/1 is gratefully acknowledged.

1 Introduction

At the time we finished writing this chapter (June 2019), the UK remained a Member State of the European Union (EU). This chapter explores the landscape of biobanking in the UK and the legal framework applicable to biobanks operating in the UK, focussing on the applicable data protection legislation. At that time, there was much uncertainty around Brexit, as a Withdrawal Agreement had not yet been ratified and it was possible that the UK would leave the EU without an agreement, a so-called ‘No Deal’ Brexit. It was also still possible that the UK would not in fact leave the EU. Given this uncertainty, this chapter outlines two possible post-Brexit legal futures. One of these (the UK leaving the EU without a Withdrawal Agreement) has not come to pass. However, many of the uncertainties associated with it remain, including in the context at which this chapter is now revised (June 2020), of the negotiation of the future EU-UK trade relationship. The chapter primarily focuses on applicable data protection law in this context.

The chapter first describes the context of biobanking in the UK, showing the European and global networks within which the UK’s biobanks of various types are embedded (Sect. 2). It outlines the key legal and governance instruments applicable to UK-based biobanks. The chapter then turns to the general political and legal context following the EU referendum vote (Sect. 3), before its detailed discussion of implications of Brexit for biobanking (Sect. 4). A brief conclusion notes the effects of continued uncertainty on UK biobanking and medical research.

2 Biobanking in the UK: The Current Position

2.1 The Context: National Biobanks Within European and Global Networks

A biobank is an entity which collects and stores human biological materials, and data about such materials, organises them on the basis of population, disease type or other pertinent typology, and provides bio specimens and data for both exploratory research and clinical trials.¹ There are five main models for biobanks (small scale/university, governmental/institutional, population, commercial and virtual), four of which are present in the UK.² A 2017 list, populated by the University of Nottingham, UCL and the Advanced Data Analysis Centre, covers over 180 UK-based biobanks.³

The first biobanks began over a century ago, on a small scale, within universities. Many ‘Russell Group’ UK Universities⁴ still hold smaller scale biobanks, but these are increasingly networked globally. For instance, University College London holds several biobanks focussed on specific conditions.⁵ Another example is London School of Hygiene and Tropical Medicine’s biobank for Myalgic Encephalomyelitis (ME)/Chronic Fatigue Syndrome.⁶ A third is CNMD Biobank, London, which collects tissues and primary cell cultures from skin, muscle, stem cells and nerve cells from patients with genetically determined neuromuscular diseases.⁷ Like other university biobanks, it works collaboratively, on primary and translational research, with the European Network Eurobiobank and the EU Network of Excellence TREAT-NMD.

A major institutional/governmental repository, the UK Biobank, was established as a not-for-profit charity in 2006,⁸ as a collaboration between the medical charitable sector, the English National Health Service (NHS), and governments within the UK.⁹ It provides services to researchers worldwide. Its website description states:¹⁰

UK Biobank is a major national and international health resource, and a registered charity in its own right, with the aim of improving the prevention, diagnosis and treatment of a wide range of serious and life-threatening illnesses – including cancer, heart diseases, stroke, diabetes, arthritis, osteoporosis, eye disorders, depression and forms of dementia. UK Biobank recruited 500,000 people aged between 40-69 years in 2006-2010 from across the country to take part in this project. They have undergone measures, provided blood, urine and saliva samples for future analysis, detailed information about themselves and agreed to have their health followed. Over many years this will build into a powerful resource to help scientists discover why some people develop particular diseases and others do not.

Another significant biobank in the UK is Oxford Biobank. Oxford Biobank holds a ‘collection of 30-50 year old healthy men and women living in Oxfordshire. All participants have undergone a detailed examination at a screening visit, donated DNA and given informed consent to be re-approached.’¹¹ Oxford Biobank is an interesting example of protection of research participants’ rights, as they utilise a dynamic consent platform, which enables participants to have more control over how their data and samples are used and allows for the withdrawal of consent.¹²

Many UK-based biobanks have been and are involved in international collaborations, often with partners in the EU. For example, EPIC-Oxford is the Oxford based ‘component of European Prospective Investigation into Cancer and Nutrition (EPIC)—a prospective cohort of 65,000 men and women living in the UK, many of whom are vegetarian.’¹³ This project ‘is the largest detailed study of diet and health ever undertaken’¹⁴ and involves 23 centres from 10 European countries, including collaborators from the UK, Denmark, France, Italy, Germany, Greece, Spain, Sweden, Norway, and the Netherlands.¹⁵ Several UK biobanks also participated in BIOSHARE-EU (Biobank Standardisation and Harmonisation for Research Excellence in the European Union), which has now ended. This included UK Biobank and EPIC-Oxford.¹⁶ Currently, both UK Biobank and Oxford Biobank continue to make their resources available to researchers based outside the UK.

The UK Clinical Research Collaboration’s Tissue Directory and Coordination Centre, administered by the Medical Research Council, is a virtual biobank: an electronic web-based collection of information about existing biospecimens and data. The Centre does not hold any human material and is independent from physical biobanks, allowing it to adopt a position of neutrality. It holds the UK’s first pan-disease Tissue Directory,¹⁷ which is available for any research to search according to disease classification, age, sex, sample type, preservation details, quality indicators and datasets available. In April 2017, it covered 100 bioresources.¹⁸ Its aim is to support research by enhancing the ability of researchers and organisations to find suitable samples. The Centre is the UK node of the BBMRI-ERIC network,¹⁹ which is an EU-funded network of biobanks and biomolecular resources.²⁰ The UK was not a founding member of BBMRI-ERIC, but joined subsequently. 14 EU Member States and Norway are members; four other states are observers. Member States, third countries as well as intergovernmental organisations may become members of BBMRI-ERIC at any time, subject to approval by the Assembly of Members according to Article 11(8)(b) of its Statutes.²¹ Members of BBMRI-ERIC take collective decisions through the Assembly of Members.²² Both members and observers contribute to the budget.

Due to increasing funding pressures, there may also be collaboration and investment in public biobanks by private entities.²³ There are also commercial biobanks in the UK including, for instance, bioDock, a trading name of Future Health Technologies Ltd (Company number: 04431145), which is a Nottingham-based cryo-genetic facility, with storage facilities in Switzerland and the UK.²⁴ This biobank currently holds more than ‘500,000 samples from over 80 different countries’.²⁵ In the commercial context, businesses that offer direct-to-consumer genetic tests (sometimes called ‘personal genomics’) also can be viewed as operating biobanks, in that they develop databases from consumers’ samples and personal data. Such businesses also operate across borders.

2.2 Overview of the Current Law and Governance Arrangements for Biobanks in the UK

Several pieces of UK legislation have relevance to the governance of biobanks in the UK. The focus in this chapter is primarily on data protection. The key current legal instrument here is the EU’s General Data Protection Regulation (GDPR),²⁶ which replaced the earlier Data Protection Directive.²⁷ Some UK-based biobanks apparently take the view that legal changes brought in by the GDPR do not affect the lawfulness of their existing practices. For instance, UK Biobank’s guidance for researchers states that compliance with the previous data protection regime is sufficient to secure GDPR compliance.²⁸ This statement has not, to our knowledge, been legally tested.

As a Regulation, from the point of view of EU law, the GDPR is ‘directly applicable’ in the Member States,²⁹ which means it has legal effect irrespective of any act of transposition. From the point of view of UK law, under the European Communities Act 1972, section 2, the GDPR takes effect in UK law in accordance with the requirements of EU law. Those requirements include the supremacy of EU law, in that the GDPR must be applied in preference to any contradictory domestic law, which should be ‘disapplied’ irrespective of its date of enactment (in other words, the normal lex posteriori rule is inverted).³⁰ In practice, however, domestic courts in the UK seek to avoid any ‘clash’ of norms, but rather to interpret and apply UK Acts of Parliament consistently with EU obligations.³¹

In principle, the GDPR protects the fundamental rights of natural persons whose data are ‘processed’ within the material scope of EU law,³² where the entity processing the data is within the EU, or the data subjects are within the EU, if the entity processing the data is not, and the processing activities are ‘related to the offering of goods or services, irrespective of whether a payment of the data subject is required’.³³ Thus the GDPR applies in principle to all UK-based biobanks, which must comply with the GDPR’s terms on lawful data processing.³⁴ The GDPR also provides for the free movement of data both within and into the EU. It does so by providing harmonised minimum level standards of data protection, by requiring Member States to have a ‘supervisory authority’ to oversee their application,³⁵ and by setting up institutional fora within which EU Member States cooperate. The UK is currently obliged to participate in those institutional arrangements. Its supervisory authority is the Information Commissioner’s Office (ICO).

The GDPR permits Member States to derogate from its terms in various respects. The UK’s Data Protection Act 2018 (DPA) both implements the GDPR in domestic law and specifies how the UK takes advantage of this permission. The DPA also outlines how various aspects of the GDPR apply in practice in the UK.³⁶

The Human Tissue Act 2004 (HTA), enforced by the Human Tissue Authority, is also significant for UK biobanks. The HTA’s purpose is to regulate activities involving the removal, storage, use and disposal of human tissue. The Human Tissue Authority also secures compliance with the EU’s human tissue and cells Directives.³⁷ Under the HTA, like under the GDPR, the fundamental principle of consent underpins the lawful removal, storage and use of body parts, organs and tissue.³⁸ The HTA provides that analysis of DNA without qualifying consent is a criminal offence.³⁹ Although the HTA does not specifically define the term biobank, biobanks in the UK come within its remit, as they typically involve the collection of a broad range of human biological materials.⁴⁰ The Human Tissue Authority provides licences to organisations that collect and remove human tissue used in research and is thus responsible for licensing biobanks.⁴¹

Under the guidance issued by the Human Tissue Authority, UK-based biobanks which provide direct-to-consumer services are also obliged to comply with the provisions of the HTA, which means that all such businesses should obtain consent for the initial performance of a genetic test.⁴² The law—in particular relevant exemptions—will apply differently to such enterprises from its application to public research projects, as the nature of their business differs significantly, involving the direct sale of genetic tests as consumer services, followed often by secondary research on the genetic data generated from such tests. Furthermore, the commercial nature of these businesses means that, as well as data protection law, consumer protection legislation, including the medical devices legislative framework also applies to governance of the industry and their research activities.

In addition to the legislative framework, biobanks in the UK are subject to a range of governance provision. Much of this concerns ethical practice. For example, UK Biobank’s funders developed an Ethics and Governance Framework, as well as an Ethics and Governance Council, which is an independent body that oversees the biobank’s compliance with the Framework. UK Biobank has been licensed by the Human Tissue Authority, which means that researchers using data or samples from the biobank do not need additional licences.

Finally, in addition to those under the GDPR, DPA and HTA, the common law may afford other protections to data subjects, concerning special categories of personal data. Such special categories include: ‘data concerning health’; genetic and genomic data; and ‘biometric data that is processed to uniquely identify a natural person’.⁴³ These are all relevant categories for UK-based biobanks. For instance, claims in contract, the tort of negligence, or in equity could all be applicable in English law where biomedical research activities involve processing special categories of data collected from patients.⁴⁴ We do not discuss these further in this chapter.

2.3 Lawfulness of Processing, Transfer of Data Within the EU, and Transfer to ‘Third Countries’ in the Context of Biobanking in the UK

2.3.1 Lawfulness of Processing and the UK Biobank

To understand how the GDPR impacts in practice on biobanking in the UK, UK Biobank provides a useful illustrative example. According to its website, there are two main grounds for lawfully processing data in this context. These are either consent or legitimate public interest.⁴⁵ The HRA guidance does note though that, if it is possible to undertake the relevant research without processing personal data, then neither consent nor legitimate interest will be valid as a basis for data processing.⁴⁶ UK Biobank believes that their work meets both the consent and legitimate interests bases for processing. Its GDPR Information Notice asserts that:

Each person who joined UK Biobank provided their explicit consent for us to collect, store and make available information about them (including data from genetic and other assays of the samples that were collected) for health-related research, and for their health to be followed 25 over many years through medical and other health-related records, as well as by being re-contacted by UK Biobank.⁴⁷

UK Biobank also states that they believe that they meet the three step tests necessary for legitimate interest processing, set out in the GDPR, that is the purpose test, the necessity tests, and the balancing tests. Its Information Notice adds an additional note, stating that:

there is a further requirement under the GDPR for processing “special categories of data” and this includes data concerning an individual’s health. This requirement can be satisfied if the processing is necessary “for reasons of public interest in the area of public health of for archiving purposes in the public interest, scientific or historical research purposes ….”. The GDPR specifies that “research purposes” include “studies conducted in the public interest in the area of public health”. We consider that UK Biobank’s activities fall squarely within this requirement.⁴⁸

Where data is lawfully processed within the EU, it may be lawfully transferred anywhere within the EU. This is one of the key aims of the GDPR, to allow the flow of data within the EU’s ‘single market’. UK-based biobanks, like UK Biobank, that transfer data out to other EU countries, and other EU countries that transfer data in to the UK, currently rely on these provisions. Further, under the GDPR, standard contractual clauses provide a lawful basis for transfer of data to ‘third countries’ (i.e. non-EU countries), or international organisations.

2.3.2 Consent as a Basis for Lawful Processing

In general, the GDPR sets a high standard for consent to process personal data and especially specific kinds of data, including health data. This raised concerns during its drafting that this standard could cause difficulties for researchers, as it was common practice for consent to participate in research to be framed on a broad basis.⁴⁹ This is a matter which Member States may treat differently in their derogations, but in the UK there is some uncertainty about whether consent can be relied upon as a basis for lawful processing in the context of health and social care research, which obviously includes activities of biobanks. Although consent is central to the HTA, both the Health Research Authority and the ICO have released guidance on consent. Specifically, according to the HRA’s website:⁵⁰

For the purposes of the GDPR, the legal basis for processing data for health and social care research should NOT be consent. This means that requirements in the GDPR relating to consent do NOT apply to health and care research

The logical consequence of this guidance is that the basis of lawful processing of data by UK-based biobanks is legitimate interest, rather than consent. However, the ICO also indicates in its guidance that organisations ‘are likely to need to consider consent when no other lawful basis obviously applies’.⁵¹ Furthermore, when dealing with human tissue, as consent is the central principle upon which the Human Tissue Act is based, biobanks that handle tissue samples are likely to be required to obtain consent from research participants in order to collect samples and conduct research.

2.3.3 Legitimate Public Interest as a Basis for Lawful Processing

According to the UK’s Data Protection Act, processing of personal data that is ‘necessary for scientific … research purposes’ is lawful.⁵² This includes personal data in one of the GDPR’s ‘special categories’, which include genetic data and data concerning health. The data held by biobanks includes ‘special category’ data under the GDPR and Data Protection Act. Biobanks may collect and process several different types of ‘special category’ data. Processing of such data by a biobank that is necessary when carrying out research is lawful, so long as it is consistent with the Data Protection Act’s section 19 requirements and so long as it is in the public interest.⁵³ Section 19 provides that the processing may not, however, be ‘likely to cause substantial damage or substantive distress to a data subject’.⁵⁴ It is possible that biobanking activities could do so, for instance, if they brought to light information about someone’s genetic predispositions to medical conditions. However, where the data processing is necessary for ‘the purposes of approved medical research’, then it is compliant with the Data Protection Act.⁵⁵ ‘Approved medical research’ requires ethical clearance, either under the Health Research Authority, or a body appointed by the NHS or a research institution, such as a University.⁵⁶

Under the Health Research Authority guidance, data subjects who are research participants in public sector research projects must be informed that processing of personal data for research purposes is in the public interest.⁵⁷

2.3.4 Adequacy Decisions, ‘Appropriate Safeguards’ (Standard Contractual Clauses and Binding Corporate Rules), and Special Circumstances as a Basis for Transfer of Data to ‘Third Countries’

Under the GDPR, and Data Protection Act, it is unlawful to transfer personal data to a ‘third country’ unless there is a lawful basis for such transfer.⁵⁸ While the UK remained a Member State of the EU, and during the ‘transition’ period until end December 2020, organisations (including biobanks) processing data in the UK were able to rely on the grounds set out in chapter V of the GDPR, and chapter 5 of the DPA, as a basis for the lawful transfer of data out of the UK to ‘third countries’ (i.e. non-EU countries).

Biobanks in the UK may lawfully transfer personal data to a third country where the transfer is based on an ‘adequacy decision’.⁵⁹ Such adequacy decisions are taken by the European Commission.

In the absence of an adequacy decision, transfer may take place where ‘appropriate safeguards’ are provided. One such appropriate safeguard is the use of standard contractual clauses. Article 57 of the GDPR provides for each supervisory authority to create standard contractual clauses, which businesses can use in their agreements for data processing and transfer. The UK’s ICO has created templates for both controller to processor contracts⁶⁰ and controller to controller contracts,⁶¹ which biobanks can use. The ICO has also produced guidance on what organisations need to include in contracts for data transfer.⁶² The Health Research Authority’s guidance confirms the lawfulness of such data transfers.⁶³

However, as Lawlor et al. write, standard contractual clauses may not be the best suited mechanism for biobanking research.⁶⁴ Their work is concerned with research conducted by biobanks more generally, rather than specifically those based in the UK. They suggest that making more use of material transfer agreements, and development of a code of conduct, would assist international biobank research collaborations.

BBMRI-ERIC have also called for the development of a Code of Conduct for Health Research.⁶⁵ The aim is to ‘reach a sector-specific code that explains how the GDPR applies in practice.’⁶⁶ 130 individuals representing 80 organisations in the field of health research support the idea of such a Code.⁶⁷ This initiative is international in nature. The most recent Code drafting meeting took place in Rome in November 2018.⁶⁸ If it is eventually approved under Article 40 of the GDPR, the Code would apply broadly to a wide range of health research and would be of assistance to biobanks engaging in international data transfer into EU Member States and also potentially for those sending data outside the EU.

Another type of appropriate safeguard is ‘binding corporate rules’.⁶⁹

It is also permissible for a UK-based biobank to transfer data to a third country on the basis of special circumstances.⁷⁰ The most relevant circumstances that could be relied upon are those set out in DPA, section 76(1) (a) and (b), which allow for transfer in order to ‘protect the vital interests of the data subject or another person’ or ‘to safeguard the legitimate interests of the data subject’. Explicit consent of the data subject to the transfer is another possible ‘special circumstance’ but this would not be practical for biobanks to secure.

3 The Political and Legal Processes of Brexit to Date

This section of the chapter explains the political processes following the EU referendum in June 2016, and sets out the current legal position in general terms. Its specific application to biobanking, especially GDPR aspects, is discussed in Sect. 4 below.

Following an (advisory) referendum, and an Act of Parliament,⁷¹ the latter as required ‘in accordance with [the UK’s] constitutional requirements’,⁷² the UK formally notified its intention to leave the EU on 29 March 2017, as specified under Article 50 of the Treaty on European Union. Under Article 50 (3) TEU, the default position was that the UK would leave the EU on 29 March 2019.

Article 50 TEU obliged the EU-27 to negotiate a Withdrawal Agreement with the UK. By 25 November 2018, the UK had agreed a draft Withdrawal Agreement with the EU’s negotiating team, which was duly approved by the Council of the EU-27, along with a non-binding political declaration on the future EU-UK relationship.⁷³ However, the UK government was unable to secure support in Parliament for ratification of the Withdrawal Agreement.⁷⁴ Nonetheless, in a non-binding vote, the House of Commons also indicated its opposition to leaving the EU without a Withdrawal Agreement in place.⁷⁵

In March 2019,⁷⁶ and again in April 2019,⁷⁷ the EU and UK agreed, in accordance with Article 50 (3) TEU, to extend the withdrawal negotiation period. As at May 2019, it was agreed that the UK would leave the EU on 31 October 2019, unless the Withdrawal Agreement was ratified before that date, in which case the UK would have left when the Withdrawal Agreement entered into force. As things stood when we originally wrote this chapter, thus, on the date of entry into force of the Withdrawal Agreement, or on 31 October 2019, the UK would have ceased to be a Member State of the EU. What actually happened was that the UK did not leave the EU until 31 January 2020, at which point a revised Withdrawal Agreement entered into force.

The Withdrawal Agreement provides for a ‘transition’ or ‘implementation’ period, which ends on 31 December 2020.⁷⁸ In principle, during the transition period, EU law applies to and in the UK, producing the same legal effects, and being interpreted and applied in accordance with the same methods and principles, as before withdrawal.⁷⁹ This means that EU law as it stands at ‘Exit Day’ and as it evolves through the transition period will produce legal effects in the UK during the transition period.⁸⁰

During transition, EU institutions, bodies and agencies, including the Court of Justice of the EU, have powers in relation to the UK, and to natural and legal persons established in the UK.⁸¹ But this is ‘unless otherwise provided’ in the Withdrawal Agreement.⁸² So, for instance, the UK will no longer be included in EU institutions, bodies or agencies, and the UK’s institutions will not be considered institutions of a Member State.⁸³ Access to networks, information systems and EU databases ceases at the end of transition.⁸⁴

The transition period may be extended once, ‘to a period up to [31 December XXXX]’, by a decision of a ‘Joint Committee’⁸⁵ made before 1 July 2020.⁸⁶ The current political intention of the UK government is not to seek extension.

The UK has made initial domestic provision for withdrawal from the EU through the EU (Withdrawal) Act 2018. The EU (Withdrawal) Act originally provided for an ‘Exit Day’ of 29 March 2019. This was amended by statutory instrument on 11 April 2019, so that Exit Day is currently defined in UK domestic law as on 30 October 2019, so that Exit Day is defined in UK domestic law as 31 January 2020 ⁸⁷

The Act repeals the European Communities Act 1972, which is the domestic provision through which EU law applies in the UK and is a source of UK law. The EU (Withdrawal) Act 2018 creates, on Exit Day, a new source of UK law: ‘retained EU law’. In essence, all EU law applicable in the UK on that date will be part of UK law by virtue of the Act.

4 The Legal Position for GDPR Aspects of Biobanking Post-Brexit

All of the different types of biobank structures in the UK have been and will continue to be affected by Brexit, but in different ways. Smaller biobanks that collect, process or share data solely within the UK are affected less, although the applicable law will change. Larger, networked, UK-based biobanks that share data outward to the EU and other countries, and those which receive inward coming data from the EU and other countries are affected more, because pre-Brexit and pre-transition the basis on which the lawfulness of data protection in those transactions is secured is the UK’s membership of the EU and the Withdrawal Agreement. Some biobanks, for instance, commercial operators, may be able to circumvent the inconvenience of Brexit, and continue to operate as before within the EU, by incorporating in an EU Member State. This approach is not open to university-based or governmental/institutional UK biobanks. Those biobanks that rely on EU networks and funding may find that they are totally excluded from such access, depending on the form that the future EU-UK trade relationship takes.

We now focus on the legal position for UK data protection law, as it applies in biobanking contexts, post-Brexit. In the run up to 29 March 2019, the UK government issued several guidance notes and other policy documents giving advice about the post-Brexit legal position. Some of this guidance is relevant to the GDPR and biobanking. Of course, however, the views of the government, even expressed in formal guidance notes, do not have the force of ‘hard’ law. The section therefore outlines the position under the only relevant primary UK legislation currently enacted at the time of writing: the EU (Withdrawal) Act 2018, and under relevant secondary (delegated) legislation in the form of statutory instruments. These latter are executive acts with the full force of law in the UK.⁸⁸ These provisions apply whatever the form of Brexit, and do not distinguish between the position under the Withdrawal Agreement and that in a ‘No Deal’ situation (which did not, in the end, occur).

We then consider the legal position under each of the possible forms of Brexit discussed in this chapter: under the EU-UK Withdrawal Agreement, and what the position would have been in the event of a No Deal Brexit. We have retained the latter analysis to illustrate both the complexities of Brexit and the position should the EU and UK be unable to agree a trade agreement by the end of December 2020. When we originally wrote this chapter, we did not know how the UK would implement its obligations under the Withdrawal Agreement, so that analysis is by definition more conjectural.

4.1 Domestic Legislation, Statutory Instruments, ‘Soft Law’, Guidance

4.1.1 Soft Law and Guidance on Data Protection Post-Brexit

In December 2018, the UK government issued a technical note giving guidance on data protection post-Brexit. That guidance was withdrawn on 1 March 2019,⁸⁹ and replaced with revised guidance adopted on 6 February 2019.⁹⁰ It complements guidance from the ICO⁹¹ on the future data protection regime in case of a No Deal Brexit, which remains in place. The guidance applies to all organisations to which the GDPR applies, so it applies to UK biobanks.

4.1.2 Data Protection Under the EU (Withdrawal) Act 2018

As ‘retained EU law’, the GDPR is in principle part of UK law on Exit Day, under the terms of the EU (Withdrawal) Act 2018.

However, the GDPR (as a source of ‘retained EU law’) will be subject to future amendments made by the UK legislator. Any such amendments are legally authorised on the basis of powers set out in the EU (Withdrawal) Act 2018, the Data Protection Act 2018, and the European Communities Act 1972. These powers allow the UK government to act unilaterally to remedy any ‘deficiencies’ in ‘retained EU law’. These amendments will take effect through secondary legislation: the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019,⁹² and any subsequent secondary legislation. The EU (Withdrawal) Act 2018 makes no provision for UK compliance with the Withdrawal Agreement (see further below in Sect. 4.2.3).

4.1.3 The Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019⁹³ (hereafter, ‘the EU Exit Regulations’) amend various parts of legislation to take account of the UK leaving the EU. They came into force on Exit Day. In summary, the Regulations amend the Data Protection Act 2018, the GDPR as ‘retained EU law’ (known in the Regulations as ‘the UK GDPR’), and merge provisions of the two.⁹⁴ Schedule 1 lists the amendments to the UK GDPR, while schedule 2 deals with the amendments to the Data Protection Act 2018. Schedule 3 deals with consequential amendments to other legislation, and schedule 4 addresses amendments consequential on provisions of the 2018 Act.

The UK government claims⁹⁵ that the majority of the changes to the existing law involve removing references to EU institutions and procedures that will not be directly relevant when the UK is outside the EU. This is accurate. Many changes, for instance, simply change ‘the Union’ or ‘a Member State’ for ‘the UK’; or ‘the competent authority’ for ‘the Commissioner’, that is, the Information Commissioner as referred to in the Data Protection Act, section 114 and schedule 12.

However, the EU Exit Regulations do make some changes to the legal position beyond removing references to the EU and its institutions and procedures. The key changes of relevance or potential relevance to biobanking are as follows:

1. (a)

   Adequacy decisions

2. (b)

   Standard data protection contractual clauses

3. (c)

   Information exchange and cooperation

4. (d)

   Removal of procedural and remedial safeguards

5. (e)

   General principles of EU law.

4.1.3.1 (a) Adequacy Decisions

The EU Exit Regulations add new sections 17A and 17B, and 74A to the Data Protection Act 2018. These give the Secretary of State power to adopt adequacy decisions by regulations, and oblige the Secretary of State to keep such decisions under periodic review. An adequacy decision may be taken in respect of a third country (which in this context, contrary to its meaning in EU and international law, means a country outside of the UK⁹⁶); a territory or one or more sectors within a third country; an international organisation (such as the EU); or a description of such a country, territory, sector or organisation. Transfer of personal data from the UK to such a country, territory, sector or organisation would not be lawful in the absence of an adequacy decision, or other basis for lawful transfer, such as ‘special circumstances’, or ‘standard data protection clauses’ (see below in Sect. 4.3.2).

When assessing the adequacy of protection in a third state or international organisation, the Secretary of State must take into account a list of factors outlined in new section 74A of the Data Protection Act. These repeat verbatim the matters that the European Commission should take into account when assessing adequacy, as provided in Article 45 (2) GDPR. Briefly, these include:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country … including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States;

and (c) the international commitments the third country … has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems…

The Secretary of State must monitor developments in such third countries, sectors etc, and amend or revoke adequacy decisions accordingly, having given the country etc the opportunity to remedy any lack of protection. In addition, each adequacy decision must be reviewed at least once every 4 years.⁹⁷

The UK government’s guidance explains that the UK ‘will transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue,’ and ‘preserve the effect of existing EU adequacy decisions’, including the EU-US Privacy Shield, on a transitional basis.⁹⁸ The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2), Regulations 2019, schedule 2, article 102, inserting a new Schedule 21 into the UK GDPR provides that all EEA states (which of course include all EU27 Member States), Gibraltar, EU and EEA institutions, and all the third countries, territories, sectors or international organisations which the EU recognises with adequacy clauses (Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Faroe Isles, Andorra, Israel, Uruguay, New Zealand, and the USA) are regarded as countries etc which the UK recognises as having an adequate level of protection for personal data transferred from the UK into that country. In the context of biobanking this means that it will be lawful for biobanks in the UK to continue to conduct data transfers of UK citizens’ data, and other data they hold, to organisations based in all of these places.

Obviously the UK’s EU Exit Regulations can make no provision for the transfer of personal data into the UK from another country. Non-EU countries will each need to decide how to treat the UK as a non-EU Member State, when, up to the end of the transition period they have been recognising the UK’s treatment of personal data as adequate because the UK is an EU Member State. It was reported in April 2019 that some countries have indicated that they will continue to allow free data flow into the UK, even in the event of a No Deal Brexit.⁹⁹ This might be the case also in the event of a failure to agree an EU-UK trade agreement. These countries include Switzerland, Israel, and the USA. The legal nature of these permissions is domestic law within each third country.

Transfer of personal data from EU Member States into the UK post Brexit remains subject to EU law. In the absence of any other provision being in place (but see further below Sects. 4.2.1 and 4.3.1), the UK is treated as a ‘third country’ in the terms of the GDPR. This will mean that transfer of data to biobanks in the UK is unlawful, unless there is a lawful basis for that transfer as provided for under the GDPR. At present, there is no agreement on how the UK and EU are to treat each other’s assessments of adequacy. The biobanking sector, like many (or possibly all) other sectors which rely on sharing of data across borders, have noted that it would be beneficial if some agreement was reached that would allow for mutual recognition. This will be easier to achieve because Brexit took place under the Withdrawal Agreement, as opposed to on a ‘No Deal’ basis (see further below section 4.2).

4.1.3.2 (b) Standard Data Protection Contractual Clauses and Binding Corporate Rules

Approach to Standard Data Protection Contractual Clauses and Binding Corporate Rules

The EU Exit Regulations 2019 purport to offer some level of legal continuity, as they amend the Data Protection Act to provide that standard contractual clauses and binding corporate rules that are authorised before Exit Day will remain valid.¹⁰⁰ UK-based biobanks which currently transfer UK citizens’ data, and other data they hold, to organisations based in other countries, on the basis of standard data protection contractual clauses or binding corporate rules, will be able to continue to do so after Exit Day. Post-Brexit, standard contractual clauses become known as ‘standard data protection clauses’ in UK law.¹⁰¹ The EU Exit Regulations also empower the Information Commissioner to withdraw authorisation for binding corporate rules.¹⁰²

Schedule 2 of the EU Exit Regulations adds new sections 17C and 119A to the Data Protection Act. These provisions address standard data protection clauses. Such clauses are those which the Secretary of State considers provide appropriate safeguards for transfers of data to a third country or international organisation, in accordance with new sections 17A and 17B. Schedule 3 of the Regulations revokes existing EU law (that otherwise would become retained EU law) which provides for standard contractual clauses.¹⁰³ To replace this, the Information Commissioner is empowered, in consultation with the Secretary of State, and any other stakeholders the Commissioner considers appropriate,¹⁰⁴ to specify ‘standard data protection clauses’ which are sufficient to provide adequate safeguards for the purposes of transfer of data to a third country or international organisation,¹⁰⁵ and also to amend or withdraw such standard clauses.¹⁰⁶ In effect, standard contractual clauses become standard data protection clauses in the Regulations. Documents issued by the Commissioner specifying standard data protection clauses are subject to a negative Parliamentary assent procedure.¹⁰⁷ For UK-based biobanks wishing to continue to conduct data transfers of UK citizens’ data, and other data they hold, to organisations based in other countries, standard data protection contractual clauses are a potential basis for lawful transfer of data post-transition.

Again, as with adequacy decisions, the UK’s EU Exit Regulations can make no provision for the post-transition transfer of data from EU-based entities, or those based in other countries, to UK-based biobanks. There is (as yet) no agreement on coordination or mutual recognition of such clauses between the UK and the EU, and in any event the nature of these clauses is currently the subject of litigation before the CJEU (see further below, Sect. 4.3.1).¹⁰⁸ Despite this, the ICO has produced an interactive tool for businesses to deal with standard contractual clauses if the UK does leave the EU without a deal.¹⁰⁹ The ICO recommends that organisations that need ‘to maintain the free flow of personal data into the UK from Europe, in the event the UK exits the EU without a deal… should consider using standard contract clauses’.¹¹⁰ But the ICO can only account for movement of data out of the UK, not into the UK. To write of ‘free flow’ of data, as the ICO’s recommendations do, is to misrepresent the formal legal position. It is not yet clear what the EU’s position will be on data transfer into the UK from the EU following a the failure to agree a trade agreement at the end of transition (see further below in Sect. 4.3.1).

4.1.3.3 (c) Information Exchange and Cooperation

The EU Exit Regulations remove all obligations on the UK, or entities within the UK, to cooperate within the structures of the EU, or to exchange information with the European Commission. Instead, the Regulations envisage that the Council of Europe’s Data Protection Convention¹¹¹ (which the UK has signed and ratified) will be the basis of interstate data protection cooperation post transition, through the Convention’s obligations to designate one or more authorities to furnish information to authorities in other states on law and administrative practice in data protection.¹¹² This Convention is the first binding international instrument on individual personal data protection. It seeks to prohibit abuses that may arise when personal data is collected or processed, to ensure that sensitive data (such as concerning health) is subject to legal safeguards, to secure a ‘right to know’ what information is held, and to regulate the flow of personal data across borders. The UK’s data protection law secures compliance with these international obligations. The Data Protection Convention will thus have increased significance to the UK’s data protection framework post-Brexit, where there continues to be uncertainty about how the EU will treat the UK for data protection purposes post-transition. This will depend on the type of Brexit (see further below), and what the EU and the UK eventually agree in terms of future EU-UK relationships.

4.1.3.4 (d) Procedural and Remedial Safeguards 

The EU Exit Regulations remove the obligation to the effect that the authority that supervises the application of the GDPR (in the UK, the Information Commissioner) must, when imposing administrative fines, comply with national and EU law on procedural safeguards, including effective judicial remedy and process.¹¹³ Instead, section 115 (9) of the Data Protection Act makes provision about the exercise of the Commissioner’s functions when imposing administrative fines. The right to an effective remedy and other general principles of EU law concerning due process are an important feature of EU law in various contexts, including data protection. Essentially driven by the CJEU, these principles have formed an important part of the development of EU data protection law, which includes the entitlement of data subjects to secure effective remedies for breach, part of the overall compliance and sanctions regime under the GDPR.

The Data Protection Act, section 115 (9), as amended, provides that the Commissioner may only exercise its powers to issue administrative fines by giving a penalty notice, as provided for in section 155, having determined that a person has failed, in the sense prescribed in section 149, to comply with provisions of the GDPR. The pre-Brexit position was that this form of implementation is—at least in theory—subject to scrutiny for compliance with general principles of EU law. Post-transition, this layer of scrutiny is removed. However, of course, the UK will retain its obligations to due process under the ECHR, such as a right to a fair hearing.

4.1.3.5 (e) General Principles of EU Law

The EU Exit Regulations exclude from application any case law or general principles of EU law not relevant to the GDPR, or chapter 2 or Parts 5–7 of the Data Protection Act.¹¹⁴ These are the parts of the existing law concerning interpretation of the applicable legal provisions. The change made by the EU Exit Regulations means, for instance, that future CJEU interpretations of broader principles of EU law, such as under the EU CFR, and in Mangold-type cases,¹¹⁵ will not apply in the UK as retained EU law. This is consistent with the amendment to the Data Protection Act, section 205, which provides that references in that Act to a ‘fundamental right or fundamental freedom’ are only to such fundamental rights and freedoms which continue to form part of UK domestic law after Exit Day. The European Union (Withdrawal) Act, section 4, provides that EU law rights, obligations, or remedies that come from the CJEU’s jurisprudence continue to be part of ‘retained EU law’, only if they are recognised as such in a case decided by the CJEU before Exit Day. The intention seems to be to sever the way that relevant law in the UK is interpreted from how those interpretations develop in the EU, following Exit Day, and to do so irrespective of whether the Withdrawal Agreement—which provides in its Article 131 that the CJEU’s jurisdiction continues in the UK during transition—is agreed or not. The implications of this are difficult to ascertain. During transition, the European Union (Withdrawal Agreement) Act 2020 ‘switches back on’ the European Communities Act 1972, to the effect that EU law (including judgments of the CJEU) continues to apply to and within the UK until the end of December 2020. However, after that, the European Union (Withdrawal) Act, section 4, provides that EU law rights, obligations, or remedies that come from the CJEU’s jurisprudence continue to be part of ‘retained EU law’, only if they are recognised as such in a case decided by the CJEU before Exit Day (not the end of transition). The intention seems to be to sever the way that relevant law in the UK is interpreted from how those interpretations develop in the EU, following Exit Day, and to do so despite the fact that the Withdrawal Agreement provides in its Article 131 that the CJEU’s jurisdiction continues in the UK during transition. Questions about the significance of this legislation go to questions of future regulatory alignment between the UK and the EU, which itself will then affect the extent to which the EU is able to recognise the UK’s regulatory environment as embodying an adequate protection for data, including the kinds of health-related data that biobanks process. These matters are discussed further in Sect. 4.2 below.

4.2 The EU-UK Withdrawal Agreement and Biobanking

4.2.1 Data Protection Law Under the Withdrawal Agreement

We note at the start of this section that aspects of the Withdrawal Agreement’s text on data protection are difficult to interpret.¹¹⁶ Of course, as the Withdrawal Agreement has only recently entered into force, there are no binding judicial rulings on the meaning of its text. The underlying aim of the Withdrawal Agreement is to ensure an orderly withdrawal of the UK from the EU, and to avoid disruption during the transition period by ensuring that EU law applies to and in the UK during that period.¹¹⁷ The Withdrawal Agreement’s provisions should thus be interpreted with that aimed-for continuity in mind.

In general, the Withdrawal Agreement provides that the UK is to be treated as a Member State of the EU during the transition period.¹¹⁸ So, in general, EU law continues to apply to and in the UK, as if the UK were still a Member State, from Exit Day until the end of transition.¹¹⁹ Thus, the GDPR continues to apply in and to the UK during that period. Biobanks in the UK will continue to be required to comply with the GDPR. The Withdrawal Agreement also provides that references to competent authorities of Member States in provisions of EU law made applicable by the Withdrawal Agreement are to include UK competent authorities.¹²⁰ This means that, until the end December 2020, the UK’s ICO continues to be recognised as an institution of a Member State, even though the UK is no longer a Member State of the EU.

However, this continuity rule applies only ‘unless otherwise provided’ in the Withdrawal Agreement.¹²¹ One of the key exclusions concerns the UK’s participation in EU institutions, and in decision-making and governance of the bodies, offices and agencies of the Union. The UK will no longer participates in such entities.¹²² The European Data Protection Board, established under the GDPR,¹²³ is (presumably¹²⁴) a ‘body’ of the Union for these purposes. The Withdrawal Agreement makes no explicit provision for the UK’s continued participation in the European Data Protection Board or its information sharing systems. The precise modalities of the situation where the UK Information Commissioner is excluded from the European Data Protection Board, but the ICO is still recognised as a competent national authority under the GDPR, are far from clear. This may have practical implications for UK-based biobanks, for instance seeking to rely on the European Data Protection Board’s guidance on the ‘one stop shop’ principle, in terms of which national supervisory authority should be the lead supervisory authority after Exit day and during transition. Biobanks which operate across the EU and the UK may find themselves subject to parallel proceedings.¹²⁵

The Withdrawal Agreement has a separate title (Title VII) on data processing. It covers ‘Union law on the protection of personal data’, which includes the GDPR,¹²⁶ but excludes the GDPR’s Chapter VII, which covers cooperation between supervisory authorities in the EU, consistency, dispute resolution and the European Data Protection Board. Title VII of the Withdrawal Agreement also includes ‘any other provisions of Union law governing the protection of personal data’.¹²⁷ Other relevant provisions of Union law include the EU CFR, and ‘general principles’ of EU law, both of which include the right to protection of personal data¹²⁸ and the right to privacy.¹²⁹ There is an unresolved question here about whether the EU Exit Regulations’ exclusion of general principles of EU law ‘not relevant to’ the GDPR as it applied immediately before Exit Day¹³⁰ is compliant with the UK’s obligations under the Withdrawal Agreement.

Title VII consists of just four provisions, two of which are not relevant to biobanking.¹³¹ The remaining two provisions have the following implications.

The Withdrawal Agreement, Article 71 provides

1. (1)

   Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of the personal data of data subjects outside the United Kingdom, provided that the personal data:

   1. (a)

      were processed under Union law in the United Kingdom before the end of the transition period; or

   2. (b)

      are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.

It is very difficult to make sense of this provision. If the UK is to be treated as if it were a Member State of the EU during the transition period,¹³² and if EU law continues to apply to and in the UK during that time,¹³³ the GDPR continues to apply as pre-Brexit. Processing in the UK during transition (or afterwards, on the basis of the Agreement, for instance, in the case of coordination of social security entitlements of migrants) of personal data of data subjects in a Member State (‘data subjects outside the United Kingdom’) is protected under the GDPR and its coordination arrangements, as pre-Brexit. One way to make sense of this provision, therefore, is that it is an exception to the general rules in the Withdrawal Agreement. For the purposes of transfer of data of a data subject in an EU Member State from that EU Member State to the UK for processing, during transition, the UK is not to be treated as if it were a Member State, and the GDPR does not apply. But if this is the intention of the provision, its drafting is far from clear.

Article 71 covers only personal data of data subjects outside the UK processed or obtained before the end of the transition period, or on the basis of the Withdrawal Agreement. In effect, it operates as if it were an adequacy decision. It does not cover personal data of data subjects within the UK. The majority of data held by UK-based biobanks is personal data of UK-based data subjects. But, especially given the way in which biobanks are networked, some of their data is personal data of data subjects outside the UK. If this interpretation is correct, the law applicable to UK-based biobanks would differ, depending on the source of the personal data. This would potentially create difficult—or even impossible—situations for UK-based biobanks in terms of data processing, depending on the extent to which UK data protection law diverges from EU data protection law. We noted some possible places of divergence in Sect. 4.1.3 above.

Article 71 (2) provides that paragraph 1 does not apply in the event that the European Commission adopts an adequacy decision under GDPR, Article 45. There is even provision in the Withdrawal Agreement for the withdrawal of an adequacy decision during the transitional period. In that event, Article 71 (3) of the Withdrawal Agreement provides that ‘to the extent that a decision referred to in paragraph 2 has ceased to be applicable’, the UK is obliged to ensure a level of protection of personal data that is ‘essentially equivalent’ to that in EU law.

Under the Withdrawal Agreement, Article 73, the EU is obliged to continue to treat data obtained from the UK before the end of transition, or after the end of transition on the basis of the Withdrawal Agreement, the same as data obtained from an EU Member State, or rather, not to treat it differently ‘on the sole ground of the UK having withdrawn from the Union’.¹³⁴ This drafting is unfortunate, given that the text of the GDPR contemplates only two categories of states: EU Member States and ‘third countries’. It is possible that the Withdrawal Agreement’s effect, combined with the GDPR rules on ‘third countries’ is that some kind of provision for data transfer into the EU from the UK is necessary during the transition period—be that an adequacy decision, appropriate safeguard, or special circumstances. But the political declaration on the future relationship between the EU and the UK indicates that the EU intends to begin the process of adopting an adequacy decision as soon as possible after Exit Day, so as to have such a decision in place by the end of transition. Given that, the better interpretation of the Withdrawal Agreement is intention to continue the current legal position between Exit Day and December 2020 (or the end of transition if a different date).¹³⁵

4.2.2 Other Law Relevant to Biobanking Under the Withdrawal Agreement

Other aspects of the Withdrawal Agreement will also be significant for biobanking. We noted above that the UK participates in the EU-funded BBMRI-ERIC network of biobanks and biomolecular resources.¹³⁶ Under the Withdrawal Agreement, during transition, the UK is to be treated as if it were a Member State. The Withdrawal Agreement’s financial settlement provisions oblige the UK to continue making contributions to the EU budget as if it were a Member State during 2019 and 2020, and pay a share of the EU’s budgetary commitments made under the 2014–2020 Multiannual Financial Framework (but which are not yet paid on 31 December 2020 when that framework comes to an end), on which Horizon 2020 funding is premised.

This means that access to EU funding for UK-based biobanks (and other research organisations) will continue during transition. After the end of transition, the UK could become a member, or an observer, of BBMRI-ERIC, if the Assembly of Members of BBMRI-ERIC grants its approval. The Assembly must do so on the basis of agreement of at least 75% of the Members, representing at least 75% of the Members’ annual contributions. This means that no single Member of BBMRI-ERIC has a veto. At present, only EEA states are members (Norway included), but there is no legal impediment to a third country becoming a member.¹³⁷

4.2.3 Domestic Implementation of the EU-UK Withdrawal Agreement

The Withdrawal Agreement requires the UK to render its obligations under the EU/UK Withdrawal Agreement into domestic law through domestic primary legislation.¹³⁸ As the UK is a ‘dualist’ state, provisions of an international agreement are conceptualised as an executive act, and do not have automatic legal effect in its legal systems.

The European Union (Withdrawal Agreement ) Act 2020 provides for the continued application of the European Communities Act 1972 during transition. This means the continued supremacy and direct effect of law agreed between the UK and the EU (that is, the Withdrawal Agreement). In effect it creates a new source of law in the UK’s constitution: that of Withdrawal Agreement law, in the same way that the European Communities Act 1972 is, in the words of the UK Supreme Court in Miller, the ‘conduit pipe’ by which EU law becomes ‘an independent and overriding source’ of UK law.¹³⁹

The benefits of this approach are that it secures compliance with the provisions of the Withdrawal Agreement, Article 4, which provides that:

1. (1)

   The provisions of this Agreement and the provisions of Union law made applicable by this Agreement shall produce in respect of and in the United Kingdom the same legal effects as they produce within the Union and its Member States. Accordingly, legal or natural persons shall in particular be able to rely directly on the provisions contained or referred to in this Agreement which meet the conditions for direct effect under Union law.

2. (2)

   The United Kingdom shall ensure compliance with paragraph 1, including as regards the required powers of its judicial and administrative authorities to disapply inconsistent or incompatible domestic provisions, through domestic primary legislation.

3. (3)

   The provisions of this Agreement referring to Union law, or to concepts or provisions thereof, shall be interpreted and applied in accordance with the methods and general principles of Union law.

4. (4)

   The provisions of this Agreement referring to Union law, or to concepts or provisions thereof shall in their interpretation and application be interpreted in accordance with the relevant case law of the Court of Justice of the European Union handed down before the end of the transition period.

5. (5)

   In the interpretation and application of this Agreement, the United Kingdom’s judicial and administrative authorities shall have due regard to relevant case law of the Court of Justice of the European Union handed down after the end of the transition period.

Further, there is significant jurisprudence, including from the House of Lords (the predecessor to the UK Supreme Court, the highest court in the land), on the meaning and effect of the relevant parts of the European Communities Act 1972. In particular, the Factortame ruling¹⁴⁰ confirms that domestic legislation, irrespective of its date, that cannot be consistently interpreted with directly effective, validly adopted EU law, must be disapplied. This approach thus entails significant legal certainty and clarity. It is a better approach than either considering the Withdrawal Agreement as ‘ordinary’ international law (which would potentially fail to fulfil the UK’s Withdrawal Agreement obligations despite the presumption that Parliament intends to comply with the UK’s obligations in international law¹⁴¹) or using the words of the Withdrawal Agreement itself (which would introduce uncertainty about the direct effect of the Withdrawal Agreement, as there is no universal rule in EU law as to direct effect of provisions of treaties to which the EU is a party: it is dependent on the context, aims and objectives of the treaty concerned¹⁴²).

In the biobanking context, the consequences are that the decision of the UK to ‘switch back on’ the existing obligations under the European Communities Act 1972 makes it easier for the EU to take the view that the UK’s data protection regulatory environment is sufficiently protective of personal data to permit data flow into the UK. This goes to questions of adequacy decisions, standard contract clauses, codes of conduct and binding corporate rules, which are the basis on which data from EU Member States (and other countries) may be shared with UK-based biobanks after Exit Day.

4.3 The Law If ‘No Deal’ Brexit

4.3.1 The EU’s Position

When we originally wrote this chapter, it was not clear whether the EU and UK would agree a Withdrawal Agreement. At that time, the EU had been consistently clear in its position that, in the event of a No Deal Brexit, the UK would have been treated as an ordinary ‘third country’. The implications for matters such as access to EU funding, for instance through the UK’s participation in BBMRI-ERIC, were that the existing legal arrangements would have been immediately ceased, unless another legal provision was adopted to respond to the exigencies of ‘No Deal’ (so-called ‘managed No Deal’). In January 2019, the European Commission proposed, on an extraordinary legal basis, a transitional provision for 2019,¹⁴³ which in effect would have allowed the UK, and UK-based entities, to be treated as eligible for funding, provided that the UK had paid into the EU budget, on a monthly basis. This proposal was not adopted, but it could be if ‘No Deal’ becomes politically more likely again, for instance in the run up to 31 October 2019. The obvious problem with such transitional measures is that they cannot deal with difficult broader decisions about the nature of the EU-UK relationship after Brexit, which will need to be determined before longer-term collaborative funding arrangements can be secured.

The European Data Protection Board’s February 2019 information note is consistent with the position that the UK would have been treated as an ordinary ‘third country’ immediately on a No Deal Brexit:

In the absence of an agreement between the EEA and the UK (No Deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. This means that the transfer of personal data to the UK has to be based on one of the following instruments as of 30 March 2019:

• Standard or ad hoc Data Protection Clauses

• Binding Corporate Rules

• Codes of Conduct and Certification Mechanisms

• Derogations.¹⁴⁴

Note that none of the listed bases of lawful transfer of personal data to the UK, in the event of No Deal Brexit, is that of an adequacy decision. It might be thought that this would have been the most convenient solution for all concerned, including EU-based biobanks which are networked with UK-based biobanks and wish to continue to share data. As noted above, in Sect. 4.1.3, the UK has affirmed that it will regard the EU’s data protection provision as adequate for the purposes of transfers of data to the EU. The GDPR provides that the Commission may decide that a third country, or one or more specified sectors in that third country (such as the biobanking sector), ensures an adequate level of protection of personal data. Transfer of personal data from the EU to a country or sector within a country that is subject to such an adequacy decision is lawful under the GDPR without any further specific authorisation.¹⁴⁵ The UK has become a ‘third country’, but its law, up until, the end of transition, was (at least presumptively) compliant with EU data protection law. Indeed, post-transition under the EU (Withdrawal) Act 2018, as amended by the EU (Withdrawal Agreement) Act 2020, the GDPR will become ‘retained EU law’, a part of the law of the UK. An adequacy decision seems the logical and practical approach.

However, adequacy decisions are formal acts, taken by the Commission, assisted by a committee and according to a specified procedure,¹⁴⁶ lasting for a period of up to 4 years, at which point they are reviewed.¹⁴⁷ Although, on duly justified imperative grounds of urgency, there is a power to adopt immediately applicable implementing acts revoking or withdrawing adequacy decisions,¹⁴⁸ there is no equivalent power to take an urgent adequacy decision. The GDPR sets the procedures through which adequacy decisions must be taken, and the EU institutions are not competent to depart from those procedures. To do so would have been ultra vires. Adequacy decisions are not suitable for the immediate legal ruptures implied by No Deal Brexit: to adopt an adequacy decision would be, in effect, to create a (partial) ‘Deal’, and would thus have undermined the EU’s negotiating position.

The CJEU has already found that aspects of UK data protection law are not compliant with EU law obligations, although not in the context of biobanking.¹⁴⁹ A January 2019 report from the UK Parliament’s Joint Committee on Human Rights¹⁵⁰ noted that the Data Protection Act 2018 may not provide as comprehensive a protection as Article 8 of the EU Charter of Fundamental Rights. The onward transfer of data from the UK to countries outside the EU is also an area of contention.¹⁵¹

Furthermore, although the GDPR becomes ‘retained EU law’, as explained above, important changes to the GDPR are implemented by ministerial powers granted under the EU (Withdrawal) Act. Enforcement and remedial provisions also change: there will be no scope for dispute resolution within the European Data Protection Board, no obligation on UK courts to comply with rulings of the CJEU after the end of transition, and no jurisdiction of the CJEU to hear preliminary references from the UK courts.

All of the above explains why the EU’s contingency planning for a No Deal Brexit did not include adopting an adequacy decision with respect to the UK. This may become salient again if the EU and UK trade agreement negotiations fail. EU Member States may not lawfully adopt unilateral adequacy decisions: the power to do so rests with the European Commission only.

According to Article 44 of the GDPR, in the absence of a formal adequacy decision taken by the European Commission, or other basis for the lawful transfer of personal data, all data flows from the EU to the UK would immediately be unlawful under the GDPR.¹⁵² If the EU does not take an adequacy decision to come into effect at the end of the transitional period, biobanks seeking to lawfully transfer personal data to UK-based biobanks must therefore rely on alternative bases for that data transfer.

As noted above, these include binding corporate rules; standard contractual clauses; codes of conduct; and ‘special circumstances’. We were unable to locate examples of binding corporate rules in the context of biobanking which are in the public domain, or plans for adopting such rules in the event of No Deal Brexit, or no EU-UK free trade agreement at the end of transition. Several multinationals in the pharmaceutical and biomedical industry have successfully adopted such binding corporate rules.¹⁵³ Given that this approach is more likely to be adopted by commercial biobanks, it is not a surprise that such plans are not available for us to scrutinize. In general, they are costly and time-consuming to put in place.

The most likely mechanism for lawful data transfer from an EU Member State to a non-commercial biobank in the UK in the event of No Deal Brexit was on the basis of standard contractual clauses. Standard contractual clauses may be approved by the competent supervisory authority in any Member State, provided they comply with the conditions set out in the GDPR.¹⁵⁴ In February 2010, the European Commission issued a template for standard contractual clauses (controller to processor) under the Data Protection Directive.¹⁵⁵ The GDPR provides that this template remains in place until it is replaced under the GDPR’s new arrangements.¹⁵⁶ The Commission Decision provides that the template may not be varied, although further commercial clauses may be added. This inflexibility may present some difficulties for data transfer from the EU to a UK biobank. Further, this template will apply only where the data controller is in an EU Member State and the processor is in the UK. It will not apply in a situation where the UK-based biobank is the data controller and hosts personal data with an EU-based processor.

Most importantly, moreover, the status of standard contractual clauses as a basis for data transfer to third countries is currently the subject of litigation before the CJEU. This litigation process was not completed before Exit Day, adding to the levels of uncertainty. Case C-311/18 Schrems II was referred to the CJEU for a preliminary ruling by the Irish High Court on 9 May 2018. The AG Opinion was issued in December 2019, but the CJEU may not make its decision until after the end of transition.

One of the key questions of contention is the consistency of standard contractual clauses with the requirements under EU law for data subjects to access effective remedies for violations of their rights. An important element of standard contractual clauses as a basis for lawful data transfer under the GDPR is that the contract gives data subjects specific rights, even though the data subject is not a party to the contract. Providing effective judicial remedies for private parties is a distinctive feature of EU law in general. These questions engage application of both the GDPR’s requirements and those of the EU Charter of Fundamental Rights, Articles 7 (privacy); 8 (data protection) and 47 (right to an effective judicial remedy).

Here the UK’s amendments to the GDPR, as ‘retained EU law’, through the relevant EU Exit Regulations, noted above in Sect. 4.1.3, are important. Will the UK arrangements for remedies and enforcement suffice to secure adequate protection from the point of view of the EU? Bear in mind, first, that the EU Exit Regulations remove all obligations on the UK, or entities within the UK, to cooperate within the structures of the EU, or to exchange information with the European Commission, including in matters of enforcement.

Further, and perhaps more seriously, the EU Exit Regulations,¹⁵⁷ the amended Data Protection Act,¹⁵⁸ and the European Union (Withdrawal) Act,¹⁵⁹ all seek to prevent future developments of EU law that arise through interpretations of the CJEU becoming applicable in the UK. If Schrems II is decided after the end of transition, Exit Day, any principles of EU law deriving from that decision would not necessarily be applied in the UK, and data subjects in the UK would not necessarily be able to rely on those principles in seeking to remedy any breaches of their data protection rights.

In view of those concerns, it may be preferable for the biobanking sector to move expeditiously to adopt a sector-specific code of conduct for health research, and have this code approved under Article 40 of the GDPR. Such a code of conduct would provide a lawful basis for transfer of data to UK-based biobanks from the EU post-transition.

One final possibility is that EU-based biobanks transfer data to UK-based biobanks on the basis of ‘special circumstances’.¹⁶⁰ This may be the most appropriate basis for lawful transfer following transition where data is being shared in the context of an on-going clinical trial. A patient (data subject) already enrolled in that trial, and who perhaps cannot access any other licensed treatment for their condition, would need to secure continued data transfer to protect their ‘vital interests’. For pure research, it might be feasible to argue that ‘safeguarding legitimate interests of the data subject’ justifies continued sharing of data to the UK, at least in the context of an existing research project which may result in some benefit, however remote, for the data subjects concerned. UK Biobank certainly seems to believe that legitimate interests and the public interest are an appropriate basis for its data processing, although whether it is sufficient for data transfer is unclear. There are also discussions regarding a possibility to rely on ‘public interest’ when collaborating with the US for transfers not covered under the EU’s adequacy decision for the US (the ‘privacy shield’).¹⁶¹

The position with regard to personal data that has already been transferred from the UK to the EU remains uncertain. By analogy with the revocation of an adequacy decision under Article 45 (5) GDPR, the effects of the UK leaving the EU on the lawfulness of the transfer of the data should not have retroactive effect. In practice, unless the European Data Protection Board or European Commission takes a decision applicable to the whole EU, it is likely to depend on the view adopted by the supervisory authority in the relevant EU Member State. Hence, it may be that data is processed by biobanks in the EU in a situation that is technically unlawful, or perhaps better described as a situation of ‘a-legality’,¹⁶² failure of the EU and UK to reach agreement on the matter.

4.3.2 The UK Position

The UK government’s position was to seek to secure as much continuity as possible in the event of No Deal Brexit, and presumably also a failure to reach agreement on a future trade relationship. For Horizon 2020 funding, the UK Chancellor announced in August and October 2016 that the UK government would guarantee funding for UK participants (but not for their EU collaborating partner organisations) in Horizon 2020 projects in place before Exit Day. A further ministerial statement made to Parliament on 26 July 2018,¹⁶³ and accompanied by a statement of liabilities in a departmental Minute laid before the UK House of Commons, assures UK organisations (which includes biobanks) that

The Treasury is also guaranteeing funding in event of a no deal for UK organisations which bid directly to the European Commission so that they can continue competing for, and securing, funding until the end of 2020. This ensures that UK organisations, such as charities, businesses and universities, will continue to receive funding over a project’s lifetime if they successfully bid into EU-funded programmes before December 2020.

The details of how this commitment would have been administered in practice in a No Deal Brexit situation, where funding is shared among consortia involving UK organisations and those in EU Member States, were far from clear, and the UK government has recognised that this was the case.¹⁶⁴

If the UK Clinical Research Collaboration’s Tissue Directory and Coordination Centre were excluded from BBMRI-ERIC and/or other EU funding and collaboration arrangements, it may look to intensify other collaborations, for instance with projects in the USA, Russia and China. This approach would obviously only be legally viable if the sharing of data under such collaborations complies with the post-Brexit and post-transition UK regulatory provisions, as outlined above.

The UK government’s position under a No Deal Brexit was that there would be no immediate change to data protection law,¹⁶⁵ and this presumably remains the case post-transition. The EU (Withdrawal) Act and secondary legislation based on it, such as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, discussed above, make no distinction between different types of Brexit. At the end of transition, the Data Protection Act 2018 would remains in place, and the GDPR changes from being EU law to being ‘retained EU law’. For data transfers from the UK to the EU, EEA and third countries deemed adequate by the EU at the end of transition, the UK has in effect taken an adequacy decision under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2), Regulations 2019, schedule 2, article 102, inserting a new Schedule 21 into the UK GDPR.

The assertion that there would be no immediate change to data protection law is self-evidently not the case with regard to data transfer from the EU to the UK, as without an adequacy decision, or other basis on which data may lawfully be transferred to a UK-based entity, such as ‘appropriate safeguards’ (standard contractual clauses, a code of conduct, or binding corporate rules), or ‘special circumstances’, the EU will treat the UK as non-compliant with its data protection law. This is also the case for data transfer from other countries which currently rely on the UK’s membership of the EU to allow data transfer into the UK. As noted above, the consequence for the activities of biobanks which rely on sharing of data with UK-based biobanks is that any continued sharing of data would potentially be unlawful. Given the difficulties with adequacy decisions, and the need for recognition from the EU, or a national competent authority in the EU, of standard contractual clauses, codes of conduct or binding corporate rules, this situation may be one in which the ‘special circumstances’ provision of the GDPR may be tested.

However, even with regard to data protection law as applicable solely within the UK, a better description of the legal position is that there would be no immediate change to the content of data protection law (apart from the changes outlined in Sect. 4.1.3 above), but that the source of data protection law would change. With this change of source, there may also be implications for the effects of the relevant law. Indeed, the UK government’s December 2018 guidance¹⁶⁶ itself described the GDPR as ‘sitting alongside’ the Data Protection Act, which is a quite different to the pre-Brexit legal position to the effect that the GDPR is a source of supreme EU law.

5 Conclusion

Since the EU referendum vote in June 2016, despite the considerable uncertainties, many of which are outlined above, biobanks in the UK are adopting a ‘business as usual’ approach. For instance, UK Biobank continues to receive applications for and approve projects involving EU (and indeed international) partners, and as far as we have been able to ascertain, there is no falling away of the numbers of such projects being approved. For instance, in May 2019, UK Biobank approved a 5 year project with the Ecole Polytechnique Federale de Lausanne (EPFL), France, to explore diet/lifestyle/health factors as causes and modifiers of genetic determinants of healthspan, ageing and longevity.¹⁶⁷ In April 2019, UK Biobank approved a year-long project with Sanofi, France, to support the eventual development of precision medicine.¹⁶⁸ These are far from isolated examples.¹⁶⁹ In 2018 and 2019, UK Biobank approved three projects from researchers based in the Netherlands; eight projects from researchers based in Sweden; a project from researchers based in Germany; and in June 2019 has approved a project from researchers based in Denmark.¹⁷⁰

This ‘biobanking business as usual’ approach makes good sense. The UK has not left the EU, but the Withdrawal Agreement was agreed, ratified and entered into force, securing significant levels of continuity will be secured until the end of the transition period (currently until the end of December 2020). By contrast, under a No Deal Brexit, legal continuity was far from guaranteed, and this is the case at the end of transition too, although sharing of data with UK-based biobanks may be able to continue on the basis of appropriate safeguards, including possibly a code of conduct for biomedical research, or even perhaps a (temporary) adequacy decision. Given the uncertainty, inflexibility, cost and time investment that surrounds other types of appropriate safeguards, prompt moves towards a code of conduct, within the context of BBMRI-ERIC, would offer timely reassurance to the biobanking sector, both within the UK and on a European and international level, given the ways in which UK biobanks are nested within European and global networks.

At this time (June 2020), it is still not possible to predict what the relationship will be between the UK and the EU in the future, for data transfer, in the biobanking sector and beyond. The political declaration setting out a framework for the future relationship between the EU and the UK,¹⁷¹ issued at the same time as the draft Withdrawal Agreement, gives a prominent place to data protection.¹⁷² The declaration states that the EU will begin the process of adopting an adequacy decision for transfer of data to the UK, as a ‘third country’, ‘as soon as possible after the UK’s withdrawal’. The UK will reciprocate. The EU and UK should also ‘make arrangements for appropriate cooperation between regulators’. Of course, this is a political commitment only, and not legally binding on the EU or the UK. Yet, at least at the time it was promulgated, the intention to secure continuity was present, even if the precise legal modalities of how to do so were distinctly elusive.

All that said, given that prominent biobanks in the UK are continuing to collaborate internationally, it seems likely that such collaborations and data transfer will also continue both in to the UK and outwardly to the EU, in one way or another. Nevertheless, the chilling effect of the uncertain legal basis on which future collaborations involving data transfer will take place, is undoubtedly having implications for the biobanking sector in the UK.