The Regulation of Biobanking in Germany

Biobanking in Germany is currently not subject to sui generis regulation. Instead, a plethora of norms from differing areas of law form the bundle of regulation that applies to biobanking. The exact shape and extent of the bundle depends on the exact configuration of the biobank. In the context of data protection, the rather fragmented nature of the regulation is to a certain extent alleviated by the direct impact of the EU General Data Protection Regulation (GDPR). In particular, the federalized system of data protection in Germany is simplified by an overarching set of norms that apply equally across the board. Whilst this is a welcome systematization of this part of the regulation of biobanking in Germany, the exact nature of the implementation of the Regulation raises novel issues in its own right. In this paper, I will outline the fragmented nature of biobank regulation in Germany, illustrate the issues on the basis of Germany’s population biobank NaKo and then discuss some of the more significant issues raised by the GDPR in the context of biobanking

The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks

The General Data Protection Regulation (GDPR) came into force in May 2018. The aspiration of providing for a high level of protection to individuals’ personal data risked placing considerable constraints on scientific research, that was contrary to various research traditions across the EU. Therefore, along with the set of carefully outlined data subjects’ rights, the GDPR provides for a two-level framework to enable derogations from these rights when scientific research is concerned. First, by directly invoking provisions of the GDPR on a condition that safeguards that must include ‘technical and organisational measures’ are in place and second, through the Member State law. Although these derogations are allowed in the name of scientific research, they can simultaneously be challenging in light of the ethical requirements and well-established standards in biobanking that have been set forth in various research-related soft legal tools, international treaties and other legal instruments. In this paper we review such soft legal tools, international treaties and other legal instruments that regulate the use of health research data. We report on the results of this review, and analyse the rights contained within the GDPR and Article 89 of the GDPR vis-à-vis these instruments. These instruments were also reviewed to provide guidance on possible safeguards that should be followed when implementing any derogations. To conclude, we will offer some commentary on limits of the derogations under the GDPR and appropriate safeguards to ensure compliance with standard ethical requirements

Appropriate safeguards and Article 89 of the GDPR: considerations for biobank, databank and genetic research

The collection and use of biological samples and data for genetic research, or for storage in a biobank or databank for future research, impacts upon many fundamental rights, including the right to dignity, the right to private and family life, the right to protection of personal data, the right to freedom of arts and sciences, and the right to non-discrimination. The use of genetic data and other health-related data in this context must be used in a manner that is rooted in human rights. Owing in part to the General Data Protection Regulation (GDPR) coming into force, the right to the protection of personal data in the context of scientific research has been afforded increasing attention. The GDPR gives effect to the right to data protection, but states that this right must be balanced against other rights and interests. The GDPR applies to all personal data, with specific attention to special categories of data, that includes health and genetic data. The collection, access to, and sharing of such data must comply with the GDPR, and therefore directly impacts the use of such data in research. The GDPR does provide for several derogations and exemptions for research from many of the strict processing requirements. Such derogations are permitted only if there are appropriate safeguards in place. Article 89 states that to be appropriate, safeguards must be “in accordance” with the GDPR “for the rights and freedoms of the data subject”. In particular, those safeguards must ensure “respect for the principle of data minimisation”. Despite the importance of safeguards, the GDPR is silent as to the specific measures that may be adopted to meet these requirements. This paper considers Article 89 and explores safeguards that may be deemed appropriate in the context of biobanks, databanks, and genetic research

Ethical and social reflections on the proposed European Health Data Space

The COVID-19 pandemic demonstrated the benefits of international data sharing. Data sharing enabled the health care policy makers to make decisions based on real-time data, it enabled the tracking of the virus, and importantly it enabled the development of vaccines that were crucial to mitigating the impact of the virus. This data sharing is not the norm as data sharing needs to navigate complex ethical and legal rules, and in particular, the fragmented application of the General Data Protection Regulation (GDPR). The introduction of the draft regulation for a European Health Data Space (EHDS) in May 2022 seeks to address some of these legal issues. If passed, it will create an obligation to share electronic health data for certain secondary purposes. While there is a clear need to address the legal complexities involved with data sharing, it is critical that any proposed reforms are in line with ethical principles and the expectations of the data subjects. In this paper we offer a critique of the EHDS and offer some recommendations for this evolving regulatory space

Legislation of direct-to-consumer genetic testing in Europe: a fragmented regulatory landscape

Despite the increasing availability of direct-to-consumer (DTC) genetic testing, it is currently unclear how such services are regulated in Europe, due to the lack of EU or national legislation specifically addressing this issue. In this article, we provide an overview of laws that could potentially impact the regulation of DTC genetic testing in 26 European countries, namely Austria, Belgium, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the Netherlands and the United Kingdom. Emphasis is placed on provisions relating to medical supervision, genetic counselling and informed consent. Our results indicate that currently there is a wide spectrum of laws regarding genetic testing in Europe. There are countries (e.g. France and Germany) which essentially ban DTC genetic testing, while in others (e.g. Luxembourg and Poland) DTC genetic testing may only be restricted by general laws, usually regarding health care services and patients’ rights

Analysis of the legal and human rights requirements for genomics in and outside the EU : SIENNA D2.2

SIENN

Analysis of the legal and human rights requirements for genomics in and outside the EU : SIENNA D2.2

SIENN

You can't put the genie back in the bottle : On the legal and conceptual understanding of genetic privacy in the era of personal data protection in Europe

This article sheds a light on how the data protection requirements enshrined in the General Data Protection Regulation (GDPR) relate to shaping genetic privacy in the context of a complex and integrated genetic testing enterprise. It suggests that the informational dimension of genetic privacy in the era of data protection could be described as a sphere of controlled access. Given that the GDPR does not prescribe quantitative or contextual limitations relating to access once the applicable requirements are met, one could argue that there are good preconditions for the field to head in the direction of genetic transparency. This puts on the agenda the questions of what challenges this could bring and whether adequate mechanisms exist to deal with them