1 Introduction: Balancing Individual Rights and Public Interest in Biobank Research Post-GDPR
Balancing the individual right to data protection and the public interest in biobank research involves a number of constitutional and statutory rules within the EU. The individual right to data protection enjoys a strong constitutional protection within the EU legal order, being included both in Article 8 of the EU Charter of Fundamental Rights (Charter) and Article 16 of the Treaty of the Functioning of the European Union (TFEU). The General Data Protection Regulation (GDPR) further provides a comprehensive set of legislation on how the right is to be upheld in practice, according to what the EU refers to as ‘a gold standard’.
Research also benefits from some protection since freedom of science is protected in several international treaties. The 1948 Universal Declaration on Human Rights includes a right to share in scientific advancements and benefits, although this is not exactly directed at research itself. The International Covenant on Economic, Social and Cultural Rights contains an obligation on the Member States to ‘respect the freedom indispensable for scientific research and creative activity’. The EU Charter declares in Article 13 that arts and scientific research shall be free of constraint. Framed like this, freedom of science can hardly be said to be an individual right that researchers can rely on, but nevertheless it does represent recognition of the importance and value of science.
The protection of individual rights is, however, not the only objective of the GDPR. According to Article 1, the GDPR has as its dual aim to protect natural persons with regard to the processing of personal data and to provide rules relating to the free movement of personal data. Within the understanding of free movement of personal data also lies the possibility to use the data for different aims, such as research. The tension between these aims and objectives has been analysed throughout this book.
One of the more salient aims of the EU’s data protection law reform which led to the enactment of the GDPR was to diminish the discrepancies between national laws implementing the EU Data Protection Directive. For the biobank community, this step was more than welcome. The fragmentation of European biobanking law has been identified as a major hurdle to prosperous biobank research. In a report on the subject commissioned by the EU Commission in 2012, the first recommendation out of nine was the following:
Member states and European institutions should develop a consistent and coherent legal framework for biobanking that should protect participants’ fundamental rights, in particular in the areas of privacy, data protection and the use of human tissue in research.
The legislative form of the GDPR, a regulation instead of a directive, was chosen in order to ensure that the same law would be applicable throughout the EU. In Recital 10 of the GDPR it is stated that ‘(c)onsistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union’. As has been widely discussed, and is also apparent from the contributions in this book, in the area of scientific research, this objective has only been partially achieved. In the same recital it is also stated that ‘(t)his Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”)’. In this way, the GDPR offers considerable room for inconsistencies at the individual project and Member State levels.
The core data protection principles are laid down in the GDPR, but the detail, the prerequisite for performing the balancing test between individual right and public interest in biobank research, is defined in the laws of the Member States. What does this mean for biobankers in the EU, and for biobank networks, such as the BBMRI-ERIC? A central question is thus the relationship between the core principles and the details in the derogations. How far does the regulatory space of the Member States reach when implementing the research exceptions? In the Schrems case the Court of Justice of the European Union (CJEU) held that there are limits to how far restrictions on the individual right to privacy, in this case based on Article 7 of the Charter, could go; restrictions may not compromise ‘the essence of the fundamental right to respect for private life’. These boundaries are to be upheld also by the Member States. The question, thus, is how a legitimate and foreseeable regulatory regime for processing of health data in biobanking is to be achieved. Does the GDPR contain mechanisms that provide a level playing field for biobanks within the EU today?
The analysis in this chapter draws on the conclusions presented in this book, in an effort to answer these questions. In Sect. 2, the background to the diversity in the regulatory landscape was analysed from the perspective of the legislative competence of the EU. In Sect. 3, the outcome of the implementation of the GDPR in the Member States was discussed. In Sect. 4, the potential consequences of the differences in regulatory regimes were addressed in relation to forum shopping, and Sect. 5 did the same in relation to administrative cooperation and soft law tools for harmonisation. In the final Sect. 6, the question of how a level playing field for biobanks can be achieved is discussed.
3 Regulating Safeguards at the National Level: Heterogeneity Remains
Article 89(1) and (2) divides the responsibility for ensuring that appropriate conditions and safeguards are in place for the lawful processing of personal data in research between the EU and the Member States. The first paragraph, Article 89(1), does not clearly point out who is responsible for ensuring safeguards but merely holds that ‘processing for (…) scientific or historical research purposes (…), shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject’. Safeguards may be provided via national law, but it is required that they are regulated ‘in accordance with this Regulation’, the GDPR. Article 89(2), on the other hand, refers to either Union law or national law to allow derogations from Articles 15, 16, 18 or 21, subject to appropriate conditions and safeguards. Accordingly, the conditions and safeguards for processing personal data in biobank research are regulated in a decentralised manner. Also, Article 9(4) GDPR contributes to the decentralisation by allowing Member States to maintain or introduce further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health. In addition, Article 23 GDPR allows for further general derogations in the public interest, for example, for public health.
As the pan-European survey by Tzortztou et al. in chapter ‘Biobanking Across Europe Post-GDPR: A Deliberately Created Fragmented Landscape’ in this book illustrates, the Member States have taken different approaches in implementing these conditions and safeguards in regard to both form and content. Whilst Sweden has taken a minimalistic approach and has only made use of the possibility in Article 89(2) GDPR to adopt general derogations in a limited manner, the regulatory framework for allowing researchers to access and process data held in public population-based health registries remains wide. In Italy, the entry into force of the GDPR has, on the other hand, had the function of filling the gap in the legislation with regard to biobanking for medical scientific research purposes. In France and in Finland, the national regulatory approach seems to a certain extent to uphold a stricter standard than required by the GDPR, whereas in Estonia, the legislator has chosen a more lenient approach. The national regulatory responses thus remain heterogeneous.
4 Addressing Regulatory Differences Via Forum Shopping?
A relevant question to pose is whether this heterogeneous regulatory landscape may lead to forum shopping, in the sense that research proposals are allocated to Member States with the most beneficial regulatory regimes. The question of forum shopping, or in other words, regulatory competition, is far from unknown in the EU Internal Market and not always seen as problematic in itself. Within the Internal Market, Member States should allow a free flow of goods, services, labour and capital, unless there is a legitimate reason to hinder it. It is for the economic actors in the Internal Market to allocate their business to the forums that offer the most advantageous conditions. In the Centros case, the CJEU held that it was contrary to the rules of the Internal Market for a Member State to refuse to register a ‘letterbox company’ merely on the basis that the company wanted to allocate its business to a less restrictive regulatory environment. Only on suspicion of fraud would it be legitimate for the Member State to take action. The practice is also well known in labour law, where employers might want to place their headquarters in a state with a more lenient labour law regime. Even if this is often criticised, it has proven difficult to combat the practice without distorting the Internal Market. As mentioned in the introduction, the GDPR has as its objective to promote the free movement of personal data. In global medical research, the concept of ‘ethics dumping’, the practice of exporting unethical research practices to lower-income settings, has been recognised as an ethical problem. The differences between Member States of the EU should not be exaggerated, but at the same time researchers allocating research proposals to certain states in order to circumvent ethical regulation can be seen as problematic and will in the long run undermine social trust in biobanking. The next issue to consider is therefore whether the GDPR contains any mechanisms that may bridge the regulatory differences.
5 Addressing Regulatory Differences Via Administrative Cooperation and Soft Law Tools
As mentioned briefly above, and as also discussed by Dara Hallinan in chapter ‘Biobank Oversight and Sanctions Under the General Data Protection Regulation’ of this book, the GDPR contains an elaborate governance structure for both European and national administration within the data protection area. Here, focus is laid on the potential of this structured cooperation of authorities to overcome differences in interpretations of data protection rules and concepts. It is in this context of interest to note that the administrative structure is partially regulated also in EU primary law. Both Article 8 of the Charter and Article 16 TFEU state that compliance with data protection rules shall be subject to control by an independent authority. This independence is regulated in Chapters VI and VII of the GDPR, together with the competence, tasks and powers of the national data protection authorities (DPAs) and the newly established European Data Protection Board (EDPB), which has taken over from the previous Article 29 Working Party.
One of the tasks of the EDPB is to issue guidelines, recommendations, best practices and opinions on a wide range of subjects. Even if the GDPR does not regulate biobanking directly, these documents will often be relevant both in regard to defining core principles of data protection, such as informed consent, and in relation to processing personal data across sectors, such as in clinical trials. The GDPR also introduced several new tools with which DPAs can cooperate; two of these will be discussed here. These are a one-stop-shop mechanism for appointing a lead authority in cases involving monitoring of cross-border processing, and a procedure for composite decision-making, labelled the consistency mechanism.
The first mechanism was established to offer a smooth and foreseeable means of supervision, since it identifies one single DPA to act as a one-stop-shop for controllers and processors active in more than one Member State, thus giving the lead DPA a role as coordinator of the supervision of all the processing activities of that business throughout the EU, in collaboration with other ‘concerned’ DPAs.
The second, the consistency mechanism, provides a procedure for fulfilling the role of a dispute resolution mechanism in which the EDPB functions as a dispute resolution body. According to this procedure, a DPA can refer a draft decision to the EDPB before enacting a decision in different categories of situations. In the first category, consisting of six identified cases, referral is compulsory. In the second category, concerning ‘any matter of general application or producing effects in more than one Member State’, referral is optional. However, the procedure in the second paragraph can be initiated by any DPA, not merely the lead authority, the chair of the EDPB or the Commission. If the DPAs cannot agree, any one of them may trigger the consistency mechanism, thus inviting the EDPB to take a leading role. In both categories, the EDPB issues an opinion on which all DPAs and the Commission may comment. The lead authority must ‘take utmost account of the opinion of the Board’ and communicate to the Chair of the Board whether it will maintain or amend its draft decision. If the lead authority does not abide by the opinion, the EDPB may proceed with dispute resolution. This effectively entails a decision adopted for the individual case which the DPA must implement by giving a final decision according to the requirements of the relevant national law, referring to the decision enacted by the EDPB. If and to what extent this mechanism is to be used within the area of research in general or biobank research in particular remains to be seen. Within the areas where the GDPR acknowledges the regulatory competence of the Member States, such as under the research exceptions, it is hardly conceivable that the consistency mechanism can reconcile the various approaches and traditions of the Member States, at least not in a comprehensive manner.
A more customised tool for defining the proper balance between individual right and public interest in biobank research is the code of conduct. A code of conduct can be drafted by private companies and organisations for the processing of personal data by certain categories of controllers or processors. The procedure for adopting a code of conduct involves a DPA, the EDPB and the Commission, and results in a binding document specifying the proper application of the GDPR for processing within the Union and serving as a basis for transfer outside it. In June 2019, the EDPB issued guidelines on the subject. These describe the codes as being able to ‘help to bridge the harmonisation gaps that may exist between Member States in their application of data protection law’, and to ‘provide an opportunity for specific sectors to reflect upon common data processing activities and to agree to bespoke and practical data protection rules, which will meet the needs of the sector as well as the requirements of the GDPR’.
The BBMRI-ERIC is currently drafting a Code of Conduct for Health Research which, according to its webpage, may ‘guide researchers and administrative staff, reduce unnecessary fear relating to compliance and enhance data sharing for the purpose of stimulating progress in research’. Arguably, this has the potential to define and operationalise the regulatory space provided by Article 9(2)(j), and to create a balanced and proportionate approach for the purpose of achieving the public interest in research while respecting the essence of the right to data protection and upholding suitable and specific measures to safeguard this fundamental right. As argued in this book, the careful calibration required in this operation is a difficult yet essential factor for biobanking. If unity in central areas is reached, a code of conduct for biobanking could prove a most valuable tool in the present fragmented legal landscape. However, striving for unity must be weighed against the benefit of allowing Member States some leeway to uphold national or regional traditions. The final assessment of the ethical and legal viability of the individual research project will in the future also be conducted by research ethics committees (RECs) in the Member States. In order to gain general acceptance, the code of conduct must meet the ethical standards applied by these boards, taking into account the ambiguity resulting from Article 9(4) and Article 23 GDPR. Further, the international obligations discussed above (Sect. 2.3) must also be met. In order to achieve this, the stakeholders of the code of conduct must resolve the issues that the EU legislator was unable to overcome in the legislative process. A bottom-up approach may prove more successful.
One of the more salient objectives of the EU data protection reform leading to the enactment of the GDPR was to further align national laws on data protection. Nevertheless, as the GDPR allows for derogations via Member States law to such a high degree, it could be argued that it is a regulation in name only and that its form in reality is more a directive. The regulatory regime for processing personal data in biobank research thus remains a mixed responsibility for the EU and its Member States.
The question of the relationship between the core data protection principles of the GDPR and national law that provides derogations has been analysed throughout this book. As has been seen, the regulatory differences in the Member States remain. However, the GDPR also introduces governance structures for administrative cooperation and the production of soft law documents to provide guidance for the interpretations of the GDPR and its core principles. Further, with the introduction of a new legal tool, the code of conduct, private entities and collaborative networks have also been invited to take part in the regulatory work. Thus, it may be argued that the harmonising factors in the area of research will be found in the area of soft law and governance tools rather than in the area of EU and Member State legislation.
This finding can be seen as contrary to one of the general features of fundamental rights law, that derogations from a right should be set out in transparent and unequivocal rules enacted in a democratically legitimate manner. This notion is also recognised in the preamble of the GDPR:
Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
Further, as discussed above, the CJEU held in the Schrems case that there are limits to how far the right to data protection can be restricted via legally binding acts.
Soft law documents and private-public governance tools can generally be said to lack the qualities of democratic legitimacy and transparency in comparison to legislative acts enacted by a parliament. However, the combination of practical need and a lack of political will and/or legislative competence within the EU seems to have paved the way for these types of non-law solutions. One of the benefits of this softer form of developing a common understanding of law is that it does not call into question the formal transfer of powers from the national level to the supranational level, and therefore entails less of a commitment for the involved states. Moreover, as held by Mayrhofer and Prainsack, this is a common way of regulating international biobanking, as non-legally binding agreements and soft law regularly emerge in the absence of a central regulator. Following the conclusions in the pan-European survey, chapter ‘Biobanking Across Europe Post-GDPR: A Deliberately Created Fragmented Landscape’ in this book, the assessment of the legal and ethical requirements will in the end be a question for RECs to resolve within their adjudication. The transparency and legal certainty of this adjudication would have benefitted from the fulfilment of the recommendation put forward in the 2012 Commission report, that the EU and its Member States ought to develop a consistent and coherent legal framework for biobanking that should protect participants’ fundamental rights, in particular in the areas of privacy, data protection and the use of human tissue in research.
Open Access This chapter is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, duplication, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, a link is provided to the Creative Commons license and any changes made are indicated.
The images or other third party material in this chapter are included in the work’s Creative Commons license, unless indicated otherwise in the credit line; if such material is not included in the work’s Creative Commons license and the respective action is not permitted by statutory regulation, users will need to obtain permission from the license holder to duplicate, adapt or reproduce the material.