The term ‘genome’ is defined by the scientific community as the entirety of the genetic material (genes) found in a cell or carried by a person. The genome determines a person’s characteristics, such as hair and eye color, or even his/her predisposition to certain diseases, such as diabetes, cancer, asthma and many other illnesses and health conditions. The genome directly affects the production and function of proteins, and any change in them can lead to physiological changes or disease, making research into the genome very important for the advancement of medicine and for public health. The first attempt to decode and map the sequence of human DNA and the identification and mapping of all genes of the human genome began in 1990 and was completed in 2003. Since then, medicine and, more specifically, genetic and genomic research have seen rapid growth. The results of such studies improve scientists’ ability to understand the role of the genome in terms of health and well-being in general, and give rise to the development of new, more efficient and more cost-effective health services.
However, genomic data can hardly be anonymized and contain information on a variety of factors, including information on race and ethnic origin, predisposition for illness and other phenotypic characteristics and for this reason genomic data can be considered highly personal and sensitive. Also, genomic data refer not only to one person but also to his/her family because of their hereditary nature; hence, the disclosure of one person’s genomic data affects the privacy of others who may not have consented to such disclosure. Therefore, an important question arises as to whether (and how) the collection, processing and dissemination of such data should be regulated so as to better protect the privacy and security rights of the data subject (and the rights of others who are related to the data subject), especially taking into account both the Greek legislation and the requirements of the General Data Protection Regulation 679/2016 (hereafter GDPR), which has been in force since 25th May 2018. This exploration is particularly important and timely due to Greece’s signing of the European Declaration on Cross-border Access to the Genomic Database on 6th September 2018 (see: https://ec.europa.eu/digital-single-market/en/news/eu-countries-will-cooperate-linking-genomic-databases-across-borders).
Genomic data and the GDPR
The GDPR sets specific rules for the processing of personal data, and in particular health data. Data collection must be done for a specific, explicit and legitimate purpose and is subject to the subject’s consent. The data must be processed fairly, legally and transparently (principle of legality, objectivity and transparency of processing) and be limited to the absolute necessary processing for the attainment of the specified aim (principle of limitation of processing). The GDPR provides data subjects with some important and broad (in relation to the previous legal framework) rights, such as:
- the right to be informed about who processes their personal data, including his/her name and contact details (Articles 12, 13 and 14 GDPR);
- the right to access the data (Article 14 GDPR);
- the right to data correction (Article 15 GDPR),
- the right to deletion (Article 16 GDPR);
- the right to limit the processing (Article 18 GDPR);
- the right to data portability (Article 20 GDPR);
- the right to object / challenge the data processing (Article 21 GDPR);
- the right to object to profiling (Article 22 GDPR).
However, under Article 23 GDPR, a national legislature may restrict the above-mentioned rights if the restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure for safeguarding certain legitimate goods, including the safeguarding of the public interests of the Union or a Member State. In addition, the GDPR (Article 9 paragraph 4) “upgrades” biometric and genetic data (including genomic data) and differentiates them from simple personal data and from “special category personal data” (i.e. sensitive data, such as health data), thus considering them as in need of special protection, therefore requiring the adoption of pseudonymization techniques when processing such data (Article 4 paragraph 5). In addition, when conducting research on the human body (as for example human genome research), both the GDPR and the Clinical Testing Regulation 536/2014 should apply, as well as Article 179 of the EC Treaty for the operation of the EU (TFEU), which aims to create a ‘European research area in which researchers, scientific knowledge and technologies are circulating freely’.
Based on the above, genomic data fall within the data categories protected by the GDPR and, therefore, their collection and processing takes place only after the subject’s consent, and any processor is bound by the limitations of the GDPR, while the subjects of such data have all the rights set forth by the GDPR. However, since genomic data can help optimize health services, which are a particularly important public interest objective, it is possible that the above rights of the data subjects will be limited and derogations from those right may be allowed if these rights are likely to make it impossible or indeed pose significant barriers to the attainment of the research aim (Article 89 GDPR). In addition, as mentioned above, anonymization and pseudonymization is not entirely possible in the case of genomic data, since genomic data are the most personal and sensitive data of one person but also of other individuals related to the data subject.
Additionally, based on Article 179 TFEU, research data can be disseminated and circulate freely within EU, and due to the European Declaration on Cross-Border Access to the Genomic Database, to which Greece subscribed a few days ago, Greece has now committed to providing access to the genomic data found in national genetic databases and to sharing the results of genomic research with other Member States. It is therefore likely that some legitimate interests of genomic data subjects will be endangered, while no specific measures that sufficiently and effectively protect these highly sensitive and personal data have been adopted and implemented.
Our Team’s Conclusion:
Human genome research, as well as the exchange of relevant information between the Member States that have subscribed to the European Declaration, including Greece, can make a significant contribution to the advancement of medicine and to the development of better and more personalized healthcare. The GDPR contains a rigorous and broad framework with direct implementation. Although it offers more legal certainty in respect of the recognition and protection of personal data and although it places genetic-genomic data in a special category, it does not currently lay down any specific measures to effectively protect the rights of the genomic data subjects, especially considering the exception set in regards to the public health interest as a legitimate reason for limiting the rights of data subjects. However, it should be recognized that both the GDPR and the European Declaration on Cross-Border Access to the Genomic Database are positive developments and provide a solid foundation for the advancement of science and medicine and for the recognition and protection of personal data, including genomic data. In our opinion, it is necessary though to create a European framework that will offer greater protection to the subjects of genomic data.