Note to users: Articles in the ‘Epubs ahead of print’ (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), ‘Article Title’, Journal (Year),
Volume(Issue), EAP (page #).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.
ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org
http://www.jlisjournal.org/
Challenges of the EU General Data Protection
Regulation for Biobanking and Scientific Research
CHIH-HSING HO*
Abstract
This paper discusses challenges arising from the application of the EU General Data
Protection Regulation (GDPR) in the context of biobanking and biomedical
research. Medical and health research has increasingly relied on processing and
linking vast amounts of genetic- and health-related data. The traditional, highly-
specific consent form and anonymisation required for privacy protection may not be
appropriate for data-intensive longitudinal population-based research. After long
debates and lobbying efforts from the health and research communities in the EU, the
GDPR has been revised to adopt a more research-friendly approach by including
several derogations for consent and processing of data for secondary purposes.
However, challenges remain in that the scope of scientific exemptions is as yet
unclear, and the rules adopted by EU Member States have yet to be harmonised.
Setting up a more accountable governance framework that can work with existing
ethics review mechanisms to allow for biomedical research, especially when privately
funded research entities are involved, poses questions worthy of further analysis. This
paper elucidates these challenges and attempts to provide a suitable resolution for
making exemptions so that research can be carried out in the public interest.
Introduction
On 14 April 2016, after a long process of debate and negotiation, the European
Parliament adopted the European Union (‘EU’) General Data Protection
Regulation,1 a reform proposed by the European Commission in 2012 to
address EU Member States’ fragmented EU data protection rules derived
Sinica, Taipei, Taiwan. LLM (Columbia), JSM (Stanford), PhD in Law (London
School of Economics). E-mail: chihho@sinica.edu.tw. The author appreciates the
research assistance provided by Janos Meszaros and anonymous referees for
comments. This paper was presented at the APSN 2016 annual conference held at
the University of Auckland. The author would like to thank the conference
organisers, and the helpful comments and discussions raised by the APSN
members and participants.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1 (‘GDPR’).
EAP 1
Journal of Law, Information and Science Vol 25 2017–18
from the Data Protection Directive (95/46/EC).2 The main purpose of this GDPR
is to set out an EU-wide legal framework for the protection of personal data
that at the same time facilitates the free flow of such data within the European
Union. The GDPR’s predecessor, the EU Data Protection Directive, defined the
basic elements of data protection, upon which EU Member States enacted
individual national legislation. In contrast, the GDPR will apply directly to
each Member State and will override national data protection laws in the EU.
The GDPR will be applicable two years after adoption, and will be effective
from 25 May 2018.3
The GDPR sets forth a number of key changes to the EU Data Protection
Directive and several principles relating to enhanced rights for individuals
who are data subjects: for example, the right to be forgotten; the right to data
portability; the processing of personal data; the obligations of data controllers
and processors, such as the mandatory appointment of a Data Protection
Officer; and carrying out mandatory data protection impact assessments. The
GDPR stipulates that personal data need to be processed ‘lawfully, fairly, and
in a transparent manner in relation to the data subject’.4
6 See the joint statement released by the Wellcome Trust and other research
organisations: Wellcome Trust et al, Impact of the draft European Data Protection
Regulation and proposed amendments from the rapporteur of the LIBE committee
on scientific research, (May 2013)
<https://wellcome.ac.uk/sites/default/files/wtvm054713.pdf>.
7 Ibid.
8 GDPR [2016] OJ L 119/1, arts 5, 6, 9, 89.
9 Helen Swede, Carol L Stone and Alyssa R Norwood, ‘National population-based
biobanks for genetic research’ (2007) 9 Genetics in Medicine 141.
10 M G Hansson et al, ‘Should donors be allowed to give broad consent to future
biobank research?’ (2006) 7(3) The Lancet Oncology 266.
This paper focuses on challenges arising from the GDPR, particularly those
relating to the consent and anonymisation approach for data-intensive
biomedical research. It analyses the GDPR’s conditions and elucidates why
some rules in the GDPR may not be suitable in the context of biomedical
research, given the different types of risks involved and the nature of the
scientific studies. Further, this paper illustrates the remaining challenges for
harmonisation for the GDPR after the adoption of the scientific exemptions,
including the involvement of privately funded research entities in a broad
interpretation of ‘research’. Finally, it attempts to provide a possible
resolution to address these challenges to balance the requirements of data
protection and the need to carry out scientific research for the benefit of the
public.
The collection and storage of human tissue samples for medical research has a
decades-long history. However, biobanks are a sophisticated technological
innovation, which facilitates the continuous collection of all types of human
samples and the making of linkages with associated epidemiological, clinical and
research data.14 The wide use of biobanks and associated data creates
difficulties, as the different types of collections with different structures and
purposes may give rise to different technological, ethical and legal
considerations.15 According to OECD Guidelines, the extent and type of
consultations necessary for the establishment of human biobanks must take
into consideration the nature, purpose and scope of biobanks. The greater the
variety of invited participants, the more numerous the tissue samples and
data to be collected, which may cause greater risks in samples and data
sharing.16
Although a number of significant variables, such as the size, scale and nature
of the samples, will influence the range of biobank activities, including
recruitment, consent practices and governance arrangements, human
biobanks typically share a number of common features.17 For instance, they
usually anticipate unspecified future research and so have an ongoing and
open-ended nature that challenges the traditional practice of specific
informed consent. Furthermore, in order to link collected biospecimens with
phenotypic data, the banked samples and data may need to be re-identifiable
by biobank custodians even though that data may have been encrypted and
the means of identification removed. Since it is not possible to ensure that the
samples and data are completely secure against identification, appropriate
mechanisms need to be set for data management to minimise the risk of
individuals being identified.18 In addition, as biobanks are more concerned
with the public benefit for future generations than with the individual benefit
of participants themselves, they focus on the common good and as a result
their proper governance needs to balance individual and collective interests.
13 When it is used in this article, the term biobank refers to large collections of human
biological materials that may be linked with personal and health information for
use in health and medical research as in the definition given by the OECD. See also
Mark Stranger and Jane Kaye, ‘Governing Biobanks: An Introduction’ in Jane Kaye
and Mark Stranger (eds), Principles and Practice in Biobank Governance (Ashgate,
2009) 2.
14 Ibid.
15 Margaret Otlowski, Dianne Nicol and Mark Stranger, ‘Biobanks Information
Paper’ (Information Paper E110, National Health and Medical Research Council,
2010) 9
<https://www.nhmrc.gov.au/_files_nhmrc/publications/attachments/e110_biobanks_information_paper_140520.pdf>.
16 Organisation for Economic Co-operation and Development, OECD Guidelines on
Human Biobanks and Genetic Research Databases (22 October 2009) 1
<http://www.oecd.org/dataoecd/41/47/44054609.pdf>.
17 Mats G Hansson, ‘Ethics and Biobanks’ (2009) 100 British Journal of Cancer 8.
In the past, medical care was unable to take account of an individual’s genetic
variability. Instead it focused on standards of care based on epidemiological
studies of large cohorts. Traditionally, clinical diagnosis and treatments were
based on patients’ symptoms and their medical and family histories. As such,
medical treatment was reactive rather than prospective. In other words,
clinics offered medication only after symptoms appeared.
20 It refers to the notion that all medical decisions and treatment, including
preventive and therapeutic care can be tailored to adapt to each individual’s
particular genetic makeup.
21 A genome-wide association study is a new method for scientists to strategically
search genetic markers that involves rapidly scanning SNPs across the complete set
of human genomes to find genetic variations associated with a particular disease.
See National Human Genome Research Institute, Genome-wide Association Studies
(27 August 2015) <http://www.genome.gov/20019523>.
22 For more information about the application of the genome-wide association
studies, see National Human Genome Research Institute, Genome-wide Association
Studies (27 August 2015) <http://www.genome.gov/20019523#gwas-3>.
Concerns were raised that the proposed GDPR did not proportionately
reconcile these rights, nor appropriately distinguish between the commercial
and academic environments in which medical and health research are
performed.24 Similarly, the term ‘high public interest’,25 used in the proposed
GDPR for the processing of sensitive data, had been criticised in the BBMRI-
2 Consent
The GDPR provides a clear definition of consent. Article 4(11) stipulates that a
valid consent obtained from the data subject needs to be ‘freely given,
specific, informed and unambiguous’. In addition, such consent must take the
form of a clear affirmative action, indicating the data subject’s agreement to
the processing of his or her personal data. This definition of consent is based
on the dominant specific consent model that brings challenges to biobanking
activities, which mainly rely on broad consent. When consent was obtained
for data collection for the establishment of existing biobanks, it was not
possible to predict what kinds of research would be possible in the future.
The same is true of new collections; we cannot anticipate all their potential
future research uses. Moreover, treating biobanks as an important
infrastructure makes them valuable resources for research. They function like
bio-libraries or bio-repositories, continuing the collection and storage of
human specimens and associated data in order to make them available for
unspecific future research. As a result, it has been recognised that the
traditional specific consent model is not practical for biobanking operations.
Broad consent involves consenting to a general governance framework rather
than a specific research purpose. In biomedical practice, this broad consent
provides an alternative and legitimate solution to longitudinal population-
based research, which is reliant on vast amounts of data being processed and
further linked for later research.
data for any nonspecific future research purpose.29 Considering that
re-consent costs are simply too high and burdensome for participants to be
re-contacted every time there is a need to obtain their consent for a new
research purpose, blanket consent has been used to replace specific informed
consent in order to facilitate medical and health research. Concerns about open
consent usually focus on the absence of continuous supervision of the reuse of
tissue samples and data after consent has been given at the time of data
collection. Broad consent is a compromise between the two ends of the
consent spectrum: open consent and traditional specific informed consent.
Broad consent authorises the use of samples for unspecific research purposes,
but it relies on ethics (or user) committees to review applications for access to
biobanks for data processing or linkage. In practice, review by ethics
committees focuses on the governance framework provided by the
biobanks.30 Such a governance framework provides guidance for various
biobank stakeholders, and covers the rules and guidelines on data protection,
confidentiality and the criteria for access. This provides an important
safeguard to supplement the broad consent model. The UK Biobank and
many biorepositories associated with the BBMRI Consortium have adopted
broad consent models as default mechanisms for practising consent in the
context of biobanking research. It is hoped that a proper balance will be
reached between respect for individual autonomy and facilitating medical
research.
In the proposed draft GDPR, the broad consent model had not yet been
considered a valid form of consent, according to the strict definition of
consent set out in the provisions. This caused major concerns for medical and
health communities in Europe about the legitimacy of existing biobanking
projects and future biobank activities. After a long process of discussion and
lobbying by scientific communities, in the final version of the GDPR the
legislators recognised that it would be impractical to use specific consent in
longitudinal studies and they took a more research-friendly position by
including scientific exemptions in the GDPR. In recital 33 of the GDPR, it is
acknowledged that it is often not possible to identify fully the purpose, use
and processing of personal data for scientific research at the stage of data
collection. As a result, data subjects should be permitted to give their consent
to certain broad areas of scientific research, rather than being asked to
specifically consent to particular purposes, so long as such practice of consent
complies with ethical standards for scientific research.31 Given this flexibility
in consent requirements, personal data can now be repurposed for secondary
use, which is approved by ethics committees. There is no need to obtain
further consent for additional processing of data once broad consent has been
given by data subjects at the time of data collection.
29 Dara Hallinan and Michael Friedewald, ‘Open consent, Biobanking and Data
Protection Law: Can Open Consent be ‘informed’ under the Forthcoming Data
Protection Regulation’ (2015) 11(1) Life Sciences, Society and Policy 1.
30 See UK Biobank Ethics and Governance Council, UK Biobank Governance
Framework-Version 3.0 (October 2007) <https://www.ukbiobank.ac.uk/wp-content/uploads/2011/05/EGF20082.pdf>.
As both the EU Directive 95/46/EC and the GDPR govern only the collection
and processing of ‘personal data’, any information not so defined is therefore
outside of the scope of the data protection rules, and researchers need not pay
heed to data protection principles. As a result, how personal data is defined is
critical to the appropriate application of the GDPR.
The processing of sensitive personal data, like genetic and health data, is
prohibited under the GDPR, except in certain defined circumstances. Article
9(2) of the GDPR enumerates the justifications for processing of sensitive data.
This list of legal processing is exhaustive, and the processing of sensitive data
outside of the enumerated situations is considered illegal under the GDPR.
One of the required conditions is the explicit consent of the data subject.36 As
mentioned earlier, that consent, according to the definition in the GDPR, must
be given freely, and must be specific, informed and unambiguous.37 In
addition, the consent needs to satisfy the ‘purpose limitation’ requirement. As
a result, consent to processing sensitive data cannot be permitted for
prospective unknown purposes, as is the practice under the broad consent
model in biobanking research. However, the GDPR permits derogations for
research, and Member States can delineate under what circumstances the
prohibition against processing sensitive data may not be lifted by the specific
consent requirement.38
The GDPR also permits the processing of sensitive data when it is in the
public interest for reasons of public health.39 Examples of the public health
exemption include ‘protecting against serious cross-border threats to health’
or ‘ensuring high standards of quality and safety of health care and of
medicinal products or medical devices’.40 Under these circumstances,
processing of sensitive data can be permitted if it is on the basis of EU or
Member State law that provides suitable measures to safeguard the rights and
freedoms of the data subject.41
35 Ibid.
36 Ibid art 9(2)(a).
37 Ibid art 4(11).
38 Ibid art 9(2)(a).
39 Ibid art 9(2)(i).
40 Ibid.
41 Ibid.
42 Ibid art 89(1).
that technical and organisational measures are in place to comply with the
principle of data minimisation.43 According to the GDPR, such measures may
include techniques of pseudonymisation. However, if anonymisation rather
than pseudonymisation can satisfy the purpose of processing sensitive data,
that technique should prevail.44
As the EU Directive 95/46/EC and the GDPR apply only to personal data, data
that can no longer be connected to, or under any circumstance be associated
with a particular individual, are considered anonymised data that falls
outside of the application of data protection rules. As the anonymisation of
data is irreversible, it cannot be used to identify data subjects by any method.
Thus the processing and reuse of such data do not need to comply with data
protection principles. Several researchers have studied the effectiveness of
various anonymisation techniques. In reality, it may not be possible to claim
any technique is absolutely effective at anonymisation, especially considering
the advances in big data applications that make it easier to single out a
particular individual through data mining. Under the GDPR, however, data
can be considered anonymised so long as such data can no longer identify an
43 Ibid.
44 Ibid.
45 Ibid art 89(2).
46 Ibid.
47 Ibid art 89(4).
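To make concrete the distinction this section draws between pseudonymisation (data the custodian can still re-link, as with the re-identifiable banked samples discussed earlier) and anonymisation (irreversible, so outside the GDPR), the following Python sketch is an added example for this edition, not code from the paper. The records, field names, custodian key and the k-anonymity check used to detect records that could still be singled out are all assumptions constructed for the demonstration.

```python
"""Pseudonymisation versus anonymisation of biobank-style records.
Added example, not from the paper; records, fields and key are constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample of linked phenotypic records (not real participants).
RECORDS = [
    {"participant_id": "P-0001", "postcode": "TAS 7001", "birth_year": 1961, "diagnosis": "T2D"},
    {"participant_id": "P-0002", "postcode": "TAS 7004", "birth_year": 1968, "diagnosis": "none"},
    {"participant_id": "P-0003", "postcode": "TAS 7001", "birth_year": 1965, "diagnosis": "none"},
    {"participant_id": "P-0004", "postcode": "TAS 7008", "birth_year": 1973, "diagnosis": "CAD"},
    {"participant_id": "P-0005", "postcode": "TAS 7004", "birth_year": 1962, "diagnosis": "T2D"},
    {"participant_id": "P-0006", "postcode": "TAS 7008", "birth_year": 1979, "diagnosis": "none"},
]
# Attributes that are not direct identifiers but can still single someone out.
QUASI_IDENTIFIERS = ("postcode", "birth_year")
# Constructed key; a real custodian would hold it apart from the data set.
CUSTODIAN_KEY = b"constructed-custodian-key-do-not-reuse"


def pseudonym(custodian_key: bytes, participant_id: str) -> str:
    """Keyed pseudonym (HMAC-SHA256): only a key holder can recompute it."""
    mac = hmac.new(custodian_key, participant_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records, custodian_key):
    """Swap the direct identifier for a keyed pseudonym; other fields unchanged."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = pseudonym(custodian_key, rec.pop("participant_id"))
        out.append(rec)
    return out


def relink(pseudonymised, custodian_key, participant_id):
    """A custodian holding the key can still locate a participant's record.
    This re-linkability is why pseudonymised data remains personal data."""
    target = pseudonym(custodian_key, participant_id)
    return next((r for r in pseudonymised if r["pseudonym"] == target), None)


def generalise(records):
    """Coarsen quasi-identifiers (postcode -> area, year -> decade) and drop
    the identifier altogether, so no key can bring the individual back."""
    return [
        {
            "postcode": r["postcode"].split()[0],
            "birth_year": (r["birth_year"] // 10) * 10,
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest equivalence class; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, quasi).values())


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Records unique on their quasi-identifiers, i.e. still singled out."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] == 1]


if __name__ == "__main__":
    pseud = pseudonymise(RECORDS, CUSTODIAN_KEY)
    print("custodian re-links P-0004:", relink(pseud, CUSTODIAN_KEY, "P-0004"))
    print("k-anonymity raw / pseudonymised / generalised:",
          k_anonymity(RECORDS), k_anonymity(pseud), k_anonymity(generalise(RECORDS)))
```

Removing the direct identifier leaves every constructed record unique on postcode and birth year (k = 1), which is the singling-out risk the section mentions; only after generalising those fields does the smallest equivalence class rise above one.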
Even though the medical and health research communities have been
delighted to see EU institutions take a more open position to welcoming data-
intensive research, several challenges remain in the application of scientific
exemptions under the GDPR. The first, and most important, concerns the
unclear scope of scientific exemptions and their interpretation. According to
recital 159, the GDPR adopts a broad definition of ‘research’ regarding the
processing of personal data that includes not only fundamental and applied
research, but also privately funded research.53 Given the broad interpretation
of research, there is little room to distinguish between research carried out by
public or private entities, so long as ‘data processing’ satisfies the purpose of
scientific research. This brings an immediate challenge to the issue of privately
funded research. For example, it is unclear whether commercial market
research may be classified as scientific research and therefore be covered by
the exemptions under the GDPR.54
52 Ibid.
53 GDPR [2016] OJ L 119/1, recital 159, [1].
54 Michelle Goddard, ‘The Changing Face of Compliance: Preparing Healthcare
Researchers for EU Data Protection Reforms’ (Speech delivered at the British
Healthcare Business Intelligence Association Annual Conference, London, 9 May
2016) 8
<https://www.bhbia.org.uk/downloads/4162/0/BHBIA_Keynote_Speech_Changing_Face_of_Compliance_-_Formatted_Handout_v1.0.pdf.aspx>.
Generally, under the GDPR, the processing of personal data for secondary
uses or purposes cannot be permitted except under such circumstances that
the processing is compatible with the purposes for which the personal data
were initially collected.55 However, this restriction on secondary processing of
personal data may be exempted for data controllers who process personal
data for the purpose of research.56 Article 5(1)(b) of the GDPR reverses this
general presumption on purpose limitation. Under such an exemption,
where technical and organisational measures are in place, secondary uses of
data are possible even without considering if the purpose of the processing is
compatible with the original purpose for which data were collected.57 This
raises concerns about the consent given by the data subjects, as they might not
be willing to give the same consent had they known that the entities of the
data controllers or processors would change in the future.
55 GDPR [2016] OJ L 119/1, art 6(4), rec 50.
56 Ibid art 5(1)(b).
57 Ibid: ‘[F]urther processing for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes shall, in accordance with
Article 89(1), not be considered to be incompatible with the initial purposes’.
58 See Royal Statistical Society, ‘Royal Statistical Society research on trust in data and
attitudes toward data use / data sharing’ (Briefing Note, 22 July 2014)
<http://www.statslife.org.uk/images/pdf/rss-data-trust-data-sharing-attitudes-research-note.pdf>.
59 Ibid 26.
60 Ibid.
61 See Ipsos MORI Social Research Institute, ‘The One-Way Mirror: Public attitudes to
commercial access to health data’ (Report prepared for the Wellcome Trust, March
2016) <https://www.ipsos.com/sites/default/files/publication/5200-03/sri-wellcome-trust-commercial-access-to-health-data.pdf>.
62 Ibid 10. However, the extent to which this higher trust remains is not without
debate. In March 2017, for example, there was a devastating security breach of one
of the major computer systems used by GPs. This breach involved over 26 million
NHS patients’ medical records and triggered the Information Commissioner’s Office
(ICO) to start an investigation. At the end of August 2017, the ICO announced that
the IT system’s provider was required to address the need to improve security
measures to guarantee the fair and lawful processing of patient data on the system.
See Information Commissioner’s Office, ‘ICO updated statement in relation to the
potential risk to patient medical records held by GPs on TPP SystmOne’ (Media
Release, 30 August 2017) <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/08/ico-updated-statement-in-relation-to-the-potential-risk-to-patient-medical-records-held-by-gps-on-tpp-systmone/>.
63 Ibid 10–11.
individuals might have been targeted for direct marketing through big data
application.64 With regards to third party access, the survey illustrates public
unease with passing data on to others beyond the original use, especially fear
that data subjects will lose control when third party access is allowed but
proper safeguards are yet to be established.65 Indeed, commercial companies
frequently seek to profit from re-selling data. However, most of these
companies have inadequate mechanisms to ensure transparency and data
security.
64 Ibid 11.
65 Ibid.
Conclusion
The GDPR has been viewed as a milestone in data protection reform as it aims
to harmonise the existing fragmented data protection rules in Europe. Its
implementation in May 2018 will require widespread standardisation and
unification of data privacy requirements, and will have a broader impact on
cross-border data transfers. However, to what extent both the ambition for the
protection of consumers and the promotion of innovation can be achieved
will be a challenge for the implementation of the GDPR. After a long process
of lobbying and debate, the derogations for research have been accepted by
policy makers in the EU, but the adoption of scientific exemptions remains
challenging under the GDPR.
This paper has discussed these challenges in the biobanking and biomedical
research context. It elucidated why dominant mechanisms such as specific
consent and anonymisation, as requested by privacy protection rules, may not
be appropriate for biomedical research, which generally is of a data intensive
nature, open to unspecific future research, and requires the linkage of
different datasets for longitudinal population-based research. The derogations
permitted under the GDPR allow for broad consent and processing of
sensitive data without considering if the secondary use is compatible with the
consent obtained for the initial data collection. Given the broad definition of
‘research’ adopted by the GDPR, these exemptions will question the proper
scope of the secondary use of data from privately funded research entities,
and further harmonisation of implementation rules enacted by each Member
State may be required. This paper suggested that a transparent and
accountable governance framework including privacy impact assessments,
notification and an opt-out option should be set up. The framework should
build upon the existing ethics review safeguards, which allow for scientific
research to meet the requirement of doing good science while benefitting
public interest.