NEW YORK – Questions raised by the EU's General Data Protection Regulation around genomic data sharing could be resolved via several measures, including new regulatory guidance as well as the setting of community standards to ensure that data privacy is protected.
These were some of the findings described by Colin Mitchell, a senior policy analyst in law, regulation, and digital health at the PHG Foundation, during a talk at the European Society of Human Genetics meeting, held online this week.
Housed within the University of Cambridge in the UK, the PHG Foundation serves as a health policy think tank. The foundation is focused on policy development and policy-focused research to support the application of genomic and other technologies in healthcare.
Last year Mitchell and colleagues published a 204-page report on the impact of the GDPR, the sweeping data protection and privacy reform enacted by the EU in 2018 which also covers the transfer of personal data outside of the EU. The GDPR enables the EU's data protection authorities to levy fines up to €20 million ($24.1 million) if parties are found to be guilty of violating the law.
However, as Mitchell noted during his ESHG talk, it is unclear in what circumstances de-identified genomic data or associated patient data are considered personal data, and regulators themselves — not to mention the community — are still grappling with this issue. This remaining uncertainty, even three years after the GDPR came into force, was one of the reasons the UK Information Commissioner's Office supported PHG's research, Mitchell acknowledged in a follow-up email. The office is charged with national data protection in the UK.
As noted in the talk, Mitchell and colleagues have looked into four main questions: to what extent genomic data counts as personal data under the GDPR; if it does, what impact might that have on research; how this potential impact could be reduced; and what are the consequences for data processing.
In general, they found that uncertainty exists over when genomic data constitutes personal data. To better protect themselves under the GDPR, Mitchell urged the genomics community to set its own standards in the form of codes of conduct and mechanisms for secure data sharing. This could involve legal and organizational measures, he said, as well as data access controls such as agreements between those sharing data, and tools that can analyze data where it is stored rather than transferring the data for analysis. Researchers could therefore bring the analysis to the data, Mitchell underscored, instead of bringing the data to the analysis.
While the threat of a hefty fine from data protection authorities hangs over the genomics community, this continued uncertainty has also meant that there has been no regulatory intervention in genomic data sharing to date, as institutions have opted not to transfer data out of concern about violating privacy law. The European Data Protection Board, an independent, Brussels-based body that ensures consistent application of the GDPR by authorities, has meanwhile not addressed these issues.
"To my knowledge, there have been no interventions," said Mitchell, "although the EDPB has in passing strongly recommended that genetic data is treated as personal data."
He noted that the EDPB is still weighing the matter, and that individual European member states have various approaches in existence for ensuring secure genomic data sharing that predate the GDPR. At the moment, a "range of questions around the scope of personal data, anonymization, and genomic data all remain subject to interpretation and open to debate," Mitchell noted.
The EDPB has been working on guidance in relation to scientific research, though, and has engaged the research community as it drafts that guidance, Mitchell confirmed. One forum for EU-level discussions has been the 1+ Million Genomes project, which aims to make data from a million genomes accessible to researchers across the region by 2022, as well as Beyond 1 Million Genomes, an EU-funded effort to develop the mechanisms to share that data.
There has been no consensus on genomic data yet, though, Mitchell said, given the scope of the GDPR and its application. "The main challenge for everything is that the EDPB's remit and the GDPR itself are so broad that they have to cover all forms of processing of personal data," he said.
Another challenge is Brexit, the UK's exit from the EU, which has raised questions about how the UK might manage genomic data transfers between the island nation and the EU in the future. Mitchell noted that the European Commission in June decided that the UK provided protection of data equivalent to the GDPR, allowing transfer to continue between the two entities under an adequacy decision. Mitchell called this the "best possible outcome" for the UK for now, though if the UK diverges from the EU in future data protection law, that decision could be reconsidered.
The challenge therefore at the moment is not about UK-EU data transfers, but rather sharing that data with those outside of Europe, particularly the US, where federal bodies like the National Institutes of Health are barred from signing up to some of the terms required by the EDPB. Mitchell said that codes of conduct or certification schemes could potentially remedy these impasses in the future, but that arriving at such solutions will require time, resources, and a "difficult-to-reach" consensus from the genomics community.
Mitchell added that he and researchers have updated their findings since the original report on the GDPR's impact on genomics was launched last year. Their scientific work includes legal research and interviews, and they also held an expert meeting to obtain information. They found that legal interpretations of parts of the GDPR concerning data transfer are variable, and that parts of the regulation that set out data subject rights, for example, are ambiguous in the genomics context.
For example, it would be complicated for someone to claim the right to access genomic data, because multiple members of the same family could claim it as their own. Reaching an agreement on how to undertake a risk assessment of how data could lead to identification, as delineated in the GDPR, is also challenging for the genomics community. The use of ancestry websites, GEDmatch especially, where one could hypothetically upload a person's genomic data and infer that person's identity through genetic genealogical connections, is an example of the technological developments that complicate matters further.
A view from Oslo
Heidi Beate Bentzen, a researcher in the department of private law at the University of Oslo, also spoke about the GDPR in a separate session at ESHG. She said in a follow-up email that she is familiar with the PHG report, and that while "well written," it approaches the issue of genomic data sharing from a UK legal perspective, rather than an EU legal perspective.
As an example of this, she noted that prior to the GDPR, individual EU member states, including the UK, applied the EU's predecessor directive regulating data protection in different ways. This meant that each state, effectively, implemented and interpreted EU law differently. In the UK, pseudonymized data was considered to fall outside the directive, but when the GDPR came into force, it clearly stated that pseudonymized data was personal data. She said this set up an eventual conflict between UK data protection law and the GDPR which has not been resolved.
Like Mitchell, Bentzen pointed out issues involving data transfer to the US. She drew attention to a recent ruling by the Court of Justice of the European Union, dubbed Schrems II, which invalidated the mechanism for transferring data from the European Economic Area to private companies in the US that had self-certified to the US Department of Commerce under a framework called Privacy Shield to ensure data protection. The mechanism was invalidated, she noted, because US surveillance agencies might still be able to access the data under US legislation, without the opportunity for individual redress.
In the same decision, the court decided that data could be transferred to a country outside the EEA, so long as a contract was in place that ensured a standard of protection equivalent to protection in the EU under the GDPR.
"Basically, the EU data protection should travel with the data," said Bentzen. "To achieve this level of protection, one may need to add supplementary measures to the appropriate safeguard."
After the Schrems II judgement, the EDPB issued further guidance on how to achieve this, which was originally issued in draft form, and the Nordic Society of Human Genetics and Precision Medicine, or NSHG-PM, made recommendations to the EDPB regarding its supplementary guidance. NSHG-PM provides a network for genetic researchers in Denmark, Estonia, Finland, Iceland, Norway, and Sweden.
"We were concerned that the suggested measures were not suitable for medical research, and genomic research in particular," said Bentzen via email. The only solution presented by the EDPB for transfers of scientific data was pseudonymization, she said, which was difficult to achieve when it came to genomics data.
"As you know, data is always pseudonymized in genomic research," said Bentzen. "However, the EDPB went further, requiring that individuals could not be identifiable in the transferred dataset, which is impossible to achieve in genomic research," she said.
Overall, the NSHG-PM proposed 22 technical, organizational, and legal supplementary measures that could be useful in supporting secure data transfers under the GDPR. "Our view is that a combination of measures will respect the research participants' fundamental rights while making it possible to continue genomic data transfers," she said. However, the final version of the supplementary guidance did not address the NSHG-PM's suggestions, leaving it to data exporters to decide on measures on a case-by-case basis.
The EDPB is drafting a guidance for developing a code of conduct for such transfers, though, and other organizations are involved in similar efforts. BBMRI-ERIC, the Biobanking and Biomolecular Resources Research Infrastructure – European Research Infrastructure Consortium, based in Graz, Austria, is one of them. Bentzen said that she is also contributing to the BBMRI-ERIC's efforts.
She added that an independent monitoring body must be set up to govern these kinds of data transfers, and that data protection authorities within the EU will neither set up such a body nor fund one, leaving it to the community to band together to create one. Any such body will have the ability to act via binding and enforceable commitments by participating members, and any code of conduct covering such a body will require European Commission approval, she added.
As she noted in her ESHG talk and reiterated in her email, creating such a body is no easy solution. However, it still may be a "good appropriate safeguard" to use in the future, once the process of setting up a body is completed, the parties have sufficient funding, and the recipient is able to ensure adherence to the body's binding and enforceable commitments for data transfer.