Genetic Material and Sequence Data to Protect Global Health in the Light of Pandemic Outbreaks: Mapping the Legal Landscape under European and International Law.

The current pandemic outbreak of corona virus SARS-CoV-2 shows the need for comprehensive European cooperation in drug development and the importance of genetic material and sequence data in research concerning this unknown disease. As corona virus SARS-CoV-2 is spreading across Europe and worldwide, national authorities and the European Union (EU) institutions do their utmost to address the pandemic and accelerate innovation to protect global health. In order to be prepared and to be able to respond immediately to serious epidemic and pandemic diseases, the EU has already adopted the Decision No (EU) 1082/2013 on serious cross-border threats to health. The World Health Organization (WHO) has established a global system to collect genetic material and information to protect a global influenza pandemic outbreak. The article describes the current legal landscape under EU and international law.

Who Owns the Data in a Medical Information Commons?

In this paper, we explore the perspectives of expert stakeholders about who owns data in a medical information commons (MIC) and what rights and interests ought to be recognized when developing a governance structure for an MIC. We then examine the legitimacy of these claims based on legal and ethical analysis and explore an alternative framework for thinking about participants' rights and interests in an MIC.

Patients v. Myriad or the GDPR Access Right v. the EU Database Right.

In 2016, four US cancer patients legally challenged Myriad by claiming full access to all genomic information produced in the course of Myriad's testing of their risks for a variety of cancers. Asserting that Myriad's refusal to provide them with this information violated the HIPAA Privacy Rule, the patients sought a determination of a right to access all their genetic information from testing laboratories. Such access would not only serve their own care, but also enable them to share their genetic data with the scientific community which they alleged Myriad failed to do. A similar case may be brought in Europe under the novel EU GDPR. Specifically, it would put the GDPR right of access to personal data against Myriad's database right under the EU Database Right Directive. The outcome of this case could impact the fate of personalized medicine, which depends on the one hand on patients' having control over their genetic data, and on the other hand on incentives for genetic testing companies to generate these data. We first address the issue of whether the GDPR applies to medical records. We then analyse how GDPR rights could play out in the context of clinical genetic testing and conclude that the GDPR access right stops short of granting unconditional access to all data generated in the process of testing, to the extent that its exercise would result in the violation of medical-professional norms, expose the testing company to potential liability, or compromise normal exploitation of the database of which the personal data form part.

United Kingdom: transfers of genomic data to third countries.

In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.

United States: law and policy concerning transfer of genomic data to third countries.

This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.

Germany: a fair balance between scientific freedom and data subjects' rights?

With the German Bundestag's adoption of the Data Protection Adaptation and Implementation Act EU (DSAnpUG-EU) on 30 June 2017, the adaptation of German law to the General Data Protection Regulation (GDPR) has begun (Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz-DSAnpUG-EU) v. 30. Juni 2017, BGBl. 2017 I p. 2097 et seq.). Despite being directly binding on all EU member states, the GDPR does not render national data protection provision obsolete-they are covered by the GDPR's opening clauses which include regulatory mandates and room for derogation. This creates considerable need for national legislative adaptation. Art. 1 DSAnpUG-EU contains the necessary amendments to the Federal Data Protection Law (BDSG(neu)), thus creating the second major building block of future German data protection alongside the GDPR itself. Nevertheless, there are still numerous sector-specific regulations in other federal laws and the data protection laws of the 16 states also need amendments. Adjustment in Germany is well on its way, but implementation in general is still ongoing, with further consequences for data processing and sharing.

South Korea: in the midst of a privacy reform centered on data sharing.

With rapid developments in genomic and digital technologies, genomic data sharing has become a key issue for the achievement of precision medicine in South Korea. The legal and administrative framework for data sharing and protection in this country is currently under intense scrutiny from national and international stakeholders. Policymakers are assessing the relevance of specific restrictions in national laws and guidelines for better alignment with international approaches. This manuscript will consider key issues in international genome data sharing in South Korea, including consent, privacy, security measures, compatible adequacy and oversight, and map out an approach to genomic data sharing that recognizes the importance of patient engagement and responsible use of data in South Korea.

Canada: will privacy rules continue to favour open science?

Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as "adequate" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.

Perceptions of legislation relating to the sharing of genomic biobank results with donors-a survey of BBMRI-ERIC biobanks.

Biobanks accumulate huge amounts of research findings, including participants' genomic data. Increasingly this leads to biobanks receiving research results that could be of clinical significance to biobank participants. The EU Horizon 2020 Project 'Genetics Clinic of the Future' surveyed European biobanks' perceptions of the legal and regulatory requirements for communicating individual research results to donors. The goal was to gain background knowledge for possible future guidelines, especially relating to the consent process. The Survey was implemented using a web-based Webropol tool. The questionnaire was sent at the end of 2015 to 351 European biobanks in 13 countries that are members of BBMRI-ERIC (Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortium). Seventy-two biobanks responded to the survey, representing each of the 13 BBMRI Member States. Respondents were mainly individuals responsible for the governance of biobanks. The replies indicate that the majority of the respondents thought that their national legislation allowed them to contact participants to communicate results, and that research participants had the right to request their results. However, respondents' understanding of their national legislation varied even within member states. Our results indicate that legislation applied to biobanks in many countries may be scattered and difficult to interpret. In BBMRI-ERIC, there is an ongoing discussion about the need for European recommendations on sharing genomic biobank results with donors, which may pave the way for more coherent global guidelines. Our results form a basis for this work.

The U.S. Culture Collection Network Responding to the Requirements of the Nagoya Protocol on Access and Benefit Sharing.

The U.S. Culture Collection Network held a meeting to share information about how culture collections are responding to the requirements of the recently enacted Nagoya Protocol on Access to Genetic Resources and the Fair and Equitable Sharing of Benefits Arising from their Utilization to the Convention on Biological Diversity (CBD). The meeting included representatives of many culture collections and other biological collections, the U.S. Department of State, U.S. Department of Agriculture, Secretariat of the CBD, interested scientific societies, and collection groups, including Scientific Collections International and the Global Genome Biodiversity Network. The participants learned about the policies of the United States and other countries regarding access to genetic resources, the definition of genetic resources, and the status of historical materials and genetic sequence information. Key topics included what constitutes access and how the CBD Access and Benefit-Sharing Clearing-House can help guide researchers through the process of obtaining Prior Informed Consent on Mutually Agreed Terms. U.S. scientists and their international collaborators are required to follow the regulations of other countries when working with microbes originally isolated outside the United States, and the local regulations required by the Nagoya Protocol vary by the country of origin of the genetic resource. Managers of diverse living collections in the United States described their holdings and their efforts to provide access to genetic resources. This meeting laid the foundation for cooperation in establishing a set of standard operating procedures for U.S. and international culture collections in response to the Nagoya Protocol.

A Lens for Evaluating Genetic Information Governance Models: Balancing Equity, Efficiency and Sustainability.

This paper draws from the literature on collective action and the governance of the commons to address the governance of genetic data on variants of specific genes. Specifically, the data arrangements under study relate to the BRCA genes (BRCA1 and BRCA2) which are linked to breast and ovarian cancer. These data are stored in global genetic data repositories and accessed by researchers and clinicians, from both public and private institutions. The current BRCA data arrangements are fragmented and politicized as there are multiple tensions around data ownership and sharing. Three key principles are proposed for forming and evaluating data governance arrangements in the field. These principles are: equity, efficiency and sustainability.

Public variant databases: liability?

Public variant databases support the curation, clinical interpretation, and sharing of genomic data, thus reducing harmful errors or delays in diagnosis. As variant databases are increasingly relied on in the clinical context, there is concern that negligent variant interpretation will harm patients and attract liability. This article explores the evolving legal duties of laboratories, public variant databases, and physicians in clinical genomics and recommends a governance framework for databases to promote responsible data sharing.Genet Med advance online publication 15 December 2016.

Who should have access to genomic data and how should they be held accountable? Perspectives of Data Access Committee members and experts.

Facilitating the responsible access to genomic research data is an emerging ethical and scientific imperative. Data Access Committees (DACs) assess the ethical footing and scientific feasibility of the data access requests and evaluate the qualification of applicants to ensure they are bona fide researchers. Through semi-structured interviews, we explored the opinions and experiences of 20 DAC members and experts concerning the users' qualification criteria and mechanisms to hold users accountable. According to our respondents, such evaluation is necessary to ensure applicants are trustworthy, meet a certain level of expertise or experience and are aware of the rules and the associated concerns with genomic data sharing. The respondents noted, however, that the qualification criteria are fragmented or are poorly delineated at times. Thus, developing qualification criteria seems vital for an objective, fair and responsible access procedure. Similarly, the access review will benefit from using common ways of verifying the users' affiliations. Furthermore, some DAC members expressed concern over the uncertain oversight of downstream data use, in particular where data are shared across borders. DAC members and experts did not consider current sanctions and enforcement procedures to be crystal clear. Therefore, data sharing policies should address this gap by establishing proportionate sanctions both against data producers and data users' non-compliance. Users' home institutes will need to have an active role in keeping oversight on the downstream data uses, considering their ultimate responsibility if wrongdoings happen.

"The Google of Healthcare": enabling the privatization of genetic bio/databanking.

PURPOSE: 23andMe is back on the market as the first direct-to-consumer genetic testing company that "includes reports that meet Food and Drug Administration (FDA) standards…." But, whereas its front-end product is selling individual genetic tests online, its back-end business model is amassing one of the largest privately owned genetic databases in the world. What is the effect, however, of the private control of bio/databases on genetic epidemiology and public health research? METHODS: The recent federal government notices of proposed rulemaking for: (1) revisions to regulations governing human subjects research and (2) whether certain direct-to-consumer genetic tests should require premarket FDA review, were reviewed and related to the 23andMe product, business model, and consumer agreements. RESULTS: FDA regulatory action so far has focused on the return of consumer test reports but it should also consider the broader misuse of data and information not otherwise protected by human subjects research regulations. CONCLUSIONS: As the federal government revises its decades-old human subjects research structure, the Executive Office of the President (EOP) should consider a cohesive approach to regulating private genetic bio/databanks. This strategy should allow the FDA and other agencies to play a role in expanding current regulatory coverage.

Providing scientific guidance on DNA to the judiciary.

A series of short documents have been written in response to a request from the UK Judiciary for explanations of research that was commissioned in response to questions they had raised. These related principally to the potential impact of primer binding site mutation (PBSM) but it became clear at an early stage that it was necessary to explain related issues. The three scientific guidance papers (SGPs) that have been prepared thus far are presented in their entirety so that UK scientists may be aware of what has been presented to judges. Suggestions for further work, including possible communication to jurors are discussed.