Genetic Material and Sequence Data to Protect Global Health in the Light of Pandemic Outbreaks: Mapping the Legal Landscape under European and International Law.

The current pandemic outbreak of corona virus SARS-CoV-2 shows the need for comprehensive European cooperation in drug development and the importance of genetic material and sequence data in research concerning this unknown disease. As corona virus SARS-CoV-2 is spreading across Europe and worldwide, national authorities and the European Union (EU) institutions do their utmost to address the pandemic and accelerate innovation to protect global health. In order to be prepared and to be able to respond immediately to serious epidemic and pandemic diseases, the EU has already adopted the Decision No (EU) 1082/2013 on serious cross-border threats to health. The World Health Organization (WHO) has established a global system to collect genetic material and information to protect a global influenza pandemic outbreak. The article describes the current legal landscape under EU and international law.

La protección de los datos genéticos en virtud del Reglamento General de Protección de Datos / The protection of genetic data under the General Data Protection Regulation

El presente artículo presenta un panorama general de la base jurídica introducida por el Reglamento General de Protección de Datos (RGPD) en relación con la protección de los datos genéticos. El objetivo de este artículo es examinar críticamente la definición del término "datos genéticos" que proporciona el Reglamento con el fin de analizar la protección que este instrumento otorga a tal categoría especial de datos personales. El artículo ofrece una visión general de las partes de tal definición que la autora considera "problemáticas" para una adecuada y suficiente protección de este tipo de datos y resume las cuestiones planteadas por el enfoque adoptado por el RGPD para la protección de los datos genéticos. La finalidad principal de este artículo es, por tanto, contribuir a un debate más amplio que aborde los desafíos identificados y permita encontrar formas viables de proteger esta categoría única de datos personales

The present article presents an overview of the legal background introduced by the General Data Protection Regulation (GDPR) with regard to the protection of genetic data. The aim of this article is to critically examine the definition of the term "genetic data" provided by the General Data Protection Regulation in order to achieve a better understanding of the protection afforded to this special category of personal data by the Regulation. The article offers an overview of the parts of such definition that the author considers "problematic" and summarizes the questions raised by the General Data Protection regulation's approach to the protection of genetic data. The main objective of this article is therefore, to contribute to a wider debate that would address the identified challenges and bring us closer to finding viable ways of protecting this unique category of personal data

Who Owns the Data in a Medical Information Commons?

In this paper, we explore the perspectives of expert stakeholders about who owns data in a medical information commons (MIC) and what rights and interests ought to be recognized when developing a governance structure for an MIC. We then examine the legitimacy of these claims based on legal and ethical analysis and explore an alternative framework for thinking about participants' rights and interests in an MIC.

Patients v. Myriad or the GDPR Access Right v. the EU Database Right.

In 2016, four US cancer patients legally challenged Myriad by claiming full access to all genomic information produced in the course of Myriad's testing of their risks for a variety of cancers. Asserting that Myriad's refusal to provide them with this information violated the HIPAA Privacy Rule, the patients sought a determination of a right to access all their genetic information from testing laboratories. Such access would not only serve their own care, but also enable them to share their genetic data with the scientific community which they alleged Myriad failed to do. A similar case may be brought in Europe under the novel EU GDPR. Specifically, it would put the GDPR right of access to personal data against Myriad's database right under the EU Database Right Directive. The outcome of this case could impact the fate of personalized medicine, which depends on the one hand on patients' having control over their genetic data, and on the other hand on incentives for genetic testing companies to generate these data. We first address the issue of whether the GDPR applies to medical records. We then analyse how GDPR rights could play out in the context of clinical genetic testing and conclude that the GDPR access right stops short of granting unconditional access to all data generated in the process of testing, to the extent that its exercise would result in the violation of medical-professional norms, expose the testing company to potential liability, or compromise normal exploitation of the database of which the personal data form part.

Germany: a fair balance between scientific freedom and data subjects' rights?

With the German Bundestag's adoption of the Data Protection Adaptation and Implementation Act EU (DSAnpUG-EU) on 30 June 2017, the adaptation of German law to the General Data Protection Regulation (GDPR) has begun (Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz-DSAnpUG-EU) v. 30. Juni 2017, BGBl. 2017 I p. 2097 et seq.). Despite being directly binding on all EU member states, the GDPR does not render national data protection provision obsolete-they are covered by the GDPR's opening clauses which include regulatory mandates and room for derogation. This creates considerable need for national legislative adaptation. Art. 1 DSAnpUG-EU contains the necessary amendments to the Federal Data Protection Law (BDSG(neu)), thus creating the second major building block of future German data protection alongside the GDPR itself. Nevertheless, there are still numerous sector-specific regulations in other federal laws and the data protection laws of the 16 states also need amendments. Adjustment in Germany is well on its way, but implementation in general is still ongoing, with further consequences for data processing and sharing.

South Korea: in the midst of a privacy reform centered on data sharing.

With rapid developments in genomic and digital technologies, genomic data sharing has become a key issue for the achievement of precision medicine in South Korea. The legal and administrative framework for data sharing and protection in this country is currently under intense scrutiny from national and international stakeholders. Policymakers are assessing the relevance of specific restrictions in national laws and guidelines for better alignment with international approaches. This manuscript will consider key issues in international genome data sharing in South Korea, including consent, privacy, security measures, compatible adequacy and oversight, and map out an approach to genomic data sharing that recognizes the importance of patient engagement and responsible use of data in South Korea.

United Kingdom: transfers of genomic data to third countries.

In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.

United States: law and policy concerning transfer of genomic data to third countries.

This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.

Canada: will privacy rules continue to favour open science?

Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as "adequate" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.

Perceptions of legislation relating to the sharing of genomic biobank results with donors-a survey of BBMRI-ERIC biobanks.

Biobanks accumulate huge amounts of research findings, including participants' genomic data. Increasingly this leads to biobanks receiving research results that could be of clinical significance to biobank participants. The EU Horizon 2020 Project 'Genetics Clinic of the Future' surveyed European biobanks' perceptions of the legal and regulatory requirements for communicating individual research results to donors. The goal was to gain background knowledge for possible future guidelines, especially relating to the consent process. The Survey was implemented using a web-based Webropol tool. The questionnaire was sent at the end of 2015 to 351 European biobanks in 13 countries that are members of BBMRI-ERIC (Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortium). Seventy-two biobanks responded to the survey, representing each of the 13 BBMRI Member States. Respondents were mainly individuals responsible for the governance of biobanks. The replies indicate that the majority of the respondents thought that their national legislation allowed them to contact participants to communicate results, and that research participants had the right to request their results. However, respondents' understanding of their national legislation varied even within member states. Our results indicate that legislation applied to biobanks in many countries may be scattered and difficult to interpret. In BBMRI-ERIC, there is an ongoing discussion about the need for European recommendations on sharing genomic biobank results with donors, which may pave the way for more coherent global guidelines. Our results form a basis for this work.

The U.S. Culture Collection Network Responding to the Requirements of the Nagoya Protocol on Access and Benefit Sharing.

The U.S. Culture Collection Network held a meeting to share information about how culture collections are responding to the requirements of the recently enacted Nagoya Protocol on Access to Genetic Resources and the Fair and Equitable Sharing of Benefits Arising from their Utilization to the Convention on Biological Diversity (CBD). The meeting included representatives of many culture collections and other biological collections, the U.S. Department of State, U.S. Department of Agriculture, Secretariat of the CBD, interested scientific societies, and collection groups, including Scientific Collections International and the Global Genome Biodiversity Network. The participants learned about the policies of the United States and other countries regarding access to genetic resources, the definition of genetic resources, and the status of historical materials and genetic sequence information. Key topics included what constitutes access and how the CBD Access and Benefit-Sharing Clearing-House can help guide researchers through the process of obtaining Prior Informed Consent on Mutually Agreed Terms. U.S. scientists and their international collaborators are required to follow the regulations of other countries when working with microbes originally isolated outside the United States, and the local regulations required by the Nagoya Protocol vary by the country of origin of the genetic resource. Managers of diverse living collections in the United States described their holdings and their efforts to provide access to genetic resources. This meeting laid the foundation for cooperation in establishing a set of standard operating procedures for U.S. and international culture collections in response to the Nagoya Protocol.

Derechos fundamentales en el contexto de las bases de datos forenses: revisión y análisis de la Ley 78/2015 de Kuwait / Fundamental rights regarding forensic databases: review and analysis of Kuwait's law 78/2015

El desarrollo de la genética forense y la creación de bases de datos de ADN para la identificación humana constituyen herramientas de gran utilidad en la investigación criminal. Sin embargo, la protección de los derechos fundamentales debe establecer límites intraspasables en el ámbito de aplicación de estos avances. La Ley 78/2015 de Kuwait, recientemente aprobada, es la primera en el mundo que recoge la obligación de que todos los ciudadanos, residentes y visitantes del país proporcionen muestras de ADN a las autoridades para que sean incluidos en la base de datos policial con el fin de colaborar con el Ministerio de Interior. En el presente trabajo se analizan las características de las regiones del ADN que se incluyen en las bases de datos y los derechos fundamentales que se pueden ver afectados en el proceso, empleando como marco la legislación española al respecto, para finalizar estudiando la ley de Kuwait y sus implicaciones (AU)

The development of forensic genetics and the creation of DNA databases for human identification are highly useful tools in criminal investigations; however, the protection of fundamental rights must establish inalienable limits in the application of these advances. Law 78/2015 in Kuwait, passed recently, is the first in the world which includes the requirement that all citizens, residents and visitors must provide DNA samples to the authorities to be included in the police database in order to cooperate with the Ministry of Interior. This paper studies the characteristics of the DNA regions that are included in the databases and the fundamental rights that may be affected in the process, using Spanish Law as a reference framework. Finally, it analyses Kuwait's DNA law and its implications (AU)

A Lens for Evaluating Genetic Information Governance Models: Balancing Equity, Efficiency and Sustainability.

This paper draws from the literature on collective action and the governance of the commons to address the governance of genetic data on variants of specific genes. Specifically, the data arrangements under study relate to the BRCA genes (BRCA1 and BRCA2) which are linked to breast and ovarian cancer. These data are stored in global genetic data repositories and accessed by researchers and clinicians, from both public and private institutions. The current BRCA data arrangements are fragmented and politicized as there are multiple tensions around data ownership and sharing. Three key principles are proposed for forming and evaluating data governance arrangements in the field. These principles are: equity, efficiency and sustainability.

Public variant databases: liability?

Public variant databases support the curation, clinical interpretation, and sharing of genomic data, thus reducing harmful errors or delays in diagnosis. As variant databases are increasingly relied on in the clinical context, there is concern that negligent variant interpretation will harm patients and attract liability. This article explores the evolving legal duties of laboratories, public variant databases, and physicians in clinical genomics and recommends a governance framework for databases to promote responsible data sharing.Genet Med advance online publication 15 December 2016.

Who should have access to genomic data and how should they be held accountable? Perspectives of Data Access Committee members and experts.

Facilitating the responsible access to genomic research data is an emerging ethical and scientific imperative. Data Access Committees (DACs) assess the ethical footing and scientific feasibility of the data access requests and evaluate the qualification of applicants to ensure they are bona fide researchers. Through semi-structured interviews, we explored the opinions and experiences of 20 DAC members and experts concerning the users' qualification criteria and mechanisms to hold users accountable. According to our respondents, such evaluation is necessary to ensure applicants are trustworthy, meet a certain level of expertise or experience and are aware of the rules and the associated concerns with genomic data sharing. The respondents noted, however, that the qualification criteria are fragmented or are poorly delineated at times. Thus, developing qualification criteria seems vital for an objective, fair and responsible access procedure. Similarly, the access review will benefit from using common ways of verifying the users' affiliations. Furthermore, some DAC members expressed concern over the uncertain oversight of downstream data use, in particular where data are shared across borders. DAC members and experts did not consider current sanctions and enforcement procedures to be crystal clear. Therefore, data sharing policies should address this gap by establishing proportionate sanctions both against data producers and data users' non-compliance. Users' home institutes will need to have an active role in keeping oversight on the downstream data uses, considering their ultimate responsibility if wrongdoings happen.