'Your genetic data is my genetic data: Unveiling another enforcement issue of the GDPR' by Taner Kuru and Iñigo de Miguel Beriain in (2022) Computer Law and Security Review 105752 comments
The General Data Protection Regulation aims to protect data subjects by granting them control over their data. The shared nature of genetic data causes significant challenges in this framework by posing the question of whether the donor's biological family members can also be considered data subjects or not. In this respect, we have examined both scenarios and concluded that biological family members could indeed be considered in the scope of the data protection framework. However, we highlighted certain shortcomings attached to this interpretation, especially when biological family members exercise their data subject rights. Hence, we explored potential conflicts that might arise when biological family members exercise their right to information, right to access, right to erasure and right to restriction of processing. As a practical solution to this pressing problem, we called on the European Data Protection Board to revisit the 2004 Working Document on Genetic Data in order to develop principles to be applied when solving such conflicts and thus provide certainty and clarity to genetic data processing.
The authors state
Over the last two decades, we have witnessed a significant improvement in our technical ability to sequence genetic information at scale. Nowadays, researchers use this ever-growing available genetic information for various purposes, such as understanding what makes us prone to certain diseases and coming up with more precise treatment methods. In order to capitalize on this development, the European Union kickstarted the “1+ Million Genomes” initiative, amongst others, aiming at sequencing more than one million genomes by the end of 2022. In addition, several infrastructures are planned for storing, using, and sharing genomics data by several stakeholders in Europe to unlock the full potential of genomics.
However, along with its promises, some contested uses of genetic data have also occurred in recent years. For instance, law enforcement officers used genetic information on genealogy websites to solve cold cases. Likewise, border agencies benefited from such resources to establish the nationalities of failed refugee claimants in an attempt to deport these individuals. Furthermore, direct-to-customer genetic testing kits revealed hidden family secrets.6 These are excellent examples of how processing genetic data can lead to infringements of the rights and freedoms of individuals. Moreover, the growing incorporation of new technologies such as artificial intelligence into this field might soon create infringements that cannot be foreseen with our current capabilities. Therefore, it is crucially important to effectively regulate the processing of genetic data.
For this purpose, the General Data Protection Regulation (GDPR) constitutes an essential safeguard, at least at the EU level. Since its enactment in 2016, the GDPR has become a normative frame of reference for data protection, serving as an optimal tool to preserve natural persons’ fundamental rights and freedoms. Hence, the European legislator considers the GDPR an overall success that could meet several expectations. However, various actors have stated the opposite, especially underlining the difficulties in enforcing the GDPR. Besides these shortcomings, some problems also arose in the European data protection framework due to either the wording of the GDPR itself or the authoritative interpretations of its provisions. The unresolved issue regarding the definition of genetic data is one of the most obvious examples of this problem.
Indeed, the fundamental structure of the GDPR, that is, the idea that data is linked to a concrete data subject, does not work so well with genetic data. This is due to a simple reason: contrary to many other types of personal data, genetic data is not exclusively linked to one data subject but to several people who share some part of their biological architecture with that data subject. In other words, since we share a significant percentage of our DNA with our genetic relatives, once our genetic data is processed, it does not only reveal information about ourselves but also about our biological family members. Unfortunately, this feature does not work well with the assumptions made by the GDPR.
Under such a scenario, two main options can be considered. On the one hand, one can assign the data subject status only to the donor of the genetic data in question. Alternatively, one can consider biological family members of the donor as data subjects too, as already been suggested by some authors. Indeed, such an approach might be beneficial to mitigate the risks attached to genetic data processing, as any infringement on such data will also affect these individuals along with the donor. Nevertheless, it might be argued that accepting such ideas might create challenges that are impossible to tackle from the GDPR's perspective.
However, this is not a clear-cut matter. As a matter of fact, one must consider that both alternatives would have different consequences in practice, and none of them is easy to deal with. This paper aims to find out the strengths and weaknesses of each of them, so as to clarify this complex issue. For this purpose, we will first analyse whether genetic data could be considered personal data of biological family members on a conceptual basis. Afterwards, we will explore the issues that this approach might bring. Finally, we will present some tentative ideas about the most promising ways to resolve the issues uncovered.