Skip to main content
SpringerLink
Log in
Book cover

Annual Privacy Forum

APF 2017: Privacy Technologies and Policy pp 3–18Cite as

The GDPR and Big Data: Leading the Way for Big Genetic Data?

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10518))

Abstract

Genetic data as a category of personal data creates a number of challenges to the traditional understanding of personal data and the rules regarding personal data processing. Although the peculiarities of and heightened risks regarding genetic data processing were recognized long before the data protection reform in the EU, the General Data Protection Regulation (GDPR) seems to pay no regard to this. Furthermore, the GDPR will create more legal grounds for (sensitive) personal data (incl. genetic data) processing whilst restricting data subjects’ means of control over their personal data. One of the reasons for this is that, amongst other aims, the personal data reform served to promote big data business in the EU. The substantive clauses of the GDPR concerning big data, however, do not differentiate between the types of personal data being processed. Hence, like all other categories of personal data, genetic data is subject to the big data clauses of the GDPR as well; thus leading to the question whether the GDPR is creating a pathway for ‘big genetic data’. This paper aims to analyse the implications that the role of the GDPR as a big data enabler bears on genetic data processing and the respective rights of the data subject.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Inimgeeniuuringute seadus (Human Gene Research Act), RT I 2000, 104, 685.

  2. 2.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

  3. 3.

    European Commission, ‘The European Data Protection Reform and Big Data’, (Factsheet march, 2016) <http://ec.europa.eu/justice/data-protection/files/data-protection-big-data_factsheet_web_en.pdf> accessed 31 January 2017.

  4. 4.

    Art. 9, GDPR.

    Art. 10, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L119/89.

  5. 5.

    Art. 8, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/131.

  6. 6.

    Data Protection Working Party. Working document on genetic data. Adopted on 17 March 2004, 12178/03/EN WP 91, p. 5. Accessible online at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2004/wp91_en.pdf [last accessed on May 25th 2016].

  7. 7.

    Ibid.

  8. 8.

    Ibid., p. 6.

  9. 9.

    Ibid.

  10. 10.

    When describing genetic data the DPWP refers to the fact that genetic data “are likely to provide, in the future, scientific, medical and personal information relevant throughout the life of an individual.” Ibid., p. 4.

  11. 11.

    Ibid., p. 11.

  12. 12.

    See, e.g., D. Hallinen et al. “Genetic Data and the Data Protection Regulation: Anonymity, multiple subjects, sensitivity and a prohibitionary logic regarding genetic data?” Computer Law & Security Review 29 (2013) 317–329, at 318.

  13. 13.

    The table is drawn for purposes of offering a brief introductory comparative overview. For the full and exact wording of the exceptions please see respectively Art. 8(2) of the 1995 Directive, and Art. 9(2) of the GDPR.

  14. 14.

    As stated on the official website of the European Commission: http://ec.europa.eu/justice/data-protection/ [last accessed on May 25th 2016].

  15. 15.

    D. Korff. Working Paper No. 2: Data protection laws in the EU: The difficulties in meeting the challenges posed by global social and technical developments European Commission Directorate-General Justice, Freedom and Security. Center for Public Reform, 20 January 2010, p. 73; accessible online at http://ec.europa.eu/justice/data-protection/document/studies/files/new_privacy_challenges/final_report_working_paper_2_en.pdf [last accessed on 3 June 2016].

  16. 16.

    This conclusion is based merely on the rules and requirements of the 1995 Directive and does not take into account the practical implementation by Member States, which might have not met such minimum requirements. Thus, making the minimum requirements directly applicable in all Member States via a regulation is certainly a step forward in the general protection of personal data.

  17. 17.

    See supra note 12, at 325. D. Hallinen et al. bring as examples of these strengthening mechanisms, amongst others, the obligation of the controller to carry out a data protection impact assessment as prescribed in Art. 35 of the GDPR (at 324) and the introduction of administrative fines up to 10 000 000 EUR under Art. 83 (at 325).

  18. 18.

    Art. 4(1): “[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[.]”.

  19. 19.

    See Recital 26 of the GDPR.

  20. 20.

    Ibid.

  21. 21.

    See supra note 12, at 322.

  22. 22.

    See, e.g., A.J. Pakstis et al. “SNPs for a universal individual identification panel”, Human Genetics, Vol. 127, 2010, pp. 315–324. See also R. Wang et al. “Learning Your Identity and Disease from Research Papers: Information Leaks in Genome Wide Association Study”, 16th ACM Conference on Computer and Communications Security, ACM 2009, pp. 534–544. See also N. Homer et al. “Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays”, PLOS Genetics, Vol. 4(8), 2008.

  23. 23.

    C-291/12 Schwarz v. Bochum [2013] ECLI:EU:C:2013:670, para 27.

  24. 24.

    S. and Marper v. United Kingdom (2008) ECLI:CE:ECHR:2008:1204JUD003056204, paras 68 and 84.

  25. 25.

    Ibid. para 84.

  26. 26.

    Ibid., para 86.

  27. 27.

    Federal Policy for the Protection of Human Subjects. A Proposed Rule by the Homeland Security Department, the Agriculture Department, the Energy Department, the National Aeronautics and Space Administration, the Commerce Department, the Social Security Administration, the Agency for International Development, the Justice Department, the Labor Department, the Defense Department, the Education Department, the Veterans Affairs Department, the Environmental Protection Agency, the Health and Human Services Department, the National Science Foundation, and the Transportation Department on 09/08/2015. Accessible online at https://www.federalregister.gov/documents/2015/09/08/2015-21756/federal-policy-for-the-protection-of-human-subjects [last accessed 21 October 2016].

  28. 28.

    Federal Policy for the Protection of Human Subjects. A Rule by the Homeland Security Department, the Agriculture Department, the Energy Department, the National Aeronautics and Space Administration, the Commerce Department, the Social Security Administration, the Agency for International Development, the Housing and Urban Development Department, the Labor Department, the Defense Department, the Education Department, the Veterans Affairs Department, the Environmental Protection Agency, the Health and Human Services Department, the National Science Foundation, and the Transportation Department on 01/19/2017. Accessible online at https://www.federalregister.gov/documents/2017/01/19/2017-01058/federal-policy-for-the-protection-of-human-subjects [last accessed 23 January 2017].

  29. 29.

    For an in-depth analysis on the privacy implications regarding the use of genetic data, see M. Taylor. Genetic Data and the Law: A Critical Perspective on Privacy Protection. Cambridge University Press, 2012.

  30. 30.

    E. Vayena and U. Gasser. “Strictly Biomedical? Sketching the Ethics of the Big Data Ecosystem in Biomedicine”. The Ethics of Biomedical Big Data. B.D Mittelstadt and L. Floridi (eds.). Springer, 2016, p. 18.

  31. 31.

    See in the online English dictionary Oxford Living Dictionaries of Oxford University Press at https://en.oxforddictionaries.com/definition/big_data [last accessed 12 April 2017].

  32. 32.

    See Merriem-Webster online dictionary at https://www.merriam-webster.com/dictionary/big%20data [last accessed 12 April 2017].

  33. 33.

    Article 29 Data Protection Working Party. Opinion 03/2013 on purpose limitation. Adopted on 2 April 2013, 00569/13/EN WP 203, p. 35. Accessible online at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf [last accessed 12 April 2017].

  34. 34.

    B.D. Mittelstadt and L. Floridi (eds.). The Ethics of Biomedical Big Data. Springer, 2016, p. 2.

  35. 35.

    The phrase “small data” has been used in regard to “conventional health care data” by N.P. Terry. “Big Data Proxies and Health Privacy Exceptionalism”, Health Matrix: Journal of Law-Medicine, 24 (2014), 65–108, at 66. The phrase has also been used as referring to personal data by M.M. Hansen. “Big Data in Science and Healthcare: A Review of Recent Literature and Perspectives”, IMIA Yearbook 9 (2014), 21–26. Accessible online at https://works.bepress.com/margaret_hansen/22/ [last accessed 13 April 2017].

  36. 36.

    European Parliament, Committee on Civil Liberties, Justice and Home Affairs. Report on fundamental rights implications of big data: privacy, data protection, nondiscrimination, security and law-enforcement (2016/2225(INI)). 17.02.2017, A8-0044/2017, p. 4.

  37. 37.

    M. Oostveen. “Identifiability and the applicability of data protection to big data”, International Data Privacy Law 6(4) (2016), 299–309.

  38. 38.

    Ibid., pp. 300–301.

  39. 39.

    Ibid.

  40. 40.

    This is arguably the case for any biomedical data, not just genetic data. See G.M. Weber et al. “Finding the Missing Link for Biomedical Data”, JAMA 311(24) (2014), 2479-2480.

  41. 41.

    See Recital 26 of the GDPR, which states that, “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”.

  42. 42.

    Z.D. Stephens et al. “Big Data: Astronomical or Genomical?” PLoS Biol 13(7): e1002195.

  43. 43.

    B.D. Mittelstadt and L. Floridi (eds), supra note 34, p. 2.

  44. 44.

    J. Frizzo-Barker et al. “Genomic Big Data and Privacy: Challenges and Opportunities for Precision Medicine”. Computer Supported Cooperative Work (CSCW) 25(2) (2016), 115–136, at 118.

  45. 45.

    Supra note 3, p. 2.

  46. 46.

    European Data Protection Supervisor. Opinion 7/2015, “Meeting the Challenges of Big Data: A call for transparency, user control, data protection by design and accountability”, 19 November 2015, p. 4. Accessible online at https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf [last accessed 12 April 2017].

  47. 47.

    It can be argued that in terms of personal data that is not sensible, i.e. not listed in Article 9(1) of the GDPR, consent does not constitute a true means of control since the grounds for personal data processing laid out in Article 6(1) are so broad that consent effectively no longer plays a relevant role. Most notably, Article 6(1)(f) allows personal data processing for the “legitimate interests pursued by the controlled or a tird party”.

  48. 48.

    Supra n 36, p 5.

  49. 49.

    For an in-depth analysis of the Article 9(2)(j) and the research exemption in regard to genetic data, see K. Pormeister. “Genetic Data and the Research Exemption: Is the GDPR going too far?”, International Data Privacy Law (2017) 7(2): 137–146.

  50. 50.

    See, e.g., J. Kühling and B. Buchner (eds.). Datenschutz-Grundverordnung: DS-GVO. Kommentar. C.H. Beck (2017), p 383.

  51. 51.

    For a thorough overview on the privacy implications regarding the use of genetic data, see M. Taylor (2012), supra note 29.

  52. 52.

    For an analysis regarding de-identification within the meaning of Article 11 of the GDPR, see M. Hintze. Viewing the GDPR Through a De-Identification Lens: A Tool for Clarification and Compliance; accessible online at https://fpf.org/wp-content/uploads/2016/11/M-Hintze-GDPR-Through-the-De-Identification-Lens-31-Oct-2016-002.pdf [last accessed on June 29th 2017].

Author information

Authors and Affiliations

  1. University of Tartu, Tartu, Estonia

    Kärt Pormeister

Authors
  1. Kärt Pormeister
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kärt Pormeister .

Editor information

Editors and Affiliations

  1. Centre for Legal Informatics, University of Vienna, Vienna, Austria

    Erich Schweighofer

  2. A-SIT, Graz, Austria

    Herbert Leitold

  3. European Union Agency for Network and Information Security, Heraklion, Greece

    Andreas Mitrakas

  4. Goethe University Frankfurt, Frankfurt, Hessen, Germany

    Kai Rannenberg

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Pormeister, K. (2017). The GDPR and Big Data: Leading the Way for Big Genetic Data?. In: Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2017. Lecture Notes in Computer Science(), vol 10518. Springer, Cham. https://doi.org/10.1007/978-3-319-67280-9_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-67280-9_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67279-3

  • Online ISBN: 978-3-319-67280-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation