In this chapter, an analysis is undertaken of the division of legislative power in the space created by the GDPR, regarding the balancing of individual rights, the public interest and biobank research. The legislative competences of the EU, international obligations within bioethics, and the regulatory space left for Member States are all examined. The conclusion of the chapter is that in spite of the aim of the GDPR to further legal harmonisation, it is more likely that unity will be brought about through administrative cooperation and soft law tools.
In this chapter, an analysis is undertaken of the division of legislative power in the space created by the GDPR, regarding the balancing of individual rights, the public interest and biobank research. The legislative competences of the EU, international obligations within bioethics, and the regulatory space left for Member States are all examined. The conclusion of the chapter is that in spite of the aim of the GDPR to further legal harmonisation, it is more likely that unity will be brought about through administrative cooperation and soft law tools.
Sweden and the EU have quite different traditions when it comes to freedom of the press, freedom of expression and transparency on the one hand, and the protection on privacy and data protection on the other. One way these differences manifest themselves is in the choice of territorial scope of the respective legal framework. The two Swedish basic acts, the Freedom of the Press Act (FPA) and the Fundamental Law on Freedom of Expression (FLFE),have a rather strict national approach; they aim at protecting Swedish freedom of press, including the right to public documents, and freedom of expression within the borders of Sweden. For examples, according to the FPA, all limitations of the right to access to documents must be set out clearly in a Swedish law, the Public Access to Information and Secrecy Act. Any other interest that might deserve an exception from the right to access to documents held by Swedish authorities that is not listed in this act will therefore not be protected. The Swedish freedom of the press act can be contrasted to the EU data protection law, which has a wide scope of application, which may even be described as extraterritorial. EU data protection law also directs itself to processors outside the sphere of application of the specific EU acts, by only permitting transfer of personal data if one of the mechanisms in the acts are followed; under an adequacy decision of the Commission, with the availability of adequate safeguard, or, if none of the above, closely defined exceptions to the rules. From the Safe Harbor verdict of the Court of Justice of the European Union, and the aftermath of the EU-US privacy shield, it is clear that the EU has high demands on those wanting to process EU data in third countries. In this chapter I will contrast the nationally based approach on regulating the Swedish FPA and FLFE to the farreaching protection law, where the main goal seems to be the protection of EU personal data according to an EU standard wherever it is processed in the world. The question posed is how to understand the territorial restrictions of a legal order, and lawmakers wishes to protect the individuals within this territory.
There are two core principles in the law and ethics of biomedical research that could be considered universally accepted: first, all handling of personal data and human biological samples is conditioned by the informed consent of the individual involved; second, all medical research on human biological samples and personal data should be placed under the review of research ethics committees. These concepts are included in international, regional and national guidelines, rules and regulations for processing of data and biobanking. However, the legal implementations are carried out within each national legal order, by national organs enacting administrative decisions applicable within the state. In order for the research project to function in a multinational setting, the EU has developed soft law tools and governance mechanisms to facilitate European biomedical research. The question is whether this can be considered valuable and legitimate on the grounds of enhancing conditions for medical research.
Sweden has a long tradition of transparency and keeping public archives and registries for the benefit of the society at large . Access to comprehensive public information, including registries containing individualised data, has been an integral part in the building of the Swedish welfare state . An important explanatory factor for its acceptance is the high level of social trust in the Swedish society, in that citizens to a large extent trust each other, the government and the public authorities and other institutions in the society . Over the last few decades, changes have taken place connected to digitalisation of the society and an increased awareness of the possible privacy intrusion that may follow . A number of Swedish "register scandals" have been unearthed in media, involving both private and public entities . In order to protect the Swedish cultural heritage of accessible archives and public information and retain social trust, the Swedish legislator should carefully balance the interest in transparency against the right to privacy and data protection following the case law of the European Court of Human Rights and EU law .
The Swedish response to the coronavirus crisis has, at least initially, deviated from those in most other comparable countries and the Swedish strategy has gained attention worldwide. Only a few binding restrictive measures have been enacted and the Swedish model has, at least initially, been to mostly rely on informal and voluntary measures based on recommendations from the Public Health Agency (PHA). No lockdowns, as in mass quarantines or stay-at-home orders, or mandatory mask wearing have, as of February 2021, been introduced. However, during the 'second wave' of the pandemic, in Autumn 2020, the strategy somewhat changed and new restrictions have gradually been introduced. The development brought to light the need for new legislative tools and at the beginning of 2021 the Swedish Parliament, the Riksdag, enacted the temporary COVID-19 Act, delegating further powers to the Government. It may be submitted that the constitutional framework, in essence, has been respected. However, the strong position of Swedish public authorities in the area of communicable diseases, together with the vast delegation of powers to the Government, has in practice impacted on the traditional division of tasks for implementing policies in a manner unprecedented in modern Swedish constitutional history.
Sweden has a long tradition of transparency and keeping public archives and registries for the benefit of the society at large. Access to comprehensive public information, including registries containing individualised data, has been an integral part in the building of the Swedish welfare state. An important explanatory factor for its acceptance is the high level of social trust in the Swedish society, in that citizens to a large extent trust each other, the government and the public authorities and other institutions in the society. Over the last few decades, changes have taken place connected to digitalisation of the society and an increased awareness of the possible privacy intrusion that may follow. A number of Swedish "register scandals" have been unearthed in media, involving both private and public entities. In order to protect the Swedish cultural heritage of accessible archives and public information and retain social trust, the Swedish legislator should carefully balance the interest in transparency against the right to privacy and data protection following the case law of the European Court of Human Rights and EU law
Two purposes of the GDPR are to provide effective remedies for ensuring extensive personal data rights and to change practices and policies of controllers and processors so that they become more aware of privacy protection. Article 58 GDPR lays down the investigative and corrective powers of the national supervisory authorities, such as issuing warnings or imposing new administrative fines. Article 79 GDPR states that every data subject whose rights according to the regulation have been infringed shall have access to an effective remedy. The two measures in focus here are those with the largest economic impact: Article 82 on damages and Article 83 on administrative fines. These articles target different areas and subjects – while the first has a compensatory purpose and is designed for use by individuals, the second has a preventive character and is implemented by Data Protection Authorities vis-á-vis controllers and processors. Considering these two profiles, an interesting question arises: Why are the provisions of Article 83 for imposing fines on companies and organisations so detailed, while the wording of Article 82 and hence the liability for controllers and processors is open to interpretation? What does this difference lead to in the application of the regulation, and more precisely, is it likely that the development in regards to administrative fines could spill over to the application of rules on damages? ; Forthcoming Mississippi Law Journal, 2020.
Part I Setting the scene -- Introduction: Individual rights, the public interest and biobank research 4000 (8) -- Genetic data and privacy protection -- Part II GDPR and European responses -- Biobank governance and the impact of the GDPR on the regulation of biobank research -- Controller' and processor's responsibilities in biobank research under GDPR -- Individual rights in biobank research under GDPR -- Safeguards and derogations relating to processing for archiving purposes in the scientific purposes: Article 89 analysis for biobank research -- A Pan-European analysis of Article 89 implementation and national biobank research regulations -- EEA, Switzerland analysis of GDPR requirements and national biobank research regulations -- Part III National insights in biobank regulatory frameworks -- Selected 10-15 countries for reports: Germany -- Greece -- France -- Finland -- Sweden -- United Kingdom -- Part IV Conclusions -- Reflections on individual rights, the public interest and biobank research, ramifications and ways forward. .
This open access book focuses on the discrepancies in biobank research regulations that are among the most significant hurdles to effective research collaboration. The General Data Protection Regulation (GDPR) has established stringent requirements for the processing of health and genetic data, while simultaneously allowing considerable multi-level exceptions for the purposes of scientific research. In addition to directly applicable exceptions, the GDPR places the regulatory responsibility for further defining how the Member States strike a balance between the individuals' rights and the public interest in research within their national legal orders. Since Member States' approaches to the trade-off between data subjects' rights on the one hand, and appropriate safeguards on the other, differ according to their ethical and legal traditions, their data protection requirements for research also differ considerably. This study takes a comprehensive approach to determine how the GDPR affects regulatory regimes on the use of personal data in biobanking research, with a particular focus on the balance between individuals' rights, public interest and scientific research. In this regard, it has two main goals: first, to scrutinize the GDPR research regime, its objective and constitutive elements, the impact it has on biobanking, and its role in a changing EU landscape post-Brexit; and second, to examine how various exceptions have been operationalized nationally, and what challenges and opportunities this diversification entails. The book not only captures the complexity GDPR creates for biobanking, but also sheds light on various approaches to tackling the corresponding challenges. It offers the first comprehensive analysis of GDPR for biobanking, and the most up-to-date overview of the national biobank regulatory frameworks in Europe.
This chapter describes the regulatory and organisational infrastructure of biobank research in Sweden, and how the introduction of the GDPR affects the possibilities to use biobank material in future research. The Swedish legislator has chosen a rather minimalistic approach in relation to the research exception in Article 89 GDPR and has only enacted limited general exceptions to the data protection rules. This may be partly explained by the comprehensive right to public access to official documents which gives researchers vast access to information held in registries, albeit conditioned on abiding by secrecy and confidentiality rules. The Swedish legislation implementing the GDPR includes a general exception from the data protection rules in relation to the right to access to official documents, which researchers also benefit from. However, confidentiality rules for different categories of information differ between sectors, which hinders an effective use of the registries in research. The regulatory regime for using biobank and registry data in Sweden thus involves both data protection and secrecy rules, which makes the legal landscape permissible but complex. The operationalisation of the research exception in Article 89 GDPR is analysed against this background. Special attention is given to the possibility to link personal information derived from biobanks with personal information from other data sources, including large national population based statistical registries as well as information from national clinical registers.