
SHOULD HEALTH INFORMATION BE TREATED AS PERSONAL DATA UNDER THE GDPR?

A. Personal Information

 

The GDPR defines personal data as information that can identify a person, such as “identification number” or “genetic information”.[1] The health and identity information collected during a virus test seems to fulfil the criteria of personal data as set out in the GDPR, since it can be used to identify an individual. In addition, the company performing the test may not be able to entirely remove the genetic data from its database after assessing the samples, as data might be stored digitally and shared with multiple laboratories. If this is the case, the collection and processing of personal data is protected by the GDPR.

 

B. Special Category of Genetic and Health Data

 

The GDPR explains that genetic and health data falls under a special category[2] and deserves extra protection.[3] Based on a biological sample, genetic data provides the genetic characteristics of an individual and includes DNA and RNA information, as well as other biological data.[4] However, biological information does not automatically qualify as data under the GDPR. For example, genealogical information is not considered genetic data.[5] To meet the special criteria, the information must be analysed and have genetic characteristics. As such, there are concerns over whether biological samples containing genetic information fall within the scope of the GDPR.[6]

 

Genetic information is protected by the GDPR, since its objective is to protect individual privacy. Personal data should also include genetic samples,[7] given that genetic data contains unique elements that can be used to identify an individual[8] and is neither anonymised nor comprised of only partial genetic sequence information.[9]

 

C. Pseudonymisation

 

The GDPR defines anonymised information as being data that is disassociated from an individual by any means using current technology. According to the European Data Protection Board (EDPB), anonymised data means that a party takes all reasonable steps to remove the identity of a person in the data.[10] Reasonable steps comprise an objective test based on actual environmental conditions.[11] The test takes into consideration whether application of the test affects the interests of the individual. Since it is not possible to anonymise genetic data, it is therefore still subject to the GDPR.

 

As technology develops, there is a high chance of being able to re-identify and associate the data with a person.[12] As such, while data could be anonymised today, it might be possible to re-identify someone in the future.[13] Therefore, governments and testing companies cannot guarantee that data is anonymised, although they can aim to reduce the risk of re-identifying a person using genetic data. Data such as this falls into the category of pseudonymisation, which refers to “personal data that can no longer be attributed to a specific data subject without the use of additional information”.[14] This additional information is kept separate from the personal information, so that “technical and organisational”[15] effort is required to identify the subject.[16]

 

Testing companies that collect genetic samples for research purposes are required to obtain consent from the data subjects. Researchers might adopt broad consent parameters as it is sometimes difficult to specify the research purposes at the time of collection.[17] Broad consent covers three aspects: collection of the genetic samples for the original purpose, storage of the samples,[18] and subsequent research.[19] The following section will look into the legitimate basis of using genetic data for health research purposes under the GDPR, as well as the potential difficulties of informed consent in practice.

[1] GDPR of 2018, Article 4(1).

[2] GDPR of 2018, Article 9.

[3] GDPR of 2018, Article 4(13).

[4] GDPR of 2018, Recital 34.

[5] Chassang G “The impact of the EU general data protection regulation on scientific research” ecancermedicalscience (2017) 11:709.

[6] Mahsa Shabani and Pascal Borry “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation” European Journal of Human Genetics (2018) 26:149-156 at p152.

[7] Ibid.

[8] UK Information Commissioner’s Office, ‘Lawful basis for processing Special category data – GDPR’, [2019] at p5-6.

[9] UK Information Commissioner’s Office, ‘Lawful basis for processing Special category data – GDPR’, [2019] at p6. It sets out some exceptions under which genetic data is not subject to the GDPR if it cannot be used to identify an individual. This exception includes ‘where you have anonymised or aggregated partial genetic sequences or genetic test results (eg for statistical or research purposes), and they can no longer be linked back to a specific genetic identity, sample or profile; a patient record; or to any other identifier.’

[10] European Data Protection Board, ‘Guidelines – Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak’, [2020] at p5.

[11] Ibid.

[12] Alexandre de Montjoye et al., Evaluating COVID-19 Contact Tracing Apps? Here Are 8 Privacy Questions We Think You Should Ask, Computational Privacy Group, [2020], <https://cpg.doc.ic.ac.uk/blog/evaluating-contact-tracing-apps-here-are-8-privacy-questions-we-think-you-should-ask/>.

[13] Class Action Complaint and Demand for Jury Trial, Dinerstein v. Google, LLC Case [1:19-cv-04311 5-6, 2/26/19].

[14] GDPR of 2018, Article 4(5).

[15] Ibid.

[16] Ibid.

[17] Hallinan, Dara, and Michael Friedewald “Open consent, biobanking and data protection law: Can open consent be ‘informed’ under the forthcoming data protection regulation?” (2015) Life Sci Soc Pol 11 (1): 1–36 at <https://doi.org/10.1186/s40504-014-0020-9>.

[18] Dara Hallinan “Broad consent under the GDPR: an optimistic perspective on a bright future” (2020) Life Sciences, Society and Policy 16:1 at <https://doi.org/10.1186/s40504-019-0096-3>.

[19] Hallinan, Dara, and Michael Friedewald “Open consent, biobanking and data protection law: Can open consent be ‘informed’ under the forthcoming data protection regulation?” (2015) Life Sci Soc Pol 11 (1): 1–36 at <https://doi.org/10.1186/s40504-014-0020-9>.