GDPR Brief: familial genomic data and the GDPR

7 Jun 2021

In this brief, we discuss the provisions that allow for balancing of individual and familial interests under the GDPR and EU Member State law, and the legal uncertainty that remains. 

The GDPR maintains EU data protection law’s focus on the individual data subject. However, in the genomics context, multiple individuals may be able to claim an interest (and data subject rights) in the same genetic data. In this brief, we discuss the provisions that allow for balancing of individual and familial interests under the GDPR and EU Member State law, and the legal uncertainty that remains. 

Balancing data subject rights with relatives’ interests under the GDPR

Although not specific to the genomic context, various provisions within the GDPR recognise that there may be competing interests which require balancing, including:

• an exception to the provision of information to data subjects (but only where data have not been directly collected from those data subjects) insofar as ‘the data must remain confidential’ under Union or Member State Law (art 14 (5) (d));
• explicit limits to the data subject right of access (art 15) and the right to portability (art 20) where their fulfilment would ‘adversely affect the rights and freedoms of others’, and, more sweepingly;
• article 23 allows Member States to restrict all data subject rights (arts 12-22), data breach notifications (art 34) and even the principles for data processing in article 5 where they relate to data subject rights, for the protection of the ‘rights and freedoms of others’ (art 23(1)(i)), where necessary and proportionate.

For example, the UK has limited the disclosure of information under article 15 either if it is likely to cause serious harm to another individual or ‘to the extent that this would involve disclosing information relating to another individual who can be identified from the information’, unless the other individual has consented or ‘it is reasonable to disclose the information to the data subject without their consent’. There are a range of factors to be taken into account in assessing reasonableness, including the nature of the of information, steps taken to seek consent and any express refusal of consent by the other individual.¹

Internationally, a variety of approaches have been adopted to reconciling familial contexts, individual preferences, and privacy in the genomics context. The GDPR enables this by providing Member States with the scope to set their own appropriate standards. 

Limitations and remaining uncertainty 

However, there are three notable causes of uncertainty and challenge with respect to balancing data subject rights with relatives’ interests:

First, data controllers must navigate a varied terrain of Member State law rather than a clear set of consistent and harmonised standards. This challenges international data sharing efforts and raises compliance costs.

Second, in countries such as the UK, such competing interests only need to be balanced in the case of a request to access data (or in provision of information under art 14). However, there is arguably a need to consider the potential rights and interests of relatives in relation to a much wider range of data subject rights and duties owed by data controllers and processors. For example, deletion of data or restriction of processing could have significant consequences for relatives if it impedes medical research and its consequent feedback into clinical care. 

Third, the GDPR’s current approach doesn’t address the fundamental question of whether multiple relatives could be considered to be ‘data subjects’ in their own right in relation to the same genetic data and, if so, how competing rights and interests should be negotiated. 

Are relatives also ‘data subjects’?

As scholars identified under the GDPR’s predecessor, it may be possible to connect the same genetic data to different members of a family in a way which would identify and relate to each of them in turn.  For example, where the same rare variant is present in the genome of multiple family members cared for by the same service, each person’s medical records may be reasonably likely to be used to connect them with data about that variant. This could constitute their ‘personal data’ if the data can be said to ‘relate’ to them by “content”, “purpose” or “effect”. For example, as content which provides information about the health and physiology of that person; through their purpose in informing care and treatment, or; through their effect, leading them to be treated differently to others due to this information.  

Were genetic data seen to be as applicable to more than one individual data subject and also include familial relatives, data subject rights and obligations with respect to the same data would simultaneously be allocated to multiple family members. Neither the GDPR nor guidance from the European Data Protection Board address this conundrum.

A way ahead?

One approach to obtaining greater consistency and clarity could be by developing best practice as a sector, for example, in the form of a code of conduct. This could first seek to address balancing rights and interests where required by the GDPR and Member State law. Second, it may be helpful to revisit the question of whether relatives may themselves be considered data subjects in relation to the same genetic data and if so, how competing views about processing of ‘their’ personal data can be reconciled. In the interim, genomics professionals should ensure they have processes in place to conduct the balancing required by the GDPR and relevant Member State laws. These may be slightly different to the requirements of other parts of the legal framework (e.g. confidentiality laws), meaning that existing systems may require some updating. 

¹ Data Protection Act 2018, sch 2 para 16; sch 3 para 3(3). This is discussed more fully in the PHG Foundation’s report, The GDPR and Genomic Data, at pp. 91–93.

² Taylor, M. (2012). Data in common. In Genetic data and the law: critical perspective on privacy protection (pp. 103–130).

Further reading

• GA4GH GDPR Brief: The Concept of Personal Data in the GDPR
• Knoppers, B. M., & Kekesi-Lafrance, K. (2020). The Genetic Family as Patient? American Journal of Bioethics, 20(6), 77–80.
• Taylor, M. (2012). Data in common. In Genetic data and the law: critical perspective on privacy protection (Cambridge, UK: Cambridge University Press) (pp. 103–130).
• Purtova, N., ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation and Technology.
• Mitchell, C., Ordish, J., Johnson, E., Brigden, T. & and Hall, A. “The GDPR and Genomic Data – the Impact of the GDPR and DPA 2018 on Genomic Healthcare and Research.” Cambridge, United Kingdom: PHG Foundation, May 2020.

Relevant GDPR provisions

• Article 4(1) – Definition of personal data
• Article 14 – Information to be provided where personal data have not been obtained from the data subject
• Article 15 – Right of access by the data subject
• Article 23 – Restrictions

Colin Mitchell and Alison Hall work for the PHG Foundation, a think tank with a special focus on genomics and personalised medicine that is a part of the University of Cambridge.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.