There were numerous reasons for enacting the first data protection laws in the 1970s. Among the most important factors was a public fear and disempowerment engendered by greater dissemination, use, and re-use of personal data across organizational boundaries facilitated by new technology in the form of electronic data processing. The latter has also created a sense of loss of control over technology and automation of societal processes. [1] In addition to rapidly increasing capacity to store data, computers permitted information to be searched and organized by multiple attributes, rather than through a single index (for example, first and last name only). This capacity changed the way information could be linked to an individual [2] which led to data protection laws focused on protecting “personal data” in the EU and “Personally Identifiable Information (PII)” in the United States of America. [3] The definitions of these key concepts delimit the scope of application of data protection laws. Since those early days one of the major changes in the EU has been the recognition of data protection as a fundamental right in itself, independent from the right to respect for private life. [4]
Today, more than 40 years since the early data protection laws [5] and two decades after the EU Data Protection Directive was adopted, the technological landscape has dramatically changed. Computer power continues to grow [6] with additional capacities and data processing capabilities. The growth in computer power has aided a significant transformation in many fields of study including molecular biology and nano-technology. Consequently, there is strong criticism on sustainability of the definition of personal data [7] maintained in the EU data protection laws. According to this definition personal data is, in essence, information which is capable of identifying living human data subjects. Other elements [8] of the definition have gotten a fairly detailed analysis except the phrase ‘any information.’ I seek to analyze and challenge the conceptual predispositions behind this criterion: the notion that data protection laws apply to ‘data and/or information.’
The propriety of data as exclusively ‘informational’ is being put to test as advancements in bio-technology and ICT continue to blur the distinction between the human biological materials [9] on the one side and information derived from them on the other. [10] The fear is that such distinction may arbitrarily undermine the protections offered under the right to privacy in general.
The terms ‘data’ and ‘information,’ though key legal terms, are often taken for granted and insufficiently, if at all, defined in data protection discourse. [11] Data is habitually used as synonymous with information. Scholars attribute this dearth in clarity, specifically in laws directly dealing with information concepts, to various factors and contestable assumptions ranging from a simple oversight, to an assumption of obviousness, and to pessimism that the terms are incapable of definition, at least a legally workable one. [12]
While it might have worked reasonably well in the past, the paucity in clearly defining [13] the two terms appears to have reached an unsustainable stage. The most germane reason for the purpose of this study is the challenge scientific and technological developments [14] introduce to the boundary between information and biological materials — and, in effect, traditional distinction between the message and the medium — which can also trigger application of laws that employ information concepts to biological material. [15]
Outside of the legal world, the day-to-day usages of the two terms seem to draw no clear line of distinction; neither is there a need to make a major differentiation between the two. In their normal parlance, Oxford English Dictionary defines ‘data’ as ‘facts and statistics collected together for reference or analyses’ [16] and ‘information’ as ‘facts provided or learned about something or someone.’ [17] Even though a first glimpse at these definitions tells us that information is a result of analysis carried out on data, one can also see the usage of the word ‘facts’ in both definitions which suggests that no serious distinction is aimed to be made. Besides, the thesaurus [18] section of the same dictionary puts ‘information’ and ‘data’ as synonyms. [19]
In the fields of Informatics and Computer Science, however, a more systematic distinction is drawn between data and information. In these fields, the notion of ‘data’ usually denotes signs, patterns, characters or symbols which potentially represent something (a process or object) from the ‘real world’ and, through this representation, may communicate ‘information’ about that thing. [20]
Expectedly, compared to the nebulous day-to-day and, even, legal usage the distinction made in Informatics appears to be more logical and coherent. The question, however, is would these conceptual walls built in the fields of Informatics and Computer Science be sustainable in the face of the current development in ITC and bio-technology? And, even if they continue to work, should the same distinction be made in legislating new or interpreting the existing laws dealing with information concepts? By focusing on data protection law among the latter types of laws, the following sections will strive to address these questions.
A brief glimpse at the EU Data Protection Directive (DPD) not only fails to answer whether biological materials are considered to be personal data but makes the answer even fuzzier by its interchanging usage of the words ‘data’ and ‘information.’ [21] However, a closer look at the provisions of the DPD indicates absence of intention by its architects to consider biological materials to be personal data. Though absence of intention to cover biological materials appears clear, for reasons discussed below, one cannot, at the same time, plausibly argue that that was an intentional exclusion either.
First, nonexistence of a clear intention to consider biological materials as personal data is rooted on how the law and policy in this area generally operates. Professor Bygrave observes:
“[T]he law and policy on data protection have generally tended to operate on the assumption that a distinction exists between data/information on the one hand, and, on the other, the person(s) to which the data/information can be linked.” [22]
We see this in the definitions of ‘personal data’ and/or ‘personal information’ given in data protection laws. [23] Therefore, paucity of a good indication to treat biological materials as personal data begins from the very definition under Article 2(a) of the DPD. The definition portrays ‘humans’ as data subjects to which information relates; not humans, or a sample taken from them, as information by themselves. It is worth noting, though, that when it tries to further define ‘an identifiable person’ the directive employs terminologies that relate to the human body. It provides that, in addition to information like a person’s identity number, a person can be identified by his physical, physiological or mental identity. Yet, a reference to, say, physical identity of a person to identify him, quickly winds up being an information about his physique, like his appearance, and not the physical self as such. The same is implied by the preparatory materials towards adoption to the directive. [24] The then EC Commission’s commentary [25] to this part of Article 2(a) of the directive, after indicating the typical numerical information [26] as identifying factors, mentions that the definition would also cover data such as appearance, voice, fingerprints and genetic characteristics. [27]
Secondly, other key provisions of the DPD are also indicative of the absence of a positive intention [28] by the legislature to treat biological materials as personal data. Some vital words and phrases used throughout the directive cannot semantically accommodate human biological materials. Words like ‘recording’ and ‘alteration’ as set of operations to be performed on personal data under Article 2(b) of the DPD epitomize such inhospitable accommodation. Other instances are under Article 6 whereby personal data is required to be ‘accurate’ and ‘up to date’ which presupposes that data could be ‘inaccurate’ and/or ‘out of date’, which a biological material cannot be. Similarly, the right to ‘rectify’ under Articles 10 and 11 presuppose some form of error in recording.
Thirdly, and perhaps more importantly, the crafting of the scope of application of rules of the DPD, under Article 3, cannot comfortably accommodate application of rules of the directive to human biological materials. The directive applies to the processing of personal data in two scenarios: wholly or partly by automatic means, and to manual processing of personal data which form/intended to form part of a filing system. At least partly-automatic processing of data, which the directive requires under the first scenario, has in mind the use of a device, computers mostly, to process information electronically, i.e. when data is computerized. This is exactly what is referred to by the Commission’s commentary on this provision. [29] As far as biological materials are concerned, one may not, right away, use computers to process blood samples or a swab of specimen of a person. An exposure to a different interpretative framework may be required. The same holds true for the second scenario, i.e., filing system: a file literally presupposes recorded information.
Having been invited by the European Council to evaluate the functioning of EU instruments on data protection, as part of the Council’s Stockholm Program Notices [30] , the EU Commission came up with a proposal for the GDPR in December, 2012. [31] On 12 March, 2014, European Parliament made its formal First Reading vote confirming the text of the draft Regulation. [32] EU Justice and Home Affairs ministers reached a general approach on the Regulation at their Council meeting on 15 June, 2015. [33] After months of “trilogue” negotiations, the EU Commission, Parliament and Council of Ministers reached agreement on the GDPR on 15th December, 2015. [34] Following political agreement reached in the “trilogue” the official texts of the Regulation was published in the EU Official Journal on 4 May, 2016. While the regulation will enter into force on 24 May, 2016, it shall be applicable from 25 May, 2018 onward. [35]
To examine the position taken by the GDPR on the issue of human biological material, I will analyze, mainly, the official text (of 4 May, 2016). However, in order to trace the developments on this issue, I will also make references to the Commission Proposal (of January 2012), Parliament’s first reading (of March, 2014), the Council’s general approach (of June, 2015) and the compromise text that resulted from the final trilogue.
The Commission’s proposal explicitly mentions the term ‘biological samples’ [36] in recital 26 of the preamble to the proposed regulation. The mention is made as part of enumerating the constituents of personal data relating to health. It reads:
“Personal data relating to health should include... information derived from the testing or examination of a body part or bodily substance, including biological samples...” [37]
Whilst a bold step in separately and explicitly bringing up ‘biological samples’ which creates a tempting syntax to consider ‘biological samples’ as personal data relating to health, a closer examination of the recital as a whole shows that it is dealing with information derived from testing or examination of biological samples, not biological samples in and of themselves. In other words, the recital conveys the following meaning: personal data relating to health should not be limited to the information derived from testing/ examination of body part or bodily substance (which require the physical presence of the examinee) but should also include the result of examination of samples when it is taken from examinees, the presence of whom is no longer required for examination.
While the same ambiguous syntax is employed in other language versions such as Danish, Swedish and French, Professor Bygrave observes that the German version rules out such ambiguity. [38] In that case, it comes down to a question of interpretation: which language version takes precedence? Recourse to the jurisprudence of the Court of Justice of the EU tells us that the different language versions are all equally authentic and that the interpretation of a provision of Community law involves a comparison of the different language versions. [39] The court further notes that every provision of Community law must be placed in its context and interpreted in the light of the provisions of Community law as a whole, regard being had to the objectives thereof and to its state of evolution at the date on which the provision in question is to be applied. [40] Therefore, the task of ascertaining the true meaning of deferring language versions is not simply mechanical, i.e. it does not depend on the comparison of the number of versions that avoid the problematic syntax against those which contain such syntax. It should be rooted in the context in which the words are placed, its evolution and the objective of the law as a whole. Seen from this angle, it is difficult to claim that the proposed Regulation, indeed, considers biological materials as personal data related to health.
The European Parliament’s first reading did not introduce changes to the Commission’s proposal in this regard. A small alteration with additional mentions [41] of ‘biological samples’ came with, first, consolidated text of the Council and the Commission and, latter, with the compromise text. In these versions, recital 26 to the preamble of the regulation reads:
“Personal data concerning health should include... information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples....” [42]
As can be discerned, in this version of the regulation the phrase ‘genetic data’ is added to the original script. The overall reading of this part of recital 26 would not offer the exact same meaning that the corresponding sentence in the Commission’s version did. In that version, the phrase ‘biological samples’ can be meaningfully read back to the phrase: ‘Information derived from testing or examination of...’ That makes sense because like body parts or body substances, biological samples can also be subjects of said testing/examination, and, thus, be carriers of personal information to be derived from them. In addition, referring the phrase ‘biological samples’ to the ‘information derived from testing or examination of…’ would be repeating oneself as ‘examination of a body part or bodily substance’ is already mentioned and biological samples can be considered to be body parts/ bodily substance.
However, the same interpretation wouldn’t be logical with the addition of ‘genetic data’ in the later versions of the regulation. That is mainly because genetic data is already a result of analysis of biological materials. [43] Genetic data is generally understood to be information by itself, and while possible, it is usually not a subject of testing or examination to derive information, as we frequently do from body parts/ bodily substances. Therefore, it creates a temptation to read ‘genetic data’ and ‘biological samples’ back to the phrase with which the recital begins: ‘personal data concerning health should include...’ Otherwise, referring it back to the inner phrase which reads: ‘Information derived from testing/examination of...’ would end up being, ‘information derived from testing/examination of information about heritable characteristics of individuals. That, in turn, ends up being ‘Information derived from testing/examination of information.’
While not particularly strong, this can be taken as a reasonable interpretation of the wordings of the compromise text. But, it still remains ambiguous at this point. This interpretation also advances the attainment of the general objectives [44] of the regulation set out by the Commission, particularly the first objective: helping citizens to be in control of their data. [45] After all, the very conception of privacy is ingrained in the protection of personal integrity, which, at some level, requires extending protection to our biological materials.
However, towards the end of writing this study, the official text of the Regulation was published in the EU Official Journal on 4 May, 2016. [46] Recital 35 in the preamble to the official text of the regulation clarifies some of the issues raised with in recital 26 of the previous versions. The relevant part of the recital reads:
“Personal data concerning health should include … information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples…” [47] (emphasis added)
The addition of the preposition ‘from’ now makes it difficult to read ‘biological samples’ back to the beginning of the recital. It should be read with the phrase ‘information derived from testing or examination of...’ This implies the absence of positive intention by the architects of the regulation to consider biological samples to be personal data. The previous version can, therefore, be considered a result of poor draftsman-ship.
Having said this much about the DPD and the GDPR, I will now briefly turn to the status of biological materials under European case laws, and national legislations. The focus of the study being on the legal regime at the European level, the coverage of national legislation will be brief. As far as national laws are concerned, they appear to be divided along geographic lines. Many western European countries tend to adopt the view that biological materials are not personal data while some eastern European countries have taken the opposite stance. Bulgaria, Estonia, Latvia and Romania are among eastern European countries that recognize body samples as data in contrast with other western European countries like Spain, Portugal and Germany. [48] Outside Europe, the Australian state of South New Wales’s privacy and information legislations clearly include bodily samples in their definition of personal information. [49]
As was the case for data protection in general, case law on the issue of ‘biological materials as data’ has not been abundant. While there is a considerable number of case law relating to data protection today, many of them have hardly shed any light on the issue of bio-materials as data. That could be attributed, at least in part, to the level of awareness of the European population regarding the systemic accumulation and use of biological materials in general. For instance, it is not only unclear what bio-banks are used for or how their use may affect the status of fundamental rights but it also is not widely-known that they even exist. One study of the European Commission found that more than two-thirds (67%) of Europeans have never even heard of the term itself. [50] Only 2% of the population has actively inquired into and searched for bio-banks. [51] As awareness rises on what bio-banks are, how they are used, and their adverse effects on privacy, it can be expected to lead to privacy litigations which would involve biological materials.
Among the few instances in which courts dealt with this issue are the cases of S and Marper v United Kingdom [52] handed down by the European Court of Human Rights and the decision of Norwegian Data Inspectorate.
In Marper the European Court of Human Rights essentially ruled that the retention of fingerprints, cellular samples and DNA profiles of individuals arrested but who are later acquitted or have charges against them dropped is a disproportionate interference to their right to privacy under Article 8 of the European Convention on Human Rights. That being the chief finding of the court in this judgment, the court has also directly, though scarcely, addressed the issue of human tissue samples. It found that cellular samples constitute personal data within the meaning of Data Protection Convention:
“The Court notes at the outset that all three categories of the personal information retained by the authorities in the present cases, namely fingerprints, DNA profiles and cellular samples, constitute personal data within the meaning of the Data Protection Convention as they relate to identified or identifiable individuals. The government [UK] accepted that all three categories are “personal data” within the meaning of the Data Protection Act 1998 in the hands of those who are able to identify the individual.” [53]
While a remarkable judicial activism, the effect of this view in the judgment is limited in a number of ways. It figured only marginally in the judgment because the court did not need to delve in to the issue of biological material as application of Article 8 ECHR, on which the judgment is based, does not turn upon whether ‘data’ or ‘information’ are/is processed but on whether or not there is interference with the right privacy. Also, the court does not have a legal mandate of interpreting the Data Protection Convention. [54]
It is also worth mentioning here that in prior litigation of the case in the UK by the House of Lords, the issue of bio-samples as data is directly touched upon by Baroness Hale. She argued that the same privacy principles should apply to all the three (fingerprints, DNA profiles and cellular samples), essentially, because they are all kept for and as ‘information.’ Those are her words:
“But the only reason that they [samples] are taken or kept is for the information which they contain. They are not kept for their intrinsic value as mouth swabs, hairs or whatever. They are kept because they contain the individual's unique genetic code within them. They are kept as information about that person and nothing else. Fingerprints and profiles are undoubtedly information. The same privacy principles should apply to all three.” [55]
As will be discussed in the next section, Hale’s point forms one of the basic arguments put forth in favor of considering bio-samples to be data/information.
There is no consensus on the issue of whether human biological materials should be treated as personal data. Some scholars, commentators and agencies enforcing data protection laws have taken the view that personal data should not be seen to include biological materials for the purposes of data protection laws. The Article 29 Working Party [56] and the UK’s Information Commissioner’s Office (ICO) [57] are cases in point. In its opinion where it clarifies the concept of personal data under the DPD, the Working party makes a clear distinction between biometric data — which it rightly considers as personal data — and human tissue samples from which biometric data is extracted, which it is opined not to constitute personal data. In the Working Party’s words:
“Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply.” [58]
In a similar way, the official view from the UK’s Information Commissioner is reported to be analogous: a sample is not treated as personal data, ‘because it is physical material’. [59]
On the other hand, even though much of the data protection law and policy have been operating on such distinction, scholars [60] have questioned the logic underlying the distinction between human biological materials on the one hand and personal data on the other. Those pushing the view that biological material may be personal data or information tend to pay more regard to pragmatic considerations, such as the need to fill lacunae in bio-bank regulation, the growing ease with which persons can be identified from biological material, and the fact that such material is often only stored for generating information. [61] Others who take the view that biological material does not constitute personal data depend on conceptual logic claiming that “data is a formalized representation of objects or processes, while information comprises a cognitive element involving comprehension of the representation.” [62] In the following sections I will analyze whether such conceptual distinction still makes sense, at least as far as (human) biological materials are concerned, in relation to recent developments in the field of bio-technology.
The discovery of the structure and basic nature of DNA (deoxyribonucleic acid) as carrier of human genetic information around mid-20th century [63] brought about significant development of how we understand the code of life. It has been argued that the discovery of DNA, as well as our understanding of its structure and functioning, may well be the most important discovery of the last century. [64] The effect of the discovery of DNA on scientific and medical progress has been enormous, whether it involves the identification of our genes that trigger major diseases or the creation and manufacturing of drugs to treat these devastating diseases. [65]
Among the noteworthy effects of this discovery (reinforced later by the genome project [66] ) is the characterization of DNA as a recipe of life; a carrier of information based on which our cells make the necessary protein. That means the very essence of all living cells which make up a human person are the products of those information. But before that analysis, it will be important to say few words on the nature and meaning of DNA to put the discussion in context.
Our bodies are made from billions of individual cells, and DNA is the control center of each and every cell. [67] DNA is the hereditary material in humans and almost all other organisms. Nearly every cell in a person’s body has the same DNA. [68] Therefore, almost every cell in our body houses a complete set of our hereditary materials, i.e., the genome.
On a deeper level, DNA consists of a strand of four nucleotides called adenine, guanine, cytosine, and thymine, commonly abbreviated to A, G, C, and T, respectively. [69] A particular arrangement of these nucleotides forms a gene. Genes specify the kinds of proteins that are made by cells. [70] That means, the sequence of the nucleotides are read to make a particular type of protein that our body needs. It is from that information that proteins are made.
Almost everything in the body, from hair to hormones, is either made of proteins or made by them. [71] Therefore, as a protein forms the building blocks of our body, it literally means that we are made up of information read from our DNA, the arrangement of nucleotides. That is why Matt Ridley wrote “the idea of the genome as a book is not, strictly speaking, even a metaphor. It is literally true.” [72]
This striking scientific discovery about our body is at odds with the traditional conception of distinguishing data as (medium representing reality) opposed to information (comprehension of the representation), at least as far as the body is concerned. The human body itself is a construct of information; information which instructed the formation of proteins, which, in turn, make up our body. [73] The conceptual rigor, thus, begins to crumble when we closely scrutinize the human DNA.
In addition to being a source of our genetic code, it is now understood that DNA also possesses a capacity to carry external information; a scientific breakthrough has discovered that it can carry external large size information for a long time. [74] But, that development still remains nascent.
In addition to the scientific facts revealed about our DNA, the conceptual distinction between data and information is also challenged by multiple other developments that blur the clear boundary between biology and technology.
First, after the Human Genome Project, another initiative labelled ‘America’s next big thing’ [75] in neuroscience research, called the ‘BRAIN’ (Brain Research through Advancing Innovative Neuroethologies) was announced by President Obama in his State of the Union address of January 2013. [76] The BRAIN initiative aims to decode the tens of thousands of connections between each of the ~86 billion neurons [77] that form the basis of human brain. [78] That means, as the Human Genome Project sequenced all our genes, the BRAIN initiative will map all of our neurons. That can be said to be the general goal of the initiative.
The unstated goal of this initiative, the part directly germane to this study, is eloquently described by Dr. Michio Kaku, Professor of Theoretical Physics at City University of New York in his 2014 book titled ’The Future of the Mind.’ [79] The ambitiously expected main output of this project is what scientists call a connectome: a comprehensive map of neural connections in the brain which encodes all our memories, dreams, hopes and desires, perhaps, on a CD. This raises very important questions: by putting together a CD of a person’s connectome with their genome, are scientists creating, in some sense, immortality? [80] Because even after people are dead, their body could be revived from their genome and their consciousness can be restored from their connectome. That means that we can continue to live, even after we are dead, as information. That possibility that we can still continue to live as information tempts us to conclude that we are nothing but information.
Secondly, the undergoing various forms of ‘human enhancement projects [81] ’ are clouding the boundary between human body and technology. Our body may no longer be limited to what it is today; [82] its shape, composition and, as a result, its capabilities are radically changing. It is now clear that "human enhancement" is a reality and not just a product of science fiction. [83] Even more so as technological advances will imminently provide various devices that will interface with the human body in various ways. [84]
Thirdly, the steadily growing accumulation of human biological samples in bio-banks [85] , and the increased deployment of biometric technologies in every sector are also ‘informationalizing’ the human body by converting features of it in to processable digital data.The upsurge in the proliferation, coverage, sophistication and uses of bio-banks is spurred in large part due to the advances in genetic science. [86] The need for identification/verification of persons in both public (like in forensic investigations) and private (such as private security) is largely the reason for the expansion in deployment of biometric technologies. Regardless of the reasons for their upsurge they have a clear common effect: conversion of particular aspects of physical existence into electronic data and digitally processable information.
All of these developments — from the sequencing of our genome, to the future mapping of our neurons, to the various human enhancement initiatives, and to our continued existence in the form of biometric information—undoubtedly challenge the conceptual separation between the human body, on the one hand, and information about it, on the other.
Dr. Irma Ploeg convincingly suggests that this should be seen as something more profound than constituting yet one more instance of the collection of “personal information”, as is more commonly done. Rather, the human body is implicated in a process of co-evolution with technology, information technologies in particular. [87] A new conceptualization of bodily existence; an emergence of new body ontology: body as information. [88]
In the previous section it is argued that the conceptual distinction between biological material and information can no longer be logically defended for all the reasons discussed therein. In this section, I will turn to the more pragmatic, and more importantly persuasive, reasons for extending the definition of ‘personal data’ to have a room for biological materials.
4.2.1. Indistinguishable Interpretive Potential [89]
If one is concerned about practically preventing adverse effects on the right to privacy, what matters most is the interpretive potential of data/source i.e. the ability to generate information that can be linked, not just the assumed availability of identifiable information. If any concerning, from a privacy-related viewpoint, identifiable information can easily and readily be generated from a given source — which more often is the case for biological samples — then that raises as much privacy concerns as the information derived from them would. We can consider two important, but related, reasons to substantiate this sameness in interpretation potential between the two.
First, if interpretation [90] is the reason for the distinction, even recorded information will undergo an interpretation before it informs. Taylor observes that: it remains the case that data (as recorded information) must always be interpreted before its meaning can be understood: records must be read. If the privacy protection established by the Directive extends to include the physical record of information, then the viability of any division between (biological) sample and information built upon the former’s need for subsequent interpretation crumbles. [91]
Secondly, even if recorded information might be said to have an imminent and easy potential to inform than a biological material before it is interpreted, this would not lead to the conclusion that the relative ease in accessibility of recorded information puts right to privacy any more vulnerable than biological materials. It all depends on the availability of the necessary interpretive framework to derive readily accessible information from the samples. A western person, born and raised in the west, may not be able to be informed by having access to ‘information’ written in an eastern script — say Mandarin. But that does not, in any way, mean that the ‘Mandarin text’ is not recorded information. It just means that, for that text to inform, the necessary framework should be in place: the skills to read and understand Mandarin.
Thus, recorded information and biological samples have an indistinguishable potential of putting right to privacy in jeopardy. In some situations, however, a concern from biological samples could be much worse. Interpreted information may be manipulated, if necessary, to meet certain privacy standards while biological materials will always be available to give away any information in the open. While the manipulation of data may seek to make certain information more accessible, it might also seek to obscure it (e.g. through coding), and the source data may remain interpretable in any event. [92] In this regard, Taylor argues that even information, not just samples, can be subjected to new interpretation, thus, sharp distinction should not be drawn between recorded information and bio-samples. [93]
While Taylor’s argument is valid, it should be noted, however, that bio samples are more susceptible to a new form of interpretation, as they are often kept for interpretation and only for interpretation. That makes, in some situations, biological materials even more worrisome in terms of privacy than information derived from analysis of such materials.
Similarly, the interchangeable usage of the words ‘information’ and ‘data’ both in the law and policy circles — including in the DPD — and in our day-to-day usage is yet another tribute to similar effects that they produce implying absence of a real reason to distinguish the two. Two reasons are worth mentioning for such interchangeability. The first one explains why we, hitherto, use the two words interchangeably, and the second pertains to why we will, perhaps, continue to do so even more in the future.
First, information derived from interpretation of data can then be recast and used as data for another interpretation in a way that we are tempted to use the two words interchangeability. [94] From a given national census, for instance, sex and age ‘data’ can be used to derive ‘information’ about the percentage of the youth in a relevant population which can, in turn, be used as ‘data’ for youth centered policy making. In the same token, information derived from biological materials can be used for another analysis as data.
Secondly, pervasive, repeated and systematic extraction of information from human biological materials would eventually end up making the bio-samples themselves ‘information’ mainly because the extraction is of such extensive nature and the sole reason they are stored is for information. This trend can be paralleled with the gradual change in meaning of the search engine ‘Google’. Because of large scale usage of this service, ‘searching’ on the web by authoring some key words came to be analogous as ‘Googling.’ This development came from the repeated and extensive use of ‘Google’ for indexation even if Google still remains just one search engine provider and the term does not have any semantics indicating ‘search.’ In a similar way, continuous and pervasive derivation of information from biological materials means that it is more and more tempting to use the two words interchangeably. Thus, a time may come when we could call ‘bio-sample’ as information and not just ‘data.’ It all depends on how easily-accessible the interpretative frameworks are and how frequently we use them.
The other major benefit expected from the inclusion of biological materials in to the concept of personal data is the anticipation of filling the regulatory vacuum in bio-banks. What makes this regulatory vacuum all the more germane to data protection discourse is the fact that it is manifested in the incapacity to effectively preserve the fundamental rights of privacy and data protection of participants, even though such is one of the primary objectives of bio-bank regulations. In this regard, an EU Commission’s study on Bio-bank governance notes ‘one of the main challenges has been, and still is, to identify ways to protect the autonomy and dignity of patients and research participants and their fundamental rights (e.g. private life and data protection, especially in case of loss of control on personal data/data misuse, discrimination) with fostering the public interest in carrying out medical research to address the central public health challenges (such as cancer, cardiovascular and metabolic diseases.)’ [95] The same study reiterates absence of clear legal framework governing bio-banks as one of the major problems for the imbalance against protection of fundamental rights. [96] With relatively comprehensive rules and well-established enforcement mechanisms, data protection laws can serve as a better mechanism, even though the latter also have their own limitations. [97]
As it stands today, the existing data protection regime in the EU protects information that relates to us but does not, strictly speaking, protect us. Even by layman standards, leaving out bio-materials may not be considered as the right thing to do. To make full sense of how morally questionable the current system is, one needs only to consider two facts against which this moral claim should be assessed. One is the fact that the starting point of discussions on the right to privacy has usually been a concern for bodily integrity. The division between informational privacy and bodily privacy are made fictitious by technological development, especially since the past decade. In this regard, the Australian Office of Federal Privacy Commissioner, back in 2002, rightly noted:
“... an attempt to maintain a clear demarcation between different types of privacy protection may be problematic in light of new technologies which involve the merging of biology, mathematics and computer science, namely, biometrics and bioinformatics. Such developments give rise to new forms of body templates or records which further blur the distinction between personal information and its source in individual humans, rendering the concepts of information privacy and bodily privacy inherently interrelated.” [98]
Secondly, in the face of such division, the regulatory landscape pertaining to bio-banks has largely been uncoordinated and ineffective, as noted above. Therefore, not only does this fact stand in contrast to the original conception of privacy, thus failing the very essence of its inception, but the human body is also failed by the disarray in the regulation of bio-banks.
Against these two backgrounds alone, is it morally indefensible to protect information about individuals but not individuals themselves, or a sample taken from them. The human body or a sample taken from it is one of the most sacred representations of one self. To argue that a fingerprint represents the finger while a sample doesn’t represent the person is not only morally questionable but also logically weak. Distinction should also be made between the human body/sample as source of data/medium and other sources of data as integrity and privacy is often an issue when human body is involved.
Despite crumbling conceptual rigor that distinguishes human biological materials from data/information, and various pragmatic considerations that increasingly challenge such distinction, collapsing differences that were maintained in the regulatory discourse for such a long time is not without its own drawbacks.
The inclusion of a new subject matter in to the scope of application of data protection law, to the least, demands a closer look at the existing subjects of the law to see whether it properly fits with the law’s regulatory apparatus. Data protection law already suffers from regulatory overreaching in the sense that its rules tend to apply prima facie to a wide range of activities with relatively scant chance of being respected, let alone enforced. [99] The Data Protection Directive is, for instance, said to have a long arm with application to multiple actors based outside the European Union. [100]
Article 4(1) (c) of the data protection Directive epitomizes one such long arm. This provision subjects any controller located anywhere in the world to European data privacy regime when it utilizes an equipment situated in any member state for the purpose of processing personal data. [101] The General Data Protection Regulation, perhaps, does more than the directive in this regard. [102]
The other problem in the inclusion of biological materials in to the scope of data protection regime comes from the inadequacy of the current rules to meet the normative position of consent in the laws currently concerned with regulation of biological materials. The fundamental principle that underpins the governance framework of human biological materials in general is the need to obtain voluntary and informed consent of participants. The history of how biological materials were governed — such as by the European Convention on Human Rights and Biomedicine, and Declaration of Helsinki [103] show that consent is unequivocally important as it occupies a central normative position. The Convention on Human Rights and Biomedicine stipulates that an intervention in the health field may only be carried out after the person concerned has given free and informed consent to it. This person shall beforehand be given appropriate information as to the purpose and nature of the intervention as well as on its consequences and risks. [104] The interests and welfare of the human being shall prevail over the sole interest of society or science. [105] In addition to securing free and informed consent for the purposes of medical research the convention requires other safe guards like making sure that there is no alternative of comparable effectiveness to research on humans. [106]
In this regard, the Data Protection Directive or the Regulation are too liberal to accommodate what is customarily and legally expected if biological materials were to be governed by these regimes. That requires the role of consent under the directive and the General Data Protection Regulation to be seen more closely.
-
Does Consent Play Central Role under the Current EU Data Protection Regime?
Broadly speaking, data subject’s consent is one of many control mechanisms [107] in which data subjects, as active actors in data protection laws [108] , influence the data processing operations of controllers. Though there are some non-negligible reasons, in particular for sensitive personal data, more convincing evidences suggest that consent does not play any central role in the existing data protection regime. There are, however, more stringent requirements for consent of the data subject with regard to processing sensitive data. In principle, processing sensitive personal data is prohibited. In addition, the jurisprudence of the European Court of Human Rights (ECtHR) in some of the cases — such as Z v Finland and MS v Sweden — suggest normative importance of data subjects’ consent regarding sensitive data, particularly, medical information. Thus, the problem can, somehow, be mitigated by the fact that consent enjoys relative central role under the directive with regard to sensitive data. That is because biological materials would most probably belong to the category of sensitive data as data concerning health under article 8(1) of the directive.
Generally, however, under articles 7 & 8 of the DPD, consent is not only just one precondition among the alternatives for legitimate processing, member states are also allowed to introduce new grounds for reasons of substantial public interest. [109] Similarly, the EU Charter of Fundamental Rights provides: personal data can be processed “on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” [110] While consent is expressly mentioned, the Charter makes it clear that personal data can be processed on the basis of other legitimate grounds laid by law.
In addition, from a pragmatic viewpoint, the DPD incentivizes data controllers to first utilize other preconditions — such as the one under article 7(f) — and employ consent when a processing exercise can’t be justified under those grounds. This flows from the cost and delay involved from securing consent and, the desire to avoid the possibility of refusal by the data subject.
Though all these facts demonstrate absence of normative priority, a closer look at at-least some of the preconditions tells us that they are framed on the assumption that ‘if the data subjects were asked to consent, they would have agreed to the processing.’ The preconditions like ‘necessary to protect vital interests of the data subject’ and ‘necessary for performance of contract in which the data subject is a party’ are examples in point. Therefore, I would argue, that the other preconditions also aren’t completely devoid of an element of consent. Consent can still be read in to them in its broadest and indirect/implied sense.
However, what is problematic is not just that consent does not play a central role under the existing regime; there are also convincing arguments against a central role of consent as a precondition for data processing. First, there are legal problems in properly delineating the requirements of consent, for instance, how informed should consent be under article 2(h) of the DPD. Secondly, the degree of choice presupposed by consent mechanisms will often not be present for certain services or products, particularly those offered by data controllers in a monopoly (or near-monopoly) position. [111] Thirdly, despite the requirements of informed consent and notification (for instance articles 10&11 of DPD) controllers will typically have greater knowledge about their data processing operations than will the subjects. [112] The asymmetry will further weaken the ‘informed’ nature of data subject’s consent. Finally, problems of consensual exhaustion, laxity and apathy – in addition to ignorance and myopia – can reduce the amount of care that data subjects invest in their decisions of whether or not to consent. [113]
Therefore, not only is it doubtful that consent plays a central role in the processing of personal data — including sensitive data — but it is also, arguably, not desirable that it plays such a central role. Yet, it remains central in other laws traditionally concerned with human biological materials. Thus, the extension of the DPD or the GDPR [114] to biological materials only poorly meets the central normative position of ‘consent’ in laws currently governing biological materials. As indicated earlier, this problem can, somehow, be mitigated by the fact that consent enjoys relative central role under data protection laws when it comes to sensitive data, the category to which biological materials would most probably belong.
Yet another major concern in trying to extend the scope of data protection regime is the fear that the enforcement of the law, that includes biological materials, would require strong data protection authorities with additional competence to handle the particularities of biological materials. This problem gets even more alarming because the ability of data protection authorities to ensure effective compliance of the law is already under pressure as they are chronically under-resourced. [115] The addition of biological materials in their task sheet, thus, fuels the difficulty. Not only will the authorities need additional material resources, but they may also want personnel with broad and interdisciplinary professional background.
The analysis in this article is made in an endeavor to challenge the conceptual predispositions behind one of the building blocks of the definition of personal data under the current and en route EU data protection rules: the terms ‘information/data.’ Despite their importance, these terms are often taken for granted and insufficiently, if at all, defined in data protection discourse. As technology, particularly in the field of bio technology develops, however, a workable definition is increasingly needed because the blurring of the boundary between human body and technology may trigger application of laws intended for the informational world — such as data protection — to the biological world.
A close look at the Data Protection Directive, in this regard, reveals the absence of a positive intention by the architects of the directive to consider biological materials as data/information. While it makes mention of ‘biological materials,’ it does not appear that the General Data Protection Regulation is intended to be applicable to such materials. The DPD and its preparatory materials indicate that the architects did not have the issue of biological materials on the table. The same assumption, however, can’t be made about the General Data Protection Regulation as it introduces numerous tempting terminologies. By introducing proper terminologies such as — biological materials and genetic data — the architects of the regulation tried to create an appearance that the regulation applies to biological materials without providing any real substance in this regard.
The question of whether biological materials should be treated as personal data is far from consensus. Scholars who pay more attention to pragmatic considerations have forwarded the view that biological materials should be regarded as personal data/information. Other scholars, commentators and data protection enforcement authorities have opposed this view mainly based on conceptual logic, arguing that data is a formalized representation of objects while information comprises cognitive elements involving comprehension of that representation. [116]
However, a range of developments in molecular biology and nano-technology, largely mediated by advances in ICT, are at odds with the conceptual distinction between data and information. First, proteins — which make up the basis for almost everything in the human body — are made as per ‘the information’ obtained by reading the order of strands of nucleotides in our DNA. Thus, information lies at the very origin of life. Secondly, ambitious scientific initiatives such as the BRAIN (Brain Research through Advancing Innovative Neuroethologies) — which intends to decode neurons in our brain much like the Human Genome Project did for our genome — may lead to our continued existence as information. Thirdly, the ongoing human enhancement projects (HEP) are clouding the distinction between the human body and technology. Moreover, proliferation of bio-banks and the increasing deployment of biometric technologies are converting aspects of our bodies in to processable digital data.
In addition, multiple pragmatic considerations beseech the collapse of the distinction between data, as carrier, and information, as a result of processing data. First, it is difficult to find distinguishable interpretive potential between data and information; it all turns on availability of the right interpretive framework. Secondly, the lacunae in the regime governing bio-banks might be assisted by the more comprehensive rules under data protection, which also possesses better enforcement mechanisms. And finally, considering biological materials only as a medium may, sometimes jeopardize our fundamental rights even more, thus, making maintenance of the distinction morally indefensible.
Despite a crumbling conceptual rigor that distinguishes human biological materials from data/information and various pragmatic considerations that increasingly challenge such distinction, collapsing differences that have been maintained in the regulatory discourse for such a long time is not without its own drawbacks. First, it will overstretch the rules that are already said to have a long arm which may be counterproductive for their effective enforcement. Secondly, while ‘consent’ enjoys a relatively central role under the directive when with regard to sensitive data—the category to which biological materials would most probably belong — it is doubtful that consent plays or would play a central role in the processing of personal data in general. As consent remains central in other laws traditionally concerned with human biological materials the extension of the DPD or the GDPR to biological materials only poorly meets the normative position of consent maintained by these laws. Finally, extending biological materials to the data protection regime would demand DPAs to have more financial and human resources with the requisite skills to handle the peculiarities of biological materials.
* Worku Gedefa Urgessa, University of Oslo — Norwegian Research Center for Computers and Law, Oslo, Norway. The author would like to thank Professor Lee A. Bygrave for his valuable support and constructive comments on the earlier versions of this work.
[1] Lee Bygrave (2014), Data Privacy Law, an International Perspective, Oxford University Press, Oxford p. 8-15; See also, Article 29 Working Party, “Opinion 4/2007 on the Concept of Personal Data,” Adopted on 20th June, 2007, 01248/07/ENWP 136, p.5. Recital 4 in the preamble to the DPD makes a similar assertion.
[2] Paul Schwartz & Solove Daniel, “The PII Problem: Privacy and a new Concept of Personally Identifiable Information,” New York University Law Review, Vol. 86, (2011), p. 1820.
[3] The U.S., however, lacks a comprehensive set of data protection rules as is available in Europe and relies instead on sector specific rules. (See, Bygrave (2014), p. 110-12).
[4] See Article 16 of the Treaty of the Functioning of the European Union and Article 8 of the Charter of Fundamental Rights of the European Union.
[5] The first national Data Protection law was enacted by Sweden in 1973 (Sweden’s Data Act); repealed and replaced by Personal Data Act of 1998; the first data protection law ever enacted was the Data Protection Act passed by the German Land Hassen in 1970. (See, Bygrave, 2002, p. 179, 187).
[6] According to the notorious ‘Moore’s Law’ (an observation named after Gordon E. Moore of Intel) computer power (i.e. transistor count on an integrated circuit) continues to double every two years at least for another decade.
[7] Article 2(a) of the DPD reads: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified , directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The definition remains essentially the same in the new General Data Protection Regulation.
[8] For an overview of the elements of the definition, see, Article 29 Working Party’s Opinion no. 4/2007 on ‘the concept of personal data.’
[9] In this article the phrase ‘biological materials’ is used to describe a natural substance taken from a living human — such as blood or tissue — where information contained in the material can be traced back to the individual.
[10] See Lee Bygrave, “Information Concepts in Law: Generic Dreams and Definitional Daylight,” Oxford Journal of Legal Studies, Vol. 35, No.1 (2015): 1-30; Lee Bygrave, “The Body as Data? Bio-bank Regulation via the “Back Door” of Data Protection Law,” Law, Innovation and Technology Vol. 2, issue1 (2010): 1-25; Irma van der Ploeg, “Genetics, biometrics and the informatization of the body,” Ann 1st Super Sanità, Vol. 43, No. 1, (2007): 44-50, and Mark Taylor, Genetic Data and the Law: A Critical Perspective on Privacy Protection, Cambridge University Press, 2012, Chapter 7.
[11] The A29WP as well, in its opinion 4/2007 where it defined the concept of ‘personal data’, took the term ‘data’ for grated and had never even asked the question.
[12] Bygrave (2015), p. 107-111.
[13] By clear definition it is not meant here to necessarily create a distinction between the two terms; clarifying them to be synonyms works well.
[14] As will be discussed further below, these technological developments include: the advancement in ICT and Biotechnology which enabled an ever greater generation of information from biological materials, and making them core constitutive elements of information systems. (Bygrave, 2015, p. 93) In addition, developments in nano-technology and neurology are also blurring the boundaries between technology and human body.
[15] Bygrave (2015), p. 94.
[16] Available at: http://www.oxforddictionaries.com/definition/english/data , last accessed 23 May 2016.
[17] Available at: http://www.oxforddictionaries.com/definition/english/information , last accessed 23 May 2016.
[18] The thesaurus also lists other related words like facts, figures, input, documentation and file as synonyms to data/information.
[19] Available at: http://www.oxforddictionaries.com/definition/english-thesaurus/information , last accessed 23 May 2016.
[20] Paolo Atzeni et al, Database Systems: Concepts, Languages and Architectures (McGraw-Hill, 1999) p. 2; Chrisanthi Avgerou and Tony Cornford, Developing Information Systems: Concepts, Issues and Practice (Macmillan, 2nd eds 1998) p. 115.
[21] For instance, recital 26 in the preamble to the DPD uses both ‘information’ and ‘data’ in the same context when it tries to delimit the application of data protection principles. This is problematic because, even when human biological materials may be considered as ‘data’, along the lines of the conceptual distinction between information on one side and data on the other, the directive does not make sense of such distinction.
[22] Bygrave (2010), p. 13.
[23] Ibid.
[24] Commentary of the Commission, October 1992: COM (92) 422 final—SYN 287, p. 9.
[25] Ibid.
[26] A person can be identified....indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria.
[27] Commentary of the Commission, October 1992: COM (92) 422 final—SYN 287, p. 9.
[28] By positive intention I mean a deliberate and calculated move from the architects to consider biological materials as personal data.
[29] Commentary of the Commission, October 1992: COM (92) 422 final—SYN 287, p. 12.
[30] The Stockholm Programme — An open and secure Europe serving and protecting citizens, OJ C 115, 4.5.2010, p.1.
[31] COM(2012) 11 final.
[32] Bird & Bird, EU Framework Revision: Overview, at: http://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision , last accessed 23 May 2016.
[33] Ibid.
[34] Ibid.
[35] European Commission, Personal Data Protection, available at: http://ec.europa.eu/justice/data-protection/ , last accessed 23 May 2016.
[36] The word is mentioned for the first time in EU instruments on data protection.
[37] Recital 26 of the preamble to the Proposed General Data Protection Regulation.
[38] “Informationen, die von der Prüfung oder Untersuchung eines Körperteils oder einer körpereigenen Substanz, darunter biologischer Proben, abgeleitet wurden” (See, Bygrave (2015), p. 6).
[39] Case-283/81, CILFIT v Ministry of Health [1982], Para. 18.
[40] Ibid, Para. 20.
[41] The compromise text mentions the phrase ‘biological samples’ at three different instances in the regulation. The first being in recital 26, the other two are made in relation to elaborating and defining ‘genetic data’ under recital 25(a) and Article 4(10) respectively.
[42] See recital 26 in the preamble to the GDPR (the compromise text).
[43] Recital 25(a) and Article 4(10) of the compromise text of the regulation clearly testify to the fact that genetic data results from the analysis of biological samples.
[44] The Commission sets out three general objectives for the regulation, See The Proposal for GDPR, P. 102.
[45] Some commentators, though, have argued these objectives are based on fallacious assumptions, thus, unattainable. See, Koops, B.J. (2014) “the trouble with European data protection law,” International Data Privacy Law, Vol. 4, No. 4.
[46] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[47] Recital 35 in the preamble to the GDPR (EU Council’s Position with the view of adoption, 6 April, 2016).
[48] See, Bygrave (2010), p. 16-17 for references.
[49] Section 4(2) of Privacy and Personal Information Protection Act 1998, section 5(2) of the Health Records and Information Privacy Act 2002 and the Government Information (Open Access) Act 2009, Schedule 4, clause 4(2).
[50] EU Commission(2012), Bio-banks for Europe: A challenge for governance, P. 24.
[51] Ibid, p. 25.
[52] S and Marper v United Kingdom, European Court of Human Rights, (App no 30562/04 and 30566/04), 4 December 2008.
[53] S and Marper Vs UK, para. 68.
[54] For detailed analysis of this decision, see Bygrave (2010) p. 7-13.
[55] S, Regina (on application of) v South Yorkshire Police, [2004], Para.70.
[56] The Article 29 Working party (A29WP) is an independent advisory body established by the Article 29 of the EU Data Protection Directive.
[57] The ICO is the UK's independent body set up to uphold information rights in general, including those under the UK Data Protection Act.
[58] A29WP, Opinion 4/2007, p. 9.
[59] Beyleveld, Deryck et al., “The UK’s Implementation of Directive 95/46/EC” in, Deryck Beyleveld et al (eds.)Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate, 2004 P. 428.
[60] Bygrave (2010); Bygrave (2014); Taylor (2012), Chapter 7; Ploeg (2007).
[61] Bygrave (2015) p. 7, Bygrave (2010) p. 8-9.
[62] Ibid, p. 6-7.
[63] The chemical DNA was first discovered in 1869, but its role in genetic inheritance was not demonstrated until 1943. In 1953 James Watson and Francis Crick determined that the structure of DNA is a double-helix polymer, a spiral consisting of two DNA strands wound around each other. (Encyclopedia Britannica: Science and Technology).
[64] Murnaghan (2016), available at Explore DNA, http://www.exploredna.co.uk/the-importance-dna.html , last accessed 23 May 2016.
[65] Ibid.
[66] The Human Genome Project (HGP), undertaken from 1990 - 2003 with billions of dollars involving multiple continents, was an international scientific research project with the goal of determining the sequence of chemical base pairs which make up human DNA, and of identifying and mapping all of the genes of the human genome from both a physical and functional standpoint.
[67] Calladine, Chris, Horace Drew, Ben Luisi and Andrew Travers, Understanding DNA: The Molecule and how it Works. London: Elsevier Academic Press, 2004, p.3.
[68] Some cells, like the red blood cell, do not have nucleus, thus, a DNA (Ridley, Matt. Genome: The Autobiography of a Species in 23 Chapters, New York: HarperCollins Publishers, 1999, P.6).
[69] Amos (2005), p. 6.
[70] Jeremy Berg, John Tymoczko and Lubert Stryer, Biochemistry. New York: W H Freeman, 2002, Chapter 5.
[71] Ridley, (1999) P.7.
[72] Ridley (1999) p.6.
[73] It may be important to note here that my argument is only limited to biological materials. The conceptual distinction, otherwise, still makes full sense elsewhere.
[74] See, Independent, Single DNA molecule could store information for a million years following scientific breakthrough, 17th August, 2015.
[75] Such project, though, is not of interest only in the United States of America; the European Commission has almost simultaneously announced the Human Brain Project with an award of 1.19 billion Euros. (See, Kaku (2014), p. 250).
[76] See, Isabelle Abbey, News and Views: The Brain Activity Mapping Project – What’s the plan? April 24, 2013 . Available at: http://thebrainbank.scienceblog.com/2013/04/24/news-and-views-the-brain-activity-mapping-project-whats-the-plan/ , last accessed 23 May 2016.
[77] Neurons are nerve cell s that carry information between the brain and other parts of the body (Cambridge Dictionaries Online).
[78] Ibid.
[79] Kaku, Michio. The Future of the Mind: The Scientific Quest to Understand, Enhance and Empower the Mind. New York: Doubleday, 2014, p. 252.
[80] Ibid.
[81] In the context of engineering, human enhancement can be defined as the application of technology to overcome physical or mental limitations of the body, resulting in the temporary or permanent augmentation of a person's abilities and features (See, Human Enhancement, Dartmouth Journal of Undergraduate Science, In Fall 2013 ).
[82] As a naturally (biologically) constituted being with natural organs, muscles, bones and bodily fluids.
[83] The Guardian: Yes, nano science can enhance humans – but ethical guidelines must be agreed, Monday 3 June 2013.
[84] Ibid; an article in Science magazine exemplified how machines can interact with living brains to allow wireless changes in behavior by the implantation of devices directly into the brains of mice. These devices could then be remotely controlled to activate different parts of the brain using light. (Science Magazine, Injectable, Cellular-Scale Optoelectronics with Applications for Wireless Optogenetics, 12 Apr 2013 (www.science.sciencemag.org)).
[85] Bio banks may exist in any forms; be it, tissue, blood, cell material, skin, gamete, or embryo banks.
[86] Bygrave (2010), p.3.
[87] Irma (2007), p. 47.
[88] Over the past century developments in the medical Sciences have resulted in various body ontologies like ‘the endocrinological body’ (in the early twentieth century) whereby the body is viewed as just biochemical entity. (Irma 2002).
[89] By ‘interpretive potential’ I am referring to the ability to generate (potentially) identifiable information.
[90] By ‘interpretation’ I mean mechanisms and processes that may be employed to derive information from biological materials.
[91] Taylor (2012), p. 162.
[92] Ibid, p. 163.
[93] Ibid, p. 164.
[94] Taylor (2012), p. 42.
[95] EU Commission(2012), Bio-banks for Europe: A challenge for governance, P. 45.
[96] Ibid, p.46-48.
[97] See, Bygrave (2010), p. 21-22, for details and references on similar problems of some European national bio-banks regulations.
[98] ALRC and AHEC, (2003), Essentially Yours, p.280.
[99] Bygrave(2010), p. 22.
[100] See Lokke Moerel, “The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites worldwide?” International Data Privacy Law, Vol. 1, No. 1 (2011): 28-46.
[101] Bygrave (2014), p. 202.
[102] The Regulation applies to controllers not established in the Union when they process personal data of European residents in relation to the offering of goods and services to them and monitoring of their behaviour (Article 3(2)). The Parliament’s version of the regulation, which has also made to the compromise text, even goes on saying that the goods and services need not be offered for consideration (The Parliament’s reading and the Compromise text of the GDPR, Article 3(2)).
[103] World Medical Association (WMA), World Medical Association Declaration of Helsinki: ethical principles for medical research involving human subjects, 2008.
[104] Council of Europe, Convention for the Protection of Human Rights and Biomedicine, Article 5.
[105] Ibid, Article 2.
[106] Ibid, Article 16.
[107] Other control mechanisms in which data subjects can influence processing of personal data can be: opposing a particular processing or withdrawing consent.
[108] We have two additional main actors in the operative sphere: DPAs and controllers (Bygrave 2014, p. 18-19).
[109] DPD, Article 8(4).
[110] EU Charter of Fundamental Rights, Article 8(2).
[111] Lee Bygrave, & Dag Schartum, (2009), “Consent, Proportionality and Collective Power,” In Serge Gutwirth et al. (eds.), Reinventing Data Protection? Springer, p.160.
[112] Ibid. p.160-161.
[113] Ibid. p.161.
[114] With some clarifications on the requirement of ‘consent’ the Regulation remains structurally the same with regard to the normative position of consent as a ground of processing personal data.
[115] Bygrave (2010), p. 22.
[116] Bygrave (2015), p. 6-7.