ABSTRACT
EU law does not regulate genetic research per se, but the latter is governed to a certain extent by data protection law. Regardless of the harmonizing efforts of the General Data Protection Regulation (GDPR), research regulations remain fragmented in the data protection framework. This is mainly due to the vast discretion granted to Member States in this regard in the GDPR.
Albeit the GDPR enabling data flows for research cooperation in the EU, it creates a hurdle for cross-border research by ignoring the intra-EU conflict of laws that inevitably arises in a fragmented regulatory framework. Imagining ways to solve the dilemma of applicable national law under the GDPR generally is not that difficult, but becomes trickier in a research context. Whether the national data protection law of one or the other Member State is to be applied, either the interests of data subjects or those of researchers might end up compromised.
Keywords: genetic research, General Data Protection Regulation, intra-EU conflict of laws, applicable law, rights of data subjects, Article 11 GDPR
I. INTRODUCTION
Research is an area traditionally regulated by ethics rather than law. Even when it comes to research involving humans, there are only few supranational legal rules, though there are plenty of international ethics instruments.1 As to legally binding acts, there is the Oviedo convention2 with its additional protocol governing biomedical research specifically.3 However, the convention itself only touches upon the most basic questions of human research in the few articles that govern it,4 whereas only five EU Member States and total of 11 countries have ratified the additional protocol concerning research.5 Furthermore, both the Oviedo convention and its additional protocol only concern research that entails interventions on humans (ie human subject research), but not human data research (ie research entailing secondary uses of biospecimens and the data derived therefrom).6
In terms of research regulations on the EU level, although EU law does not govern human research per se—other than in regard to clinical trials on medicinal products for human use7—it does so via data protection law. The latter governs certain aspects of the use of personal (including genetic) data in research. Since the General Data Protection Regulation8 (‘GDPR’) was meant to harmonize data protection rules across the EU, one might assume that this would also render the regulatory context for personal data use in research more comprehensive and harmonized than it was under the data protection directive9 (‘Directive 95/46/EC’). However, the outcome seems to be quite the opposite since the rules governing the research use of personal data will in a large part be subject to national laws (or other EU law) and thus remain fragmented, whereas compared to Directive 95/46/EC the rules regarding the issue of a possible intra-EU conflict of laws scenario have been omitted from the GDPR.
This article aims to analyse the question of applicable national law within the data protection framework specifically in the context of genetic research. Unlike the rather broad10 definition provided for ‘genetic data’ under Article 4(13) GDPR, the term ‘genetic data’ within the context of this paper will be used narrowly as referring to human DNA sequencing data. The phrase ‘genetic research’ will be used as referring to research making use of human DNA sequencing data. The focus on genetic research specifically is motivated by two major factors. First, it is the potential privacy implications of human DNA sequencing data that merit this choice, as such data can never be fully anonymized11 and as it has essentially boundless informational potential12 that sets this particular type of sensitive data apart from other types of personal data. Second, genetic research often entails cross-border cooperation13 and exchange of genetic data, thus even more so highlighting the practical relevancy of the issue of applicable law. For example, in rare disease research within the EU there is a highly likely need for genetic data to be collected from individuals from more than one Member State to form a sufficiently big dataset in order to make any scientifically valid conclusions due to the simple fact that the disease to be researched has a low prevalence.
The first part of the article addresses the practical relevancy of the dilemma of applicable national law in the context of genetic research, elaborating on the respective discretionary clauses in the GDPR that render the regulatory picture fragmented. The second part analyses the problem of applicable national law under the GDPR more generally, whereas in the third and final part of the article, it will be examined whether the conclusions made in the previous section in regard to the intra-EU conflict of laws dilemma under the GDPR would be viable in terms of cross-border genetic research as well. Furthermore, it will be argued in the final part that Article 11 GDPR might lessen the relevancy of the question of applicable national law as long as the genetic data is used in research in at least pseudonymized (eg coded) form, provided that one given researcher or research entity does not or no longer has a need to re-identify the individuals concerned, and cannot do so himself or herself (eg does not have access to the key code in case of coded data).
II. THE FRAGMENTED SUPRANATIONAL GOVERNANCE OF GENETIC RESEARCH
As noted in the introductory part of this article, on a European level, genetic research might be subject to the Oviedo convention14 and its additional protocol concerning biomedical research,15 depending on whether these instruments have been ratified and implemented into national law by a given country.16 However, as noted earlier, these legal acts do not concern research making secondary use of biosamples and genetic data. The Oviedo convention does establish a general rule for the secondary use of biosamples under Article 22. However, Article 22 only sets a minimum threshold of due notification,17 and leaves it for national laws to regulate the matter (Art. 1 of the Oviedo convention).18
On a national level, some countries might have specific provisions governing human or even more particularly genetic research,19 whereas others might not have any such provisions in their national laws.20 Thus, what remains is EU law.
II.A. EU law applicable to genetic research
On the EU level, the GDPR and Regulation 536/2014 on clinical trials (estimated to be applied as of 2019)21 both (will) regulate genetic research to a limited extent. It must be noted that Regulation 2017/746 on in vitro medical devices22 (applied as of May 26, 2022) will regulate genetic testing as well, however, only in a healthcare context, and not regarding research (see Article 4 of Regulation 2017/746).
Regulation 536/2014 will apply to genetic research if it is conducted as part of a clinical trial, as the scope of the regulation is limited to clinical trials conducted in the EU (Art. 1 of Regulation 536/2014). However, it will to a limited extent affect genetic research carried out outside of the clinical trial as well. Namely, in Article 28(2) Regulation 536/2014 will govern consent procedures in regard to the (future) uses of the personal (including genetic) data obtained during the clinical trial23 as lex specialis in regard to the GDPR (see Recital 161 GDPR). All processing activities with such data obtained during the trial will nevertheless be subject to data protection rules.24 Hence, as far as applicable law to (genetic) research is concerned, sponsors of clinical trials will face the same questions of applicable national law as any other researcher in the EU conducting cross-border research with genetic data. The major difference between the future research use of genetic data obtained during clinical trials, on the one hand, and that obtained outside of clinical trials, on the other, will be the breadth of consent, ie the legal basis which can be relied upon in order to further use the genetic data in research. Article 28(2) of Regulation 536/2014 will enable sponsors of clinical trials to use the data obtained during the trials in the future for any scientific purposes outside of the trial, provided that they utilize the possibility to obtain such a broad consent as referred to in Article 28(2) of Regulation 536/2014. The GDPR does not specifically regulate consent for the (future) research use of (genetic) data, but does in Recital 33 recognize that Member States may adopt rules to allow consent to be given for ‘certain areas of research’ instead of providing a specific purpose(s) in the consent as required under the general consent rules regarding sensitive data in Article 9(2)(a) GDPR.25
Though some other specific rules can be detected in Regulation 536/2014 concerning data protection rules in the realm of clinical trials, these are not truly impactful. For example, in Recital 76 of Regulation 536/2014, in regard to the effect of withdrawal of consent, it is noted that this ‘should not affect the results of activities already carried out, such as the storage and use of data obtained on the basis of informed consent before withdrawal’. The case is much the same under the GDPR, as the right to erasure and the right to object both have exceptions for research scenarios in Articles 17(3)(d) and 21(6) GDPR, respectively (hence enabling the further use of the obtained data in research, irrespective of possible withdrawal of consent, or desire to object on the part of individuals whose data is being used in research). Thus, the approach to the practical effect of withdrawal of consent in a research context in regard to the research use of already obtained personal data is much alike in both Regulation 536/2014 in terms of clinical trials and in GDPR in terms of any research making use of personal data.
Given the limited effect of Regulation 536/2014 on the research use of personal data, what remains of EU law in terms of genetic research is the GDPR. As a regulation concerning the protection of personal data, the GDPR, of course, is not a legal instrument specifically designed to govern human or genetic research. However, it does, to a certain extent, govern the use of personal data (including genetic data) for research purposes.
II.B. Genetic research under the GDPR
In terms of substantive rules under the GDPR, there are none concerning genetic data specifically, aside from the discretion granted to Member States under Article 9(4), allowing them to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’. Although the GDPR contains some significant exceptions in regard to the use of personal data in research, the use of sensitive personal data (eg genetic data) for research purposes will, as prescribed by Article 9(2)(j) GDPR, be subject to Member State or other applicable EU law (eg Regulation 536/2014 on clinical trials).26 The major exceptions that the GDPR does directly create to facilitate research interests are the exemptions from the purpose and storage limitations in Article 5 GDPR. Generally, personal data cannot be further processed for purposes other than those for which it was collected, and cannot be stored any longer than is necessary to fulfill such initial purposes, unless further storage and processing is done for, inter alia, research purposes (see Article 5(1)(b) and (e) GDPR). By lifting the purpose and storage limitations in the research context, the GDPR enables and facilitates the further use and flow of personal data for research and for cross-border cooperation in research within the EU.
The GDPR also recognizes the need for more lax consent rules in the research context; however, it does not establish any consent rules for research directly, but has given guidance in Recital 33 for Member States to do so. There are some other exceptions created for research in the GDPR, like the above-mentioned exceptions to the right to erasure (Art. 17(3)(d)) and the right to object (Art. 21(6)) when it comes to the research use of personal data.
Other than the few specific rules provided in the GDPR directly, the research use of personal data is subject to Member State or other EU law. Although the GDPR as a regulation of the EU is directly applicable and enforceable across all Member States—compared to its predecessor Directive 95/46/EC, which as a directive had to be implemented into national laws—in terms of research specifically, there are only few rules within the GDPR itself. This means that as far as research is concerned, the rules still have to be established under national or other EU law. Essentially, as the GDPR has left many important aspects of data processing in research to be regulated by Member State or other EU law, it has not really harmonized the research use of personal data across the EU, thus leading to the dilemma of applicable national law in cross-border scenarios.
II.C. Discretionary clauses under the GDPR for genetic research
In terms of the discretion granted to Member States under the GDPR for regulating genetic research through the lens of data protection, four major aspects can be detected.
First, as noted above, in terms of genetic, health, and biometric data, Member States can under Article 9(4) GDPR introduce further conditions and limitations, which might include rules regarding the research use of these types of data.
Second, as mentioned in the discussion above regarding clinical trials and Regulation 536/2014, the GDPR allows in Recital 33 for Member States to establish more lenient consent rules than those established under Article 9(2)(a) GDPR. Meaning that in research, consent does not necessarily have to set out a specific purpose(s). According to Recital 33 GDPR, national rules may establish that in research consent can be given more broadly, for ‘certain areas of research’ (though still not as broadly as stipulated under Article 28(2) of Regulation 536/2014 on clinical trials).27
Third, the use of (sensitive) data in research without consent will be determined by national law (ie whether and on what conditions processing without consent is possible).
Fourth, as established in Articles 9(2)(j) and 89(2) GDPR, in regulating research, Member States have the discretion to provide derogations from a number of data protection rights otherwise provided to data subjects under the GDPR, namely the right of access by the data subject (Art. 15), the right to rectification (Art. 16), the right to restriction of processing (Art. 18), and the right to object (Art. 21).
To illustrate the third and fourth points, the examples of Estonian, German, and Austrian law will be used.
Under the Estonian data protection draft law (as of April 2018),28 it will be the controller or processor who shall decide upon restricting the rights of the data subject embedded in Articles 15, 16, 18, and 21 of the GDPR. The controller or processor can restrict the referred rights of data subjects if invoking these rights is likely to render impossible or seriously impair the achievement of the scientific or statistical purpose.29 The explanatory note to the draft law makes no comment on this.30
‘Data controller’ within the meaning of the GDPR refers to the one (be it a natural or legal person, or a public authority, etc.) who determines the purposes of and means for the use of the data (Art. 4(7) GDPR). Whereas ‘data processor’ refers to the one carrying out processing activities as determined by the controller (Art. 4(8) GDPR). In this light, it is highly dubious why the Estonian draft law would grant the processor the power to decide upon restrictions concerning the rights of data subjects. What is more, the data subjects’ rights are established vis-à-vis the controller, and not the processor, making the inclusion of the processor in the referred clause even more illogical.
The Estonian approach resembles the relevant clause in the German implementation act.31 However, Section 27 of the German implementation act provides expressly in the law itself that, ‘The rights of data subject provided in Articles 15, 16, 18 and 21 of [the GDPR] shall be limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfillment of the research or statistical purposes.’ Section 27 further adds specifically that the right to access under Article 15 of the GDPR does not apply in the research context if the provision of information would involve a disproportionate effort.
Despite the difference in wording—with the Estonian draft law stating that it is the controller or processor deciding upon such limitations, and the German implementation act prescribing these limitations directly in the law—in either case, it will be the data controller who will ultimately have to demonstrate that enabling data subjects to invoke their rights under Articles 15, 16, 18, or 21 of the GDPR would render impossible or seriously impair the achievement of the pursued research purposes.
Unlike the Estonian and German examples, the Austrian data protection law32 does not seem to stipulate limitations to data subjects’ rights when it comes to research uses of (sensitive) personal data, as could have been done according to Article 89(2) GDPR. Furthermore, the Austrian law sets out in § 7(3)33 that special categories of personal data (including genetic data) may only be used for research purposes without the consent of data subjects upon the permission of the Austrian Data Protection Authority and in case there is important public interest in regard to such research (wichtiges öffentliches Interesse an der Untersuchung). Whereas its German counterpart34 approaches this from a slightly different angle, stipulating in Section 27(1) that special categories may be used in research without consent ‘if such processing is necessary for these [scientific research] purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data.’35
Thus, under Austrian law, the assessment to determine the legality of using (sensitive) data in research without consent seems to be an objective one, aimed at determining the existence of an important public interest in the specific research, and it seems that the assessment is carried out by the Austrian Data Protection Authority whilst considering whether to give permission or not. Whereas in the German case, the assessment seems to be a subjective one of weighing the interests of the researcher on the one hand, and those of the data subjects on the other. It seems from the German act that this assessment is to be carried out by the researcher himself.
II.D. Concluding remarks on the governance of genetic research under the GDPR
Essentially, the GDPR regulates the use of personal data in research as far as lifting the purpose and storage limitations in Articles 5(1)(b) and 5(1)(e), and creating further exemptions in certain regards to certain rights of data subjects (Arts. 14(5)(b), 17(3)(d), and 21(6) GDPR), and to the extent of establishing vague safeguard requirements in Article 89(1) and allowing Member States to establish significant derogations from the rights of data subjects in Article 89(2), whilst leaving the use of sensitive data in research to be regulated in Member State or other applicable EU law (Art. 9(2)(j) GDPR). Although the GDPR recognizes in Recital 33 that in terms of research more lax consent requirements might be necessary by allowing consent to be given to ‘certain areas of scientific research’ instead of strictly ‘specific purpose(s)’ (as is the general rule for sensitive data under Art. 9(2)(a) GDPR), a recital cannot establish a binding legal rule, and thus, the matter of the breadth of consent in research will be up to national laws as well.
The above can be summed up in the following scenario to exemplify the dilemma of intra-EU applicable law in a research context under the GDPR. If a research entity in a given Member State wants to incorporate genetic data from people across Europe into their dataset, the following questions are likely to arise. If the data have been obtained for research based on consent, the law of which Member State applies to that consent, and how broad can the consent under the applicable national law be? Does the consent have to comply with the rules of the Member State in which it was obtained, or with those of the Member State in which research is to be conducted (or both)? If these rules differ, which ones should be applied? If the data have been obtained for other purposes (eg healthcare) or the consent does not cover the planned research activities, in order to use the data in research without having to obtain (new) consent, should the researcher follow the rules of the country in which he operates, or those of the Member States in which the data have been obtained from the individuals? Regardless of the legal basis for the use of the data, which individuals could possibly invoke the right to object under Article 21 GDPR? Although Article 21(6) GDPR provides for a directly applicable exception in the research context, this is limited to cases where the processing is necessary for the performance of a task carried out for reasons of public interest. Otherwise, the applicability of the right to object will depend on Member State law (See Arts. 9(2)(j) and 89(2) GDPR). If the law applicable to the research would be the one of the Member State where the research entity carries out its activities, the research entity could rely on that single set of rules. However, if applicable law would depend on where the data were obtained from individuals (ie most likely the Member State of residence of the individual), the research entity would essentially have to apply different rules to one dataset.
Article 11 GDPR might come in handy for the researcher in this example if the researcher does not or no longer needs to re-identify individuals (and disposes of the means to do so). In this case, Article 11 GDPR might relieve the researcher from having to adhere to the rights of data subjects embedded in Articles 15 to 20 GDPR (ie excluding the right to object in Art. 21 GDPR). However, in certain types of research like rare disease research, re-identification is necessary.36 The possibilities associated with Article 11 GDPR in the research context will be further elaborated upon in Section IV of this article.
III. THE INTRA-EU CONFLICT OF LAWS UNDER THE GDPR
Unlike its predecessor Directive 95/46/EC in Article 4, the GDPR does not establish any rules for an intra-EU conflict of laws scenario. In fact, the only reference to applicable national law is hidden in one single recital: Recital 153. The latter addresses exemptions and derogations made in the effort of reconciling the right to the protection of personal data with the right to freedom of expression and information. Recognizing that with the discretion afforded to Member States in this regard such exemptions and derogations might differ across the EU, Recital 153 sets out that ‘the law of the Member State to which the controller is subject should apply’. Which law the controller is subject to is, however, not clear from the GDPR.
The GDPR establishes under Article 3 the territorial scope of the regulation itself, and essentially the conflict of laws rule in regard to the EU and other territories. Under Article 3(1) GDPR, the regulation is applied ‘to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not’. Where there is no such establishment in the EU, under Article 3(2) the GDPR is still applied if the personal data of data subjects who are in the EU is processed in relation to the offering of goods or services (irrespective of payment), or to the monitoring of their behavior taking place within the EU. However, the question of applicable national law in a conflict of laws scenario within the EU remains unanswered.
III.A. National applicable law under directive 95/46/EC
Article 4(1) of Directive 95/46/EC set out in regard to applicable national law that a Member State shall apply their data protection law where ‘the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State’. The Court of Justice of the European Union (CJEU), in 2015 in the Weltimmo37 case, referred to Recital 19 of Directive 95/46/EC, explaining that ‘establishment’ is to be understood as the (at least minimal) effective and real exercise of activity through stable arrangements, and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor.38 The same principles in terms of determining the existence of an ‘establishment’ are embedded in Recital 22 GDPR. In the later case of VKI v Amazon39 in 2016, the CJEU reiterated the referred principles and further emphasized in its ruling in regard to ascertaining the existence of an establishment in order to determine applicable national law that, ‘It is for the national court to ascertain whether that is the case.’
Essentially, the Weltimmo judgement made it clear that in regard to the question of applicable national law in data protection, it bears no relevance where a company is formally registered, or what the nationality of the data subjects is. What matters according to the Weltimmo judgement is, real and effective (even if minimal) activity in a given Member State through stable arrangements (ie establishment), in the context of which personal data processing is carried out.40 In the specific case at hand in Weltimmo, the latter was illustrated by the facts that Weltimmo (a company registered in Slovakia) ran a website in the Hungarian language, advertising properties located in Hungary, and had a representative in Hungary ‘responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.’41
III.B. Possible solutions from other sources to the intra-EU conflict of laws dilemma under the GDPR
As noted above, unlike Directive 95/46/EC, the GDPR does not address the question of applicable national law, but only that of the applicability of the GDPR itself (Art. 3 GDPR). Presumably this is due to the fact that the GDPR as a regulation (ie being of a directly applicable and enforceable nature across all Member States) was meant to harmonize data protection laws across the EU, and as such the question of applicable national law could have been presumed to be obsolete. However, that is clearly not the case in a number of aspects, including in the research context, as illustrated in Section II of this article (but also, eg, in the above-mentioned case of the media exceptions, acknowledged in Recital 153 GDPR).
In terms of the lack of rules concerning the intra-EU conflict of laws, some have considered the Rome regulations on applicable law as an alternative regulatory source for establishing conflict of laws rules in data protection as well.42 The possibility of applying the Rome II regulation in regard to non-contractual obligations43 has been negated in terms of data protection, since in Article 1(2)(g) the latter excludes from its scope non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation.44 The application of the Rome I regulation concerning contractual obligations45 is theoretically possible to the extent of personal data processing within contractual relationships.46
However, this solution is incomplete for obvious reasons as it would only provide an answer in terms of contractual relationships; not to mention that it only concerns the context of private law, and therefore disregards all other scenarios. Furthermore, this does not provide a complete answer for the question of applicable national law in (genetic) research, as there need not be a contractual relationship between the researcher (ie data controller) and the research subject (ie data subject).
On the one hand, in scenarios in which the researcher recruits research participants, obtains informed consent from them, and thereafter retrieves the tissue (and subsequently the data from the tissue) directly from participants, a semicontractual relationship is formed (semicontractual in the sense that the research participant has the right to withdraw at any time and thus unilaterally terminate the relationship at any point, thus going against the binding nature of contracts; but much like a contract in many other aspects, eg in terms of the binding obligations of the researcher, possible confidentiality agreements, etc.). On the other hand, genetic data can be obtained from sources other than the data subject (from a third controller, eg a central research database, a clinical facility, or a commercial testing facility). In these cases, there would clearly be no (semi-)contractual relationship between the researcher and the individuals whose data are concerned.
Hence, the Rome I regulation could theoretically only be a point of reference for applicable national law as far as a (semi-)contractual relationship can be detected between the researcher and the data subject. In such cases, Article 6(1)(b) of Rome I would then likely lead to the conclusion that the law of the country from which the individual was recruited should apply. Even if a choice-of-law clause were to be provided in the informed consent form, this could not deprive individuals of the rights that cannot be derogated from under the law of the country from which they were recruited (Art. 6(2) Rome I).
However, in cases in which no contractual relationship can be said to exist between the researcher and the data subject, there is no source other than the GDPR itself for determining the question of applicable national law. Furthermore, it is arguable whether a fragmented approach to the question of applicable national law under the GDPR depending on the nature of the relationship between the data controller and the data subjects should be desirable. In fact, it could lead to a completely illogical outcome. For example, once the data are made available or transferred to a third party researcher, data subjects still have data protection rights vis-à-vis that third party researcher, but no (semi-)contractual relationship could be argued to exist between the third party researcher and the data subjects. In the latter case, Rome I regulation could no longer apply, and the rules for determining the applicable law and thus the applicable law itself might ultimately differ once the data are transferred from one researcher to the other. This, in turn, would render the matter of applicable law and substantive safeguards as unclear as possible (both from the perspective of researchers and data subjects).
III.C. Possible solutions within the GDPR to the intra-EU conflict of laws dilemma
One method that could be applied in the quest for answers in solving the dilemma of applicable national law is analogy. As noted earlier, Recital 153 GDPR briefly addresses the issue of an intra-EU conflict of laws in the context of exemptions and derogations related to the freedom of expression. Recital 153 GDPR sets out that the national law to be applied should be that to which the controller is subject to (ie the person or entity determining the purposes and means of processing, such as a researcher determining the use of personal data in their research).
The same rule could be followed in terms of exemptions and derogations in regard to the use of personal data in research. ‘The law to which the controller is subject to’ could be determined, again, via analogy, relying on Article 3 GDPR that addresses the territorial scope of the GDPR. The result would be that the national law of a given Member State would be applied to the processing of personal data in the context of the activities of an establishment of a controller or a processor in that Member State, regardless of whether the processing itself takes place in that Member State. This would then much resemble the Weltimmo approach of determining whether an ‘establishment’ can be determined to exist in a certain Member State, ie whether the data controller ‘exercises, through stable arrangements in the territory of that Member State, a real and effective activity—even a minimal one—in the context of which that processing is carried out.’47
Upholding the Weltimmo approach under the GDPR would, of course, depend on respective developments in the case law of the CJEU or relevant guidelines issued by the European Data Protection Board (See Art. 68 ff. GDPR). The above could theoretically be one way of determining the national law applicable to data controllers.
Though the above-proposed approach to solving the intra-EU conflict of laws in data protection might theoretically work on a general scale (as this approach has been established and employed by the CJEU in its case-law already), the next question is, whether the proposed approach would be feasible in specifically the research context as well.
IV. APPLICABLE NATIONAL LAW TO CROSS-BORDER GENETIC RESEARCH WITHIN THE EU
Research making use of genetic data often involves cross-border cooperation, both between certain specific institutions and via central databases. It might entail the exchange of data, or biosamples from which data can be derived from. Furthermore, submission of sequencing data to central databases might be encouraged or even required in regard to scientific publications making use of such data.48 Data protection aspects of, for example, submitting human whole-genome sequencing data to databases such as the European Genome-phenome Archive49 will depend on relevant national laws.
As noted in the introductory part of this article, the nature of human DNA sequencing data with its essentially boundless informational potential warrants for particular considerations in regard to applicable rules and safeguards. Furthermore, as evidenced in Section II of this article, the conditions for using any sensitive data might differ from one Member State to another, but specifically in regard to genetic, health, and biometric data, as these types of data are subject to additional discretion of Member States under Article 9(4) GDPR. Thus, the question of applicable law is highly relevant in cross-border genetic research.
It will be argued in this section that the general rules of applicable national law used in data protection (addressed in Section III of this article) might not be suitable for the research context. Furthermore, an analysis of Article 11 GDPR will show that if genetic data is used in pseudonymized (eg coded) form, without direct identifiers to the individuals, and without a given researcher being able to re-identify the individuals, adherence to the rights of data subjects might be rendered less of a problem.
Before turning to the matter at hand, to clarify, as far as the biospecimens (from which the genetic data is retrieved) are concerned, as noted at the beginning of Section II of the article, one single supranational rule can be determined in Article 22 of the Oviedo convention, laying down the minimum threshold of due notification for the secondary use of biosamples. The determination of the law applicable to the biosamples will not be further elaborated on in this article, and shall be left for future analysis. However, it is important to note that although the data protection framework does not apply to tissue as such (it is not data, but a carrier of data), once data are being retrieved from the tissue, and as soon as the potential of identifiability arises, the personal data protection framework comes into play. Thus, from the perspective of privacy and data protection interests of individuals, the law applicable to the tissue as such is secondary compared to the law applicable to the personal data retrieved therefrom.
IV.A. Applying a general intra-EU conflict of laws rule in the context of genetic research: provision of goods and services vs research
As concluded in Section III of the article, a possible approach to the intra-EU conflict of laws under the GDPR could theoretically be the continuance of the Weltimmo approach of the CJEU applied in regard to Directive 95/46/EC and its Article 4. However, the question is whether this general rule could be successfully applied in genetic research as well. It will be argued here that a general conflict of laws rule would not provide an effective means to guarantee data subjects’ rights and the effective exercise of such rights in a research context without compromising the interests of researchers, or vice versa.
Directive 95/46/EC was designed primarily to enable the free flow of data in an open market whilst safeguarding individuals’ rights in terms of their personal data (see Recital 3 of Directive 95/46/EC). In that light, Article 4 of Directive 95/46/EC along with relevant case law of the CJEU in regard to a possible intra-EU conflict of laws scenario was very much focused on specifically the cross-border provision of goods and services. The provision of goods and services, however, and the processing of personal data in regard to such activities, is inherently different from the use of personal data in research. First, in most cases, the processing of personal data within the context of the provision of goods and services presumes direct involvement of the individuals whose data are processed. Of course, data controllers still have limited options to process the data obtained during the provision of goods and services for other purposes as well. For example, though personal data might be processed based on consent for specified purposes (Arts. 6(1)(a) or 9(2)(a) GDPR), or without consent for the performance of a contract (Art. 6(1)(b) GDPR), the same data might be further processed for purposes of legitimate interests pursued by the controller or by a third party (Art. 6(1)(f) GDPR), as long as the purpose limitation is adhered to (Arts. 6(4) and 5(1)(b) GDPR).
However, as far as research use of personal data is concerned, the storage and purpose limitations are lifted (Art. 5(1)(b) and (e) GDPR).50 This means that personal data can be further used for research regardless of possible initial limitations, such as those laid out in the consent based on which the data were obtained, or limitations established by law in regard to processing without consent (eg in cases where health or genetic data can be processed in a health care context without consent, but only for purposes of providing health care services). The lifting of the purpose limitation further enables cross-border dataflow and essentially unlimited secondary processing of (sensitive) personal data.
It is interesting to note that in terms of cross-border dataflow, the GDPR in most part only addresses data transfers to third countries or international organizations. For example, in terms of the data controller's obligation to provide information to data subjects—both in cases where data have been obtained from data subjects (Art. 13 GDPR) and from other sources (Art. 14 GDPR)—the controller needs to notify individuals about the intent to transfer their data to third countries or international organizations (see Arts. 13(1)(f) and 14(1)(f) GDPR). Transfers to other Member States are not addressed in the GDPR, presumably because in the case of intra-EU data transfer, the GDPR would clearly apply anyway. However, the devil lies in the details, which in this case is the vast discretion given to Member States in regard to regulating the use of personal data in research, thus making intra-EU data transfers relevant as well.
Second, in the case of the provision of goods and services, the interests involved are mainly private interests: those of the party offering goods and services on the one hand, and those of the individuals receiving them on the other. This leads to the simple basic rule that if a party is interested in offering goods or services in a given Member State, the data protection rules of that Member State need to be adhered to. Whereas in the case of research, there are not necessarily any activities directed to individuals in any particular Member State (unless research participants are being recruited), and the interests involved on part of the researchers are not merely private interests of the researchers themselves, but what comes into play is the public interest in gaining new knowledge that could potentially lead to better health and life outcomes. This leads to two crucial differences between the question of applicable national law in research on the one hand, and in ‘business’ (for lack of a better term to indicate all other private relationships within which personal data is being utilized) on the other hand. First, a researcher does not need to have an ‘establishment’ in a given Member State as defined in data protection law in order to utilize personal data for research purposes, as storage and purpose limitations do not apply and further processing beyond initial purposes is possible (subject to national or other EU law). Second, in the research context the ‘one or the other’ choice of applicable national law will lead to a ‘lose-lose’ scenario as ensuring the compliance to data protection rules established in the national laws of concerned individuals might lead to compromising not just private interests, but public interests in certain types of research being conducted (ie first and foremost the types of research in which data of individuals from multiple Member States need to be accumulated).
The specific difficulties of the conflict of laws question in a research setting can be illustrated by the following example. Relying on Article 89(2) GDPR, Member State A (MS A) has established in its national law a derogation from the right to object in the research context. Member State B (MS B) has not done so, and the right to object under Article 21 GDPR can be invoked in terms of processing activities in the research context as well. Researcher in MS B has carried out a research project during which he had the DNA of 500 participants sequenced, having obtained prior informed consent that allows the data to be used in a certain area of scientific research (as referred to in Recital 33 GDPR). The consent does not address data sharing, but only limits the further use of the data by referring to a certain area of research. The researcher from MS B shares the data from the database he has established during that research with a researcher in MS A to be used in research in MS A. The researcher in MS A is not just relying on data received from MS B, but is compiling a dataset containing data of individuals from multiple other Member States as well. Now the question is, could the individuals from MS B object to processing activities that are part of the research carried out by the researcher in MS A? Would then the laws of MS A or MS B have to be applied in this scenario in regard to the rights of data subjects?
The researcher in MS A does not have an establishment in MS B, nor does he direct to or carry out any activities in MS B. He simply makes in his research use of the genetic data obtained by the researcher in MS B from individuals residing in that Member State. Under the Weltimmo criteria, the researcher in MS A would not be subject to the data protection laws of MS B. In this sense, the Weltimmo approach would not be of use for the data subjects who might wish to object to the processing. On the other hand, if the researcher in MS A were to combine genetic data obtained from individuals in multiple Member States, it would be quite difficult if not impossible for him to follow different rules of different Member States in terms of one dataset.
Though, in the case of specifically the right to object, the researcher in MS A might be able to invoke Article 21(6) GDPR, which creates an uniform derogation from the right to object in a research context, provided that ‘the processing is necessary for the performance of a task carried out for reasons of public interest’. However, in order to do so the research would have to be considered a ‘performance of a task carried out for reasons of public interest’ (eg for public health purposes). Furthermore, this exception in and of itself raises a number of questions, eg whether the determination of public interest should be determined on a global, regional, EU, or national level (and in the latter case, the public interest of which Member State should prevail).
IV.B. Article 11 GDPR as part of the discussion of the dilemma of applicable national law
Another factor to be considered in any discussion concerning research regulations under the GDPR is Article 11. The latter stipulates that if a given controller does not or no longer needs to identify individuals, Articles 15–20 GDPR do not apply. Notably, Article 21 GDPR and the right to object are not included in Article 11 GDPR. However, Article 11 GDPR does include the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure or the ‘right to be forgotten’ (Art. 17), the right to restriction of processing (Art. 18), the obligation of controllers to notify recipients of data of requests regarding rectification, erasure or restriction of processing (Art. 19), and the right to data portability (Art. 20). Thus, if a Member State has not used the opportunity provided in Article 89(2) GDPR to create derogations from the rights in Articles 15, 16, and 18, these might still not apply if Article 11 GDPR comes into play.
Generally, the GDPR clearly applies to pseudonymized (eg coded) data (Rec. 26 GDPR); however, Article 11 de-identification is not concerned with whether data could enable identification in general, but whether a specific controller could identify data subjects.51 In other words, with Article 11, the assessment of the possibility of identification is limited to a specific controller (eg one researcher or research entity). For example, if a researcher uses genetic data in pseudonymized (eg coded) form, without being able to re-identify the individuals himself (although a partner institution of central database might hold the relevant keycode), this would trigger Article 11 GDPR.
Hence, pseudonymization in the hands of one controller, who is not able to reverse the pseudonymization process himself or to identify data subjects based on the data available to him, might be enough to trigger Article 11.52 The applicability of Article 11 GDPR in a specific research context, of course, will depend on the nature of the research and the further interests of the researcher in terms of the data, ie whether re-identification by the controller himself would be necessary.53 If Article 11 GDPR could be invoked, the question of applicable national law would become irrelevant as far as possible derogations from data subjects’ rights established under Articles 15 to 20 GDPR are concerned.
V. SUMMARY
As a directly applicable and enforceable legal instrument of the EU, the GDPR was meant to harmonize data protection rules across all Member States. However, it still leaves many nuances of data protection to be regulated in national laws. For one, rules governing the use of personal data in research will remain fragmented (Arts. 9(2)(j) and 89 GDPR), as might the conditions for using (including in research) specifically genetic, health, or biometric data (Art. 9(4) GPDR).
The differences between national laws in regard to genetic research will depend on (1) whether a Member States has adopted specific conditions for the use of genetic data as made possible under Article 9(4) GDPR; (2) whether a Member State has opted for a broader informed consent notion in research than the general consent conditions applicable to sensitive (including genetic) data under Article 9(2)(a) GDPR, in accordance with the guidance provided in Recital 33 GDPR; (3) whether and on what conditions a given Member State allows for the use of genetic data in research without consent; (4) whether and which rights of individuals has a given Member State opted to provide derogations from for purposes of research, as provided under Article 89(2) GDPR. Thus, the question of applicable national law within the EU in cross-border genetic research is of clear practical relevance.
The approach to the dilemma of applicable national law on a general level under the GDPR could theoretically remain the same as it was under Article 4 of Directive 95/46/EC, and as established in the Weltimmo case by the CJEU (subject to development of relevant case law by the CJEU, or respective guidance by the European Data Protection Board). In this case, national applicable law would depend on a data controller having an establishment and (at least) minimal real and effective activity (in the course of which personal data is being processed) in a given Member State for the national law of the latter to apply.
However, this approach would prove difficult to apply in a research context seen as the notions of ‘establishment’ and ‘real and effective activity’ would only arise if a research project would entail the recruitment of research participants from a given Member State. In a research scenario in which individuals are not directly involved, and the necessary data are obtained from other data controllers (eg clinical facilities, research facilities, central research data bases, etc.), the applicable national law in such a research context, if determined in line with the Weltimmo approach, would always be that of the Member State where the researcher carries out his research activities. This, in turn, carries the risk of creating a forum-shopping effect, and, most importantly, might strip individuals of the possible additional guarantees and safeguards provided by the Member States of their residence.
What might have some impact on this dilemma is Article 11 GDPR. The latter is designed to relieve data controllers of certain obligations vis-à-vis data subjects if a given controller does not or no longer needs to identify the individuals. In research, this would be applicable for example if pseudonymized (eg coded) data is utilized in research. Though generally pseudonymized data is clearly covered by the GDPR, it is likely to meet the de-identification standard of Article 11 GDPR if a researcher does not hold the keycode, ie is not able to re-identify the individuals himself (though other parties might be able to do so, eg the party holding the key code or a party holding additional information that could be combined with the de-identified data and thereby enable identification of individuals). This would make the question of applicable national law obsolete as far as derogations from rights under Articles 15 to 20 GDPR are concerned.
Though one could fault the GDPR for not providing answers to the question of applicable national law, it appears that any such rules could not truly provide for a satisfactory outcome. Whether the law of one or the other Member State were to be applied, it would have to be either the interests of data subjects or those of researchers sacrificed in a cross-border research scenario. As such, ultimately, this regulatory challenge would be best solved by creating basic uniform rules on the EU level for the use of personal (and, particularly, sensitive) data in research.
Supplementary Material
Kärt Pormeister holds an LLM in Health Law from the University of Houston, Texas, and is currently a junior researcher and IT law PhD candidate at the School of Law of the University of Tartu, Estonia.
Footnotes
For example, The World Medical Association Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects (2013); the CIOMS International Ethical Guidelines for Health-related Research Involving Humans (2016); the WHO Standards and operational guidance for ethics review of health-related research with human participants (2011); etc.
The Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine. Oviedo, 4.IV.1997, CETS No. 164 (hereinafter ‘the Oviedo convention’).
The Additional Protocol to the Convention on Human Rights and Biomedicine, concerning Biomedical Research. Strasbourg, 25.I.2005, CETS No. 195.
See Chapter V (Articles 15–18) of the Oviedo convention, supra note 2.
See the official website of the CoE for the ‘Chart of signatures and ratifications of Treaty 195’, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/195/signatures?p_auth=MXKewYR9 (accessed Feb. 8, 2018).
The additional protocol on biomedical research follows the Oviedo convention in terms of defining ‘an intervention’, whereas it is made explicitly clear in the explanatory report to the additional protocol that research that makes use of biospecimen or data that have been obtained outside of a research context is not covered by the definition. See Explanatory Report to the Additional Protocol to the Convention on Human Rights and Biomedicine, concerning Biomedical Research. Strasbourg 25.I.2005, CETS No. 195, p 4, para. 17.
Currently regulated under Directive 2001/20/EC of the European Parliament and of the Council of April 4, 2001 on the approximation of the laws, regulations, and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use. [2001] OJ L121/34. Directive 2001/20/EC will be repealed with the entry into application of Regulation 536/2014 of the European Parliament and of the Council of April 16, 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC. [2014] OJ L158/1. According to the official website of the European Commission, the entry into application of Regulation 536/2014 is currently estimated to occur in 2019. See https://ec.europa.eu/health/human-use/clinical-trials/regulation_en (accessed Feb. 8, 2018).
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [2016] OJ L119/1.
Directive 95/46/EC of the European Parliament and of the Council of October 24,1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/131.
Kärt Pormeister, Genetic Research and Consent: On The Crossroads of Human and Data Research, B ioethics (2018), at 3. Available at: https://onlinelibrary.wiley.com/doi/epdf/10.1111/bioe.12475 (accessed Oct. 24, 2018).
G. Laurie. Genetic Privacy: A Challenge to Medico-Legal Norms 109, 115 (Cambridge University Press, 2002).
Or interpretive potential as Mark Taylor puts it, to indicate that it is possible to recognize future potential to interpret certain data before such interpretation is even possible. See Mark Taylor. Genetic Data and the Law: A Critical Perspective on Privacy Protection 41 (Cambridge University Press, 2012). In the context of genetic data, it refers to the fact that the data itself that are available today (eg one's DNA sequence, or a biosamples from which the DNA sequence can be derived) can yield information, the quality and quantity of which is relative to technological and scientific advancements. In other words, the ability to interpret genetic data and thus the meaning of the data can (and, in fact, will) change over time.
For example, in April 2018 it was announced that, ‘13 European countries have signed a declaration for delivering cross-border access to their genomic information’. See official website of the European Commission at https://ec.europa.eu/digital-single-market/en/news/eu-countries-will-cooperate-linking-genomic-databases-across-borders (accessed July 14, 2018).
See Chapter V (Articles 15–18) of the Oviedo convention, supra note 2.
Supra note 3.
It is important to note that the European Court of Human Rights has in its case law referred to the Oviedo convention even where the state party to the dispute has not ratified or even signed the instrument. See eg Glass v. The United Kingdom, ECtHR [2004], Application no. 61827/00, ECLI:CE:ECHR:2004:0309JUD006182700.
Explanatory Report to the Convention for the protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine. Oviedo, 4.IV.1997. ETS No 164, 20-21.
Pormeister, supra note 10, at 8.
For example, the Portugese Law n. º 12/2005 of 26 January on Personal genetic information and health information contains in Article 16 a separate clause on research on the human genome, accessible in English at https://www.eshg.org/fileadmin/www.eshg.org/documents/Europe/LegalWS/Portugal_Law-UnofficialEnglishTranslation.pdf (accessed Feb. 9, 2018).
In contrast, eg Estonia has a law named the Human Genes Research Act (RT I 2000, 104, 685); however, the law itself only regulates genetic research carried out by the Estonian Genome Bank (see §1(1) and § 6), and there is no other applicable national law specific to human or genetic research. The Human Genes Research Act is accessible in English at https://www.riigiteataja.ee/en/eli/518062014005/consolide (accessed Feb. 9, 2018).
See supra note 7.
Regulation 2017/746 of the European Parliament and of the Council of April 5, 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. [2017] OJ L117/76.
Regulation 536/2014 will allow sponsors of clinical trials to obtain essentially open consent for the future scientific uses of the personal data collected during the trial, unlike the GDPR which establishes no such exception for consent in research and as indicated in Recital 33 GDPR, it allows Member Sates only to establish consent as broadly as for ‘certain areas of scientific research’, as opposed to the very broad, essentially open consent (‘exclusively for scientific purposes’) established under Article 28(2) of Regulation 536/2014. See Pormeister, supra note 10, at 8-9.
The last sentence of Article 28(2) of Regulation 536/2014 clearly establishes that use of the data outside of the research protocol of the clinical trial is subject to applicable law on data protection. As to the use of the data in the trial itself, the first sentence of the article refers to Directive 95/46/EC, but should now be understood as effectively referring to the GDPR.
For an in-depth analysis on the issue of consent in genetic research under Regulation 536/2014 and the GDPR, see Pormeister, supra note 10.
See eg Kärt Pormeister, Genetic data and the research exemption: is the GDPR going too far?, International Data Privacy Law 7(2) (2017), 137–146. Available at https://academic.oup.com/idpl/article/7/2/137/3798545 (accessed Oct. 24, 2018).
The Data Protection Working Party has clarified that research consent cannot be as broad as to refer to merely ‘research purposes’; unfortunately, however, they have not unambiguously made it clear how broadly research consent can be formulated to still be compliant with the GDPR. See Guidelines on transparency under Regulation 2016/679. Article 29 Data Protection Working Party, 17/EN WP260, p 9, para. 11, http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=50057 (accessed July 24, 2018).
On June 13, 2018 the draft law was withdrawn from the parliament due to controversy surrounding the ‘media clause’ and the question whether the media should be free to process personal data for reasons of ‘public interest’ or ‘overwhelming public interest’. It is unlikely that the resubmission of the draft law will affect any clauses regulating research, given that the single publicly announced reason for withdrawal was the word ‘overwhelming’ in the media clause.
§ 6(6) of the Estonian draft law for the implementation of the GDPR (as of April 2018), only available in Estonian; accessible in the official Electronic Coordination System for Draft Legislation, http://eelnoud.valitsus.ee/main/mount/docList/1909e111-ca98-4d1b-830a-ee49dea64a97#QS8HabF2 (accessed April 19, 2018).
The explanatory note is available only in Estonian, Id.
The German Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680, accessible in English at https://www.bmi.bund.de/SharedDocs/downloads/EN/gesetztestexte/datenschutzanpassungsumsetzungsgesetz.html;jsessionid=B2585D2C676A5146196241A1CF631718.2_cid373 (accessed Feb. 15, 2018).
Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Datenschutzgesetz – DSG). BGBl. I - Ausgegeben am 31. Juli 2017 - Nr. 120, accessible in German at https://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2017_I_120/BGBLA_2017_I_120.pdfsig (accessed Feb. 15, 2018).
Supra note 32.
Supra note 31.
This approach of the German law has come under critique due to its inconsistency with ethical principles in research. See eg Katrin Schaar, ‘Die informierte Einwilligung als Voraussetzung für die (Nach-)nutzung von Forschungsdaten: Beitrag zur Standardisierung von Einwilligugnserklärungen im Forschungsbereich unter Einbeziehung der Vorgaben der DS-GVO und Ethikvorgaben’ (2017) RatSWD Working Paper Series 264, 19–20.
See eg Mats G. Hansson et al., The Risk of Re-identification versus the Need to Identify Individuals in Rare Disease Research, 24 Eur. J. Hum. Genet. 1553–58 (2016).
Case C-230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] ECLI:EU:C:2015:639.
Weltimmo, paras 28 and 31.
Case C-191/15 Verein für Konsumenteninformation v Amazon EU Sàrl [2016] ECLI:EU:C:2016:612.
Weltimmo, para. 41.
Id.
See eg Maja Brkan, Data Protection and Conflict-of-laws: A Challenging Relationship3 Eur. Data Protect Law Rev. 324 (2016); Jiahong Chen, How the Best-Laid Plans Go Awry: The (Unsolved) Issues of Applicable Law in the General Data Protection Regulation, 6 Int. Data Privacy Law 310 (2016).
Regulation (EC) No 864/2007 of the European Parliament and of the Council of July 11, 2007 on the law applicable to non-contractual obligations (Rome II) [2007] OJ L199/40.
For example, Brkan, supra note 42, at 332; Chen, supra note 42, at 319.
Regulation (EC) No 593/2008 of the European Parliament and of the Council of June 17, 2008 on the law applicable to contractual obligations (Rome I) [2008] OJ L177/6.
For example, Brkan, supra note 42, at 332–33; Chen, supra note 42, at 318.
Weltimmo, para. 1 of the ruling.
See eg Steven L. Salzberg, Databases: Reminder to Deposit DNA Sequences, 533 Nature179 (2016).
‘The European Genome-phenome Archive (EGA) is a service for permanent archiving and sharing of all types of personally identifiable genetic and phenotypic data resulting from biomedical research projects.’ See the official website of the EGA at https://ega-archive.org/about (accessed Apr. 10, 2018).
Pormeister, supra note 10 and note 26.
See Mike Hintze, Viewing the GDPR Through a De-identification Lens: A Tool for Compliance, Clarification, and Consistency, Int. Data Protect. Law (2017), https://doi.org/10.1093/idpl/ipx020 (accessed Apr. 19, 2018).
Kärt Pormeister, The GDPR and Big Data: Leading the Way for Big Genetic Data?, in P rivacy P olicies and T echnologies at 16–17 (E. Schweighofer et al. eds., Springer International Publishing 2017).
See eg Mats G. Hansson et al., The Risk of Re-identification versus the Need to Identify Individuals in Rare Disease Research, 24 Eur. J. Hum. Genet. 1553–58 (2016).
Associated Data
This section collects any data citations, data availability statements, or supplementary materials included in this article.