This chapter analyzes the European Union framing of the protection of genetic privacy in the context of the European Commission's 2012 proposal to amend the 95/46/EC Data Protection Directive. This market-driven proposal, fitting a wider European movement with regard to health-related legal framework, takes into account the challenges to privacy protection brought by rapid technological development. Although the proposal is an attempt to clarify the 1995 Data Protection Directive, including the question of genetic data, it also creates some controversial grey areas, especially concerning the extensive regulatory role to be played by the European Commission. With regard to genetic privacy, this chapter takes the opportunity to develop on this paradox, and gives an analysis of the European design on the matter.
TopIntroduction
From floppy disks to digital CDs, flash drives and cloud computing; from ICQ to MSN Messenger and now Facebook and Twitter, the high-speed development of Innovation and Communication Technologies (ICT) has led to the online storage of a vast amount of personal data. With the help of powerful search engines such as Google, fragmented data can potentially be collected and linked back to an individual, a clear danger to her/his privacy. An employee being fired for information posted on her/his Facebook profile is a simple illustration of this potential infringement. A further example is the identification of the supposedly anonymous participants of the 1,000 Genome Project database. Their identity was uncovered through an association of different data available on the Internet (Gymrek et al, 2013). The implication of this last example in particular is that even intimate information, such as health data, can be accessed and used without the data's subject being aware of it. The same threat applies to other kinds of data such as personal or political opinion or involvement in a trade union.
More than simply being a threat to privacy, it is a threat to democracy. A person deprived of the knowledge of how her/his data is being used is unable to foresee the consequences of her/his behavior, nor the reactions of her/his interlocutor (BVerG, 1983). Therefore, she/he will be prevented from engaging in her/his democratic and fundamental rights such as freedom of association or freedom of speech. Indeed, “without self-determination, there is no citizen and without citizen there is no free society” (Caplan, 2010, p.69). As a consequence, the protection of data constitutes a safeguard for both the individual and society. Such a safeguard was implemented in French domestic law as early as 1978. Germany followed suit in 1979. In 1995 the European Community adopted its own text: the Data Protection Directive (DPD 95/46/EC). The two aims were to ensure data protection as a fundamental right across Europe in order to allow a secured flow of personal data between member states which would favor commercial exchanges. In 2012, the European Commission introduced a proposal on the protection of individuals with regard to the processing personal data and on the free movement of such data, to adapt its data protection standards to the latest technological developments. This proposal is a crucial reform for at least three reasons.
Firstly, and unlike the former 1995 Directive, this proposal takes the form of a regulation thereby becoming directly applicable in all EU 27 Members States without the need to be debated and enacted in each State.
Secondly, the adopted text will regulate all situations where data of an EU resident is processed, regardless of the citizenship of the data's subject and of where in the world the processing takes place (Art. 3 GDPR 2012). This wide scope of application is made to ensure that fundamental rights of EU residents will be protected, especially in the case where their data is used for commercial purposes.
Thirdly, the proposal appears to be a change of approach to data protection. It suppresses the obligation for controllers (data processors) to notify the supervisory authority of their intention to process personal data prior to its realization (Art. 18, DPD 95/46/EC). In the proposal, the controller remains responsible for the security of the processing. He will have to comply with the Regulation’s provisions and to notify any breach to the supervisory authority (Art. 5(f), 22, 29 et seq. GDPR 2012). Only afterwards will the supervisory authorities’ control take place. However, this deregulation does not apply to certain special categories of data which “reveal race or ethnic origin, political opinions, religion or beliefs, trade union membership and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures” (Art. 9(1), GDPR 2012). These special categories of data are treated differently to the rest to protect the individual’s privacy. And in comparison to the definition of the “special categories of data” provided in 1995, the Regulation recognizes a new category: genetic data.