More and more biobanks are being set up to facilitate wide ranging, population based genomics research. Such biobanks act as research infrastructure – collecting data and samples from research subjects and making this material available, on application, to researchers. The scope and accuracy of genomic research depends on the size of data sets and the numbers of samples available to researchers who apply. Accordingly, in order to maximize the utility of samples and data collected in biobanks, there should be as few limits on their use as possible. Accordingly, many large scale biobanks collect materials prospectively – they do not state the type of research the materials will be used for at the moment of collection.

In order to conduct medical research on competent adults, researchers have generally been obliged to seek consent before conducting their work. Prior to biobanking, such consent was only regarded as legitimate under certain conditions. These required the research subject to be informed, in advance, as to the specific research which would be conducted. Prospective collection as occurs in the biobanking context is not possible under traditional models of consent. Accordingly, in order to bridge this impasse, alternative consent models were proposed for biobanking research. One such model is that of open consent. In open consent, the participant need only engage with the biobank once. The consent given in this engagement is valid for the extraction of the sample, the storage of the sample and data, and all further research uses of collected materials.

As biobanks process ‘personal data’, European data protection law is applicable to their operation. Despite the clarity that data protection law applies, there are a number of uncertainties as to the precise application of the current piece of overarching legislation – Directive 95/46 (European Parliament & European Council 1995). Whether open consent is legitimate is one such uncertainty.a In particular, the Directive requires that any consent be ‘specific’ and ‘informed’. It seems that biobanks operating with open consent cannot meet these obligations.

However, European data protection law is currently under review. This review has resulted in a Proposed Data Protection Regulation. This Regulation will replace the Directive and will provide a new background to the relationship between biobanks and data protection

This article considers the status of open consent in light of the Regulation.b A number of questions arise: Must biobanks legitimate processing through consent under the Regulation, or are there other possibilities? Which information, and of which specificity, does the Regulation oblige the biobank to provide to the data subject? Can this be provided under an open consent procedure? If open consent cannot find legitimation under the Regulation as it is, what are its prospects moving forward?

The article can be read in 4 parts:

Part 1 describes the open consent process and the obligations laid out by the Regulation relating to biobanks using open consent. It begins by explaining how open consent works and what differentiates it from other modes of consent (section 1). It proceeds by explaining the function of the Regulation, and by explaining its application to biobanks – concluding that the Regulation applies to both samples and data, and continues to apply until they are destroyed, and that biobanks can always be considered to process sensitive personal data (section 2). When sensitive data are processed, this must be justified under one of the grounds in Article 9. The article argues that, while there are a number of grounds which could apply, the most relevant is consent (section 3). The legitimation to process sensitive data following the data subject’s consent is provided by Article 9(2)(a) and can only succeed under a number of conditions – including that consent is ‘specific and informed’. The article then proceeds to elaborate what is meant by ‘specific and informed’ under the Regulation. It explains that certain categories of information must be provided to the data subject by the biobank (section 4), and that this information must be of a certain specificity (section 5).

Part 2 considers whether the open consent process can fulfil the informational obligations laid out in sections 4 and 5. The article suggests that the open consent process cannot provide the relevant specificity of information in relation to 4 categories of information; purpose of processing (section 6); recipients of processing (section 7); the third countries to which data will be transferred (section 8); the type of data which will be processed (section 9). With this analysis, the article concludes that, against the normal framework of informational obligations laid out be the Regulation, open consent cannot succeed.

Part 3 then considers arguments which suggest that the normal framework provided by the Regulation ought not apply. Such arguments suggest that, under the law in the Regulation, open consent could still count as ‘informed and specific’ as there are mechanisms which allow a relaxation of the problematic consent conditions. The first argument suggests that the expectations of the parties to the consent transaction have a performative effect on relevant informational obligations (section 10). The second argument suggests that, as biobanks employ other mechanisms of privacy protection – ‘buffer safeguards’ – these might provide reason for the problematic informational obligations to be relaxed (section 11). The article finds some justification for these arguments in the law. However, such justification is inadequate for open consent to succeed.

Part 4 finally considers a different form of argument supporting open consent. This form of argument suggests the logic behind the conditions laid down by the Regulation does not apply to biobanking. Accordingly, an argument can be made that the applicable conditions should be reconsidered. The article begins this section with an introduction to the concepts behind this form of argument – including pointing out that the conditions of consent are not rights, but are ties to assumptions as to the substance of regulation, the function of consent, and the actors involved (section 12). Two different arguments are put forward. The first argument holds that the specificity of the informational obligations in the Regulation was set with a particular processing context in mind. In this context there was a need to protect the data subject from particular risks in of the consent procedure. The argument suggests that such risks are not nearly so pronounced in the biobanking context and therefore the justification behind the high specificity threshold is limited (section 13). The second argument observes that the Regulation was drafted with a specific concept of ‘data’ in mind. Based on this concept, the legislator has constructed a concept of consent which requires a specific description of the data which have been collected. However, genetic data is better understood as a future source of data, than as data itself. This means that any concept of consent which focuses on defining ‘data’ which have been collected will be of limited applicability (section 14).

In summary, there seems no way open consent can meet the requirement under the Regulation for consent to be ‘specific and informed’. However, there are strong arguments suggesting that the Regulation’s conditions are poorly suited to the biobanking context and to the processing of genetic data. In this regard, the authors feel there should be a political discussion about whether to provide a specific set of consent conditions for biobanking.

Open consent

The site of medical research has traditionally been the human body – whether alive or dead. Modern medical ethics emerged with this concept of research as its template (with the focus of ethical consideration naturally being on research done on living subjects). Such research is characterized by certain features. First, it engages directly with the research subject’s physical person. The risks associated with this form of research are therefore predominantly physical. Second, in each instance invasive research occurred, the purpose of the invasive procedure could be clarified in advance. Conditions for a legitimate consent in medical ethics reflected these characteristics. In particular, as part of any legitimate consent, specific information as to the nature, form and risks of the particular proposed research had to be communicated to the participant in advance, before any research could go ahead (Biggs 2009, pp 17–35).

Genetics, and later genomics opened up new possibilities in how to conduct research. Importantly, genetic research can be conducted on extracted samples, rather than on the research subject’s physical person. In essence, no human subject is required for the act of research (although the sample must still be extracted). However, genetics and genomics research require something else – human samples and data. The scope, quality and effectiveness of such research is predicated on the number of samples and quantity of data used. The more relevant genetic information (and often health and environmental information – information relating to subject lifestyle etc.) used in any study, the more reliable the results of that study will be.c Equally, the more data and samples that are available for reuse, the more total studies that can be conducted and the more studies can be verified for accuracy (Kaye 2012, pp 32–45).

Biobanks – stores of genetic material and information, which can then be used in research projects – form a key part of the infrastructure supporting genetics and genomics research. As the importance of samples and data has grown in research, and as genomics research attempts to analyse ever expanding data sets, biobanks are becoming larger and more prospective – collecting samples with no particular research purpose in mind (Expert Group on Dealing with Ethical and Regulatory Challenges of International Biobank Research (2013)).

However, the stringent conditions of the traditional concept of consent in medical research stand in direct contradiction to the prospective collection approach – the requirement to specify specific research in advance standing in the way of extracting maximum research utility from collected samples.

In response to this obstruction, arguments were put forward suggesting that biobanking was a novel research context. Such arguments agreed that a respect for proband autonomy and self-determination remained an important ethical principle in biobank research, but suggested that the traditional concept of consent was unnecessarily restrictive. On the one hand, it was argued that biobanking held great promise for health research and that maintaining strict consent requirements would hinder the realisation of this promise (Hansson et al. 2006, p 267). On the other hand, it was argued that that the form of physical risk inherent in invasive research is different to (the arguments often suggest that it is also greater than) the informational risk present in biobanking research (Mascalzoni et al. 2008). On the back of these arguments, a number of novel consent modes were proposed as more suitable alternatives for biobanking. For example:

Democratic community consent (also known as presumed consent or opt-out), was employed in Iceland to legitimate the collection and use of the Icelandic population’s samples and data (Árnason and Árnason 2004, pp 164–177). This approach assumed every individual’s consent to the future use of their samples and materials. The individual was not specifically asked for consent at any point, but was given the option to opt out of the projectd.

Dynamic consent imagines a ‘personalised, digital communication interface’ which allows biobank/researchers to establish a continuous communication with research subjects (Kaye et al. 2014, pp 1). Research subjects can be presented with specific projects and information and, in turn, continuously tailor their consent preferences according to their desires and needse.

Sectoral consent imagines a limited extension to the boundaries of specific consent. Whilst specific consent demands that the specifics of the project are given to the research subject in advance, sectoral consent allows a research subject to consent to research in a given area – for example, a data subject would be allowed to consent to all cancer research (American Society of Human Genetics, 1996)f.

However, of all the proposed novel forms of consent, it is ‘open consent’ – also known as ‘broad consent’, ‘general consent’ and even ‘blanket consent’ – which strays furthest from the traditional model of specific informed consentg. Open consent has a history stretching back over a decade (Chadwick and Berg 2001). In this time, multiple definitions have been proposed, for example: Chadwick and Berg (2001), p 320 suggest that: ‘consent could be introduced, such as consent to entry into a sample collection…and to further (more general) research’. ‘Lunshof et al. (2008), p 409 suggest – in relation to the Personal Genome Project – that ‘open consent means that volunteers consent to unrestricted [research] re-disclosure of data originating from a confidential relationship, namely their health records, and to unrestricted [research] disclosure of information that emerges from any future research on their genotype-phenotype data set, the information content of which cannot be predicted’; Nomper (2005), p 83 suggests – in relation to population biobanks – that: ‘Open consent is the research subject’s affirmative agreement to participate in a population genetic database and in research projects that use tissue and data from that database’. Whilst there are minor differences between definitions – and this suggests the concept is still in definitional flux – there are certain core features of open consent which are common across all definitions. These characterise the concept and to differentiate it from all other forms of consent.

1. The research subject actively gives consent (unlike presumed consent) only once to the biobank (unlike dynamic consent). 2. The research subject is not asked to give consent to a specific research project (unlike traditional specific informed consent) or to an area of research (unlike sectoral consent). The subject gives consent to the use of their sample and data for all future research purposes. At the moment of collection, the research projects – nor even research areas – in which tissue samples and data will be used, are not precisely defined. 3. In most biobanks operating open consent, researchers wishing to conduct research on samples will apply to the biobank for the opportunity to use stored tissue and data.h The biobank (or more precisely, the governance systems of the biobank) will then decide whether a research project will be permitted to use the requested material. The research subject plays no role in this decision.

Open consent is also the most prominently used of the novel forms of consent. It is not hard to see why. On the one hand, it allows the maximum research utility to be extracted from each sample – the consent includes no limits to the scope of research uses to which the sample could be put. On the other hand, the consent procedure demands minimal organisational and administrative effort – one meeting with the subject, one form signed and the consent procedure is concluded. Open consent has proven particularly popular with population biobank projects. The donor consent form for the Estonian Geenivaramu states in Article 10: ‘By signing this document, I give my free and informed consent to… 4) Have the tissue sample, description of my state of health and my genealogy entered in the Gene Bank in coded form; 5) The use thereof for genetic research, public health research and statistical and other purposes in accordance with the law’ (TÜ Eesti Geenivaramu 2007). The donor consent form for the UK biobank states: ‘I give permission for long-term storage and use of my blood and urine samples for health-related research purposes (even after my incapacity or death)’ (UK Biobank 2013).

The data protection regulation and its application to biobanking

Since 1995, the key legal instrument elaborating European data protection law has been Directive 95/46 (European Parliament & European Council 1995). However, the role of the Directive in the regulation of biobanks was highly uncertain. On the one hand, the Directive was not designed with biobanks in mind, and it was therefore unclear as to how and when its provisions should be applied. On the other hand, in the absence of European level clarity on the application of the Directive, Member States provided local approaches, which in turn led to a fragmentation of legal approaches across Europe (Schulte in den Bäumen et al. 2010, pp 36).

In the 18 years since the drafting of the Directive, much has changedi. Accordingly, in 2009 the European Commission began an investigation into the reform of data protection law. The reform process took a big step forward in January 2012, when the Commission released a draft Data Protection Regulation proposed as a replacement to Directive 95/46 (European Commission 2012a). This Regulation has since been debated in the Parliament, which, earlier in 2014 approved an amended ‘Consolidated Regulation’ for consideration before the Council (The European Parliament (2013)). The Council have also suggested a number of further amendments to the Commission’s original version. (The Council of the European Union (2013)). If adopted, this Regulation will become the central instrument in European data protection law. As opposed to Directives – which lay out principles to be transposed into Member State law – Regulations are directly applicable as law in each Member State. The direct effect of the Regulation will mean its provisions will replace divergent data protection law in Member States. The Regulation will thus provide a new backdrop against which debates about data protection and biobanking will take place.

The Regulation applies in a broad range of contexts. Article 2(1) of the Commission’s versions outlines the scope of the proposed Regulation stating: ‘This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’ (European Commission 2012a, Article 2(1)).j The Regulation will apply to data processing conducted in relation to research and therefore in the biobanking context.

However, the Regulation does not apply when ‘personal data’ are not being processed. In this regard, there are two situations in which the scope of the concept of ‘personal data’ in relation to biobanking has been unclear – the case of anonymous data, and the case of the physical sample (as opposed to the extracted data). The authors would suggest that the scope of the Regulation should be given a broad interpretation. They believe that the concepts of anonymity (and pseudonymity) are not effectively applicable to genetic data or biobank processing. Accordingly the authors regard biobanks to always be process personal data and believe that the provisions of the Regulation should always apply.k They also believe that the Regulation must apply to both physical samples, and associated data.l In summary, the authors believe that the Regulation must apply to biobanking from the moment of collection of samples and data, and throughout the lifetime of storage and further processing of all samples and data.

When the Regulation is found to apply rationae materiae, it must then be defined how it applies. The Regulation operates a two tiered system of protection. This system classifies data according to how much of an impact processing could have on the fundamental rights of the data subject. The first tier is for ‘normal data’. The second tier is for ‘sensitive data’. A stricter set of conditions and a higher standard of oversight are applied to the processing of sensitive forms of data. A list of sensitive types of data is laid out in Article 9 of the Commission’s version (European Commission 2012a). The categories mentioned in Article 9 of the Commission’s version include; ‘personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures’.m Article 4(10) of the Commission’s version defines genetic data: “genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development’ (European Commission 2012a, Article 4(10)). Interestingly, the Parliament suggest an alteration to this definition: “genetic data’ means all personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, desoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained’. In turn, the Council suggest that: “genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited of acquired, resulting from an analysis of a biological sample from the individual in question’. However, the Council extend this definition in their amendment to Recital 25a which states that genetic data can be obtained not only from analysis of a biological sample, but also; ‘in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained’.

Under the Commission’s definition, every type of data collected by a biobank might be considered as ‘genetic’. We have already argued that the physical sample should be considered as data, and this would accordingly be considered data which ‘concerned’ inherited characteristics – the genome would be extracted from the raw sample. Any data which were collected through the analysis of the sample would also be data which ‘concerned’ inherited characteristics – the genome itself. Finally, the biobank collects other forms of data from the individual – for example health and lifestyle data. Many phenotypes result from the interaction between the individual’s genetic architecture and environmental factors. The biobank collects these other types of information to study this interaction – how non-genomic factors affect gene expression. Information collected with the intention of analysing gene expression, even if not necessarily ‘genetic’ on its own, would become information ‘concerned’ with genetics through the context of analysis. Under this definition, all data collected by the biobank, from the moment of collection, would be regarded as ‘genetic data’ and therefore must be treated as ‘sensitive data’.

Under the Parliament and Council definition however, it would only certainly be the results of the analysis of the biological sample which would certainly be defined as ‘genetic’. An argument could be made that, when other forms of data are subjected to an analysis which aimed to reveal information about genetics, they could be conceived of as ‘other elements’ allowing information about inherited characteristics to be obtained. In this reading, such data would also, following analysis, be regarded as ‘genetic data’. However under the Parliament and Council definitions, before such an analysis was conducted, no collected data would be regarded as ‘genetic’. Thus the physical sample would not be regarded as ‘genetic’, nor would any of the other information collected.n Nevertheless, even under the Parliament and Council versions of the Regulation, such other information could be conceived of as ‘health data’. Both versions regard health data as any data which relates to the physical or mental health of an individual. As biobanks are part of the health research infrastructure and all data will be used in health research, this information can be regarded as ‘relating’ to health. Accordingly such data should also be regarded as ‘sensitive’.

As data collected and processed by biobanks is classified as ‘sensitive’ under Article 9, ts processing is generally prohibited under 9(1); ‘the processing of [sensitive data] shall be prohibited’, subject only to certain limited exceptions laid out in Article 9(2) (European Commission 2012a, Article 9(2)). Accordingly, for biobanks to legitimately process data, they need to do so under an applicable exception under Article 9(2).o

Consent as the relevant exception for biobanks under article 9(2)

Article 9(2) offers a number of possible exceptions. Article 9(2)(a) states that the consent of the data subject allows the processing of sensitive data.p Article 9(2)(b) – (j) list a number of other justifications. The exceptions under 9(2)(b)-(j) can be loosely categorised as ‘public interest’ exceptions. Public interest exceptions take the decision as to whether data should be processed away from the individual – the normative benefit of processing has already been defined in the political process (Tene & Wolf 2013, pp 3–4). There has been considerable debate as to which form of justification must be relied upon where more than one ground seems relevant. In the case of biobanking, the authors feel that there is a lexical order to legitimating conditions. In this regard, they feel that consent under 9(2)(a) is the relevant exception that ought to be relied upon.

In particular, there are two strong legal theoretical arguments suggesting the primacy of consent over other possible justifications.

First, there is an argument from human rights jurisprudence. One of the main goals – arguably the main goal – of the Regulation is to provide a framework to protect individuals’ rights. Sensitive data listed under Article 9 are those data whose processing constitutes a specific risk to rights. Commentators suggest that such data are, by nature capable of infringing on fundamental rights. Whenever they are processed, there is thus a prima facie infringement of the rights of the data subject (Beyleveld 2004a, pp 10–11). In the European Court of Human Right’s case law, a substantial distinction is thus made between the choices of justification when processing sensitive data. In M.S. v. Sweden, the Court found that the lack of consent of the data subject to the disclosure of certain sensitive data was a key element in the finding of an infringement of Article 8 (the right to privacy). Accordingly, the plaintiff’s consent would have served to waive the existence of an infringement (M.S. v. Sweden, European Court of Human Rights 1997, §34-35). Thus, if consent is relied upon under 9(2)(a), there is no interference with the data subject’s rights. If a public interest is relied upon under 9(2)(b)-(j) there is an interference, it simply has a justification which overrides the right. In human rights law, if the same result can be achieved with less impact on an individual’s rights, this option must be taken. Thus, in relation to the underlying rights at stake, if consent can be obtained – which it can in biobanking – this is the ground under 9(2) which should be relied upon (Beyleveld 2004a, pp 10–11).q

Second, in the ethical and legal tradition of biomedical research, the research subject’s consent – under normal circumstances – is a prerequisite to conducting research. Biobanking falls definitively within the sphere of medical research. Whilst there is argument as to the form of consent necessary, there is little dispute that biobanks collecting samples directly from research subjects should obtain consent. Theoretically, the use of consent in medical research is a reflection of the autonomy, and primacy of decision, of the research subject in the research process. This has a long history, emerging form hard lessons drawn from horrific instances of paternalism and abuse in research.r Given that the desire of the potential research subject plays the central role in contemporary thinking about biomedical research, the use of a public interest exception under data protection law to allow research when the data has been collected from the individual seems awkward.s

It has been established that biobanks ought to rely on the consent of the data subject. However, the Regulation lays out a number of further conditions defining when a consent is legitimate under 9(2)(a). One sub-set of these conditions relates to what the data subject must know about the proposed processing before they can be seen to legitimately consent. Article 4(8) states ‘the data subject’s consent’ means any…specific [and] informed…indication of his or her wishes’ (European Commission 2012a, Article 4).t

Where there is an obligation to inform, there must be a set of criteria against which the discharge of this obligation can be measured. In this regard, Kosta states: ‘Concretising these questions in the area of data protection, it is essential to examine [1] what kind of information and [2] how much of it does the data subject need [− how specific does information need to be]’ (Kosta 2011, p 178). Using these questions as a baseline, it is possible to infer from the text of the Regulation, and from certain relevant jurisprudence, a set criteria which constitute the nuts and bolts of this obligation.

Which categories of information must be provided to the data subject?

In relation to Kosta’s first category, the Articles in the Regulation directly elaborating the conditions of consent do not clarify which kinds of information must be provided to the data subject.

However, elsewhere in the Regulation, general informational obligations (relevant to all processing situations) are elaborated. These obligations must also be met in processing legitimated by the data subject’s consent (Beyleveld 2004b, pp 69–71). The most important Article in this regard is Article 14. Article 14(1) elaborates a number of categories of information which must be given, by the data controller, to the data subject, when data is collected directly from the data subject – as in the case of open consent:u

14(1)(a): ‘the identity and the contact details of the controller and, if any, of the controller’s representative and of the data protection officer’.

14(1)(b): ‘the purposes of the processing for which the personal data are intended’.

14(1)(c): ‘the period for which the personal data will be stored’.

14(1)(d): ‘the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data’.

14(1)(e): ‘the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority’.

14(1)(f): ‘the recipients or categories of recipients of the personal data’.

14(1)(g): ‘where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission’. Importantly, the Parliament’s version adds to that ‘ in case of transfers referred to in Article 42, Article 43, or point (h) of Article 44(1), reference to the appropriate safeguards and the means to obtain a copy of them ’ must also be provided. The Council version removes the necessity to provide any information as to the protection standard in third countries.

14(1)(h): ‘any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected’ (European Commission 2012a, Article 14).

The Parliament’s Consolidated version adds further categories of information to this list:

14(1)(ga): ‘where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject’.

14(1)(gb): ‘meaningful information about the logic involved in any automated Processing’.

14(1)(ha): ‘where applicable, information whether personal data was provided to public authorities during the last consecutive 12-month period’.

The Council further add:

14(1a)(b): ‘where the processing is based on point (f) of Article 6(1) [on the grounds of the legitimate interest of the controller], the legitimate interests pursued by the controller’.v

Consent as a legitimate ground to process sensitive data is not new in the Regulation. The same possibility existed in the Directive under Article 8(2)(a). Accordingly, it is legitimate to consider European level interpretation on conditions of consent in the Directive as having continued relevance in understanding similar conditions in the Regulation. Of particular importance is the guidance on consent provided by the Article 29 Data Protection Working Party (2011). They suggest further categories of information which must be provided. In particular, they state: ‘[consent] includes notably which data are being processed’ (Article 29 Data Protection Working Party 2011, p 17).w The Article 29 Working Party also state that consent ‘should refer clearly and precisely to the scope and consequences of processing’ (Article 29 Data Protection Working Party 2011, p 17). The clarity of scope of processing is not a category of information itself. It is a description for the composite of information in all other relevant categories. This is also, to a certain extent, true for the category of ‘consequences’, although it is also possible to consider ‘consequences’ as a separate category in its own right. Known risks or benefits ought to be communicated to the data subject.x

How specific must information provided to the data subject be?

Defining rules, even general rules, for Kosta’s second question – how much information does the data subject need, or how specific should it be – is much more difficult. The Regulation itself is quiet on this point. The core problem in this regard is that specificity of information can only really be measured against a type of information in a given context. However, context cannot be the only relevant factor in the consideration of specificity of information. This would render the provisions of the Regulation meaningless.

In this regard, the Article 29 Working Party have attempted to provide guidance which may be relevant across contexts.y They suggest that the specificity of information should depend on how complex processing is. ‘The more complex data processing is, the more can be expected from the data controller. The more difficult it becomes for an average citizen to oversee and understand all the elements of the data processing, the larger the efforts should become for the data controller to demonstrate that information was provided based on specific…information’ (Article 29 Data Protection Working Party 2011, p 20).

The Article 29 Working Party does not mention the potential rights impact of processing as relevant to the specificity of information. However, the aim of consent is to provide legitimacy for an action which would otherwise infringe an individual’s rights. Accordingly, Dammaan and Simitis interpret the level of specificity of information required as also being dependant on the potential impact on the rights of the data subject (Dammann and Simitis 1997, p 115).

Defining the complexity of biobank processing is difficult. There is little jurisprudential indication as to what aspects of processing need to be taken into account when evaluating complexity. However, the authors feel that there is a strong argument to suggest that biobanking processing should be regarded as comparatively complex. First, the processing is done on a unique form of data – genetic data. Second, the framework used to interpret this data is equally unique – comprising of a complex and esoteric science. In this regard, studies have shown the comprehension of the public of the specificity of genetic data, and the processing of genetic data, as quite limited (Lanie et al. 2004). Third, in an open consent model, the networks through which data will travel are multifaceted. In turn, there is no given limit as to how often a genetic sample/data can be used (although limits may be implicit in the physical quantity of sample collected and in how it is used) nor to how many researchers can apply to use it. Fourth, each of these researchers may be processing the data with different goals in mind and thus process the genetic data to reveal different types of information about the data subject. Accordingly, there is no set limit on how much, or which type of information, might be eventually extracted from initially collected material. Finally, there are only a very limited number of situations in which an individual might have their genetic data processed, and almost no situations in which the individual might have so much genetic data processed. This renders the processing taking place in the biobanking context highly unusual. Accordingly, it is unlikely that many people will have much experience, or a solid frame of reference, through which to interpret and evaluate such processing.

Consideration of the potential impact on the data subject’s rights through processing is a little easier. Here, there are normative reference points which clarify that the processing of genetic data represents a high risk to the rights of the individual. The Regulation – in Article 9 – provides normative clarification of the sensitivity of genetic data, whilst other authoritative legal sources go one step further and suggest that genetic data is data of ‘unique’ sensitivity. For example, the Article 29 consider genetic data as exhibiting characteristics which make it particularly sensitive (Article 29 Data Protection Working Party 2004a, pp 4–5). Equally, In the Marper case, for example, the ECtHR specifically recognized genetic data as ‘intrinsically private’ and gave a number of reasons for genetic data’s specific sensitivity. (S. and Marper v United Kingdom, European Court of Human Rights 2008, § 104).

The above only provides rough guidance. It does not describe the precise level of specificity of the information which must be given by the biobank. However, such guidelines do provide indicators which can be considered comparatively. If it is accepted that biobank processing is both complex, and involves the processing of data of a highly private quality, it is logical to consider that the level of specificity of information required from the biobank ought to be comparatively high in relation to other processing situations. Accordingly, jurisprudence relevant to processing situations with similar, or lower, specificity thresholds can be used to provide relevant points of comparison.

With regard to these framework conditions, the authors see problems for biobanks to provide the relevant specificity of information under an open consent procedure in relation to at least four categories of information; purpose, recipients, third country transfers, type of data and consequences of processing.z

Purpose

Under Article 14(1)(b)aa, the biobank has the obligation to provide the data subject with information as to ‘the purposes of the processing for which the data are intended’ (European Commission 2012a, Article 14(1)(b)).

It is clear that blanket consent is prohibited (requesting consent to all future processing purposes). ‘Open consent’, however, is clearly not ‘blanket consent’. The scope of open consent is not to seek justification for every possible future use of data, but to seek justification for the future use of personal data in research. The UK Biobank, in this regard states: ‘Information and samples from UK Biobank participants will be available only to researchers’ (UK Biobank 2010).

However, simply as a biobank can elaborate a broad purpose of ‘research’, and does not seek ‘blanket consent’ does not mean it has adequately fulfilled its obligations under 14(1)(b). ‘Research’ is not a monolithic description of purpose. In fact, it can be better described as ‘sectoral’ description of purpose (Nomper 2005, pp 172–174). Chapter IX of the Regulation elaborates specific rules for certain forms of data processing. Amongst these situations in the Commission’s version, for example, are health (Article 81), employment (Article 82) and research (Article 83) (European Commission 2012a, Articles 81, 82, 83). ‘Research’ can be further subdivided, along a number of axes, into many sub-categories – for example, aids research, cancer research, stem cell research. Each of these categories could be further sub-divided, and so on.

Unfortunately for biobanks, available guidance related to the specificity of purpose in processing suggests that information only outlining a ‘sectoral’ purpose is insufficient. First, such guidance is available in relation to the concept of ‘purpose limitation’. The concept of ‘purpose limitation’ operates to set limiting conditions on the scope of processing. It is one of the general principles of data processing laid down in Article 5 of the Regulation and is applicable to all processing situations.bb Although it does not directly clarify the conditions of consent, the concept of ‘purpose limitation’ in Article 5 and the concept of ‘purpose specificity’ in relation to 9(2)(a) are tightly linked (Article 29 Data Protection Working Party 2013, pp 13–14). Guidance related to one can act as a guideline as to how to interpret the other. In this regard, the Article 29 Working Party have stated that ‘[v]ague or general purposes such as ‘improving users’ experience’, ‘marketing’, ‘IT-security’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’ [emphasis added] (Schulte in den Bäumen et al. 2010, p 52). Second, there is relevant guidance directly related to the conditions of consent. Of particular relevance in the case of biobanking, is the exemplary guidance on consent and Electronic Health Records (Article 29 Data Protection Working Party 2007b). This is particularly relevant as it refers to a situation in which data classified as ‘sensitive’ by the Regulation are processed. The Article 29 Working Party state that: ‘consent must relate to a well-defined, concrete situation in which the processing of medical data is envisaged (Article 29 Data Protection Working Party 2007b, p 9). Therefore a ‘general agreement’ of the data subject e.g. to the collection of his medical data for an EHR and to subsequent transfers of these medical data of the past and of the future to health professionals involved in treatment would not constitute consent’.

Future recipients of data

Article 14(f)cc requires the biobank to provide the subject with information as to ‘the recipients or categories of recipients of personal data’. (European Commission 2012a, Article 14(f)).

It is clear that the biobank cannot list, at the moment of consent, the precise set of future recipients. Only after open consent has been given will researchers, and research projects, begin to apply to use the material. However, the biobank can offer information as to ‘the categories of recipients’. As the purpose is ‘research’, the recipients of samples can be described under the category of ‘researchers’. The UK biobank does precisely this when stating that ‘Information and samples from UK Biobank participants will be available only to researchers’ (UK Biobank 2010, p 8).dd

The category ‘researchers’ is, however, very broad. The category of ‘researchers’ could consist of a number of subdivisions – researchers at institution X, researchers in project Y cancer researchers, stem cell researchers etc. Once again, each of these categories could be subdivided, and so on. The question is thus the same as the question that arose in relation to purpose. Can we say that the category ‘researchers’ is sufficiently specific?

The Article 29 Working party opinion on Electronic Health Records provides an indication that it is not. The opinion states: ‘a ‘general agreement’ of the data subject e.g. to the collection of his medical data for an EHR and to subsequent transfers of these medical data…to health professionals…would not constitute consent’ (Article 29 Data Protection Working Party 2007b, p 9). In this example, there is reference to a broad category of recipients – ‘health professionals’ – as part of reason for the failure of consent. From the example it is not conclusive that consent would fail solely due to the breadth of class of recipient. However, in combination with a lack of specificity of purpose, the consent certainly fails.

In another example, the Article 29 Working Party considers the example of passing personal data to third parties for the purposes of direct marketing. They suggest that if user consent is obtained, then data – for example e-mail addresses – may be given to undefined third parties in the future (Article 29 Data Protection Working Party 2007b). This has been used as an argument to suggest that the data subject could consent to the passing of their data to a broad category of undefined future recipients. This would open the door to the biobanks to rely on ‘researchers’ as a category of sufficient precision (Nomper 2005, pp 172–174). However, this analysis is only partially correct. In their Opinion, the Working Party go on to state that, even if the future recipients of data are not specified, ‘the information provided to the data subject should then indicate the purpose(s), the goods and services…for which those parties would send e-mails’ (Article 29 Data Protection Working Party 2004b, p 5). Accordingly, a consent suggesting the passing of personal data to a group of future, undefined, recipients, could only be regarded as legitimate if the purpose for which these recipients would be allowed to process data were specific. As above, this is not possible for the biobank to do.

Third country transfers

Article 14(1)(g)ee of the Commission’s version requires the biobank to provide the data subject with information as to ‘the plans of the controller to transfer data to third countries, which countries and the details as to the adequacy of these countries’ data protection arrangements’ (European Commission 2012a, Article 14(1)(g)). The Parliament’s version adds that reference to other mechanisms allowing cross-border data transfer would also suffice. Interestingly, the Council’s version removes the obligation to provide information on the adequacy of standards of protection in the third country.

Of course, provision of information in this category is not necessarily problematic for an open consent procedure. The requirement to provide information in this category only becomes relevant when transfer of samples or data is envisaged to third countries outside the EU. This means that any EU biobank operating open consent procedures, planning only to provide samples and data to domestic or European researchers, and to prohibit these researchers from further circulating this data to third countries outside the EU, need not worry about this requirement.

However, large scale biobanks, and the research communities they serve, are becoming more international. It is questionable whether such biobanks will operate domestically in reality. The larger the biobank becomes, the more likely this is to be the case. The Geenivaramu supports projects from around the world as does the UK Biobank. The UK biobank explicitly states ‘bona fide researchers working in countries around the world will be able to apply to use the resource’ http://www.ukbiobank.ac.uk/all-faqs/ (last consulted 27.11.2013). In its consent materials the data subject is simply informed, in a broad fashion, that data may be transferred to third countries in the context of future use (UK Biobank 2010, p 8).

Open consent procedures are in place precisely as it is not desirable, at the time of collection, to state recipients of data. If it is not possible to list applicants or recipients of data in advance, then it is equally impossible to list the countries of origin of those recipients. This is problematic under every version of the Regulation.

Needless to say, if the countries cannot be named, then the level of protection (or any relevant adequacy agreements) cannot be named either. This is difficult to reconcile with Article 14(1)(g) of the Commission and Parliament texts. The Council version would seem to be a little more conducive here as it does not mention information as to adequate protection. Nevertheless, jurisprudence on cross-border data transfers from the Article 29 Working Party – which would still be applicable even in the case the Council’s wording was adopted – states; ‘the data controller must be able to prove in all cases that, firstly, he has obtained the consent of each data subject and, secondly, that this consent was given on the basis of sufficiently precise information, including information on the lack of protection in the third country’ (Article 29 Data Protection Working Party 2005, p 5).

Data collected

At the moment of collection, the biobank must give the subject a specific description of the data to be processed. Some data processed by the biobank may be collected through application forms or in discussion with participants.ff This data can be regarded as ‘normal data’ – Manson refers to this as ‘communicative data’ (see section 13). It is in the form of comprehensible information and communicates limited and defined knowledge about the data subject. The biobank can be specific with regard to this data. However, the main source of biobanks’ value is in the biological samples they collect and the genetic data contained therein. The whole genome is contained in this sample. Accordingly, at the moment of collection, the biobank could be no more precise than to state: a source of genetic data, containing the whole genome, has been collected. This raises at least two questions.

First, the possession of an individual’s genome is the possession of a source of further data about the individual. A genome is extracted from DNA. DNA has four different chemical building blocks – bases. The average human genome has approximately 3 billion base pairs. The term ‘genetic data’ could refer to any number of bases, up to the complete genome. Whilst the sequenced bases themselves constitute personal data, a series of letters is largely irrelevant (unless the series can be used as a unique identifier).gg However, when the relevant interpretative frame is applied to a given set of bases, a number of individual characteristics which are seen to have a genetic basis can be analysed. There are a huge number of traits which can potentially be analysed from any given sample. These vary broadly in form, describing not only physical attributes (blue eyes), but also current, or future, medical (has condition A; does not have condition A, is P% likely to contract condition A in the future) or social status (has genetic predisposition toward social characteristic S) (Taylor 2012, pp 41–53).

The only factor serving to group these traits is their source material. Accordingly, whilst ‘genetic data’ is listed as a category of data in the Regulation, the authors do not regard this as a useful, or specific, description of data which has been collected. By claiming that ‘genetic data’ had been collected, a biobank would be doing nothing more than referencing source material. This seems very difficult to reconcile with the obligation to give specific descriptions of data which had been collected and were to be processed.

Second, the content and amount of information capable of being extracted from the genome at any given time, is dependent on the state of genetic science at that time. Accordingly, developments in genetic science will expand the content and form of information about the individual which can be extracted from the sample.

It could be argued that future uncertainty is inherent in all transactions, data based or otherwise, consent based or otherwise. However the significance of the future potential of genetic data has received specific legal recognition. The ECtHR observes this feature of genetic data as integral to its sensitivity and its interaction with individual rights. The court states: ‘Indeed, bearing in mind the rapid pace of developments in the field of genetics and information technology, the Court cannot discount the possibility that in the future the private-life interests bound up with genetic information may be adversely affected in novel ways or in a manner which cannot be anticipated with precision today’ (S. and Marper v United Kingdom, European Court of Human Rights 2008, § 71). Accordingly, this is a feature of genetic data which demands serious consideration in any processing context.

Open consent would allow the continued processing of data into the future, regardless of changes in genetic science. The UK Biobank state: ‘during follow-up over the next few decades, your stored samples will be analysed for approved health-related research’ (UK Biobank 2010, p 3). For consent to provide legitimation to process data, this consent must be based on accurate information. For consent to continue to provide legitimation over time, the information on which it was based must remain accurate. Accordingly, there will be some point at which the science behind processing has so materially changed data which can be extracted from the sample, that the initial consent cannot be held to be valid – if it ever was.hh

The above analysis paints a negative picture for open consent. Under the conditions laid out in the Regulation, open consent looks unlikely to succeed.

However, this is not the end of the road for open consent. Before it can be concluded that open consent is incompatible with data protection law, a further set of arguments must be considered. Proponents of the open consent process have suggested that there are mechanisms in data protection law which may serve to relax the problematic informational obligations outlined in sections 6 to 9. This set of arguments can be related to a third question Kosta asks: ‘to what extent [do] the informational rights of the data subject or obligations of the data controller…influence the information that should be provided’ (Kosta 2011, p 176).

Two arguments in particular have been put forward. First, that the expectations of the data subject can serve to relax informational obligations. Second, that the other protections provided by biobanks can serve as a substitute for the provision of specific information.

Do the expectations of the data subject serve to relax conditions of consent?

This first argument suggests that the data subject has the right to alter the relevant rules on consent. Thus, should the data subject have a certain reasonable expectation of processing which will occur, the data subject has the right to enter into this transaction despite the legal limitations which would otherwise prohibit such a transaction. So, the data subject could allow open consent, even though it may violate the conditions laid down by the Regulation.

Although the idea that the data subject could alter the requisite informational obligations finds no expression in the Regulation itself, it does finds some justification in data protection jurisprudence. The Article 29 Working Party clearly states that the ‘granularity’ – a word often used when referring to specificity – of a given consent should be ‘based on the reasonable expectations of the parties’ (Article 29 Data Protection Working Party 2011, p 17). However, the extent to which conditions can be changed on the grounds of ‘reasonable expectations’ is unsure. The Article 29 working party foresees the expectations of the parties as only one factor relevant in determining the informational obligations of consent – the other half being the objective criteria laid out in sections 4 and 5, above.

In the opinion of the authors, it seems unlikely that the expectations of the parties was ever meant to function as the sole, or main, principle in deciding the relevance of statutory informational obligations in a given situation. This would have the effect of rendering the obligations and conditions laid out in the Regulation, and elsewhere, meaningless. Allowing open consent on the basis of the desire of the data subject would go far beyond taking the data subject’s expectations into account. It would constitute granting the data subject the right to remove statutory conditions on consent.

Do safeguards serve to relax conditions of consent?

As well as obtaining consent to process data, biobanks may employ a number of other ‘buffer safeguards’ which aim at avoiding privacy harms to the individual. These include technical measures, such as data security systems, pseudonymisation and anonymisation of data. They also include organizational approaches. For example, governance systems – including ethics committees – which take data subject’s rights into account when deciding on biobank activity. The argument follows that the presence of such ‘buffer safeguards’ should allow the relaxation of the informational conditions on the initial consent.

Generally speaking, the reduction of risk through technical or organizational measures is well recognized in data protection law. Indeed, risk reduction measures can be relied on as grounds to reduce other obligations in data protection law. For example, anonymisation of data voids the applicability of data protection law. Indeed, the Article 29 Working Party suggests, in relation to pseudonymized data, that ‘the risks at stake for the individuals with regard to the processing of such indirectly identifiable information will most often be low, so that the application of [data protection] rules will justifiably be more flexible than if information on directly identifiable individuals were processed (Article 29 Data Protection Working Party 2007a, p 18).

However, how risk reduction interacts with the requirements for legitimate consent in the Regulation is uncertain. There is clearly some connection. For example, sensitive data represent a greater risk, and therefore it more specific information should be provided be the data controller. Nevertheless, there is little in the current law to support the argument that buffer safeguards should serve to reduce relevant consent requirements.

Formally, there is no reference in the Articles referring to the conditions of consent, nor in Article 14, to a reduced standard of obligation based on risk reduction mechanisms being in place.ii In turn, the authors know of no relevant jurisprudence defining how, or how far, such risk reduction approaches can function to change the relevant conditions of consent. Finally, certain risk reduction mechanisms are statutorily obligated in all processing contexts anyway. For example, in Article 30, the Regulation lays out the conditions on privacy by design. The controller is obligated to institute ‘organizational and technical measures’…‘proportionate to the risks [of processing]’ (European Commission 2012a, Article 30). It is difficult to see why, without specific mention, that the presence of such mechanisms should ever allow a relaxation of other statutory obligations – for example those on consent.

Even if one accepts arguments that risk reduction approaches could reduce the relevant standard of information required, it is not clear that they would always be applicable in the biobanking context. There is doubt as to how effective certain risk reduction approaches can be in the biobanking context. In section 2, we have already discussed our skepticism at the idea of anonymisation and pseudonymisation in genetic data and in biobanking. Lunshof et al. generally suggest that claims as to the effectiveness technical approaches to risk reduction procedures in large scale biobanks may be greatly exaggerated (Lunshof et al. 2008, pp 4–6). Nor are the authors convinced that governance systems, such as ethics committees, can be truly regarded as risk reduction mechanisms. Governance systems are essentially oversight and proportionality mechanisms. In this regard such mechanisms take decisions as to whether processing is justified without the individual’s involvement. Proportionality mechanisms, may, but do not necessarily, reduce overall risk for the individual (Petrini 2010, pp 217–220).

Lex ferenda – a change of consent conditions for biobanks?

The analysis above concludes that open consent cannot meet the standards demanded by the Regulation.

However, the problematic informational obligations are not rights, which prima facie need to be protected. They emerged from the legislative process. They are results of political consideration as to the function of the consent, and the need to balance rights and interests involved in each consent transaction.

The authors would argue that there are a number of features of the biobanking context, and of genetic data, which do not fit the assumptions made in the legislative process. Accordingly, the reasoning behind the approach to, and strictness of, the conditions laid out in the Regulation, may not be relevant to biobanking. In turn, there is ground for the political reconsideration of the conditions relevant to consent in biobanking.

Two arguments are put forward: First, that the specificity threshold has been set in relation to a different context, and set of rights and interests, than those prevalent in biobanking. Second, that the approach taken to consent in the Regulation is poorly applicable to any instance in which a genetic sample, or genetic data, is processed.

De lege ferenda, such argumentation supports a call for a debate on biobank specific consent conditions. The elaboration of such sector specific rules is not only feasible, it is encouraged under the Regulation. Indeed, one of the main driving factors for data protection reform was that the Directive lacked the flexibility to deal with novel processing situations.

In terms of legal procedure, there are a number of ways such a set of rules could be brought into existence. The Regulation is still before the Council and changes can still be made as part of the normal legislative process. Equally, the Regulation conceives of a number of mechanisms for interpretation and adaptation to specific, or novel, processing scenarios – for example the consistency mechanism laid out in Chapter VII and the establishment of the European Data Protection Board. Finally, in the original version of the Regulation, the Commission was given the power, under Article 9(3) to; ‘further [specify] the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2 [of Article 9]’ (European Commission 2012a). The European Data Protection Board is granted a similar power in the Parliament’s Consolidated Version.

Where does the regulation’s concept of ‘specific and informed’ come from: does this remain relevant to biobanking?

In relation to the underlying rights data protection law seeks to protect, the original position is that the data subject has the right to informational self-determination. Without justification, this right should not be limited. In essence, the data subject has ‘the right to take a risk’ and to do whatever they want with their data regardless of uncertainty or potential future risk (Schulte in den Bäumen et al. 2010, pp 39–40; Taupitz & Weigel 2012, pp 265–266). This is exemplified by Article 9(2)(e) which allows the possibility for the data subject to ‘manifestly’ make their data public. The data subject thus has the ability to publicly release their genetic code and all information which the biobank would collect in an open consent procedure. A far more intransparent and risky act.

Consent, however, is a transaction between two parties which allows one party to engage in an action which would otherwise be prohibited. In this regard, it is the manifestation of the right to informational self-determination in the Regulation. A central condition for all consent transactions is that the parties transact on the basis of relevant knowledge and understanding (Beyleveld & Brownsword 2007, pp 145–146). This is the rationale behind the obligation to obtain ‘specific and informed’ consent.

There are two general reasons legislators choose to specify more precise statutory conditions relating to informational criteria in consent transactions. First, these may be necessary to provide a standard framework in which a transaction can take place – a set of rules for a legitimate interaction. Second, they may be necessary to correct for imbalance in the context in which consent takes place. In particular, they may be needed to correct for the danger that that the consent mechanism allows one party to unfairly profit at the expense of the other. In the context of the Regulation, the informational obligations related to ‘specific and informed’ consent are tightly tied to this second justification. In particular, the data subject is seen as a vulnerable party in need to protection.

However, the setting of legislative standards on relevant knowledge and information, must also be considered in the light of the trade off it entails. On the one hand, the more information that must be provided to the data subject, the more ‘informed’ that data subject might be. On the other hand, the harder it will be for any party to fulfil the requirements of a legitimate consent, and the more limited the scope of actions permissible under consent will be – eventually limiting the data subject’s choice, and right to informational self-determination, as well.

In the legislative discussions leading to the drafting of the Regulation, there was a focus on consent, and on the conditions of consent (European Commission 2012b). Such discussions predominantly revolved around the online context – particularly social networks. Of course, this is not the only area covered by the Regulation. However, its prevalence in the legislative discussion is indicative of the perception of the relevant context and interests. Certain important features of the discussion of the online environment stand out as significant. First, the interests of the parties involved in typical data processing activities online – for example social networking or e-commerce – can be expressed in adversarial terms. As personal data form the basis for the business models of many companies, the right to privacy of the data subject may be in direct opposition to the economic interest of the data controller. Second, when personal data are processed in an online environment, they often have value in so far as they can be used, whether directly or indirectly, to leverage benefit against the data subject (or a group of data subjects) (Manson & O’Neill 2008, pp 115–119). Finally, there was much discussion as to the intransparency of the online environment, and how this made it difficult for the data subject to understand what they were consenting to.

In relation to the above, certain conclusions can be drawn as to the concept of uncertainty in consent in the mind of the legislator. First, a lack of information – uncertainty – is to the disadvantage of the data subject as it provides the space for data controller to leverage advantage. Second, uncertainty on the part of the data subject may not imply uncertainty on the part of the data controller. In this case, uncertainty is not neutral, but obscures a power/information imbalance – facebook may have all the relevant information about the context in which it will process, it is unlikely that the data subject has this same information. In turn, this has a substantive bearing on the ability of the data subject to understand the processing and to understand its consequences. Accordingly, the desire of the legislator to protect the data subject uncertainty is understandable. The trade-off in this case shifts toward stricter informational requirements as a response to the dangers of uncertainty, albeit at the expense of informational self-determination.

The biobanking context is rather different. First, the two interests which are directly at stake in biobanking are the privacy of the individual, and the public interest in medical research. There is not the same type of adversarial relationship which exists between these interests as exists in the online context.jj Indeed, given that participants’ trust in researchers, and scientific research in general, is central to effective research, one might even talk of a confluence of interests. Laurie states: ‘this…does not seek to set interest against interest but seeks to bring about a confluence of public and private interests. In this sense it is a unique construct’ (Laurie 2002, pp 165–167). Second, data processing done in biobanking is not aimed at any individual, nor is it done with any intention to have any effect on an individual. In fact, the individual is only relevant as a point of administrative reference – character, identity and personality are irrelevant. The product is impersonal and undirected scientific knowledge (Manson & O’Neill 2008, pp 115–119).

In an open consent procedure, uncertainty might thus be viewed rather differently. First, the lack of information is not necessarily to the disadvantage of the data subject, as it is unlikely to be used to leverage advantage against the data subject. Second – provided that the transaction is governed by truth and transparency – the lack of information does not serve to obscure a relevant power/information imbalance. In turn, the lack of information does not prevent the data subject from making a choice, having been given all current, available and relevant information about the proposed processing. In this reading, there is far less reason to protect the data subject through restrictive informational obligations. Accordingly, one might argue that the trade-off should slide the other way – toward looser informational obligations and a more permissive approach to allowing the data subject to decide what happens to their data.

However, this is not the end of the debate. Whilst it is true that the conflict of interests is qualitatively different in the biobanking context and the online context, this does not automatically mean open consent is legitimate.

First, there are other regulatory spheres in which open consent has received much attention; in particular, in relation to the law (and ethics) on biomedical research. There is still no consensus in this area about the legitimacy of open consent.

Second, there are a series of considerations which are specific to genetics and genomics which extend beyond the particular relationships involved in the consent transaction. For example, genetic data are inherited and are therefore may be held in common with others – for example blood relatives. This means that the processing of other individuals’ genetic data is implied by the processing of one research subject’s genetic data. Further, genomics research raises a number of social and ethical themes – eugenics, for example, looms large. A range of arguments based on consideration of harms to other parties could be put forward as an alternative justification for limiting the scope of consent; to protect against ‘uncertainty’ and ‘possible future harm’ as such.

Finally, the above argument has only functionality in relation to some categories of information. The requirement to provide specific information on international data transfers does not rest on argumentation as to the conflict or confluence of interests between data subject and data controller. Further, even if it was concluded that the current informational obligations ought to be relaxed, the problem of the collection of genetic data would remain. Even if conditions were to be relaxed, the biobank would still be unable to give a description of the data collected.

The focus of consent, communicative data and genetic data

Manson argues that data protection law has been designed to deal with ‘communicative information’ (2009, pp18-21). The Regulation follows in this tradition. Communicative information is information which has already been arranged into a specific linguistic form, which allows transfer of certain knowledge. The knowledge in question in any data processing operation is thus perceived to be, to a large extent, a limitable and definable substance.

When designing rules regarding the scope of consent, the legislator must seek to approach the subject of consent in terms of definable, quantifiable features. To an extent, communicative data can play a role as such a feature. It is possible for a data controller to explain to the data subject the nature of the data which will be processed, and the knowledge it contains. The individual will in turn be able to conceive of the personal and social importance of the information and what processing of such knowledge might mean. Accordingly, the legislator focussed on an ‘act of processing data’ as the subject of consent, and relied on a specific description of the ‘personal data’ being processed as a definable, quantifiable feature of this ‘act’.

Biological samples, or raw genetic data, as collected by biobanks, cannot be classified as ‘communicative information’. Raw genetic material is not information which has been arranged into knowledge. It has only value for the communicative data it may reveal about the data subject in the future. A number of interpretative processes are still required to produce this. Despite its lack of imminent relevance, it potentially contains a large quantity of communicative data – a quantity which grows with scientific progress (section 9) (Article 29 Data Protection Working Party 2004a, pp 4–5).

Thus, raw genetic material is not a definable substance in terms of knowledge, and is not a substance which has a clear social or personal meaning. Accordingly, it is not a definable, quantifiable substance around which a scope of consent can be built. A data subject cannot understand the personal or social significance of an ‘act of processing’ if they do not know which data will be processed. In the same way a consumer might have difficulty in deciding on a purchase if they do not know how much the item costs.

Whilst the above observation does not necessarily support or reject open consent, it opens the door to consideration of alternative approaches to conceiving consent in relation to the processing of genetic data. Certain such approaches may not prove so obstructive to open consent.

Consenting to a specific ‘act’ is only one approach to the subject of consent. Beyleveld and Brownsword observe that ‘the paradigm of private empowerment involves an agent freely and with relevant knowledge consenting to the creation of a new relationship. The change of relationship might involve something as simple as a gift or a promise or the consent might signal a willingness to be bound by the rules of a game or the outcome of a voting process (Beyleveld & Brownsword 2007, pp 145–146).’ In the biobanking context, it has been suggested that, rather than focus on a specific ‘act’, the consent should be to a set of governance and decision making systems – the research/data subject submits to the ‘rules of the game’ (Nomper 2005, pp 83). As far as the authors are aware, there has been little consideration of the compatibility of data protection law with the possibility to provide ‘procedural consent’. Certainly, this seems an unlikely candidate for general application. On the other hand, there is no reason to believe that a procedural approach to consent – limited to the biobanking context and with the correct amount of careful deliberation and transparency – would necessarily be prejudicial to the data subject. Eventually, the focus on ‘data’ and the ‘act of processing’ are simply useful tools for approaching the interaction between consent, data processing and underlying rights. If the focus were to move from the act of processing to the decision making mechanisms defining whether processing occurs, there may be less obstruction to open consent, as the same decision making mechanisms would remain the same regardless of the proposed use, and therefore the consent would remain valid across use purposes.