Harmonising the human biobanking consent process: an Irish experience

Biobanks are repositories of human biological samples and data. They are an important component of clinical research in many disease areas and often represent the first step toward innovative treatments. For biobanks to operate, researchers need human participants to give their samples and associated health data. In Ireland, research participants must provide their freely given informed consent for their samples and data to be taken and used for research purposes. Biobank staff are responsible for communicating the relevant information to participants prior to obtaining their consent, and this communication process is supported by the Participant Information Leaflets and Informed Consent Form (PI/ICFs). PILs/ICFs should be concise, intelligible, and contain relevant information. While not a substitute for layperson and research staff discussions, PILs and ICFs ensure that a layperson has enough information to make an informed choice to participate or not. However, PILs/ICFs are often lengthy, contain technical language and can be complicated and onerous for a layperson to read. The introduction of the General Data Protection Regulation and the related Irish Health Research Regulation presented additional challenges to the Irish biobank community. In May 2019, the National Biobanking Working Group (NBWG) was established in Ireland. It consists of members from diverse research backgrounds located in universities, hospitals and research centres across Ireland and a public/patient partner. The NBWG aimed to develop a suite of resources for health research biobanks via robust and meaningful patient engagement, which are accessible, General Data Protection Regulation/Health Research Regulation-compliant and could be used nationally, including a PIL/ICF template. This open letter describes the process whereby this national biobank PIL/ICF template was produced. The development of this template included review by the Patient Voice in Cancer Research, led by Professor Amanda McCann at University College Dublin and the Health Research Data Protection Network.

Data protection rules applicable to Financial Intelligence Units: still no clarity in sight

Financial information can play a key role in tackling money laundering, terrorist financing and combatting serious crime more generally. Preventing and fighting money laundering and the financing of terrorism were top priorities of the European Union’s (EU) Security Strategy for 2020-2025, which might explain the fast developments regarding legislative measures to further regulate anti-money laundering (AML) and counter terrorism financing (CTF). In May 2020, the European Commission put forward an Action Plan to establish a Union policy on combatting money laundering and shortly afterwards, proposed a new AML Package.Financial Intelligence Units (FIUs) play a crucial role in analysing and exchanging information concerning unusual and suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities (LEAs). Such information includes personal data, which is protected under the EU data protection acquis. The latter is constituted of two main laws, the General Data Protection Regulation (GDPR), which applies to general processing and the so-called Law Enforcement Directive (LED) that is applicable when competent law enforcement authorities process personal data for law enforcement purposes.This Article argues that the current legal framework on AML and CTF legislation is unclear on the data protection regime that applies to the processing of personal data by FIUs and that the proposed AML Package does little or nothing to clarify this dilemma. In order to contribute to the discussion on the applicable data protection framework for FIUs, the assessment puts forward arguments for and against the application of the LED to such processing, taking into account the relevant legal texts on AML and data protection.

USE OF PASSENGER LOCATION CARDS IN THE ERA OF THE COVID-19 PANDEMIC, AND THE PROCESSING OF PERSONAL DATA OF AIR PASSENGERS

Purpose. The aim of the article is to analyse the processing of personal data of air passengers during the SARS-CoV-2 pandemic in the context of doubts that have arisen in connection with the need for these passengers to provide their personal data as part of filling out the Passenger Location Card questionnaire. Method. The research method used in this study is case study. Findings. In the study, it was showed that firstly, the data of air passengers processed in relation to the application of the Passenger Location Card by the State Border Sanitary Inspectorate in Warsaw should be protected under the provisions of the General Regulation on the protection of personal data. Furthermore, their controller, i.e. the State Border Sanitary Inspectorate in Warsaw, did not fulfil its obligations in this regard. This, in effect, justifies the conclusion that the processing process not in accordance with the law on the protection of personal data. Research and conclusions limitations. The analysis concerned only passengers of aircrafts arriving and/or departing from airports located on the territory of the Republic of Poland. Practical implications. The analysis carried out in this study may provide a solution to the issues that have arisen in the public sector with regard to the processing of personal data collected from air passengers on the basis of the Passenger Location Card questionnaire and thus, the conclusions may prove useful for data controllers who should be aware of such problems, but also for air travellers as data subjects who should be protected by the General Data Protection Regulation and their rights in this regard. Originality. This analysis, if only for the reason that it is an analysis of a problem that has come to light relatively recently (March 2020), has so far, only been the subject of consideration in press articles.

A Weaponized Court of Justice in Schrems II

The U.S.-EU conflict over the application of the General Data Protection Regulation (GDPR) to U.S.-based digital platform companies is marked by a startling legal development: the insertion of a constitutional court squarely into the heart of the dispute. The engagement of the EU’s top court - the Court of Justice (CJEU) - in the Schrems I and Schrems II cases - has significantly inflamed the dispute. The CJEU has now twice struck down GDPR accommodations reached between the United States and the European Union. In doing so, the Court has rebuked both U.S. and EU officials. By transfiguring provisions of the GDPR with constitutional (that is, treaty-based) and human rights values, the Court has placed out of reach any accommodation that does not involve significant reform of U.S. privacy and national security provisions. Heated trans-Atlantic disputes involving assertions of extraterritorial extensions of regulatory power is an inappropriate place for a constitutional court like the CJEU to throw its declarative weight around.

Capturing the Basics of the GDPR in a Well-Founded Legal Domain Modular Ontology

The primary goal of the General Data Protection Regulation (GDPR) is to regulate the rights and duties of citizens and organizations over personal data protection. Implementing the GDPR is recently gaining much importance for legal reasoning and compliance checking purposes. In this work, we aim to capture the basics of GDPR in a well-founded legal domain modular ontology named OPPD (Ontology for the Protection of Personal Data). Ontology-Driven Conceptual Modeling (ODCM), ontology layering, modularization, and reuse processes are applied. These processes aim to support the ontology engineer in overcoming the complexity of the legal knowledge and developing an ontology model faithful to reality. ODCM is used for grounding OPPD in the Unified Foundational Ontology (UFO). Ontology modularization and layering aim to simplify the ontology building process. Ontology reuse focuses on selecting and reusing Conceptual Ontology Patterns (COPs) from UFO and the legal core ontology UFO-L. OPPD intends to overcome the lack of a representation of legal procedures that most ontologies encountered. The potential use of OPPD is proposed to formalize the GDPR rules by combining ontological reasoning and Logic Programming.