Sage Journals: Discover world-class research

Abstract

Before the EU General Data Protection Regulation entered into force in May 2018, we witnessed an intense struggle of actors associated with data-dependent fields of science, in particular health-related academia and biobanks striving for legal derogations for data reuse in research. These actors engaged in a similar line of argument and formed issue alliances to pool their collective power. Using descriptive coding followed by an interpretive analysis, this article investigates the argumentative repertoire of these actors and embeds the analysis in ethical debates on data sharing and biobank-related data governance. We observe efforts to perform a paradigmatic shift of the discourse around the General Data Protection Regulation-implementation away from ‘protecting data’ as key concern to ‘protecting health’ of individuals and societies at large. Instead of data protection, the key risks stressed by health researchers became potential obstacles to research. In line, exchange of information with data subjects is not a key concern in the arguments of biobank-related actors and it is assumed that patients want ‘their’ data to be used. We interpret these narratives as a ‘reaction’ to potential restrictions for data reuse and in line with a broader trend towards Big Data science, as the very idea of biobanking is conceptualized around long-term use of readily prepared data. We conclude that a sustainable implementation of biobanks needs not only to comply with the General Data Protection Regulation, but must proactively re-imagine its relation to citizens and data subjects in order to account for the various ways that science gets entangled with society.

Keywords

Big Data biobanks European Union General Data Protection Regulation governance policy analysis

Introduction

In December 2015, the Trialogue of the European Parliament, the European Commission (EC) and the Council of Europe came to an agreement on the final version of the EU General Data Protection Regulation (GDPR). The GDPR was then adopted by the Council and the Parliament; it was finally published on 4 May 2016 and has been applicable in all member states since May 2018 (EC, 2016). This is the preliminary endpoint of a long and controversial policy process, which started much earlier and went through major phases of renegotiation including many more actors.

This paper explores a specific part of this policy process, focusing on the interventions of actors associated with data-dependent fields of health-related sciences, more specifically biobanks, in the drafting of the GDPR. Between 2012 and 2015, these actors called for legal derogations for research that would allow scientists to reuse human-related data based on a one-time informed consent by donors. Such derogations were suggested by the EC in 2012, later opposed by, e.g., the European Parliament, and finally included in the GDPR. We analyse how interventions by actors from data-dependent fields of science to the GDPR negotiations (expressed in public documents such as policy briefs and open letters) aim for shifting the discourse from its key topic ‘data protection’, to a paradigmatic focus on ‘protecting the health’ of individuals and societies at large. We interpret this effort as part of an epistemic transition, where Big Data approaches are increasingly framed as necessary innovative modes for knowledge generation to serve the public good. Analysing such moments of controversy between different actors then opens a window to better understand the new role data-intensive sciences are starting to play, how this challenges the very act of data donation, but also of protection of donors, how data-subjects arise as a new category of actors and shows us the complex balancing acts between individual rights and the promise of collective benefits.

Big Data poses technical challenges not only to research but also to privacy management and research organization more generally (Lehtiniemi and Kortesniemi, 2017). Large-scale health databases cannot be understood simply as up-scaled version of previous collections of data; they generally bring together much larger and more diverse sets of information (and biological materials). This, as we will argue, calls for being attentive to not simply buying into pre-existing ethical, social and legal perspectives but to opening up and being open to new understandings and approaches (e.g. Prainsack and Buyx, 2016). Novel technologies enable the automated and quasi-autonomous collection and analysis of data across different technological domains, connecting different data collections more easily, while storage technologies allow these data to be kept for undefined lengths of time. Some scholars highlight that Big Data conflicts in important ways with individual privacy rights (Kulk and Van Loenen, 2012) because the subjects of the data are said to no longer be aware of the extent to which data are being collected and used (Mittelstadt and Floridi, 2016). Anonymization is also difficult in regard to large data collections as (for example genetic) data may affect not only the privacy rights of individuals but also the rights of whole groups for ethnic or geographic reasons (Lunshof et al., 2008). Furthermore, Big Data approaches ‘challenge established epistemologies across the sciences’ bringing about ‘new forms of empiricism that declare “the end of theory”, the creation of data-driven rather than knowledge-driven science’ (Kitchin, 2014: 1). Researchers increasingly face novel demands for data management and protection as well as for informed consent, which has reinvigorated debates about the relationship of science and society as well as about the modes of inclusion of research subjects more specifically (Starkbaum, 2018).

With the backdrop of these changes, it is not astonishing that actors from data-dependent fields of science were very active in negotiating the GDPR. In particular, actors associated with publicly funded European biobanks strived for forming a ‘discourse coalition’ (Hajer, 2009). Such a discourse coalition is made up of an ‘ensemble of particular storylines (…), the actors who employ them, and the practices through which the discourse involved exerts its power’ (Hajer, 2009: 60), and very often is issue specific. We conceptualize the aggregation of such formations of actors as a ‘policy network’, which shifts our attention to different types of (political) power relations (Marin and Mayntz, 1991). Accordingly, actors with shared system-related interests would create an alliance around a specific issue that is often not formalized but rather materialized through shared discourses and narratives. Related approaches point to epistemic communities that build on shared expertise to inform policy (Zito, 2017), or they emphasize the efforts of framing the issues at stake in order to draw our attention to how interest groups ‘strategically highlight some aspects (…) while neglecting others in order to direct collective attention to their preferred policy option’ (Klüver et al., 2015: 495).

However, in this paper, we will not focus on the actual policy impact of the issue alliance of health-related actors in the broader struggle over the GDPR, as this is hardly possible in such a complex negotiation process. Nor will we analyse the ‘assembly’ of actors as such. Rather, we reflect the argumentative repertories linked to these interventions and how they can be interpreted as an attempt to discursively shift the struggle over the use of personal data in research. We will thus start with reflecting on the governance of health-data infrastructures, more specifically looking into the emergence of (European) health-data infrastructures (following section). This is followed by a genealogy of approaches to biobank governance (subsequent section). Building on this, we will then in fourth section outline how the negotiations over the GDPR opened up a space of intervention for different actors. Finally, we will focus in on narratives performed through public documents which are central to the formation of the aforementioned issue alliance (final section).

The analysis is based on a selection of 27 documents that were collected based on desktop research and snowballing techniques. We sampled public documents that fulfil the following criteria: (1) they explicitly address the GDPR in relation to biobanking or biobank-like research (e.g. cohort studies), (2) they are authored by actors associated with data-dependent fields of science and (3) the authors are affiliated with an entity that is publicly funded (e.g. universities and associations of academics) or are part of the not-for-profit sector (e.g. patient organizations). Out of the 27 analysed documents, only one document is authored by a single institution, 17 of them by institutionalized associations and assemblies, and nine by temporal assemblies of actors, sometimes including entities from both science and patient organizations (e.g. Wellcome Trust et al., 2014). Please see Table 1 in Supplementary material for further details.

The documents were, first, coded following a descriptive approach (Saldaña, 2016), in order to inductively provide an overview on key topics. In a second step, the coded documents were analysed following an interpretive approach to research, framing these as ‘situationally embedded creations’ (Wolff, 2007: 285) produced for particular purposes and audiences. We thus reflected not only the content of the documents but also their position and the context for which they were produced: as elements of a ‘struggle over meaning’ (Braun, 2015) that display perspectives and intentions of its authors (Hammersley and Atkinson, 2007). These documents are in this sense an important source as they are both accounts of specific values and work performed by an actor and accounts for organizational activities, i.e., of how to formally intervene in such debates. We then elaborated key narratives and a greater ‘red threat’ across the 27 documents which provide the empirical basis for this article. We finally discuss how the formation of a discourse coalition, its focus on potential benefits, and the ways how patients and citizens are imagined, can be understood as a ‘reaction’ to potential restrictions for data reuse, as the very idea of biobanking is conceptualized around long-term use of readily prepared data. All this relates to efforts for performing a paradigmatic shift of the GDPR-implementation-discourse away from ‘protecting data’ to ‘protecting health’ of individuals and societies at large. While the exchange of information with data subjects is no key issue in the narratives, we argue that a sustainable implementation of biobanks needs not only to comply with the current legal framework, but must proactively re-imagine and re-conceptualize its relation to citizens and data subjects.

Health-data and biobank infrastructures

At the time of writing this article, we are witnessing multiple efforts to establish (health) data platforms for research, such as Electronic Health Record systems or biobank infrastructures, and these infrastructures seek preferably wide access to and options for the reuse of data. The European e-Health Action Plan (EC, 2012a), for example, targets (digital) data collection and new information and communication technologies as tools to provide cost-efficient and high-quality medical care and treatment across Europe. The Digital Single Market Strategy for Europe (EC, 2015) also aims at harmonizing the health sector. Simultaneously, private health-data platforms are emerging, such as direct-to-consumer genetic testing or private health management (Swan, 2013). These health-related activities have raised a critical debate in regard to issues in particular data privacy, research ethics, and commercialization.

This article specifically examines the actors associated with publically funded human biobanks (and their EU infrastructure). These types of biobanks are typically situated at single locations (e.g. a hospital or university). The banks collect, store, and process human data (e.g. blood or tissue), clinical data (e.g. heartbeats) and lifestyle data (e.g. smoking habits) for research purposes. In most cases, human bodily material is kept deep-frozen or paraffin-fixed, and data may be derived from patient groups or larger segments of populations. The sample sizes of biobanks can range from data on a few hundred donors to data collected from a million or more donors. Countless biobanks exist across Europe and worldwide.

The trend for bigger data in omics research led to the ongoing integration of European biobanks around the turn of the last millennium (Rial-Sebbag and Cambon-Thomsen, 2015). The Biobanking and Biomolecular Resources Research Infrastructure – European Research Infrastructure Consortium (BBMRI-ERIC), a major EU biomedical infrastructure, was gradually developed over the course of the last two decades and inaugurated in 2013. Its declared aim is to improve cooperation between biobanks and other partners (e.g. from policy and industry) and thus promote scientific research across Europe. In 2015, more than 500 European biobanks were part of this EU infrastructure (Starkbaum, 2018). However, biobanks also raised a number of socio-ethical and legal questions, many of them related to data privacy.

Therefore, it is not surprising that biobanks and the BBMRI-ERIC infrastructure felt quite fundamentally affected by the GDPR. Biobanks not only systematically collect large amounts of data from patients or citizens; beyond that role, their declared aim is to be able to use these data for multiple yet currently unknown research purposes. We encounter a field of ‘data-driven innovation’ (Curley and Salmelin, 2018) where different types of data are framed not only as valuable but as key elements of biomedical knowledge generation and thus become a highly politicized resource.

Supporters of a strict data protective framework aimed precisely at restricting data reuse based on a one-time informed consent (i.e. prohibiting broad or blanket consent). This challenged the core reasons why biobanks were created in the first place as well as their very epistemology. In response, various actors connected to biobanks actively engaged in negotiations over the GDPR. However, before shedding light on some of these interventions, it is essential to reflect on earlier debates on biobank governance because many issues addressed in the GDPR-related interventions of biobank-associated actors have a quite long pre-history.

Wider debates around data governance of biobanks

Regarding questions of governance, the field of biobanks experienced – and still experiences – intense ethical, social and legal debates on issues such as ownership, benefit sharing, informed consent, and data privacy (Rial-Sebbag and Cambon-Thomsen, 2015). To understand how these debates emerged and developed, it is noteworthy to look a few decades back to the wider field of biotechnology. With the rise of the Human Genome Project in the 1990s, the role of genetic data with regard to individual autonomy rights was increasingly discussed. The term genetic privacy was promoted by scholars to capture the novel challenges associated with genetic data (data that contains simultaneous information about individuals and collectives) (Lunshof et al., 2008). The leading assumption behind this term was that genetic information is different from other types of information and therefore requires specific policies: thus, specific protection against the misuse of personal genetic data was claimed. However, restrictions to data usage challenge biobanks as the very idea of collecting (human) samples and data is to provide a resource that can be repeatedly used for research in different contexts. Governance debates over biobanks have since then struggled with balancing individual autonomy and privacy rights with demands for ‘open’ research data.

The protests against the Icelandic biobank project at the beginning of this millennium allowed critics to successfully claim more autonomy and protection for individual participants in biobanks (Pálsson, 2008). The Icelandic biobank initiative was mainly criticized for relying on a presumed consent model (opt-out) and for the direct involvement of private industry partners (deCODE Genetics). This highly visible dispute promoted a heightened sensitivity for individual privacy and informed consent based on an opt-in mode in European biobanks (Starkbaum, 2018). At the same time, it led to serious limitation for researchers who were in need of available data and information.

In response, different scholars called for focusing more strongly on the (possible) research benefits of biobanks and the risks that affect wider parts of societies (e.g. genetic discrimination) rather than on individual data protection. Proponents of this new paradigm stressed that narrow informed consent models and unconditional privacy were not compatible with contemporary data regimes (Knoppers and Chadwick, 2005). Furthermore, biobanks were described as a ‘public good’ in the sense of benefiting (future) society, thus pointing to the collective benefit flowing from giving broader access to data. This paradigm shift was labelled as a ‘communitarian turn’, emphasizing more strongly ideals such as equity and solidarity. Building biobanks and using them for research was thus framed less in terms of potential privacy transgressions and more as contributions to the common or public good. In line with these developments, new modes of informed consent became dominant in expert discourses: broad and open consent models that allow the reuse of data in biobanks based on a one-time consent (Lunshof et al., 2008). Many larger biobanks, such as UK Biobank and Biobank Graz, currently practice such models and link these with sophisticated regulatory and technical measures for protecting data of unrestricted access.

This dominance of communitarian values was however opposed by scholars as undermining individual interests, such as in broad consent models, which request agreement to unknown future applications (Caulfield and Kaye, 2009). It was also emphasized that broad consent mainly authorizes and protects those who conduct research and does not enlighten research participants. Some academics therefore advocate for flexible, or dynamic, forms of consent that increase individual autonomy (Kaye et al., 2015). These types of consent are designed to give data subjects the opportunity to stay involved – to follow their data and be able to adjust the form of consent they initially provided in a context-sensitive manner.

More recent approaches to biobank governance aim to dissolve these tensions between individual and collective demands in research environments. Following the challenges of Big Data and precision medicine, Prainsack and Buyx (2016), for example, draw our attention to the importance of a solidarity-based approach to data-related issues that build on notions of communitarian values while aiming to account also for the interests of individuals. While this approach normatively embraces actual practices that constitute solidarity, and thus addresses foremost collective demands, it nevertheless emphasizes considering the needs of individuals by accounting for issues such as individual privacy demands. Erlich et al. (2014) propose a trust-based framework and criticize discourses that frame the value of data as being in opposition to the participants' privacy risks. Instead, they aim for enabling participants and researchers to benefit from data sharing by shifting the focus from privacy to trust-enabling notions such as reciprocity and transparency. These models have, however, not been translated into widespread practice so far – yet, they build on and reinforce the widely established idea of building reciprocal relationships with data subjects.

The idea of creating mutual benefits for ‘all’ stakeholders through reciprocity is not new. Titmuss (1971) explored regimes of blood transfusions in the 1970s and concluded that giving blood as an altruistic act creates reciprocity between strangers, whereas commercial usage creates non-binding relationships and less reciprocity. This view has led to debates about whether commercial and non-commercial practices can be separated so clearly (Rapport and Maggs, 2002). Nevertheless, Titmuss’ ideas have been adapted to the field of biotechnology and biobanks: Waldby (2008: 23) argues that a gift economy, as defined by Titmuss, is unrealistic as ‘at present the gift system often means that donors are simply treated as open sources of lucrative biological material’. Other scholars show that some people indeed frame their donation as a complex give-and-take relationship across time, more specifically ‘as a gift towards the welfare state that, in turn, provides proper treatment’ (Felt et al., 2009: 96). However, while participants may wish to stay (actively) involved in research projects, others may prefer to simply donate a piece of tissue without further active involvement (Tutton, 2002). All of these scenarios point to the fact that the situatedness of the act of donation, and a broader vision of where the donated data and biological materials might go, matters and needs to be considered in constructing health-data infrastructures and providing researchers access to them.

Discussions about reuse of data for research purposes based on one-time consent are thus, in the wider sense, a debate about the modes of involvement of participants. While broad consent models are designed to involve data subjects solely in the process of data collection and open up further data use for purposes not imagined at the time of donation, narrow or dynamic consent models would require the repeated involvement of those persons who have given data for research. Recent debates that surrounded the implementation of the GDPR touch exactly on these questions.

Opening up a space for negotiating the GDPR

The policy process that led to the final version of the GDPR allowed various actors to engage in a struggle over the precise content of this legal key document. This chapter sketches the major elements of the genealogy of this process and maps the larger policy network without referring to internal negotiations of larger actors such as the EU Parliament.

In reference to the increasing quantities and qualities of globally available data and the novel possibilities for retrieving and processing them, approximately a decade ago multiple voices (e.g. EU officials and NGOs) started to raise the issue of the 1995 European Data Protection Directive (95/46/EC) being outdated. As certain types of data began to be framed as crucial resources (e.g. for industry and science), concerns were expressed that the 1995 Directive might harm the European economy because it did not offer a clear EU-wide framework (Ciriani, 2015). Others pointed to the fact that online data regimes produce novel risks for EU citizens. International corporations that process large amounts of data, such as Google and Facebook, were named in debates on the GDPR and linked to fears about transnational surveillance or challenges associated with EU-US data transfer (Krystlik, 2017). These elements fostered the policy process around data protection to become quite contested.

In 2012, after lengthy consultations, the EC proposed a comprehensive reform of the current data protection rules across the EU. The EC explanatory memorandum to the proposal named legal uncertainty and public perception of risk as major reasons why a novel data protection framework was needed:

The current [legislative] framework (...) has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity. This is why it is time to build a stronger and more coherent data protection framework (...) that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities. (EC, 2012b)

The broader public was thus constructed as concerned (which is quite a general trope in EU policy documents in regard to providing justification for action) and as a major reason why policymakers had to act. It was promised that the new GDPR would provide individuals with control over their personal data, harmonize EU law, and, in the end, strengthen the economy.

However, the EU Parliament's Committee for Civil Liberties, Justice and Home Affairs (LIBE) disagreed on some major points of the proposed reform that, from their perspective, did not provide sufficient protection for European citizens. LIBE stressed the need for significant amendments to the 2012 draft version of the EC. One major source of conflict was the proposal by the Commission to grant specific derogations for data processing to scientific, statistical, and historical purposes that would allow science to reuse data for research based on a one-time informed consent. The LIBE Committee opposed these derogations and pledged for unified rules for all types of data and applications. As we will see, the subsequent struggle involved more than just these two actors.

This official EU procedure was accompanied by a vast amount of input from various actors from fields such as industry, human rights, or science with over 3000 amendments from the first draft to the final piece. Thus, many observers claim that the GDPR is one of the most heavily lobbied pieces of EU legislation in history (International Association of Privacy Professionals (IAPP), 2015; League of European Research Universities (LERU), 2016). From the first round of the proposed regulation by the EC in January 2012, it took until March 2014 to agree on an initial draft version from the EU Parliament (Townend, 2016: 137). Initiatives such as LobbyPlag¹ or Statewatch² claimed that actors from industry and civil society as well as national governments successfully influenced the content of different EC and Parliament draft versions. Topics of debate ranged from the rights extended to citizens (such as the right to be forgotten) to specific derogations for research purposes.

Stakeholders from (data-dependent fields of) science reacted most intensely to the proposals by the LIBE committee rejecting legal exceptions for data use for scientific purposes. As Jan Albrecht, Vice-Chair of the LIBE Committee, puts it: ‘Processing of sensitive data for historical, statistical and scientific research purposes is not as urgent or compelling as public health or social protection. Consequently, there is no need to introduce an exception’ (European Parliament, 2012: 24f). The Vice-Chair of the LIBE Committee therefore framed the protection of individual citizens as being more important than the interests of science, seemingly disconnecting research from public health. The proposed Article 83 of the Parliaments’ legislative resolution of March 2014 (European Parliament, 2014: 314f) thus cancelled the EC-suggested exceptions, allowing data reuse for scientific purposes based on a one-time informed consent.

In June 2015, the European Parliament, the EC and the Council of Europe started the final ‘Trialogue’ negotiations. At this time, many central elements were still up for debate (Hallinan and Friedewald, 2015), and, as the next section will show, different actors continued to intervene during these final negotiations. The Trialogue reached a compromise in December 2015, with the final text formally approved by the Parliament and the EC in April 2016. This ultimate version includes the contested derogations for statistical, historical, and scientific purposes (e.g. Article 89), allowing individuals to give a one-time consent for their data to be used for multiple scientific research projects across time, condensed by Recital 33 of the GDPR:

It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research … (EC, 2016: 6)

The response to the final version was comprehensive. Mass media declared the novel Regulation as ‘ground-breaking’ and as a ‘milestone’ as it replaced the former patchwork of national rules with a rule that was legally binding for all member states (Deutsche Presse Argentur, 2016; Gibbs, 2016). EU officials stated in early 2016 that this Regulation ‘gives citizens back control over of their personal data’ and that it aims to ‘simplify the regulatory environment’.³ However, there were also critical voices. Lawyer and privacy activist Maximilian Schrems, who had gained prominence by criticizing the Safe-Harbour Agreement between the US and the EU, called the quasi-final version agreed upon late in 2015 by the Trialogue a complicated, diplomatic text that provides derogations for individual member states and thus will not guarantee the often-claimed legal certainty (Wimmer, 2015).

Actors from science widely embraced the final version of the GDPR most notably because it includes the repeatedly called-for derogations that allow the reuse of data for statistical, historical, and scientific purposes. Immediately after the Trialogue agreement was reached, an editorial published by Nature quoted the senior project manager of BBMRI-ERIC as saying, ‘This is very positive for us – the biggest threats are over’ (Abbott, 2015: 1), a reaction in line with the hopes the data-dependent fields of science had expressed in the negotiations of the GDPR.

The biobanking agenda for the GDPR

Zooming into the biobank-related actors, we can see that between 2012 and 2015 they contributed quite actively to the struggle over the GDPR by organizing discussion events, having conversations with Members of the European Parliament (MEPs) and their staff, or by publishing position papers and open letters including quite comparable narratives. Interestingly, this group comprised not only researchers, science associations and university representatives but also patient organizations for rare diseases (e.g. Wellcome Trust et al., 2014). Considerably increasing the sample size of biobanks indeed offers novel possibilities for systematically studying diseases where data is scarce, which might explain why these actors co-constitute this issue alliance.

The interventions into the debate followed a quite similar agenda with regard to the topics identified and the lines of argument. In doing so, they widely embraced the EC's suggestions for the GDPR, in particular the derogations for data usage for scientific, historical, and statistical purposes. These actors, linked to data-dependent fields of research, were most concerned about whether the reuse of data for scientific purposes was legally possible based on a one-time consent (broad or blanket consent). In a newsletter published during the final Trialogue, the European infrastructure for biobanks, BBMRI-ERIC, called for:

… alerting EU policy-makers to the unintended but harmful effects the GDPR could have on statistical, scientific, and historical research and healthcare if strict restrictions – including a requirement for specific consent in science and health research, with only narrow exceptions – are introduced. (BBMRI-ERIC, 2015a: 5)

A collaboration of patient associations from the field of rare diseases explicitly stressed that ‘it is essential that Article 83 on processing for historical, statistical and scientific research purposes and the associated derogations that facilitate research are maintained within the Regulation’ (EURODIS, 2013: 7). Due to the limited data available for rare diseases, (biobank) research in this field depends even more on the exchange and reuse of data. Any restrictions on data usage would, in their view, result in delays to the improvement of health care and represent discrimination against patients with rare diseases.

Various actors framed data as a vital resource for science and the Parliament's rejection of data reuse for scientific purposes as a direct threat to scientific research and advances in the field of medicine. The Karolinska Institute, one of the world's most renowned medical universities, together with Stockholms Lans Landsting published an open letter that called data crucial for improving public health and a vital resource for research that benefits society and saves patients' lives (Karolinska Institute and Stockholms Lans Landsting, 2014). In this line of argument, as in many others, the reuse of data is explicitly seen as a central precondition for medical progress and public benefits. The latter were not solely seen as improvements in health care but also as links to economic aspects of society.

The Wellcome Trust, a global charitable foundation that supports research, claimed in an open letter with others that the proposed legislation of the Parliament ‘jeopardize[s] millions of Euros of investment in scientific infrastructure, including cancer registries, cohort studies and biobanks’ (Wellcome Trust et al., 2014: 1). In line with this argument, Science Europe, a Brussels-based association of 51 European national research funding and performing organizations with the declared aim of promoting the collective interests of its members, stressed in their position paper the importance of keeping open the possibilities of sharing and processing data for the sake of societal benefits:

Scientific researchers across Europe, in particular in the social sciences, medical sciences, life sciences and humanities, produce high-impact, world-leading research results with huge societal benefit, which heavily depend on sharing and processing of datasets which include personal data. (Science Europe, 2013: 3)

A position paper by BBMRI-ERIC, which involved the input of 18 National Nodes of BBMRI-ERIC and the ethical, legal, and societal experts of the internal Common Service ELSI, warned that the Parliament's versions of the Regulation ‘could seriously hamper pan-European research’ (BBMRI-ERIC, 2015b: 3) by introducing ‘overly specific consent with only a narrow exception in science and health research’ (BBMRI-ERIC, 2015b: 5). BBMRI-ERIC also emphasized that biomedical research has a ‘substantive public interest’ (BBMRI-ERIC, 2015b: 3) because it furthers knowledge about health and helps to develop new treatments and therapies. It thereby underlined the importance of access to high-quality samples and (Big) Data that could be shared across Europe. The biobank infrastructure thus named the possible negative impacts for European research:

In order to achieve reliable and reproducible results, health research depends on high quality samples and Big Data, which will often need to be shared across borders in order to achieve the best. The GDPR could greatly ease transnational health research and cross-border exchange of data to further biomedical innovation for the benefit and wellbeing for European citizens and patients. At the same time, wrongly aimed provisions could seriously hamper pan-European research as well. (BBMRI-ERIC, 2015b: 5)

When the modes of informed consent were addressed, this topic was entangled with the interests of patients and wider publics in a variety of ways. Science Europe (2013: 5) explicitly named broad consent as the standard mode in cohort studies and biobanks, which minimizes the burden on participants because there is no need to re-consent for each new study in which their data are used. BBMRI-ERIC followed a comparable argument by focusing on the interests and rights of patients. Their position paper on the GDPR framed the inclusion of data and biomaterials in biobanks and related research as a right of patients, even if the exact future research objectives cannot be defined yet (BBMRI-ERIC and ISC, 2015: 3), while it explicitly framed the need to re-consent as a burden on patients (BBMRI-ERIC, 2015b: 6). The respective BBMRI-ERIC recommendations on the GDPR – based on a discussion event in Brussels with scientists, MEPs, and other stakeholders (‘2015 Day of Action on Data for Health and Science’) – followed a similar path in stressing ‘the right to donate’:

Many patient groups say that they do not want to re-consent to each new study, having allowed the usage of their data for scientific purposes for altruistic reasons, especially those with cancer or chronic diseases. Consequently, patients should have the option to donate their data and biomaterials to biobanks and research entities without restricting their consent to a specific study. This option would allow their data to be used for biomedical research for the benefit of the donors as well as future patients. Many future research purposes are impossible to predict at the time of data collection due to constant developments and progress in science. In addition, continuous re-consent is burdensome for many patients, not least because it reminds patients of their condition. “ – the quotation would remain the same (BBMRI ERIC 2015: 2).

Protection of data and data privacy are addressed in the documents by research-related stakeholders; however, they are not as detailed as one might have expected given that ‘data protection’ is at the core of this new legislation. Beyond references to the fact that privacy instruments are already in place (LERU, 2014), issues of data protection and privacy were typically not addressed in their own right but regarded as an issue already cared for. Rather, policy makers were called to strike a balance between privacy risks of data donors on the one hand and collective research and health benefits on the other. This argument can be clearly observed in the statement of EURODIS, the European association for rare diseases: ‘It is of fundamental importance to balance privacy rights with the right to protection of health and to bear in mind the ethical value of solidarity in sharing data to provide better health to others’ (EURODIS, 2013: 7). Here, the introduction of ‘the ethical value of solidarity’ should be highlighted, emphasizing that providing data for research could also be framed as an act of solidarity and thus as contributing to a wider system of shared long-term benefits for treating rare diseases. Another balancing argument was that data are a resource that could likely ‘go to waste’ if they cannot be used for research (LERU, 2014: 1), which can be seen as referring to the trope of responsible use of resources. The metaphor of ‘the balance’ was also explicitly used by the Wellcome Trust and the co-signing institutions and researchers, alerting readers to not underestimate the benefits associated with data sharing: ‘We believe it is vital that regulation strikes a balance to protect the interests of individuals while enabling research that benefits all society’ (Wellcome Trust et al., 2014: 1). Science Europe also aligned with this argument:

Science Europe believes that the new Regulation should reconcile the protection of individual rights to privacy with the safe processing of personal data for scientific purposes. A failure to strike the right balance would have major implications for a large number of different scientific research activities across Europe and would significantly reduce capacity for innovation and competitiveness. (Science Europe, 2013: 2)

Finally, stakeholders associated with biobanks warned that the rejection of derogations for data reuse for science would seriously threaten the very idea of data-driven research:

It is therefore alarming that the proposed amendments would make much of the research involving personal data at best unworkable (by severely hampering options for collecting, using and sharing data from registries and biobanks) and at worst illegal. (Karolinska Institute and Stockholms Lans Landsting, 2014: 1)

This last quotation reveals how an all-too-restrictive data protection was framed as a threat to research more generally and how the struggle over the GDPR connected to larger questions about data, science and society.

Discussion

This paper focuses the struggle over data reuse for research purposes in the context of the GDPR. We use this moment of controversy to better understand the reordering of the research landscape due to data intensive approaches, while also needing to strive for an adequate protection of both data and data subjects. To do so we start by exploring biobank-governance debates more generally and subsequently analyse the interventions of actors associated with this field in the negotiations between 2012 and 2015 that led to the final GDPR. We observe the efforts to perform a paradigmatic shift of the discourse around the GDPR-implementation away from ‘protecting data’ as key concern to ‘protecting health’ of individuals and societies at large.

We can see this negotiation not only as an engagement in discussing the GDPR, but also as a moment when the needs of contemporary ways of doing data-intensive biomedical research were spelled out in the policy arena. While science has always relied on research data, the increasing possibilities (and promises) to create and make use of Big Data not only opens up new fields of research but also (potentially) enables ground-breaking analytical possibilities in fields such as disease prediction or personalized health. Some authors thus highlight that the epistemologies of science are shifting towards a type of science that is much more closely tied to (digital) data analytics. Kitchin (2014: 1), for example, calls ‘Big Data and new data analytics (…) disruptive innovations which are reconfiguring in many instances how research is conducted’. Biobanks and the European biobank infrastructure BBMRI-ERIC can be considered a manifestation of this new type of science.

The analysed interventions of actors associated with biobanks, reveal a clearly shared systemic interest in data reuse. This is not astonishing as with the increasing efforts of pooling data, reuse has become a foundational principle of data infrastructures such as biobanks. Through their common narratives and arguments, these actors thus emphasized the values and benefits of data-driven research. Data protection issues were then either not addressed explicitly or they were balanced against the advantages this kind of research would bring for science and societies. Practices of meeting with MEPs, organizing workshops, and writing position papers and open letters constituted the shared repertoire of arenas in which persuasion had to happen. While there was no ‘official’ bond that connected the research-related actors we encountered, the various contributions followed a similar agenda and more or less aligned in the argumentative repertoires they used. Together, this allowed the formation of a quite-powerful discourse coalition (Hajer, 2009) that gained visibility in this larger struggle over the GDPR through sharing argumentative resources. Building issue-based tacit alliances had the advantage that no overall agreement needed to be reached regarding other research related policies among these actors. In creating a shared story line about the benefits of data-driven biomedical research, they challenged other narratives across the discursive space.

As the final version of the GDPR contains the called-for derogations for reuse of (personal) data for research, statistical and historical purposes based on a one-time consent (e.g. Recital 33), it could be concluded that this coalition has achieved its mission. However, there seems to be room for interpretation: we can today observe diverging readings of the possibilities for data reuse. The Article 29 Data Protection Working Party (2018: 28), for example, recently issued a widely cited document that clearly emphasizes the importance for a well-described purpose of data use in informed consent: ‘When regarded as a whole, the GDPR cannot be interpreted to allow for a controller to navigate around the key principle of specifying purposes for which consent of the data subject is asked’. Actors associated to biobanks and its European infrastructure, such as Holub et al. (2018), claim, on the contrary, to strengthen even further the possibilities for effective reuse of biological material and data. The ways in which the GDPR will be practiced over the years to come is thus not a closed issue and will demand interpretative work.

This debate over the interpretation of the data reuse regulation actually links to a pre-existing struggle already observed in biobank governance debates around the turn of the Millennium. While the GDPR has provided some legal clarity, it has not solved nor addressed sufficiently the key problem of informed consent: that it often fails to properly engage with people involved in data transfers, which applies to both narrow and broad forms (Caulfield and Kaye, 2009). Our data indicates that the exchange of information with data subjects was not a key concern in the arguments of biobank related actors that rather highlighted the (potential) benefits of biomedical research. The involvement of data from patients and other individuals is accordingly mainly framed as ‘donation’ (BBMRI-ERIC and ISC, 2015: 2), which implies no further connection of data subjects to the research after data have been provided. Data management and data privacy measures are framed as a task of scientists and biobankers and not as a process that others should be involved in over time.

The discourse coalition also entailed a specific construction of patients. They are depicted as wanting ‘their’ data to be used while restrictions on data reuse, such as re-consenting in narrow informed consent models, are framed as a burden for them rather than as a protective or empowering element. This line of argument stands in tension with the simultaneously made arguments that build on the reciprocity between research and those who provide data (Kaye et al., 2015; Titmuss, 1971) or that underline the importance to supplement informed consent models with attempts for deliberation, participation and representation (Gould, 2019). These arguments are in line with the currently widespread claim for more inclusive forms of research, manifested in frames such as Responsible Research and Innovation (Braun and Griessler, 2018; Felt, 2018). Indeed, in our analysis, we did only examine the voices of rather institutionalized actors as spokespersons for larger sets of people – be they affected by rare diseases, biobankers, or science policy actors. While these spokespersons and their alliances were surely the most powerful agents in this negotiation process, we are reminded by Callon et al. (2009) that speaking in the name of people means silencing those represented, not allowing to voicing and addressing the differences in opinion.

The observed formation of a discourse coalition, its focus on potential benefits and the ways how patients and citizens are imagined, can be understood as a reasonable ‘reaction’ to potential restrictions for data reuse, as the very idea of biobanking is conceptualized around long-term use of readily prepared data. Legal and regulatory measures are potentially associated with higher drop-out quotes and limited data access and might thus challenge the potential ‘benefit and wellbeing for European citizens and patients’ (BBMRI-ERIC, 2015b: 5). In this line, these debates do not emphasize the exchange of information with patients and citizens, although there is a large body of literature emphasizing the importance of this (Starkbaum, 2018). Also, the very ontology of biobanks, and the vast amount of resources they demand (Caulfield, 2018), is not questioned in these debates, as biobanks align with the hegemonic trend for Big Data science and the benefits presumably outscore potential risks. While the GDPR seems to have brought a satisfactory closure to the threats perceived to data-intensive biomedical research, open issues remain. Current developments related to Big Data reconfigure the relationships of power between science – in our case bio(medical)sciences – and society (Jasanoff, 2017). Indeed, in order to make biobanks sustainable on the long-term, governance modes need not solely to comply to the GDPR, but to proactively re-imagine its relation to citizens and data subjects in order to account for the various ways that science gets entangled with society.

Footnotes

Acknowledgements

Johannes thanks Martin Boeckhout who was involved in initial ideas and a very early draft version of this article.

Declaration of conflicting interests

The author(s) declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: Johannes Starkbaum has conducted research on public perceptions of biobanks for the BBMRI initiative before it received ERIC status from the EU (2010-2013). From 2015 to 2017, Johannes was part of the Austrian node BBMRI.at and a consultant for the BBMRI ERIC Common Service for Ethic Issues. Johannes' engagement with the BBMRI initiative likely inspired the idea for this article, but it is based solely on publicly available data.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Johannes Starkbaum’s research was funded by the Institute for Advanced Studies (IHS) in Vienna, the Biobanking and Biomolecular Resources Research Infrastructure – European Research Infrastructure Consortium (BBMRI-ERIC), the Biobanking and Biomolecular Resources Research Infrastructure Austria (BBMRI.at), and the Federal Ministry of Science, Research and Economy under grant number BMWFW GZ 10.470/0016-II/3/2013.

Notes

References

Abbott

(2015) European medical research escapes stifling privacy laws. Proposed legislation had threatened the use of genomic and clinical data in medical studies. Nature News 16: 1.

Article 29 Data Protection Working Party (2018) Guidelines on consent under Regulation 2016/679. Report. Available at: https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030 (accessed 3 July 2019).

BBMRI-ERIC (2015a) Biobanks Europe Newsletter, 2. Available at: http://www.bbmri-eric.eu/wp-content/uploads/2016/07/2015_Newsletter2012_web_low_reso.pdf (accessed 4 July 2019).

BBMRI-ERIC (2015b) Position paper on the General Data Protection Regulation. Biobanking and Biomolecular Resources Research Infrastructure – European Research Infrastructure Consortium. Available at: http://www.bbmri-eric.eu/wp-content/uploads/BBMRI-ERIC-Position-Paper-General-Data-Protection-Regulation-October-2015_rev1_title.pdf (accessed 3 July 2019).

BBMRI-ERIC and ISC (2015) 16 June 2015 Day of Action‘ Data for Health and Science’. Recommendations on the General Data Protection Regulation. Biobanking and Biomolecular Resources Research Infrastructure, European Research Infrastructure Consortium (BBMRI-ERIC) and Intelligence in Science (ISC). Available at: http://old.bbmri-eric.eu/documents/10181/125935/Position+Paper+Day+of+Action+Data+for+Health+and+Science+Final.pdf/b0657365-dedc-41de-831e-14ffb4fa621b (accessed 5 July 2019).

Braun

(2015) Between representation and narration: Analysing policy frames. In: Fischer

Torgerson

Durnová

et al. (eds) Handbook of Critical Policy Studies, Cheltenham/Northampton: Edward Elgar Publishing, pp. 441–461.

Braun

Griessler

(2018) More democratic research and innovation. Journal of Science Communication 17(03): 1–7.

Callon

Lascoumes

Barthe

(2009) Acting in an Uncertain World: An Essay on Technical Democracy, Cambridge, MA: MIT Press.

Caulfield

(2018) Spinning the genome: Why science hype matters. Perspectives in Biology and Medicine 61(4): 560–571.

10.

Caulfield

Kaye

(2009) Broad consent in biobanking: Reflections on seemingly insurmountable dilemmas. Medical Law International 10: 85–100.

11.

Ciriani

(2015) The economic impact of the European Reform of Data Protection. Communications & Strategies 97: 41–58.

12.

Curley

Salmelin

(2018) Data-driven innovation. In: Curley

Salmelin

(eds) Open Innovation 2.0. Innovation, Technology, and Knowledge Management, Frankfurt am Main: Springer, pp. 123–127.

13.

Deutsche Presse Argentur (2016) Datenschützer bewerten EU-Grundverordnung als “Meilenstein”. Süddeutsche Zeitung, 21 April 2016. Available at: http://www.sueddeutsche.de/news/politik/datenschutz-datenschuetzer-bewerten-eu-grundverordnung-als-meilenstein-dpa.urn-newsml-dpa-com-20090101-160421-99-667431.

14.

Erlich

Williams

Glazer

et al. (2014) Redefining genomic privacy: Trust and empowerment. PLoS Biology 12(11): 1–5. e1001983.

15.

EURODIS (2013) Questions & Answers on the revision of the personal data protection directive: Processing and free movement of data (General Data Protection Directive). Comment from March 2013 by the alliance of patient organisations: Rare Diseases Europe. Available at: https://www.eurordis.org/sites/default/files/personal-data-protection-directive-qa.pdf (accessed 3 July 2019).

16.

European Commission (EC) (2012a) eHealth Action Plan 2012–2020 – Innovative healthcare for the 21st century. Communication from the Commission to the European Parliament, The Council, the European Economic and Social Committee and the Committee of the Regions. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012DC0736&qid=1562219133967&from=EN (accessed 3 July 2019).

17.

European Commission (EC) (2012b) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Brussels, 25 Jannuary. Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN (accessed 3 July 2019).

18.

European Commission (EC) (2015) A digital single market strategy for Europe. Communication from the Commission to the European Parliament, The Council, the European Economic and Social Committee and the Committee of the Regions. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52015DC0192&from=EN (access 3 July 2019).

19.

European Commission (EC) (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR). Official Journal of the European Union L119:1-88. Available at: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf (accessed 3 July 2019).

20.

European Parliament (2012) Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)). Committee on Civil Liberties, Justice and Home Affairs. Available at: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf (accessed 3 July 2019).

21.

European Parliament (2014) Legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P7-TA-2014-0212+0+DOC+PDF+V0//EN (accessed 3 July 2019).

22.

Felt

(2018) Responsible research and innovation. In: Gibbon

Prainsack

Hilgartner

et al. (eds) Handbook of Genomics, Health and Society, London: Routledge, pp. 108–116.

23.

Felt

Bister

Strassnig

et al. (2009) Refusing the information paradigm: Informed consent, medical research, and patient participation. Health 13(1): 87–106.

24.

Gibbs S (2016) European parliament approves tougher data privacy rules. The Guardian, 14 April. Available at: https://www.theguardian.com/technology/2016/apr/2014/european-parliament-approve-tougher-data-privacy-rules.

25.

Gould

(2019) How democracy can inform consent: Cases of the internet and bioethics. Journal of Applied Philosophy 36(2): 173–191.

26.

Hajer

(2009) Authoritative Governance. Policy Making in the Age of Mediatization, Oxford: Oxford University Press.

27.

Hallinan

Friedewald

(2015) Open consent, biobanking and data protection law: Can open consent be ‘informed’ under the forthcoming data protection regulation?. Life Sciences, Society and Policy 11(1): 1–36.

28.

Hammersley

Atkinson

(2007) Ethnography: Principles in Practice, 3rd ed. London: Routledge.

29.

Holub

Kohlmayer

Prasser

et al. (2018) Enhancing reuse of data and biological material in medical research: From FAIR to FAIR-Health. Biopreservation and Biobanking 16(2): 1–9.

30.

International Association of Privacy Professionals (IAPP) (2015) GDPR: We have agreement. Comment from 25 January 2015 by Sam Pfeifle for the International Association of Privacy Professionals. Available at: https://iapp.org/news/a/gdpr-we-have-agreement/.

31.

Jasanoff

(2017) Virtual, visible, and actionable: Data assemblages and the sightlines of justice. Big Data & Society 1–15. Available at: https://journals.sagepub.com/doi/full/10.1177/2053951717724477.

32.

Karolinska Institute and Stockholm Lans Landsting (2014) New EU Data Protection Regulation may have Major Consequences for Patients in Europe. Open letter. Available at: http://sammantradeshandlingar.sll.se/sites/sammantradeshandlingar.sll.se/files/sll/Global/Politik/Politiska-organ/Landstingsstyrelsen/Forskningsberedningen/2015/2015-03-02/punkt-04-fob.pdf.

33.

Kaye

Whitley

Lund

et al. (2015) Dynamic consent: A patient interface for twenty-first century research networks. European Journal of Human Genetics 23(2): 141–146.

34.

Kitchin

(2014) Big Data, new epistemologies and paradigm shifts. Big Data & Society 1(1): 1–12.

35.

Klüver

Mahoney

Opper

(2015) Framing in context: How interest groups employ framing to lobby the European Commission. Journal of European Public Policy 22(4): 1–19.

36.

Knoppers

Chadwick

(2005) Human genetic research: Emerging trends in ethics. Focus 4(3): 416–422.

37.

Krystlik

(2017) With GDPR, preparation is everything. Computer Fraud & Security 6 5–8.

38.

Kulk

van Loenen

(2012) Brave new open data world. International Journal of Spatial Data Infrastructures Research 7: 196–206.

39.

League of European Research Universities (LERU) (2014) The EP’s position on the General Data Protection Regulation threatens EU Research!. Policy paper by the League of European Research Universities, December. Available at: https://www.leru.org/files/2014.12.01_The-EPs-position-on-the-General-Data-Protection-Regulation-threatens-EU-Research.pdf.

40.

League of European Research Universities (LERU) (2016) The new EU General Data Protection Regulation: Why it worries universities and researchers. Policy brief 14 April 2016 by the League of European Research Universities. Available at: https://www.leru.org/files/POLICY_BRIEF_FINAL.pdf (accessed 3 July 2019).

41.

Lehtiniemi T and Kortesniemi Y (2017) Can the obstacles to privacy self-management be overcome? Exploring the consent intermediary approach. Big Data & Society 1–11. Available at: https://journals.sagepub.com/doi/full/10.1177/2053951717721935.

42.

Lunshof

Chadwick

Vorhaus

et al. (2008) From genetic privacy to open consent. Nature Review Genetics 9(5): 406–411.

43.

Marin B and Mayntz R (1991) Policy networks: Empirical evidence and theoretical considerations. Frankfurt am Main: Campus.

44.

Mittelstadt

Floridi

(2016) The ethics of big data: Current and foreseeable issues in biomedical contexts. Science and Engineering Ethics 22(2): 303–341.

45.

Pálsson

(2008) The rise and fall of a Biobank. The case of Iceland. In: Gottweis

Petersen

(eds) Biobanks: Governance in Comparative Perspective, London: Routledge, pp. 41–55.

46.

Prainsack

Buyx

(2016) Solidarity in Biomedicine and Beyond, Cambridge: Cambridge University Press.

47.

Rapport

Maggs

(2002) Titmuss and the gift relationship: Altruism revisited. Journal of Advanced Nursing 40(5): 495–503.

48.

Rial-Sebbag E and Cambon-Thomsen A (2015) Governing Biobanks through a European infrastructure. In: Mascalzoni DE (ed.) Ethics, Law and Governance of Biobanking. National, European and International Approaches. Dordrecht: Springer, pp. 139–151.

49.

Saldaña

(2016) The Coding Manual for Qualitative Researchers, Los Angeles, CA: Sage.

50.

Science Europe (2013) Position Statement on the Proposed European General Data Protection Regulation. Available at: https://www.scienceeurope.org/wp-content/uploads/2014/05/SE_DPR_Position_FIN.pdf (accessed 3 July 2019).

51.

Starkbaum J (2018) Research, governance, and imaginaries of publics. Public engagement in the context of the European Biobank Infrastructure. Doctoral Thesis, University of Vienna, Austria, 192 p.

52.

Swan

(2013) The quantified self. Fundamental disruption in big data science and biological discovery. Big Data 1(2): 85–99.

53.

Titmuss RM (1971) The Gift Relationship: From Human Blood to Social Policy. London/New York, NY: Pantheon Books.

54.

Townend

(2016) EU laws on privacy in genomic databases and biobanking. The Journal of Law, Medicine & Ethics 44(1): 128–142.

55.

Tutton

(2002) Gift relationships in genetics research. Science as Culture 11(4): 523–542.

56.

Waldby

(2008) Oocyte markets: Women's reproductive work in embryonic stem cell research. New Genetics and Society 27(1): 19–31.

57.

Wellcome Trust, Medical Research Council, Institut Pasteur, et al. (2014) Data protection. Open letter by Professors from the Wellcome Trust et al. and other research-related institutions. The Times, 29 January. Available at: https://www.thetimes.co.uk/article/data-protection-dj89jl8rb8w (accessed 5 July 2019).

58.

Wimmer B (2015) EU-Datenschutz: Einigung auf neue Bestimmungen. Futurezone Technology News, 16 December. Available at: https://futurezone.at/netzpolitik/eu-datenschutz-einigung-auf-neue-bestimmungen/169.809.845 (accessed 3 July 2019).

59.

Wolff

(2007) Analysis of documents and records. In: Flick U, von Kardoff

Steinke

(eds) A Companion to Qualitative Research, Los Angeles, CA: Sage, pp. 284–295.

60.

Zito

(2017) Expert networks and epistemic communities: Articulating knowledge and collective entrepreneurship. In: Howlett

Mukherjee

(eds) Handbook of Policy Formulation, Cheltenham/Northampton, MA: Edward Elgar, pp. 304–318.

Negotiating the reuse of health-data: Research,Big Data,and the European General Data Protection Regulation