The growth and gaps of genetic data sharing policies in the United States

The 1996 Bermuda Principles launched a new era in data sharing, reflecting a growing belief that the rapid public dissemination of research data was crucial to scientific progress in genetics. A historical review of data sharing policies in the field of genetics and genomics reflects changing scientific norms and evolving views of genomic data, particularly related to human subjects’ protections and privacy concerns. The 2013 NIH Draft Genomic Data Sharing (GDS) Policy incorporates the most significant protections and guidelines to date. The GDS Policy, however, will face difficult challenges ahead as geneticists seek to balance the very real concerns of research participants and the scientific norms that propel research forward. This article provides a novel evaluation of genetic and GDS policies’ treatment of human subjects’ protections. The article examines not only the policies, but also some of the most pertinent scientific, legal, and regulatory developments that occurred alongside data sharing policies. This historical perspective highlights the challenges that future data sharing policies, including the recently disseminated NIH GDS Draft Policy, will encounter.     

Location privacy: The challenges of mobile service devices

Adding to the current debate, this article focuses on the personal data and privacy challenges posed by private industry's use of smart mobile devices that provide location-based services to users and consumers. Directly relevant to personal data protection are valid concerns about the collection, retention, use and accessibility of this kind of personal data, in relation to which a key issue is whether valid consent is ever obtained from users. While it is indisputable that geo-location technologies serve important functions, their potential use for surveillance and invasion of privacy should not be overlooked. Thus, in this study we address the question of how a legal regime can ensure the proper functionality of geo-location technologies while preventing their misuse. In doing so, we examine whether information gathered from geo-location technologies is a form of personal data, how it is related to privacy and whether current legal protection mechanisms are adequate. We argue that geo-location data are indeed a type of personal data. Not only is this kind of data related to an identified or identifiable person, it can reveal also core biographical personal data. What is needed is the strengthening of the existing law that protects personal data (including location data), and a flexible legal response that can incorporate the ever-evolving and unknown advances in technology.     

PGTandMe: social networking-based genetic testing and the evolving research model

The opportunity to use extensive genetic data, personal information, and family medical history for research purposes may be naturally appealing to the personal genetic testing (PGT) industry, which is already coupling direct-to-consumer (DTC) products with social networking technologies, as well as to potential industry or institutional partners. This article evaluates the transformation in research that the hybrid of PGT and social networking will bring about, and--highlighting the challenges associated with a new paradigm of "patient-driven" genomic research--focuses on the consequences of shifting the structure, locus, timing, and scope of research through genetic crowd-sourcing. This article also explores potential ethical, legal, and regulatory issues that arise from the hybrid between personal genomic research and online social networking, particularly regarding informed consent, institutional review board (IRB) oversight, and ownership/intellectual property (IP) considerations.     

The legal construction of personal information protection and privacy under the Chinese Civil Code

Personal information protection and privacy interact in diverse ways, especially in the contemporary information age. Although books and articles have focused on this topic, the new tendencies of worldwide legislation and judicial practice bring challenges, as the legal construction of personal information protection and privacy differs from culture to culture and time to time. In 2017, the General Provisions of the Civil Law of the People's Republic of China (“the General Provisions of the Chinese Civil Code” hereafter)¹ (expired) addresses the legal concepts of personal information protection and the right to privacy simultaneously, to which this article refers as the dual model, differing from the one-dimensional mode of privacy protection before. Subsequently, the “The Right to Privacy and the Protection of Personal Information,” a chapter of the newly issued Civil Code of the People's Republic of China's (“the Chinese Civil Code” hereafter), ascertains the dual model and details related provisions. It has been dubbed a landmark ruling of China's personal information protection, greatly boosting the modernization of China's civil system.Despite the many articles that discuss approaches to China's civil protections, little attention has been given to the fundamental question concerning what exactly encompasses the personal information protection and privacy to which these laws refer. Based on the regulations and applicability of the General Provisions of the Chinese Civil Code and the Chinese Civil Code, this paper explores the legal construction of personal information protection and privacy under Chinese legal orders, including the differences, similarities, and interplay between the two rights. By distinguishing the legal value, contents and remedial approaches, this paper concludes that the two rights are distinct but overlap. On one side, personal information protection is elevated to the status of a separate civil right in the legal context of China, rather than part of privacy. On the other side, tailored regulations should be establish according to the criteria of the nature of information, the extent of information processing, and the elements of damage when confronted with overlaps in the two rights in judicial practice. Thus, this paper provides a perspective from which to clarify the approaches to civil protection of personal information and privacy in China and a reference model for enactment of the Chinese Personal Information Protection Law in the future.     

公共空间运用大规模监控的法理逻辑及限度——基于个人信息有序共享之视角

为应对现代化进程中的社会风险,安抚公众对风险的恐慌情绪,公共空间大规模监控随之诞生,并迅速在现实社会和网络空间中全面运用。公共治理不能取安全保障而舍隐私保护,公共空间大规模监控的运用并非以牺牲隐私权为代价,而是在保障安全法益的同时兼顾隐私法益的保护。在此"既保障安全,又保护隐私"的法理念下,公共空间大规模监控的运用体现了风险治理从个人本位走向社会本位的转变趋势,并促进了个人信息保护从自主支配到有序共享的逻辑转换。为寻求安全保障与隐私保护之间的平衡路径,在公共空间合理运用大规模监控措施,就必须加强信息收集、存储、使用的阶段性控制,建立个人信息合理使用制度,实现个人信息的有序共享。     

论国家机关处理个人信息的合法性基础

我国个人信息保护法对国家机关处理个人信息作出了特别规定,但未明文解释其适用对象或澄清处理的合法性基础。个人信息保护领域的国家机关应采广义,除了通常的国家机关,还包括法律、法规授权提供公共服务的组织和规章授权组织。根据我国个人信息保护法第13条和民法典第1036条,国家机关处理个人信息具有多元的合法性基础:法定基础包括履行法定职责所必需,订立、履行合同或人事管理所必需,为应急所必需,合理处理已自愿或合法公开的个人信息,法律、行政法规规定的其他情形;意定基础指取得个人同意;酌定基础指为维护公共利益或者信息主体合法权益而合理处理个人信息。不同的合法性基础对应不同的告知同意规则,需准确理解适用。     

大数据背景下个人生物识别信息安全的法律规制

个人生物识别信息具有个人数据的唯一性、程序识别性、可复制性、损害的不可逆性及信息的关联性等特征。在大数据背景下,个人生物识别信息的广泛应用会带来严重的生物信息安全风险,其滥用可造成隐私权、平等权和财产权等权益受到侵犯,需要立法进行全方位规制。我国目前个人生物信息的相关立法存在总体位阶较低且内容分散、保护范围狭窄、权利义务边界不清、法律责任不明晰等缺陷,应当采取渐进式专门立法的思路,完善现有相关部门法关于个人生物信息的规制内容,构建层次分明、内外协调的个人生物识别信息安全保护的法律体系。     

社会风险控制抑或个人权益保护——理解个人信息保护法的两个维度

个人信息在《民法典》中被确认为一种人格法益,在理论和立法上确立了我国个人信息的私法保护面向。个人权益保护成为构建和理解个人信息保护的重要维度和线索。由于个人信息保护的公共目标和功能可能被个人私益保护的进路所覆盖或消解,因此有必要将社会风险控制作为个人信息保护的重要维度来对待。社会风险控制一直是电子化时代个人数据保护的基础性目的,它对于个人信息保护的相关理论和制度具有很强的解释力和动态构建作用。社会风险控制和个人权益保护两种进路在相关基础问题上出现分歧,如个人信息与隐私的基础关系、一般性保护与场景化保护以及本权与保护权的关系等。在《个人信息保护法》实施过程中,社会风险控制进路有助于合理解读和执行法律,把握风险大小与控制措施的合理匹配,以及在平衡相关立法价值的前提下,释放信息的流动性。     

Genomics and toxic torts: dismantling the risk-injury divide

Emerging genetic and molecular technologies are revolutionizing our understanding of the relationship between genes and the environment. This Article develops an innovative framework for understanding the implications of the genomic revolution for the law of toxic torts. Professor Grodsky demonstrates how new technologies are poised to challenge longstanding distinctions between legally inconsequential "risk" and remediable "injury," and how the U.S. legal system will need to adapt to this emerging reality. If the law remains wedded to conventional notions of injury, it will ignore the fruits of a scientific revolution and thus may forego new remedial opportunities as yet unimagined. This is particularly significant given that twenty-first century medicine strives to "go beyond the limitations of biology" and detect, prevent, and treat disease at the molecular level. The transformative and rapidly evolving technologies of the genomic era will present herculean challenges for the legal system. But opportunities to fashion new remedies and create new efficiencies must not be overlooked in the process. Professor Grodsky recommends legal approaches to balance the goals of deterrence and legal restraint in an age of accelerating scientific change.     

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

On Medical Secrecy

The Constitution of the USSR proclaims the right of citizens to privacy (Article 56). The harmony of personal and public interests in socialist society presupposes the existence of a certain area of personal life that is free of direct interference by society. Individual freedom in personal life is one of the most important and specific components of personal liberty. The state does not regulate many aspects of personal life unless such regulation is indicated by society's interests or else legislatively prohibits the invasion of privacy. Thus, the purely personal is granted the right to exist, and every citizen's right to privacy is assured.     

Data registers in respiratory medicine: a pilot project evaluating compliance with privacy laws and the National Statement on Ethical Conduct in Research Involving Humans

This article reports on data from a small pilot survey evaluating the compliance of voluntary databases in respiratory medicine with privacy laws and the National Health and Medical Research Council's National Statement on Ethical Conduct in Research Involving Humans. The increasing complexity of privacy law, including the recent private sector amendments, creates many challenges for database administrators. The impact of privacy laws upon voluntary or non-statutory databases, and upon doctors reporting patient data to such databases, is far from straightforward. The article suggests way in which the law might be adapted in order to better facilitate the role of voluntary data registers in health research and public health surveillance, while still protecting the privacy of patient information. The article also briefly considers how database administrators might "future-proof" their existing data holdings to ensure compliance with legal and ethical standards.     

电子商务平台服务提供者的商标间接侵权责任探析——论《侵权责任法》第36条在电子商务商标侵权中的适用

随着电子商务的发展,网络购物平台的知识产权侵权问题越来越受到人们的关注。2010年出台的《侵权责任法》第36条为判断电子商务平台服务提供者的责任提供了法律依据。但近来国内发生的几起案例对相关法条做出了不同的解读,对这些案例进行了梳理并提出若干判断电子商务平台服务提供者侵权责任的标准。     

Personal Data Protection in Nigeria: Reflections on Opportunities,Options and Challenges to Legal Reforms

The right to personal data protection is, without doubt, an important right in the jurisprudence of rights in the contemporary information society. It is becoming as crucial as other orthodox human rights and also attracting significant attention from academics, lawyers, human rights activists and policy makers. In spite of the growing attention data protection receives at international and regional levels, Nigeria is still lagging behind many competitor states like South Africa in establishing an effective legal framework to protect personal data. Individuals’ personal data is being collected and used without any serious form of control to check against abuse. This paper reflects on opportunities, option and challenges to legal reforms on data protection in Nigeria. It contends that certain legislative and practical challenges stand in the way of an effective legal regime on personal data protection. The paper suggests appropriate legal reforms that are needed to enable prevent the increasing risks of violating the right to data protection in a country that is making rapid advances in Information and Communication Technology but hamstrung by an outdated regulatory framework.     

Opening up government data for Big Data analysis and public benefit

Governments around the world are posting many thousands of their datasets on online portals. A major purpose of releasing this data is to drive innovation through Big Data analysis, as well as to promote government transparency and accountability. This article considers the benefits and risks of releasing government data as open data, and identifies the challenges the Australian government faces in releasing its data into the public domain. The Australian government has ambitious aims to release greater amounts of its data to the public. However, it is likely this task will prove difficult due to uncertainties surrounding the reliability of de-identification and the requirements of privacy law, as well as a public service culture which is yet to fully embrace the open data movement.     

个人信息权的宪法(学)证成——基于对区分保护论和支配权论的反思

《个人信息保护法》最终纳入“根据宪法”条款,表征着个人信息保护法律体系在底层逻辑上的更动。民法学上权利与利益的区分保护原理,难以适用于整个合宪性法秩序。应将个人信息权确立为宪法位阶的基本权利,并以基本权利作为针对国家的主观防御权和辐射一切法领域的客观价值秩序的原理,协调个人信息保护的私法机制和公法机制。通过对人权条款笼罩下的通信权和人格尊严条款的解释,可以在学理上证立“基本权利束”性质的个人信息权。但其具体保护则应分别归入不同基本权利条款,作出区分化、差异化的多层次构造。个人信息保护的支配权思维有其局限,告知同意模式的式微是重要表现。应将个人信息权的规范目标调整为人格的自由发展,指向免于他人的人格干预。从支配权到人格发展权的思维转换,有助于规制对已收集信息的不当利用、破除“信息茧房”、缓和个人信息保护与利用之间的紧张,以及在“个人—平台—国家”的三方关系中有效保护个人的自决,同时为数据产业保留发展空间。     

位置何以成为隐私?——大数据时代位置信息的法律保护

在数据这一新型生产要素中,位置数据的应用 日益广泛,不仅"基于位置的服务"雨后春笋般涌现,政府也基于位置数据创新社会治理方式、辅助案件侦破.然而,位置数据获取技术的进步及智能手机(作为现代最主要的定位工具)的普及,使得公民私密生活受到无处不在的位置监控威胁.位置信息的敏感性、位置获取技术的侵入性、公民对位置信息的隐私期...     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

Reconstructing consumer privacy protection on‐line: a modest proposal

Problems with consumer trust and confidence in the Internet as a safe environment in which to shop, browse and associate are well documented, as are the correlations between this lack of consumer trust and fears about privacy and security online. This paper attempts first to show why existing legal and extra‐legal modes for the protection of privacy online are failing to protect consumers and promote consumer trust. In particular it critiques the European regime of mandatory data protection laws as outdated and inappropriate to a world of multinational corporatism and ubiquitous transnational data flows via cyberspace. In the second part lessons are drawn from the crisis currently faced by intellectual property in cyberspace, particularly in reference to MP3 music files and peer‐to‐peer downloading and useful parallels are drawn from the solution devised by William Fisher of the Berkman Centre, Harvard, in the form of an alternative payment scheme for copyright holders. Finally, the insights drawn from Fisher's work are combined with original proposals drawn from a comparison of the consumer–data collector relationship in cyberspace with the roles played by truster, trustee and beneficiary in the institution of common law trust. The resulting ‘modest proposal’ suggests that a ‘privacy tax’ be levied on the profits made by data collectors and data processors. This could fund no‐fault compensation for identified ‘privacy harms’, improve public privacy enforcement resources, provide privacy‐enhancing technologies to individuals, satisfy the desire of commerce for less data protection‐related internal bureaucracy and possibly create the conditions for better promotion of consumer trust and confidence. The uptake of electronic commerce would thus be significantly enhanced.