Introduction

As a legal concept, privacy can be considered as a social value, as a right and as a freedom granting to every person a capacity to live privately, in intimacy, without third interferences in personal life choices, in particular from governments.¹ Incorporated in the international human rights corpus through Article 12 of the Universal Declaration of Human Rights (UDHR),² the right to privacy protection can be seen as interconnected with other fundamental human rights. In this regard, in particular in the field of biomedical research and innovation, privacy protection can be related to the protection of human dignity, notably where invasions of the privacy sphere are particularly intrusive.³ Human dignity⁴ can be described as the foundational overarching matricial concept in human rights and biomedical ethics,⁵ that emphasises the inherent value and worth of every individual. Human beings possess an inherent dignity⁶ simply by virtue of being human.⁷ It can be interpreted as a component of the individual, opposable to third parties to protect individual freedom but also as a representation of a “dignified humanity,” capable of limiting individual freedom,⁸ Human dignity implies treating individuals with respect and involves recognising and protecting their rights and freedoms, fostering their well-being, and ensuring that ethical considerations guide actions and decisions in any context, including in scientific research. Therefore, specifically in the field of biomedical research and innovation, the principle of human dignity includes the essence of privacy protection that will be further developed separately,⁹ The legal meaning of dignity remains blurry and judges often have to arbitrate between the protection of human dignity and other fundamental rights. This arbitration can be particularly complex in the European context, where the margin of appreciation of states and European standards must also be taken into account. Human dignity enriches the interpretation of existing rights, particularly with regard to privacy and bioethical issues,¹⁰ as an inalienable individual right that can limit extensions of certain other rights, notably the right to privacy.

In Europe, privacy (or private and family life) is protected as a fundamental right by Article 8 of the European Convention of Human Rights (ECHR),¹¹ and Article 8 of the Charter of Fundamental Rights of the EU (CFREU).¹² These texts are ensuring that “everyone has the right to respect for his private and family life, his home and his correspondence.” They are also aligned in terms of conceptual interpretation of protected rights.¹³ We can see that the legal concept of a right to privacy protects different objects, revealing its multidimensionality. The Courts at European level, namely the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU), interpreted broadly these articles through many case-laws, in different contexts, confirming the proteomic nature of the right to privacy and allowing to envisage new approaches in the general definition of privacy as a legal concept. As the United Nations states, “privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information ».¹⁴ This statement needs to be completed by the legal capacity granted to individuals to freely self-determine, to voluntarily and knowingly accept interferences with their privacy sphere, notably for participating in biomedical research. Therefore, while the right to privacy may appear to conflict with the freedom to conduct research, international organisations in Europe, namely the Council of Europe (CoE) and the European Union (EU), strive to establish balanced rules allowing both scientific advances and biomedical innovations while respecting the essence of privacy and, by then, human dignity. In this regard, both organisations develop a consistent legal conceptualisation of privacy that needs further analysis and contextual clarification. How could privacy be described as a concept of law within biomedical research and innovation? Because privacy is a notoriously uncertain idea that has constant ethical and legal ramifications, this paper proposes to illustrate privacy in the context of biomedical research and innovations by qualifying further its multidimensionality. In this objective, we analyse how the right to privacy is integrated in legal instruments framing biomedical research and innovation in Europe, by considering both major hard law instruments which are legally binding States governments and research professionals, and relevant soft law instruments for privacy which are gold standard recommendations with non-legally-binding values. By adopting a pragmatic approach intended to unveil the anatomy of privacy as an empirical legal concept, we identify two essential dimensions of the concept based on the nature of the objects protected in relation to privacy. This approach allows to highlight the current scope of privacy, to deepen the analysis of related rules in biomedical research and innovation and to envisage its potential developments in biolaw. In the first part, we examine the material dimension of privacy in biomedical research through its applications to biological physical entities (I). Then, we analyse the immaterial dimension of privacy in biomedical research resulting from the importance of data and digital developments transforming the field (II). In doing so, we reflect on the areas of convergence of these dimensions and on the legal, ethical, scientific and technological evolutions supporting a broad interpretation of the legal concept of privacy.

I. The material dimension of privacy in health research and biomedical innovation: the protection of the human body

Material privacy can be understood as the protection of physical, tangible elements entering the private sphere of individuals. In the field of biomedical research and innovation, this dimension is focusing on the protection of the human body from unethical experimentation and, more directly, on recognising a right to respect the physical integrity of the individual (A). Then, in the light of the technological developments and the research needs, this protection of the body had to be extended to elements of the human body and its derivatives (B).

A) The progressive approximation of the protection of the individual physical integrity and privacy

Although the concept of privacy is broad and cannot be exhaustively defined, it is clear that privacy covers the protection of the human body as the seat of the individual personality and as a very personal and private means of expressing individuality. Although such a statement does not appear in the legal texts that define the concept of privacy, an analysis of the case law reveals some elements of a definition of privacy that is linked to the physical integrity of the person, since it can “encompass several aspects of a person’s physical and social identity.”¹⁵ Indeed, it was in 1985 that the ECtHR first affirmed that the concept of private life protected by Article 8 of the 1950 ECHR included the physical integrity of the individual in a case involving the sexual assault of a disabled minor, recognising the human body as the most intimate aspect of private life¹⁶ and the necessity for the government to open legal remedies for allowing privacy protection. Since then, the scope of the right to privacy has been further extended to protect the human body. This concept of the material dimension of privacy is particularly relevant in the biomedical field. This is because the body enters the sphere of intimacy and can be subjected to suffering, modification or even exploitation for scientific and other purposes. The inclusion of the protection of the human body within the scope of Article 8 has led to the development of individual rights linked to biomedicine, such as reproductive rights (in relation to prenatal diagnosis, contraception, abortion, surrogate motherhood and medically assisted procreation), end-of-life issues (euthanasia and assisted suicide) and affirmed the importance of the principle of individual autonomy and consent to any medical intervention on the human body as a basis for legitimising certain attacks on bodily integrity. Thus, considering the body as part of the individual’s private sphere means establishing a link between the protection of physical integrity, the protection of moral integrity and, consequently, the protection of privacy. These three elements are therefore three aspects of the protection of the individual that contribute to respect for the primacy of the human person.¹⁷

In this context, the biomedical research area is interesting as an exception when bodily integrity is not respected for non-medical reasons. In the context of research, the human body could be reduced to an object of experimentation, without necessarily being of direct benefit to the health of the individual. This raises a number of issues and is part of a framework that has developed over the course of history. The Second World War was a turning point in the recognition of fundamental rights in science, following the discovery of the atrocities committed on human beings by Nazi doctors under the guise of scientific research experiments. It therefore seemed essential to provide additional protection, first and foremost for the physical integrity of the individual. With this in mind, the Nuremberg Code, resulting from the Nuremberg judgment, established the essential principles of respect for human dignity for the research community and reaffirmed the very principles of medical ethics.¹⁸ This document, which has become a veritable international standard for research, has led to the recognition of the need for human experimentation, but in accordance with rules that guarantee respect for human dignity and privacy. Obligations such as obtaining the prior consent of research volunteers, after they have received sufficiently clear, complete and appropriate information, provide guarantees that the protection of the individual will prevail. The impact of research on the body is no longer considered solely in terms of physical suffering, but is directly linked to a global consideration of the individual and intimacy. Afterwards, the 1964 World Medical Association (WMA) Declaration of Helsinki, lastly revised in 2024, helped to refine the ethical principles applicable to medical research involving human subjects.¹⁹ The aim was to reaffirm the importance of research, but also to legitimise its existence in the light of the risks taken by individuals.²⁰ The interest of research for society, but also the development of methods of experimentation on living beings, entail specific considerations for the individual, which has led to the affirmation of the importance of the autonomy of the will.²¹ The set of principles laid down in the Declaration of Helsinki, such as the consideration of risks through a risk-benefit analysis, special consideration for so-called vulnerable persons, the scientific requirements of research protocols,²² the ethical evaluation of research protocols, respect for the fundamental rights and autonomy of participants through the expression of informed consent, constitute a set of rules that ensure adequate protection for human subjects involved in research.²³ The Declaration of Helsinki is addressed to doctors and leads them to consider the body as an element to be protected. However, the challenges of research cannot be reduced to the protection of the body, but require a broad consideration of the individual, from all angles of protection: physical and informational.²⁴

All the principles and rules for the protection of the individual, and in particular his or her physical integrity, in the context of biomedical research are laid down in the Oviedo Convention²⁵ of the CoE and its additional protocols. The rules set out in this Convention are implemented in the national legislation of the 29 States that have ratified it and are further defined by case law, in particular that of the EctHR, and integrated within EU law.²⁶ The Convention underlines the ambiguity of compromising the physical integrity of some individuals for the benefit of many and the advancement of medical and biological knowledge.²⁷ The essence of the text is to encourage the research community to put the interests and well-being of the human being first, in a spirit of respect for the dignity and, more broadly, the identity of the individual.²⁸ The link between physical integrity and privacy is reaffirmed. Rules are then laid down and, for example, the Additional Protocol on Biomedical Research (APBR) stipulates that research must always be carried out under the supervision of qualified clinical professionals and that research participants have the right to be compensated for any harm resulting from research interventions. In order not to conflict with the fundamental right to health care, research interventions must not interfere with necessary clinical interventions to which the donor has access.²⁹ On the basis of these provisions, it can be assumed that the extension of the scope of the protection of privacy includes aspects relating to the safety and quality of interventional procedures carried out for therapeutic or research purposes. In addition, privacy is no longer understood as a mere right to be protected, but takes on a more important dimension that justifies a right to receive any information concerning a person’s health.³⁰ The Oviedo Convention and its additional protocols lay down strict rules on information and consent, the basis for the expression of individual autonomy. The individual must be informed of the purpose and nature of the intervention in his or her body, as well as its consequences and risks³¹ in order to be free to withdraw consent to take part in the research at any time.³²

The Council for International Medical Sciences (CIOMS) of the World Health Organisation (WHO) strengthened the rules for the protection of human subjects in biomedical research in its International Ethical Guidelines particularly in the context of increasingly technical and digitalised research, so as not to increase the risk taking of research participants.³³

Moreover, the UDHR, adopted in 2005, refers to personal integrity³⁴ in the broadest sense of the term, which should allow for respect for human vulnerability at all levels. This declaration is based on all the principles that protect integrity, such as respect for dignity, the affirmation of autonomy and consent, and non-maleficence, but it brings a new perspective by linking the different aspects of vulnerability: all bodies, all individuals and all intimate spheres are not equal and cannot benefit from equal treatment alone. Privacy and its protection must also be considered at the level of each individual, who is not all equal in terms of risk. Therefore, the evolution of the ethical and conceptual considerations that led to the development of a normative framework for biomedical research shows a substantial shift from the protection of the integrity of the human body to a broader consideration of the whole nature of the individual. The integrity of the human person, and therefore his or her private life, has thus become the focus of protection.³⁵

However, while the human body as a whole has been taken into account in the various European and International texts laying down the main principles for the oversight of biomedical research,³⁶ as science and practice progressed, it has become necessary to consider the oversight of elements and derivatives of the human body.

B) The protection of elements and derivatives of the human body

Roman or Common law traditions differentiate between the human person, as a legal subject with rights of personality and dignity, and things, or goods, as legal objects or things subject to property rights.³⁷ Bodily elements are inherent components of a person but when detached from the body, they tend to become goods. The legal qualification of these elements may change over time, where they are modified, replicated and eventually reintroduced into the human body, thus becoming again an integrative part of the person,³⁸ In any case, the protection of human rights required the establishment of specific rules for scientific research.

Human biological samples can be used in research for several reasons depending on the scientific purposes of the projects. The lawfulness and legitimacy of their use is assessed by Research Ethics Committees (RECs) with regard to the public interest purpose of the research and the respect of individual’s rights. They can be collected and used for their biological function, such as in clinical research developing products or methods for organ transplantation, gene or cell therapies, or for their informational value, such as in genomic research on human diseases, samples containing the desired information.³⁹ Samples obtained from living or deceased persons, such as organs, cells, tissues, deoxyribonucleic acid (DNA) and ribonucleic acid (RNA)⁴⁰ as products or derivatives of the human body are considered as prolonging the body of the source person until a certain extent, necessitating to protect donor’s rights from the initial procurement or collection and along the samples’ lifecycle, in line with the respect of human dignity. Micro-organisms of human origins are only concerned where the collection or use in research invades the privacy sphere of their human host, the donor. The objective of the biolaw is to avoid objectification or reification of the human person, to avoid utilitarianism considering the person simply as a means to get biological samples without acknowledging his or her fundamental rights and interests.

In our view, sample donor’s rights related to material privacy are protected according to a risk-based approach establishing an equilibrium between the mere principles protecting the human body integrity and inviolability, the protection of human autonomy, and the necessity to collect and use samples for ethical scientific research. The nature of the intervention and associated risks and burden for the participant generated by the sample collection procedure must be scientifically justified to achieve the research purposes, necessary, minimised and detailed in the protocol,⁴¹ that will be submitted to independent review. Where founded and appropriate, planned interference with the human body integrity does not constitute degrading treatments prohibited under Art.3 ECHR. Quality requirements for tissues and cells donation for transplantation in the EU⁴² applying from donation, over procurement, testing, processing, preservation, storage, to distribution, including import, could be envisaged as contributing to the respect of material privacy by protecting safety and, by then, the respect of the integrity of the human receiver body.

The Oviedo Convention and its additional protocols protect the research participant’s autonomy regarding elements of the human body used in research.⁴³ The informed consent process shall clearly cover the collection of biological materials and their envisaged uses, including any foreseeable further uses and potential commercial uses.⁴⁴ As a general rule, the disposal (i.e storage and reuse) of human biological samples procured for another purpose is possible when it is complying with the information given to the concerned person and applicable consent procedures adopted in national laws.⁴⁵

Moreover, material privacy is questioned in relation to the beginning of life notably regarding embryos, which are considered as special biological elements raising very sensitive issues. Their statute and use in research and innovation question the right to life of future human beings and the right to private and family life as part of the parents’ rights. The Oviedo Convention grants a specific protection to in vitro embryos regarding their potential uses in research and prohibits their creation for research purposes,⁴⁶ but the ECtHR does not recognise an embryo as an autonomous subject of law, as a person.⁴⁷ Nevertheless, the Court recognises that the possibility for an individual to make a conscious and considered choice about the fate of his or her embryos concerns an intimate aspect of personal life and falls within the scope of their right to self-determination and private life.⁴⁸ In the EU, these issues have been raised in the preparatory works of research funding programs,⁴⁹ and, despite cultural and legal differences between EU Member States on human embryos protection, a minimal consensus⁵⁰ on non-negotiable requirements has been reached for allowing funding ethical research with human embryos.⁵¹ As a closely related topic, human cloning for reproductive purposes has been prohibited at international level in a specific additional protocol to the Oviedo Convention,⁵² In Europe, the artificial creation of viable genetically identical human beings is contrary to human dignity and constitutes a misuse of biology and medicine.⁵³ It would infringe the very essence of all fundamental rights of the clone by predetermining his genetic characteristics, genetic identity. Today, the scientific use of human reprogrammed stem cells is seen as an ethical alternative that has been regulated to avoid resulting in embryos capable of developing into human beings.⁵⁴

Material privacy is also questioned for performing scientific research or educational activities on human bodies or samples after death. There are no common European rules on this topic. Some States enacted specific legal provisions for body donation based on consent of the living individual before his or her death (e.g. Czech Republic, Greece) or on opt-out (e.g. Portugal, France) and provisions regarding relatives’ rights, some also condition the use of unclaimed bodies (e.g. Portugal, Romania), while others have no legislation on the topic (e.g. Belgium, Estonia).⁵⁵ Generally, privacy is regulated with regard to the respect of the memory of the deceased person and conditions for respecting the bodies are conceived as fiduciary duties of the research establishments in charge of ensuring the storage, availability and use of the bodies. In France for example, the law evolved⁵⁶ after a scandal and a public inquiry involving a University that committed ethical misconduct and injury to the deceased body donated for science.⁵⁷

Material privacy is also questioned from a property rights angle. None acts at CoE or EU level recognises an individual property right on its own human body or its elements as it would create (unnecessary) risks to human dignity⁵⁸ and increase the vulnerability of individuals. This would open the door to human exploitation, risks of expropriation, commercialisation and other types of undesirable threats to the physical or moral integrity of the person, and risks of misuses of human remains after the death.⁵⁹ Therefore, the human body and its elements are considered inalienable and the Oviedo Convention and its APBR prohibits that they give raise, as such, to financial gain,⁶⁰ giving them an extrapatrimonial nature. Undue payment for donation is prohibited and human samples cannot be sold or bought as such, they are special, out-of-market, goods. This approach notably justifies the prohibition and fight against human organ trafficking.⁶¹ Privacy ensures adequate protection based on an empirical ethical reasoning and actionable control rights for individuals which are not fully identical to property rights as a transferable right to exclude others. Courts in Europe or in the US,⁶² refused to address claims related to malpractices regarding human samples⁶³ based on individual ownership rights,⁶⁴ while accepting arguments based on the respect of private life. The extra-patrimonial protection adopted in Europe does not exclude certain valorisation of samples used in, or made available for, scientific research. Two pathways are possible: 1) the pricing of access to biocollections; fees can be calculated based on the integral cost of resources and infrastructures engaged in quality management of the samples;⁶⁵ 2) valorisation through intellectual property rights (IPR); this case being strictly regulated, specifically in EU law⁶⁶ regarding patentability of samples, tissues or cell lines produced or modified, or elements that have been isolated by researchers, as well as original technological processes underlying sample manipulation or modification, regardless of their human origin.⁶⁷ Some case laws in IPR pushed judges to advance biolaw, for instance, in 2011, where the CJEU defined the notion of human embryo⁶⁸ for enforcing the EU patenting law and protecting public order and morality,^69 70 71 Advances in biomedical research and innovations will still question the role and scope of IPR as many innovations include or are derived from human biological components (e.g. gene or cell therapeutic products, cDNA, bioprinting, organoids…).

Lastly, the material dimension of privacy is questioned by the transhumanist movement that claims for enabling human enhancement as an ethical paradigm shift based on a right to have full access to scientific innovations for personal uses.⁷² Frontiers in privacy protection are challenged based on an influential libertarian discourse promoting unrestricted individual freedom and individual-centered privacy where anyone could self-enhance its body or mind properties, notably with implants. While active implants are developed and beneficial, to treat Parkinson disease for example, new controversial projects are emerging to develop artificial organs or chips intended to increase or outpass natural human capacities, to create networked individuals through human-machine interfaces⁷³ or for reaching immortality thanks to technology. These non-clinical applications, notably based on neurotechnologies, raise silent concerns among scientists⁷⁴ and could call regulators to envisage restrictions of individual freedom to dispose of their body by considering negative effects,⁷⁵ not only for the concerned individual risking his health and freedoms, but also for society and humanity in terms of equity, justice, discrimination, privacy of others, morality, risks for democracy and human identity. Today, few Guidelines exist in Europe to help researchers appraising technological enhancement risks in their project.⁷⁶

Through these examples, we see that the scientific developments engaging the human body feed the development of the legal concept of privacy, helps to clarify its evolving scope and generate new ethical issues questioning the imbrications of privacy with human dignity.

The material dimension of privacy grants individuals a right to control the use of their own body, bodily elements and detached elements against a third entity provided that this control does not engage legitimate rights of thirds or important societal values. Personal control exercised is progressively loosen where a biological sample is manufactured, derived or substantially transformed in a way that does not anymore engage the donor’s interests entering into the scope of the protection of private and family life. Privacy protection can also be protected after death and entrusted by the relatives of the concerned individual. Nevertheless, protection is still afforded under the principle of human dignity. The link between the material side of privacy and its immaterial side is particularly strong in biomedical sciences as scientific research evolves towards practices focusing on the use of data attached to biological material samples.⁷⁷ The evolution of the international and European reference texts on research ethics underpins the adaptive nature of the concept of privacy in biomedical research. The WMA Declaration of Helsinki of 2013,⁷⁸ together with the Declaration of Taipei,⁷⁹ and recommendations from the CoE,⁸⁰ emphasise the various facets of privacy, including the protection of the integrity of the body and the protection of the information about individuals in any new biomedical research and technological development, notably in genetics. This second dimension relates to the protection of what some call the “informational body”,⁸¹ and is known as “informational privacy”.

II. The immaterial dimension of privacy in biomedical research and innovation: the informational privacy

Informational privacy completes material privacy by regulating the digital world and how data about someone can be processed (A) and governed (B). This section analyses the specific legal regime established in Europe for maintaining informational privacy in scientific research, including biomedical research and innovation. It illustrates current practices and challenges which are calling for reinforcing the underlying legal concept of informational privacy and developing related protection.

A) The personal data protection, digital privacy, and new challenges in research

Modern research is here understood as “data-driven” and research data, methods and biomedical innovations have become increasingly digital⁸² inscribing individuals’ informational privacy as part of biolaw. Data, whether anonymous or identifying, is a valuable and indispensable resource for the research community seeking greater data availability and circulation. Specifically, the access to personal data, and to specially protected categories of personal data such as health, genetic, biometric, ethnic data, for processing in biomedical research and innovation has to be regulated.

Informational privacy is a concept of legal science described in the literature⁸³ and based on freedom of choice, on personal control over information or informational resources, on a self-determination capacity on the part of the concerned individual or groups regarding the processing of the data, and on State protection. These elements have been essentially captured and developed as a legal concept by biolaws and guidelines at national and international level on personal data protection. But informational privacy in biomedical research and innovation could be understood more broadly and inclusively. For instance, it could be related to the Oviedo Convention’s Article 13 addressing issues related to advances in human genome editing technologies and providing that an intervention seeking to modify the human genome may only be undertaken for preventive, diagnostic or therapeutic purposes and only if its aim is not to introduce any modification in the genome of any descendants.

Therefore, informational privacy can be envisaged as the protection of individual rights and interests, for protecting individual identity and dignity of persons,⁸⁴ but also as measures to protect collective rights and interests that can eventually compete and restrict individual freedoms, for protecting human identity as an attribute of human species and a common heritage of mankind, on behalf of human dignity.

In Europe, national laws have first regulated personal data protection since the 1970’s,⁸⁵ then followed by the international CoE Convention 108 of 1981,⁸⁶ the first international legally binding on the topic, modernised in 2018 (Convention 108+),⁸⁷ and the EU Directive⁸⁸ of 1995, replaced by the General Data Protection Regulation (GDPR)⁸⁹ of 2016. Research and innovation have been progressively considered in such frameworks with the concern of both ensuring personal data availability and adequate protection of individual’s rights, in line with the APBR that specified that any personal information collected in the course of biomedical research must be considered confidential and treated as such.⁹⁰ In 2000, the ECtHR linked the right to protection of personal data to the concept of private life⁹¹ and reaffirmed this in 2008.⁹² In the EU, personal data protection has been recognised as a specific fundamental right protected by Article 8 of the CFREU and Article 16 of the Treaty on the Functioning of the EU. With the GDPR the processing of personal data in research activities is ruled by basic harmonised principles but Member States keep competence for further regulating the domain, what results in a fragmented EU national laws landscape,⁹³ National specificities and divergent interpretations led to complexities hampering the full achievement of the initial GDPR ambition to liberate the full potential of personal data and increase the circulation of this resource.

Both the CoE Convention 108+⁹⁴ and the GDPR⁹⁵ adopt a risk-based and proportionality principle approach to any personal data processing undertaken under the responsibility of a data controller and related data processors. The risk-based approach considers the nature of the data, the processing purposes and characteristics. The protection afforded applies to the entire data lifecycle, from initial collection, to reuses and final erasure. However, it does not apply to the protection of personal data after the death of the data subject, even if Member States can regulate this matter.⁹⁶ Both texts fix equivalent essential principles and related case-laws dealt by the ECtHR and the CJEU are consistent.⁹⁷ The GDPR applies specifically to EU Member States for processing taking place inside and, to some extent, outside the EU borders. Both texts establish a special legal regime for scientific research and technological development that set up the basis of an equilibrium between privacy protection and research needs. The CoE adopted specific recommendations on the protection of health data,⁹⁸ including in research, and in the EU, the European Data Protection Board (EDPB) is also developing specific guidelines, including for research.

Within the GDPR, this special regime comes from several provisions. Article 9 provides a legal basis allowing the processing of sensitive personal data where necessary in research, as an exception to the general prohibition of processing,⁹⁹ subject to the respect of specific conditions fixed by Article 89 GDPR. But Member States laws vary on the legal basis and conditions to be used for research.¹⁰⁰ For instance, while the GDPR emphasises the data subjects’ opt-out mechanisms for supporting individual autonomy, Member States can impose consent for processing special categories of data such as health or genetic data.¹⁰¹ Long debates opposed defenders of specific consent against those defending broad consent practices in research,¹⁰² The case has been made for broad consent utility and validity where it is not possible to fully identify the research purpose of the processing at the time of data collection, or where it is necessary for meeting legitimate scientific or public interest purposes, notably in genomics, this practice being lawful in some Member States.¹⁰³ The GDPR considers both practices and, without mentioning “broad consent”, it allows consent to be given for one or several specified purposes,¹⁰⁴ recognises e-consent and layered consent practices enabling the data subject to voluntarily enlarge the scope of consent while keeping adequately informed¹⁰⁵ about the research activities.¹⁰⁶ Now, similar issues are raised in the context of the draft European Health Data Space Regulation (EHDSR)¹⁰⁷ organising a governance system for the secondary use of personal data contained in various digital health records for research and innovation purposes at EU level. In this regard, Article 5(1)(b) GDPR introduces a presumption of compatibility for the further processing in research of personal data initially collected for a different processing purpose,¹⁰⁸ and Article 5(1)(e) allows the storage of personal data for longer periods than for the initial processing purposes insofar as the personal data will be processed solely for research or statistical purposes, subject to appropriate measures to safeguard the rights and freedoms of the data subject.¹⁰⁹ These provisions ground crucial activities of research projects and repositories (data repositories or biobanks) ensuring adapted data governance and data management practices conceived in the respect of the principles of accountability¹¹⁰ and data protection by design and by default.¹¹¹ Therefore, Article 89(2) GDPR allows derogations to data subjects’ rights in research in so far as this is planned for into EU or National laws and that such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. The GDPR equilibrium is precious and is regularly challenged in practice. However, recent examples during the COVID-19 pandemic showed that informational privacy is a value to constantly respect, even where there are urgent needs for performing public health research at large scale,¹¹² Member States that restricted data subject’s rights during this period by using their legitimate margin of interference for protecting public health under Article 23(1)(e) GDPR, have always been obliged to ensure that such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. The EDPB gave further interpretation of these requirements,¹¹³ Today, the GDPR continues raising specific challenges, divergent interpretation and practical roadblocks in data sharing. For instance, issues remain regarding the scope of the GDPR.¹¹⁴ Indeed, personal data is defined as any information concerning an identified or identifiable natural person, including pseudonymised data which remain indirectly identifiable, but excludes anonymous and anonymised data. For appraising identifiability, account should be taken of all the means reasonably likely to be used, by the controller or by another person, to identify the data subject directly or indirectly. To ascertain whether means are reasonably likely to be used for identification, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.¹¹⁵ In addition, the nature of the data processed must be considered and, in 2014, the EU data protection authorities¹¹⁶ defined three anonymisation criteria,¹¹⁷ since endorsed by the EDPB, which must be fulfilled irreversibly. The threshold of anonymisation requirements in the EU is very high and difficult to achieve. Challenges remain, notably for complying with the irreversibility criteria of anonymisation by considering the increasing availability of big data, new technologies,¹¹⁸ and despite the use of contractual instruments forbidding attempts to re-identify data subjects. In genomic research in particular, the singularity of the human genome¹¹⁹ and risks of reidentifiability¹²⁰ stemmed a precautionary approach tending to systematically consider such data as sensitive personal data, until it is demonstrated otherwise by the data controller.¹²¹ Therefore, it is scarce that researchers using big data or genetic and genomic data can reach these criteria and escape from the scope of the GDPR and other privacy laws, this leading to proposals to think post-identifiability, in genomics¹²² for example, by focusing more on education, engagement and adapted data governance. But, where reachable, anonymisation eases research collaborations and helps in meeting the requirements of open science through the deposition of research data in open data repositories. Other complexities come from the broadness and evolutive feature of the legal qualification of health data which can qualify either by nature, by crossing or by destination, everything depending on the context of the processing and a case-by-case analysis.¹²³ In current technological context, data considered anonymous in one context could become personal health data in another. Indeed, protecting the data as such does not totally avoid privacy issues. For instance, anonymisation has ethical consequences for individual rights that the participants should understand, such as the impossibility to respect their right to know and to have communication of clinically validated and useful results, including incidental findings,¹²⁴ revealed along the research. Also, as noted by the CoE, even if based on anonymised samples, research can lead to discrimination or stigmatisation of certain groups based on research results.¹²⁵ The CFREU even grants a specific right against genetic discrimination.¹²⁶

Moreover, recent advances in AI and algorithmic systems have raised new challenges of human manipulation and responsibility¹²⁷ affecting privacy and projects developing health innovations. Biomedical technologies relying on extensive computer modelling and simulation requiring AI tools powered by data¹²⁸ raise new informational privacy risks. For example, AI-enabled tools for medical decision-making, but also efforts for the creation of virtual patient cohorts,¹²⁹ or even digital twins,¹³⁰¹³¹ based on synthetic data.¹³² In reality, the risk seems to have shifted from one of data protection to one of representativeness.¹³³ Indeed, for synthetic data to be reliable and conclusive, it must be sufficiently representative of reality, so as not to conduct research based on false knowledge.¹³⁴ The manipulation of data therefore accentuates the responsibility of researchers, opening up a little more consideration on the protection of privacy,¹³⁵ the latter still being perceived as the sphere of intimacy to be protected, but also as a sphere specific to the individual,¹³⁶ which cannot be altered or erroneous. The concept of informational privacy is thus evolving towards the challenge of maintaining a faithful representation of individuals. Interestingly, this challenge is also highlighted with recent advances in the Digital Afterlife Industry¹³⁷ where “deathbots” or “digital ghosts” of deceased persons are created, for recreational or for health-related purposes,¹³⁸ thanks to generative AI systems (AIS), what also highlights the need to envisage privacy protection modalities after the death of the original data subject.

The EU AI Act (AIA) will set the stage for qualitative and trustworthy AI systems (AIS) that might present high-risk to health, safety or fundamental rights such as privacy. If the AIA liaises with the GDPR, this latter could prove incomplete regarding new issues raised by biomedical AIS. The next revision of the GDPR could be a milestone and the occasion to introduce new harmonised rules for protecting informational privacy based on ongoing regulatory achievement at National levels.¹³⁹

If the initial legal focus of informational privacy has been placed on personal data protection such a protection evolved from the specific protection of the data to the necessity to ensure appropriate governance of the data in order to cope with ground and sector-specific challenges.

B) Moving from an individual-centred privacy protection to a collective governance-based approach

As mentioned above, the development of scientific research methods now calls for a focus on the informational aspects of privacy protection. We are moving from an understanding of respect for privacy based on the implementation of mechanisms at the level of the individual (in particular through informed consent), to an approach that considers individuals at a more collective level by focusing on the implementation of measures to protect their rights and interests at the level of the databases and related processing (relying on actors’ responsibility and accountability) due to the multiplied risks arising from data aggregation and cross-referencing. This trend is directly reflected in the evolution of the Helsinki Declaration and its adaptation in the Taipei Declaration specific to issues related to database research, which introduces the word “governance” in its second version. The OECD guidelines on Creation and Governance of Human Genetic Research Databases (2006)¹⁴⁰ and on Human Biobanks and Genetic Research Databases (2009)¹⁴¹ also attest to the evolution of research practices and associated risks. The aim of this systemic governance approach is to organise the conditions for the free circulation of personal sensitive data based on accountable management implementing the special regime granted to scientific research. In the GDPR, this requires implementing technical and organisational measures to counterbalance the adjustment of data subject’s rights in research activities¹⁴² and to ensure the principle of data minimisation,¹⁴³¹⁴⁴ and other effective mechanisms of privacy protection. In a technical approach to the subject, the GDPR cites the anonymisation or pseudonymisation of data as examples.¹⁴⁵ These measures are completed by the use of specific contracts,¹⁴⁶ recognised technical standards, cybersecurity aspects, consideration of ethical aspects in the governance of data processing,¹⁴⁷ the use of Privacy Enhancing Technologies (PETs)¹⁴⁸ and more.¹⁴⁹ It is interesting to note that the law increasingly relies on technology to ensure respect of privacy and enshrines their relevance in this area, thus demonstrating the importance of the multidisciplinary approach when considering the effectiveness of the fundamental individual rights of individuals in highly digitalised sector, such as today’s research.¹⁵⁰

In addition to the technical and organisational measures foreseen by Article 89, the GDPR, in an operational approach to the law designed to guide actors faced with these issues, has introduced and imposed the use of certain tools, such as the Data Protection Impact Assessment¹⁵¹ for processing operations likely to generate a high risk for the rights and freedoms of natural persons. In addition, it introduced self-regulation mechanisms such as with the use of Codes of Conduct,¹⁵² to encourage stakeholders to adapt the general requirements to the specific features of their sector of activity or stakeholders concerned, which Codes must be validated by the supervisory authorities. Also, from a governance perspective, the GDPR requires organisations to appoint a Data Protection Officer in the case of processing of data considered as special by Article 9(1) GDPR,¹⁵³ including health and genetic data.

Continuing the efforts made by the GDPR to organise the free circulation of personal data with regard to the protection of personal data, the ongoing implementation of the European Data Strategy¹⁵⁴ presented in February 2020, which aims to create a single market for data, bears witness to the turning point that is taking place in the philosophy of the approach to both personal and non-personal data (including anonymised data in these new frameworks) by creating sectoral data spaces that must communicate with each other. Efforts are now being made to organise the circulation of data in order to unleash its potential, while respecting the values of the EU which calls for reflection on the adaptation of the fundamental rights at stake. As far as scientific research is concerned, the recent EHDSR aims in particular to propose a legal framework and a system of governance harmonised at European level in order to release the potential of existing health data for the benefit of research in particular, among other secondary uses of health data.

The final Regulation continues this collective understanding of privacy protection by imposing a European governance model for health data access and reuse in the public interest. This model differs from that of the GDPR as it facilitates access to health data with an obligation for data holders to make health data available through National Health Data Access Bodies, while at the same time ensuring full respect for fundamental rights, including respect for privacy.¹⁵⁵ Whereas the GDPR provided for the preservation of the autonomy and privacy of data subjects through mechanisms at individual level associated with data controllers’ accountability, the EDHSR provides for a reinforced general opt-out mechanism¹⁵⁶ together with “publicly available” information on the conditions under which electronic health data is made available for secondary uses. ¹⁵⁷ The EHDSR keeps the possibility for Member States to introduce consent for four types of data considered particularly sensitive.¹⁵⁸ Supporting the emphasis placed on access to health data, the EHDSR foresees that Member States may provide in their national law for the possibility of overriding the opt-out expressed by individuals¹⁵⁹ under the strict conditions listed in the Regulation, in particular for scientific research purposes for important reasons of public interest.

To ensure a balance between the protection of individual rights and the maximised use of health data for the benefit of the public interest—including scientific research—the EHDS will first provides controlled access to anonymous data and, if the purpose cannot be achieved in any other way, to pseudonymised data,¹⁶⁰ through a secure processing environment,¹⁶¹ after ethical assessment if required under national law. Moreover, the governance system intends to be representative of the various stakeholders’ interests. Indeed, the governance bodies planned at national and European level are expected to collaborate with European citizens and patients in order to preserve their autonomy in a collective approach. ¹⁶²

The EHDSR goes a step further than the GDPR in the collective approach of privacy protection as it organises a delegation of individual rights and interests’ protection to representative bodies completing the collective protection already ensured by established research ethics committees. However, we can hope that the EHDSR will prompt a move in Member States’ legislation to extend ethical assessment to all secondary uses of health data and that a joint debate will be launched at European level on the concept of “public interest” justifying access to such sensitive data. This would strengthen further the harmonized approach to privacy protection within the EU.

This objective of facilitating data sharing is already well known to the research community notably illustrated by the open science movement, for which those involved in research have structured themselves, as illustrated by the development of the FAIR principles¹⁶³ whose relevance is now unanimously recognised.

These major movements in favour of exploiting data for research purposes have led to a reconsideration of the traditional understanding of the effectiveness of privacy at the individual level, prompting the research community to propose new solutions to maintain autonomy. For example by introducing a certain granularity in consent,¹⁶⁴ and now, in a systemic approach focusing on an adapted governance of research projects, through the concepts of meta-consent,¹⁶⁵ consent to governance,¹⁶⁶ opt-out mechanism,¹⁶⁷ and transparency portal.¹⁶⁸ Each solution has the potential to pragmatically equilibrate the needs for sharing data for research and the necessary protection of individuals’ rights and freedoms—including privacy. Nowadays, research ethics committees play a considerable role in this search for this balance; we might even see in this a kind of transfer of autonomy from individuals to these ethics committees regarding the conditions under which their data is used. Effective respect for the privacy of individuals concerned by the processing of their personal data is now ensured at the level of access and data processing conditions, with controlled‑access procedures.¹⁶⁹ These procedures are set up by research actors, together with requirements aimed at ensuring that processing is carried out under conditions that minimise as far as possible the risks¹⁷⁰ of exposure for the data subjects privacy,¹⁷¹ having regard to the sensitivity of the data concerned and the processing context.¹⁷² This approach needs to be considered in a contextual and continuous manner, particularly with regard to changes in the processing undertaken or the potentially evolving sensitivity of the data processed, in order to guarantee the effectiveness of the privacy protection of the data subjects who have “entrusted” their data for the benefit of research.

As the autonomy of individuals over the way their data is used, and therefore over the risks to their privacy, becomes increasingly complex in the light of developments in the sharing of personal data for a variety of purposes, including research, new approaches are now being considered, based on the notion of the ‘commons’.¹⁷³ The commons refer to the collective management of certain goods on account of their collective potential, for the community.¹⁷⁴ Some authors wonder whether health data could be classified as commons¹⁷⁵ because of its potential for research and then for public interest, enabling collaborative modes of governance representing the various stakeholders concerned, and in particular the way in which the individuals concerned want their privacy to be protected. These new management modalities,¹⁷⁶ whose criteria and definitions are vague,¹⁷⁷ have for the most part been conceptualised in practice and are now tending to be recognised by the institutions¹⁷⁸ and the European legislator.¹⁷⁹ At international level, the WHO’s 2022 guidelines describe health data as a “common good,” advocating maximum re-use.¹⁸⁰ These new ways of using data have led some authors to argue in favour of the application of collective rights to health data in scientific research, because of the way it is networked through new research methods and practices.¹⁸¹ The protection of the privacy of individuals affected by the processing of their personal data would be more effective at the collective level than at the level of the individual, by relying on organisations having a fiduciary duty to respect the will of data subjects and protect their interests.¹⁸² The processing of health data on a massive scale made possible by new data processing techniques presents numerous opportunities for benefitting to the public interest and helps to continuously renew questions about the balance between the rights, freedoms and interests of individuals and the collective interest. The 2022 WHO guidelines on sharing and reuse of health-related data for research purposes¹⁸³ are a good reminder of this.¹⁸⁴

Thus, the effectiveness of the protection of individual privacy seems to be increasingly based on trust, and therefore on the social acceptability of the way in which the system of governance at work protects individual privacy, rather than on individual acceptance, as traditionally conceived. Therefore, in order to build this trustworthy collective protection, the research community is proposing adherence to complementary ethics principles for data governance.¹⁸⁵

Conclusion

As a legal concept, privacy is interconnected with other ethical values and fundamental human rights as several notions revolve around it, in particular those of freedom, dignity, confidentiality, self-determination and individual autonomy. The historical development of biolaw illustrates how the specific field of biomedical research and innovation allows establishing a link between the principles of human dignity and respect for privacy, and requires for their permanent conciliation. The EU law and CoE regulatory works characterise the elements protected under privacy right and emphasises how privacy can be respected in practice despite its conceptual gaps. Privacy should not be understood as the opposite of sharing intimate elements, whether related to one’s body or personal data. To the contrary, privacy right allows individuals to share by deciding about the scope of the protection they want to ensure with regard to material and immaterial elements of their private life. The biolaw conditions how and for which purposes interferences can be envisaged in research. The general jurisprudence of the ECtHR and CJEU in Europe shows complementarity: human dignity is non-negotiable and ultimately protects individuals and society from libertarian abuses. Human dignity plays where privacy don’t, and vice-versa. Biomedical research and innovation illustrate new potential tensions where current advances question the place of individual’s autonomy and the role of collective governance of privacy and data in the building of a balanced and dynamic research environment in consideration of the necessary interferences justified by public interest. While conceiving privacy in terms of its material and immaterial dimensions helps to understand its scope, advances in the biomedical field, particularly the current digital transformation of scientific research and health care, are leading regulators to focus on informational privacy to meet the challenges posed by new technologies. Material and immaterial privacy in the biomedical sciences is still based on an extra-patrimonial regime since it is not based on property rights (attached to objects) but on personality rights (attached to persons) and on State, organisational, technical and, increasingly, on collective means of protection to ensure effective protection of the individual. To date, privacy concerns are both drivers and bottlenecks for biomedical research, innovation and for technology adoption. Privacy is a moving target necessitating regulatory flexibility and anticipation, as well as sustainable, responsible, collective and agile governance, in order to accommodate to the evolving socio-technological contexts in which scientific research and biomedical innovation inscribe. Despite some shortcomings in its concrete application, it is crucial that the legal concept of privacy continues to be debated and developed in order to meet societal expectations in scientific and technological progress.

---

1 A. Lukács, “What is privacy? The history and definition of privacy,” 2016, pp. 256–265.

2 UN, Universal Declaration of Human Rights,1948.

3 Such a link between dignity and privacy has notably been established in relation to interferences with the human body, for example in cases of alleged abusive sexual practices, see European Court of Human Rights (EctHR) K.A. and A.D. v. Belgium, req.42758/98 and 45558/99, 2005, or of abusive strip-searching by the police, see ECtHR Wainwright v. the UK, req.12350/04, 2006, point 44, 46 and Roth v. Germany, req.6780/18 and 30776/18, 2021, points 5–6, 55, 64, 83–84, where the Court assessed the severity and justification of the invasion of the human body to engage Art. 3 and/or 8 of the European Convention on Human Rights (ECHR). In the EU, this link is also underlined by the European Data Protection Supervisor, see EDPS website, Data Protection, What is Privacy? (accessed on 28 september 2024).

4 UN, Universal Declaration of Human Rights,1948, Art. 1.

5 B. Mathieu, “La dignité de la personne humaine: quel droit? quel titulaire,” Recueil Dalloz, 33, 1996, pp. 282; R. Andorno, “Dignité humaine, droits de l’homme et bioéthique, quel rapport?,” Journal international de Bioéthique, vol. 21, 2010/4, 2014, pp. 51–59.

6 P. Bonjour, “La dignité humaine, philosophie, droit, politique, économie, médecine,” à partir de l’ouvrage coordonné par Thomas De Koninck et Gilbert Larochelle, Reliance, 2006/2 no 20, 2006, pp. 85–92.

7 P. Ricoeur, “Pour l’être humain du seul fait qu’il est humain,” in Jean-François de Raymond (dir.), Les enjeux des droits de l’homme, Paris, Larousse, 1988, pp. 235–236.

8 J. M. Sauvé, Vice-président du Conseil d’État Français, “Dignité humaine et juge administratif,” discours, Rencontre Européennes de Strasbourg, 27 Novembre 2009; X. Bioy, “Les limites du ‘renoncement’ aux droits fondamentaux,” in Le renoncement en droit public, édité par Nathalie Jacquinot, Presses de l’Université Toulouse Capitole, 2021.

9 K. Van Assche, S. Sterckx, “The protection of human dignity in research involving human body material,” in B. van Beers, L. Corrias, W. G. Werner (eds.) Humanity across International Law and Biolaw. Cambridge University Press, 2014:265–287, 2014; L. Floridi, “On Human Dignity as a Foundation for the Right to Privacy,” Philos. Technol., vol.  29, 2016, pp. 307–312; EU-RENEW, “The Foundations of EU personal data protection law: Privacy and Human Dignity,” epub, 30 January 2024.

10 C. Grewe, “La dignité de la personne humaine dans la jurisprudence de la Cour européenne des droits de l’homme,” Revue générale du droit, Études et réflexions 2014, numéro 3, pp. 6–7.

11 CoE, Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention of Human Rights – ECHR), Rome, 1950, as amended by Protocols Nos. 11 and 14 as from its entry into force on 1 June 2010.

12 EU, Charter of Fundamental Rights of the European Union (CFREU), OJEC C 364/1, 2000.

13 EU, Explanations relating to the Charter of Fundamental Rights (2007/C 303/02), OJEU C 33/17, 2007.

14 UN OCHR, Press release, Universal Declaration of Human Rights at 70: 30 Articles on 30 Art. – Art. 12, 21 November 2018.

15 ECtHR, Denisov v. Ukraine [GC], req.76639/11, 2018, § 95; and ECtHR, S. Marper v. the United Kingdom [GC], req. 30562/04 and 30566/04, 2008, § 66.

16 ECtHR, X&Y v. Netherlands, req.8978/80, 1985.

17 U. Kilkelly, “Le droit au respect de la vie privée et familiale. Un guide sur la mise en œuvre de l’Art. 8 de la Convention europeenne des Droits de l’Homme,” Conseil de l’Europe, 2003, p. 14.

18 Nuremberg Code, 1945, Art. 1.

19 WMA, Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects, adopted in 1964, last amended at the 75th WMA General Assembly, Helsinki, Finland, 2024.

20 C. Byk, Chapter 1. “The revised Declaration of Helsinki: a new context and new challenges for biomedical research,” in International Journal of Bioethics, “New practices, new ethics in biomedical research,” vol. 15, n° 1, 2004, pp. 17–30.

21 H. Rosenau, C. Magnon, “Chapter 3. Legal prerequisites for clinical trials according to the revised Declaration of Helsinki and the European Convention on Human Rights and Biomedicine,” in International Journal of Bioethics “New practices, new ethics in biomedical research,” vol. 15, n° 1, 2004, p. 48.

22 UNESCO, Establishing Bioethics Committees, Guide n° 1, 2005.

23 WMA, Declaration of Helsinki, op. cit.

24 Ibid., general principles point 9.

25 CoE, Convention on Human Rights and Biomedicine, European Treaty Series, No 164, Oviedo, 1997.

26 E.g. regarding the rights to dignity and to the integrity of the person as established under the ECHR and the Oviedo Convention. CJEU, Netherlands v. European Parliament and Council, Case C-377/98, 2001, ECR-I7079, point 70.

27 CoE, Convention on Human Rights and Biomedicine, op. cit., Preamble.

28 Ibid., Art. 1.

29 CoE, Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research (APBR), no. 195, Strasbourg, 2005, Arts 21–23.

30 CoE, Convention on Human Rights and Biomedicine, op. cit., Art. 10.

31 Ibid., Art. 5 ; CoE, Art. 14 APBR, op. cit.

32 CoE, Art.14 APBR, op. cit.

33 Council for International Organisations of Medical Sciences, International Ethical Guidelines for Health Research Involving Human Participants, Geneva, 2016, guideline 22.

34 UNESCO, Universal Declaration on Bioethics and Human Rights, op. cit., Art. 8.

35 CFREU, op. cit., Art. 1.

36 WMA, Declaration of Helsinki, op. cit. ; CoE, Convention on Human Rights and Biomedicine, op. cit.

37 J.-R. Trahan, “The Distinction Between Persons & Things: An Historical Perspective,” J. Civ. L. Stud., 1, 2008.

38 A. Mahalatchimy, E. Rial-Sebbag, V. Tournay, A. Faulkner, “Does the French Bioethics Law create a ‚moral exception‘ to the use of human cells for health? A legal and organisational issue ». Dilemata: International Journal of Applied Ethics, n° 7, 2011, pp. 17–37; A. Mahalatchimy, E. Rial-Sebbag, “Avant-propos : Contexte et enjeux soulevés par l’encadrement des thérapies innovantes » de l’ouvrage A. Mahalatchimy, E. Rial-Sebbag (coord.), “L’Humain médicament,” Quaderni, 81, 2013, Maison des sciences de l’homme (ed.), Paris, pp. 5–13.

39 CoE, Recommendation CM/Rec(2016)6 of the Committee of Ministers to member States on research on biological materials of human origin, adopted by the Committee of Ministers on 11 May 2016 at the 1256th meeting of the Ministers’ Deputies.

40 S. Minchin, J. Lodge, “Understanding biochemistry: structure and function of nucleic acids,” Essays Biochem, 63(4), 2019, pp. 433–456.

41 CoE, Convention on Human Rights and Biomedicine, op. cit., Art.16; CoE, Recommendation CM/Rec(2016)6, op. cit., Art.4, Art.12(2)(a), 21(3).

42 The EU Tissues and Cells Legislative Package composed of Directive 2004/23/EC and related Directives from 2006 and 2015.

43 CoE, Convention on Human Rights and Biomedicine, op. cit., Art. 5; CoE, Art. 14 APBR, op. cit.

44 Art.13 APBR op. cit.

45 CoE, Convention on Human Rights and Biomedicine, op. cit., Art.22.

46 CoE, Convention on Human Rights and Biomedicine, op. cit., Art.18.

47 ECtHR, Case Vo v. France, req. n° 53924/00, § 82. ECtHR Evans v. Royaume‑Uni, req. no 6339/05, § 54–56, 2007.

48 ECtHR Parrillo v. Italie, req. n° 46470/11, § 159, 2015. Reaffirmed in ECtHR Baret et Caballero v. France, req. n° 22296/20 and n° 37138/20, 2023.

49 G. Chassang, E. Rial-Sebbag, A. Cambon-Thomsen (2011). Chapitre 12. Les fondements de l’éthique de la recherche en droit communautaire. Journal International de Bioéthique, 22, 185–203; EGE, Ethical aspects of research involving the use of human embryo in the context of the 5th Framework Programme, 1998.

50 Are excluded from EU funding the research activities intending to create human embryos solely for the purpose of research, or for the purpose of stem cell procurement (including by means of somatic cell nuclear transfer) and activities leading to the destruction of human embryos. The activities using human embryos or embryonic stem cells for human cloning for reproductive purposes or activities intended to modify, hereditably, the genetic make-up of an individual (apart from research rekating to cancer treatment of the gonads, which may be financed). The creation of human embryoids (artificial embryo) may raise complex/serious issues necessitating a specific ethics assessment before funding. Where permitted by national laws, the EU can fund projects justifying the use of supernumerary human embryos generated through lawful medical reproductive procedures, subject to appropriate parental consent, competent authorities’ authorisations and ethics approval. See EC, “EU Grants: How to complete your ethics self-assessment,” V2.0, 13 July 2021, pp. 4–7.

51 EU, Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013. Art.18. see also Art.14 of Model Grant Agreement, V1.1, 15 November 2021.

52 CoE, Additional Protocol to the Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine, on the Prohibition of Cloning Human Beings (ETS 168), Paris, 12 January 1998; UNESCO, Report of IBC on human cloning and international governance, Annex. SHS/EST/CIB-16/09/CONF.503/2 REV.2. Belgium, Sweden, Spain, UK allow therapeutic cloning.

53 CoE, Additional Protocol on the Prohibition of Human Cloning, op. cit., Preamble.

54 A. E. Omole, A. O. J. Fakoya, K. C. Nnawuba, “Common Ethical Considerations of Human-Induced Pluripotent Stem Cell Research,” in K.H. Haider (eds) Handbook of Stem Cell Therapy, Springer, 2022.

55 E. Brenner, et al, “The legal and ethical framework for governing body donation in Europe – 2nd update on current practice,” Annals of Anatomy – Anatomischer Anzeiger, Vol. 252, 2024, pp. 152–195.

56 Décret n° 2022–719 du 27 avril 2022 relatif au don de corps à des fins d’enseignement médical et de recherche.

57 Synthèse du rapport définitif IGAS N°2019–115R / IGÉSR N°2020–028.

58 C. Foster, “Dignity and the use of body parts,” Journal of Medical Ethics, 40(1), 2014, pp. 44–47.

59 Even if a notion of “relational dignity » which integrates privacy considerations while not impeding by default life-saving sales has been proposed in literature. D. Hershenov, “Self-ownership, relational dignity, and organ sales,” Bioethics, 2018.

60 CoE, Convention on Human Rights and Biomedicine, op. cit., Art. 21.

61 CoE, Convention against Trafficking in Human Organs (ETS 216), 2015.

62 J. Pila, “Property in Human Body Parts: An Old Legal Question for a New Technological Age,” in D. Orentlicher, and Tamara K. Hervey (eds), The Oxford Handbook of Comparative Health Law, 2021.

63 Mainly addressing issues in the field of police investigations, compulsory medical examinations and, much more scarcely, in scientific research.

64 E.g. in R. Skloot, The immortal life of Henrietta Lacks, 2010.

65 B. Clément , M. Yuille, K. Zaltoukal et al. “Public biobanks: Calculation and recovery of costs,” Sci. Transl. Med., 6, 261fs45, 2014.

66 EU, Directive 98/44/EC of the European Parliament and of the Council of 6 July 1998 on the legal protection of biotechnological inventions. OJ L 213/3. 30 July 1998.

67 P. Cole, “Patentability of genes: a European Union perspective » Cold Spring Harb Perspect Med., 2014, 16;5(5):a020891. PMID: 25324232; PMCID: PMC4448586.

68 CJEU, Oliver Brüstle v Greenpeace e.V. Case C-34/10, 18 October 2011.

69 As required under the EU Directive 98/44/EC op. cit., Art.6.

70 M. G. Nielen, S. A. de Vries, N. Geijsen, “European stem cell research in legal shackles,” EMBO J., 32(24):3, 2013, pp. 07–11.

71 A. Kamperman Sanders, S. Bostyn,, H. Iserentant et al., “Final Report of the Expert Group on the development and implications of patent law in the field of biotechnology and genetic engineering,” European Commission, 2016, pp. 138–146.

72 R. Manzocco (ed. Springer), Transhumanism – Engineering the Human Condition (History, Philosophy and Current Status), doi:10.1007/978–3-030–04958-4, 2019.

73 E.g. Neuralink’s clinical trial is called PRIME — for Precise Robotically Implanted Brain-Computer Interface. See: B. Chappell, “What do we know about Elon Musk’s Neuralink, which put an implant into a human brain.” NPR., 30, 2024.

74 K. Kostick-Quenet , L. Kalwani, B. Koenig et al., “Researchers’ Ethical Concerns About Using Adaptive Deep Brain Stimulation for Enhancement,” Front Hum Neurosci. 16:813922, 2022.

75 W. Wiewiórowski, “Can We Trust Our Artificial Eyes?,” EDPS epub, 2019; SIENNA, Ethics Guidelines for Human Enhancement, 2021.

76 SIENNA, Ethical Guidance for Research with Potential for Human Enhancement, 2021.

77 K. Akyüz, G. Chassang, M. Goisauf et al., “Biobanking and risk assessment: a comprehensive typology of risks for an adaptive risk governance,” Life Sci Soc Policy 17, 10, 2021. https://doi.org/10.1186/s40504–021-00117–7

78 WMA Declaration of Helsinki, op. cit., point 24.

79 WMA Declaration of Taipei on Research on Health Databases, Big Data and Biobanks, 2016, point 4.

80 CoE, Recommendation CM/Rec(2016)6, op. cit.

81 L. Floridi (ed. Oxford University Press UK), The ethics of information. 1st ed. 2013; L. Floridi, “Distributed morality in an information society,” Science and Engineering Ethics, 19(3), 2013, pp. 727–743.

82 EC, Proposal for a Regulation of the European Parliament and of the Council laying down Union procedures for the authorisation and supervision of medicinal products for human use and laying down rules governing the European Medicines Agency, amending Regulation (EC) No 1394/2007 and Regulation (EU) No 536/2014 and repealing Regulation (EC) No 726/2004, Regulation (EC) No 141/2000 and Regulation (EC) No 1901/2006, COM(2023) 193 final, 2023/0131 (COD), Brussels, April 26, 2023, p. 38.

83 M. B. Lavagnino, “Information Privacy Revealed,” Educause Review, 28 January 2013. First, authors define it as “the claim of individuals, groups, or institutions to determine when, how and to what extent information about them is communicated to others.” Second, it is defined as “the appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual’s expectations; also, [privacy is] the right of an individual to control the collection, use, and disclosure of personal information.” Third, “privacy involves the policies, procedures, and other controls that determine which personal information is collected, how it is used, with whom it is shared, and how individuals who are the subject of that information are informed and involved in this process.”

84 L. Floridi, “On human dignity as a foundation for the right to privacy,” Philosophy and Technology. doi: 10.1007/s13347–016-022, 2016.

85 EHNE, “Europe and cyberspace – Data protection, Cyberspace and the Need for the EU General Data Protection Regulation (GDPR),” Digital Encyclopedia of European History (Accessed on 25 September 2024).

86 CoE, Convention for the protection of individuals with regard to the processing of personal data, CETS n° 108, 1981.

87 CoE, Convention 108+ for the protection of individuals with regard to the processing of personal data, 2018.

88 EU, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281/31.

89 EU, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR »), OJ L 119/1.

90 Art. 25 APBR, op. cit.

91 ECtHR, Rotaru v Romania judgment, req. no. 28341/95, 4 May 2000.

92 ECtHR, Grand Chamber, S. and Marper v/ United Kingdom, req. n° 30562/04 and 30566/04, 4 December 2008.

93 G. Chassang, “The impact of the EU general data protection regulation on scientific research,” ecancer 11 709 / doi: 10.3332/ecancer.2017.709, 2017; F. Lesaulnier, “Recherche en santé et protection des données personnelles à l’heure du Règlement général relatif à la protection des données,” Médecine & Droit, vol.  142, Issue 40, 10/2018, pp. 103–111.

94 R. Gellert, The Risk-Based Approach to Data Protection, Oxford University Press, 2020, pp. 160–163.

95 Art.29 Statement on the role of a risk-based approach in data protection legal frameworks, 2014.

96 G. Chassang, “What About Post-Mortem Digital Privacy and Personal Health Data Protection ?,” In : Deep diving into data protection. Ed. CRIDS, 2021, pp. 433–460.

97 CoE, European Court of Human Rights, European Data Protection Supervisor, European Union Agency for Fundamental Rights (ed. Publications Office of the European Union), Handbook on European data protection law – 2018 edition, epub, 2018.

98 CoE, Recommendation CM/Rec(2019)2, Protection of health-related data, 2019.

99 Art.9(2) GDPR op. cit.

100 EC, Consumers, Health, Agriculture and Food Executive Agency, J. Hansen, P. Wilson, E. Verhoeven, M. Kroneman et al., Study “Assessment of the EU Member States’ rules on health data in the light of GDPR,” Publications Office, 2021.

101 Art.9(4) GDPR op. cit.

102 S. Wiertz, J. Boldt, “Ethical, Legal, and Practical Concerns Surrounding the Implemention of New Forms of Consent for Health Data Research: Qualitative Interview Study,” J Med Internet Res, 2024;26:e52180, 2024; S. Wiertz, “How to Design Consent for Health Data Research? An Analysis of Arguments of Solidarity,” Public Health Ethics, Volume 16, Issue 3, 2023, pp. 261–270.

103 D. Hallinan, “Broad consent under the GDPR: an optimistic perspective on a bright future,” Life Sciences, Society and Policy, vol.  16:1, 2020.

104 Art.9(2)(a) GDPR op. cit.

105 Art.13 and 14 GDPR op. cit.

106 Recital 33 GDPR. See also, EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, point 4, 2021.

107 EC, Proposal for a Regulation on the European Health Data Space, COM/2022/197 final, 3 May 2022.

108 This presumption of research purpose compatibility for further processing personal data is also recognised in the CoE Convention 108+. See the Handbook on European data protection law, op. cit.,p. 124–125.

109 Art.89(1) GDPR op. cit.

110 Art.5(2) GDPR op. cit.

111 Art.25 GDPR op. cit.

112 EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 2020. R. Becker, A. Thorogood, J. Ordish, M. J. S. Beauvais, “COVID-19 Research: Navigating the European General Data Protection Regulation,” J Med Internet Res., 22(8):e19799, 2020. A. Delfin-Rossaro, G. Chassang, E. Rial-Sebbag, “Outils algorithmiques et crises sanitaires: Enjeux éthico-juridiques et recommandations,” Droit, Santé et Société, 2–3, 2022, pp. 61–68.

113 EDPB, Statement on restrictions on data subject rights in connection to the state of emergency in Member States, 2020; EDPB, Guidelines 10/2020 on restrictions under Art. 23 GDPR, Version 2.0, 2021.

114 EC, Study “Assessment of the EU Member States’ rules on health data in the light of GDPR,” op. cit.

115 Recital 26 GDPR op. cit., These provisions raised questions in the field of scientific research where there are considerable means and expertise involved in projects to perform high-level complex data processing and investigations which could allow (re)identifying data subjects.

116 Art.29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, Adopted on 10 April 2014, 0829/14/EN WP2016.

117 Non-individualisation: it must no longer be possible to re-identify and isolate an individual from the anonymised dataset; Non-correlation: it must no longer be possible to establish links between different data concerning the same individual; and Non-inference: it must no longer be possible to deduce information linked to an individual.

118 S. Ayme, R. Choquet, L. Devillers et al., “Bénéfices et risques de l’utilisation des données de santé à des fins de recherche: Rapport du Conseil scientifique Consultatif du Health Data Hub,” 2023, hal-04345572, p. 14; C. Villani, “Giving meaning to artificial intelligence. Pour une stratégie nationale et européenne,” Report, 2018, pp. 224; H. Tanghe, P. O. Gibert, “L’enjeu de l’anonymisation à l’heure du big data,” RFAS, 4, 2017, pp. 79–93.

119 Health Data Hub, “Guide – What is anonymous health data,” epub, p. 4.

120 M. Shabani, L. Marelli, “Re-identifiability of genomic data and the GDPR,” EMBO Reports, 20:e48316, 2019.

121 EDPB, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, Q18, 2021.

122 K. Akyüz, M. Goisauf, G. Chassang et al., “Post-identifiability in changing sociotechnological genomic data environments,” Biosocieties, vol.  19, 2023, pp. 204–231.

123 CNIL, “Qu’est-ce qu’une donnée de santé ?,” epub, 2018.

124 A. Thorogood, Y. Joly, B.M. Knoppers, et al., “An implementation framework for the feedback of individual research results and incidental findings in research,” BMC Med Ethics, 15, 88, 2014.

125 CoE, Recommendation CM/Rec(2006)4, op. cit., Explanatory Memorandum, point 6.

126 EU, CFREU, op. cit., Art.21(1).

127 CoE, Declaration Decl(13/02/2019)1 on the manipulative capabilities of algorithmic processes, 2019.

128 J. Lennie, J. Fisher, M. R. Gastonguay, “Trends in the application of pharmacometric modeling and simulation in the development of the Orphan Drugs in the 21st century,” Journal of Pharmacokinetics and Pharmacodynamics, n° 42, 2015.

129 A. Bajard, S. Chabaud, C. Cornu, et al., “An in silico approach helped to identify the best experimental design, population, and outcome for future randomized clinical trials,” Journal of Clinical Epidemiology, 2015.

130 M. Grieves, “Digital Twin: Manufacturing excellence through Virtual Factory Replication,” White Paper, Florida Institute of Technology, 2014, p. 7.

131 A virtual human twin (VHT) is a digital representation of a human health or disease state. They refer to different levels of human anatomy (e.g. cells, tissues, organs or organ systems). VHTs are built using software models and data and are designed to mimic and predict behaviour of their physical counterparts, including interaction with additional diseases a person may have, European Virtual Twins Initiative, epub (Accessed on 25 September 2024).

132 M. Elliot, A. Hundepool, E. Schulte Nordholt, J.-L. Tambay, T. Wende, Glossary ion Statistical Disclosure Control, epub: website Statistical Disclosure Control, May 2009: “Synthetic data: An approach to confidentiality where instead of disseminating real data, synthetic data that have been generated from one or more population models are released”.

133 K. Bhanot, M. Qi, J. S. Erickson, I. Guyon, P. Bennett, “The Problem of Fairness in Synthetic Healthcare Data”, Entropy (Basel), no.23, September 2021, pp. 1165.

134 Ibid.

135 F. Lesaulnier, “Valorisation de la recherche en santé humaine et protection des données à l’ère du numérique,” Médecine & Droit, 2023, p. 22.

136 A. Voillemet, “L’usage de la donnée médicale. Contribution à l’étude du droit des données,” thèse en droit, Université Polytechnique Hauts-de-France, Institut national des sciences appliquées Hauts-de-France, 2022, p. 294.

137 C. Ohman & L. Floridi, “The Political Economy of Death in the Age of Information: A Critical Approach to the Digital Afterlife Industry,” Minds and Machines, 27, 2017, p. 639–662.

138 B. Jiménez-Alonso, I. Brescó de Luna, “Griefbots. A New Way of Communicating With The Dead?,” Integr. psych. behav., 57, 2023, pp. 466–481; B. Jiménez-Alonso, I. Brescó de Luna, “Chapter 9 – AI and grief: a prospective study on the ethical and psychological implications of deathbots,” In S. Caballé, J. Casas-Roma, J. Conesa (eds.), Intelligent Data-Centric Systems, Ethics in Online AI-based Systems, Cap. 9, pp. 175–191.

139 CNIL, Fiches pratiques IA. 2024.

140 OECD, Creation and Governance of Human Genetic Research Databases, Éditions OCDE, Paris, 2006.

141 OECD Guidelines on Human Biobanks and Genetic Research Databases, 2009.

142 Art. 89(2) GDPR op. cit.

143 Recital 156 and Art. 89(1) GDPR op. cit.

144 Art. 5(1)(c) GDPR, op. cit., on data minimisation, requires that personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes of the processing. Specific issues can be raised in biomedical research, particularly where whole human genome sequencing technologies are used. Independent ethics review of research projects and infrastructures, together with data protection officers assessment, are implemented to decide, case-by-case, about the respect of data minimisation and other applicable legal and ethical requirements.

145 Art.89(1) GDPR op. cit.

146 Such as Data Transfert Agreement, Material Transfert Agreement.

147 C. Staunton, S. Slokenberga, A. Parziale and D. Mascalzoni, “Appropriate Safeguards and Art. 89 of the GDPR: Considerations for Biobank, Databank and Genetic Research,” Front. Genet., 13:719317, 2022, p. 9.

148 Such governance measures rely on the use of technological means, such as privacy enhancing technologies (PETs) enabling the controller to create and secure data, the processing environment, to control privacy and data breach risks based on data protection impact assessment, and on organisational means, in particular to ensure data access controls, reviews, and transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing features.

149 European Data Protection Supervisor, Study on the appropriate safeguards under Art. 89(1) GDPR for the processing of personal data for scientific research, 2019.

150 EU, Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act), Recital 7 : “There are techniques enabling analyses on databases that contain personal data, such as anonymisation, differential privacy, generalisation, suppression and randomisation, the use of synthetic data or similar methods and other state-of-the-art privacy-preserving methods that could contribute to a more privacy-friendly processing of data ».

151 Art. 35 GDPR, op. cit.

152 Art. 40 GDPR, op. cit.

153 Art. 37(1)c GDPR, op. cit.

154 Notably through the legislative measures provided for this purpose, namely: the EU Data Governance Act, op. cit. ; the EU Data Act, Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828, OJ L, 2023/2854, 2023 ; the EU Digital Markets Act, Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828, OJ L 265, 2022, pp. 1–66 ; the EU Digital Services Act, Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC, OJ L 277, 27.10.2022, pp. 1–102 ; and in particular the recently adopted Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (EHDSR).

155 Recital 93, EHDSR, op. cit.

156 Art. 71, EHDSR, op. cit.

157 Art. 58(1), EHDSR, op. cit.

158 Including genetic, epigenomic and genomic data; molecular data such as proteomic and other omic data; data from wellness applications; health data from biobanks and associated databases (article 51(4) EHDSR, op. cit.).

159 Art. 71(4) EHDSR, op. cit.

160 The data user must provide a justification (art. 67(2)e EHDSR, op. cit.).

161 Art. 73 EHDSR, op. cit.

162 National health data access bodies will have to cooperate with all the stakeholders concerned, including patients’ organisations, representatives of natural persons, health professionals, researchers and ethics committees (art. 57(2)b EHDSR, op. cit.). Also, at national level, certain actors may be legally recognised as trusted health data holders if they comply with the requirements of the EHDSR. This status will enable them to assess requests for access to the health data they hold (art. 72 EHDSR, op. cit.). National bodies will also collaborate with the data altruism organisations created by the DGA (Chap. IV DGA op. cit.; Recital 78 EHDSR). At European level, the Stakeholder Forum should enable the views of stakeholders to be taken into consideration, including in particular representatives of patient organisations (art. 93 EHDSR, op. cit.).

163 M. Wilkinson, M. Dumontier, I. Aalbersberg, et al. “The FAIR Guiding Principles for scientific data management and stewardship,” Sci Data, 3, 160018, 2016.

164 Such as dynamic consent, meta-consent, broad consent or layered consent.

165 T. Ploug, and H. Søren, “Meta Consent – A Flexible Solution to the Problem of Secondary Use of Health Data,” Bioethics, vol.  30,9, 2016, pp. 721–732.

166 S. N. Boers, Johannes J. M. van Delden, and A. L. Bredenoord, “Broad Consent Is Consent for Governance,” American Journal of Bioethics, 15 (9), 2015, pp. 53–55.

167 A. Noor Giesbertz, L. Annelien Bredenoord, J.M. Johannes van Delden, “A Thick Opt-Out Is Often Sufficient,” American Journal of Bioethics, 13:4, 2013, pp. 44–46.

168 A transparency portal is an online tool designed to provide clear and accessible information on how an organisation processes and uses personal data, particularly in the field of health and medical research. In this way, the tool makes it easier for data subjects to exercise their rights.

169 Y. Joly, S. O. M. Dyke, B. M. Knoppers, T. Pastinen, “Are Data Sharing and Privacy Protection Mutually Exclusive?,” Cell., 167(5):1150–1154, 2016, pp. 1151 : “Controlled access uses an access agreement, overseen by an access committee, to make data availability conditional upon the researchers identifying themselves and agreeing to a number of conditions on data usage. Because controlled access is regarded as a form of open access, these conditions should be kept to the minimum necessary to ensure that participants’ data are reasonably well protected from re-identification ». This is the approach that seems to have been adopted by the proposed regulation on the European Health Data Space, op. cit., even raising questions about the interplay between this future regulation and the provisions of the GDPR, op. cit.

170 WHO, Sharing and reuse of health-related data for research purposes: WHO policy and implementation guidance. Geneva: World Health Organization, 2022.

171 J. E. Cohen, “Turning Privacy Inside Out,” Theoretical Inquiries in Law, vol.  20.1, 2018.

172 Such as ethics committees opinions, imposed processing conditions, prohibition of re-identification of data, use of secure processing environments, data protection impact assessment, etc.

173 “The term ‘common’ comes from the Latin noun munus, muneris meaning gift, obligation or function. Common goods can be represented as shared goods, like a co-ownership or a planet (Rémon, 2020: 1), whose use and governance are managed by a community (Villani et al., 2018: 14; Bollier, 2014),” translated from French,inA-S Hulin, E. Guiraud, J. Lawarée and L. Langlois, “Le partage et la mise en commun des données de santé : quels enjeux pour un objectif d’innovation sociale responsable ?,” Éthique publique [En ligne], vol.  25, no. 1, 2023, p. 12.

174 “This would be a third category of property alongside private property and public property (Emerich, 2021: 222; Benyekhlef, 2020: 315),” translated from French, Ibid.

175 Ibid.

176 Such as data trusts, data cooperatives, data marketplaces or data unions.

177 M. Micheli, E. Farrell, B. Carballa Smichowski, M. Posada Sanchez, S. Signorelli and M. Vespe, “Mapping the landscape of data intermediaries,” Publications Office of the European Union, Luxembourg, 2023, doi:10.2760/8943, JRC133988.

178 Ibid.

179 The Data Governance Act, op. cit., has defined different types of data-sharing intermediaries with inclusive governance arrangements, making it possible to institute players in the non-personal and personal data-sharing landscape that enable sharing in line with the interests of the various interests at stake, according to two models: data intermediation services (Art. 10) providing for commercial relationships, and altruistic data organisations (Chapter IV) based on the general interest.

180 “Data, and the knowledge derived from the use of that data, should be recognized as a global public good, and data-sharing and data reuse should be maximized in ways that are effective, ethical and equitable in order to improve public health,” WHO, Sharing and reuse of health-related data for research purposes, op. cit., p. 1.

181 I. Coulybaly, “La protection des données à caractère personnel dans le domaine de la recherche scientifique,” Thèse en droit, University of Grenoble, 2011.

182 D. Bourcier, P. De Filippi, “Vers un droit collectif sur les données de santé,” Revue de droit sanitaire et social (RDSS), Dalloz Revues, n. 3, 2018, pp. 445.

183 Op. cit.

184 “[. . .] all data sharing should balance and protect the privacy of individuals and the dignity of communities while acknowledging the imperative to improve public health through the most productive use of data,” p. 1

185 D. Lin, J. Crabtree, I. Dillo, et al., “The TRUST Principles for digital repositories,” Sci Data, 7, 144, 2020; S. R. Carroll, et al., “The CARE Principles for Indigenous Data Governance,” Data Science Journal, 19, 2020, p. 1–12.

---

Gauthier Chassang, Lisa Feriol, Noémie Dubruel, « The Evolving Concept of Privacy in European Law. Addressing Specific Challenges for Advancing Biomedical Research and Innovation », Définitions et concepts du biodroit [Dossier], Confluence des droits_La revue [En ligne], 07 | 2025, mis en ligne le 7 juillet 2025. URL : https://confluencedesdroits-larevue.com/?p=4182.