Introduction
On 25th November 2018, the world woke up to the startling news of designer babies, an event that was termed the “first leap of faith in science”. This groundbreaking incident made possible by Clustered Regularly Interspaced Short Palindromic Repeats (“CRISPR”) – a gene editing technology employed to modify DNA selectively, shocked the world and ignited intense debates on the implications of CRISPR technology. As India strives to keep pace with such technological advancements, two critical lacunae in its data protection framework emerge as significant obstacles to effectively regulating CRISPR.
Through this article, the authors firstly advocate for layered data classification (“LDC”) which consists of generic data (less important digital information that is identifiable to an individual), sensitive data (digital information traceable to an individual that requires higher security due to its significance) and genetic information (processed genetic data that can be traced back to an individual, that is subsequently digitalised) as a distinct category under sensitive data. Secondly, the authors advocate for a framework that encourages cross-border data transfer (sharing of data from one country to another) as a norm to provide a conducive environment for CRISPR technology as opposed to the current framework. Lastly, we advance solutions to mitigate the regulatory challenges of CRISPR.
CRISPR, Genetic Privacy, and the DPDPA: A Call for LDC
As genetic technology advances, the one-size-fits-all approach of the Digital Personal Data Protection Act, 2023 (“DPDPA”) to personal data falls dangerously short. The regulation of CRISPR technology hinges on robust protection of genetic information, which the DPDPA fails to address adequately. Genetic information should be treated as a unique category within sensitive data, demanding stricter security measures beyond the basic notice and information of complaint mechanisms currently prescribed in Part II of the DPDPA. This shortfall compromises both the preservation of genetic privacy and the effective regulation of CRISPR technology.
The one-size-fits-all approach to data protection in DPDPA is a shallow conception of data protection that is redundant in protecting genetic information. This is due to a plethora of reasons.
Firstly, genetic information warrants a relational approach to privacy, diverging from the predominant individualistic model. Unlike conventional data that identifies only the individuals to whom it relates, genetic information can be traced to identify even family members, ancestors, and descendants due to shared genetic traits. The increasing need for the processing of genetic data has culminated in the rise of a new legally relevant biological group whose rights are contingent on the relational conception of privacy which is gaining traction globally. Frameworks like the Hugo Ethics Committee and the Genetic Information Non-Discrimination Act (2008) highlight the emerging recognition of relational privacy principles. Genetic information forms a distinct legal category due to its profound impact on familial and biological connections. The International Declaration on Human Genetic Data (2003) acknowledges this by recognising the significant implications of genetic information on family units, while the European Union (“EU”) Working Party Report (2004) considers it partially as shared information. To effectively regulate CRISPR technology, which involves genetic information and raises extensive ethical concerns, India needs to adopt such a relational privacy framework. This layered approach will better address the unique legal and ethical dimensions of genetic information and its effects on family and biological groups.
Secondly, traditional techniques like anonymisation, a common safeguard to protect sensitive data, is not suitable for genetic information due to their inherently identifiable nature. Anonymisation is unviable for longitudinal research and cancer registries since they substantially reduce the value of the information. Data masking techniques face limitations in protecting genetic information due to these reasons. This insufficiency of genetic information protection measures highlights the need for establishing a specific classification for genetic information, especially when considering the implications of CRISPR technology.
Harnessing CRISPR: Resolving Roadblocks through the LDC
CRISPR technology primarily delves into the processing of genetic information to provide corresponding outcomes. In light of the significance of genetic information for CRISPR, the distinct classification of genetic data acts as the stepping stone in addressing the novel, ethical, and regulatory challenges of CRISPR for many reasons.
Firstly, the CRISPR technology promises groundbreaking advancements, such as curing genetic diseases and developing climate-resistant crops, but its success hinges on public trust. However, this is subject to the confidence that a “Data Principal” has in the existing system to protect his data. Recognising the unique nature of genetic information, and setting up robust protections will result in effective data protection that can be achieved through LDC of genetic data which will foster trust and enable broader acceptance and utilization of CRISPR technology, aligning with the data protection committee’s view that personal data protection is central to empowerment, progress, and innovation.
Secondly, the CRISPR technology is a double-edged sword that offers significant benefits but has the potential to be misused and inflict harm. The current data protection measures provide room for unethical genetic manipulation to occur. For instance, Section 7 of DPDPA permits the processing of data ‘in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.’ The wide and ambiguous ambit of this provision would have disastrous implications when applied to CRISPR technology as it does not account for the unique complexities of genetic information. The broad consenting mechanisms would permit ‘Data Fiduciary’ to manipulate genetic information for unethical but legal purposes, since DPDPA permits processing of data for only lawful purposes. To ensure CRISPR’s legal and ethical use, it is essential to establish a distinct category for genetic information, with stringent security measures and explicit consent requirements, to prevent the emergence of practices such as engineered soldiers. Therefore, the LDC with enhanced security measures is crucial for effectively regulating CRISPR technology. The subsequent section analyses the lacunae regarding Indian cross-border data transfer frameworks.
Transferring Beyond Borders: An Analysis of Cross-Border Data Transfers
The dawn of the era of technology underscores the significance of cross-border data transfers. Countries, in the technologically-driven era, are highly dependent on data. The essentiality of cross-border data transfers is also highlighted by the saying “Data is the new gold”. CRISPR, a part and parcel of human genome editing, has stood out among all the technological developments that provide viable opportunities. For instance, CRISPR has been given a green signal in the United States and China for cancer treatment. These reasons underscore the significance of CRISPR and the necessity of its cross-border data transfer for international collaboration.
Moreover, priceless technologies such as CRISPR should not be restrained to one jurisdiction. The globe works as a borderless entity in the information era. It is noteworthy as to what are the methods for the preservation, administration, and transfer of data. The Data Protection Directive underscores the necessity of consent from the “Data Subject” (International term for “Data Principal”) to transfer data from the European Economic Area. Under the DPDPA, the “Data Fiduciary” has to obtain consent from the “Data Principal” for the administration of data. The Act follows a defensive approach regarding cross-border data transfer since it furnishes the Central Government with the power to restrict the transfer for processing of personal data in its entirety [Section 16 of DPDPA]. The pivot of discussion has been the protection of personal data by restricting its transfer. Instead, a more dynamic and proactive approach allowing for transfer of data should be incorporated in the same because the global transfer of data is perhaps as crucial in our daily lives as the breath we take and is the lifeline of the global economy.
Beyond Standard Clauses: Addressing Standard Contractual Clauses Shortcomings in India
The public fears the global transfer of data as it is a cumbersome task to safely administer data transfers since each country or organisation has a distinct set of data protection rules. Thus, one can notice that the degree of formalisation differs between countries. This, in turn, stresses that jurisdiction is one of the most important elements of cross-border data transfers, but in data protection standards, there are a multitude of rules in different jurisdictions, posing problems relating to cross-border data transfer.
Standard Contractual Clauses (“SCC”), approved by the EU first in 2001, are used by the “Data Exporter” to enter into a contract with the “Data Importer” to transfer the data under a contract helping in cross-border data transfer from an EU exporter to a non-EU “Data Controller”. Subsequently, in 2002, its scope was enlarged to “Data Processors”. These clauses have been criticised by various jurisdictions, such as the US. Even in the Indian context, the SCC are not commensurate with the task they intend to undertake.There are various reasons for the same. Firstly, the SCC grant rights to “Data Subject” to third parties. Granting rights to third parties acts as a Pandora’s Box as it violates the necessity of data confidentiality. Secondly, the SCC requires the “Data Importer” to resolve disputes only in the member state, simultaneously providing the Data Protection Authority the right to audit the agreement. This restricts the scope of dispute resolution. The DPDPA already follows a more comprehensive and party-friendly approach as it also encompasses alternate dispute resolution. Thus, if the scope of the transfer of genetic information is extended internationally, this provision will furnish the parties with a robust grievance redressal mechanism.
Privacy vs. International Collaboration: A Cross-Jurisdictional Analysis
The EU, on the one hand, gives the status to the right to privacy as a fundamental right following an inclusive set of regulations. On the other hand, the US follows sectoral regulations. The American Data Privacy and Protection Act (2022) focuses on consent-based data collection and transfer. It allows for unhindered cross-border data transfer. Contrastingly, in light of Schrems v. Data Protection Commissioner, some EU officials opine that to obey EU data protection laws, companies in the respective technologies must restrict the personal data of EU citizens within the regions of the EU.
Thus, there are a myriad of rules and regulations supporting or repudiating cross-border data transfer in the international arena. The EU, the US, and China vary in their fundamental laws regarding the storage, administration, and transfer of genetic or personal data. Cross-border data transfer can prove to be beneficial for public health, economic growth, research collaboration, etc. in the context of CRISPR. It is in this regard that most of the countries opt and strive for an unhindered, efficient, and streamlined process of cross-border data transfer and India can take a cue from the same.
Blueprint for Progress: Innovating Data Protection in the Age of CRISPR
The advent of novel genome engineering technologies such as CRISPR has brought renewed attention to the unnoticed legal and ethical questions of synthetic biology. Thorns are strewn in the process of data transfer and the major stumbling block is the assurance of data safety. These roadblocks must be resolved for a proficient process amicable to the “Data Principal” and the “Data Fiduciary”.
The regulation of CRISPR technology hinges upon the robust protection of the genetic data it processes. Given the complexities of genetic information and the DPDPA’s inadequate standards, LDC is recommended. This involves classifying genetic data as a distinct category within sensitive personal data, with stringent security standards and explicit consent mechanisms. The EU working paper highlights two possible approaches to data protection; either the family members can be considered data subjects with all rights or they will be granted the right to information of a different character. However, it is essential that the demands of every case and the uniqueness of the same must be accounted for.
The ethical dilemmas that CRISPR poses, render the limit of ‘lawful purposes’ ineffective. To ensure that CRISPR technology is not employed to cross the ethical boundaries of humanity, the “Data Protection Board” needs to include diverse experts to evaluate the morality of genetic data use. This board should forbid instances like “Genetic Cleansing,” which involves removing certain genes deemed inferior using CRISPR, or enhancing traits like intelligence, which might widen the social divide due to the expensive nature of CRISPR. Safeguards are needed to ensure CRISPR technology is used responsibly and does not endanger humanity.
As already discussed, the SCC are insufficient for facilitating a seamless data transfer process. However, the interplay of various legislations from different jurisdictions can effectively improve the status quo. To ensure this, the DPDPA needs to have a specific provision ensuring a complete mechanism for the international transfer of data. Section 16(1) of the DPDPA allows the Central Government to “restrict the international transfer of personal data”, but Section 16(2) introduces the caveat of data misuse. The sub-section shows concern over the misuse of genetic and personal data. It is recommended that this approach, although appropriate, can be made more integrative if amendments are made to facilitate and not restrict cross-border data transfer, bearing in mind the already deliberated international significance of genetic and personal data transfer.The chief caveat people have in mind is about data misuse. Since the DPDPA already takes measures to safely administer and handle the data, data anonymisation, encryption and cryptography can be used to keep the data out of the clutches of its misuse. The information is masked from the potential data breachers unlocking a safe and sound mechanism. Despite the cloud’s abstract nature, it relies on physical hardware and infrastructure that can be misused. Hence, robust data protection technological mechanisms are also essential for safeguarding privacy and security.
The lack of clear regulatory frameworks, the long, and ineffective clinical trial methods, and the general misunderstanding of the scientific role of CRISPR are some of the reasons why it has been cumbersome for translational research. Nevertheless, the law should not be in a sustained slumber and lag with the challenges. Instead, it should make amends by anticipating the challenges resulting into more comprehensive frameworks.
Conclusion
The evolving landscape of genetic technology, epitomised by CRISPR, presses the need for a robust and progressive regulatory framework. The current shortcomings of DPDPA’s narrow approach are glaringly discernible in light of the challenges posed by genetic information. To safeguard genetic information, it becomes imperative to classify genetic information as a distinct category working along heightened security measures. By adopting the framework of relational privacy, India can address the challenges of genetic information. Furthermore, the amelioration of cross-border data transfer through the prism of DPDPA also has positive outcomes on the international collaboration essential for the development of CRISPR technology.
The suggested reforms highlight the necessity for an inclusive and dynamic approach to data protection, reflecting the nuances of genetic information and its legal dimensions. As we stand on the brink of unprecedented scientific advancements, a pioneering and visionary regulatory mechanism is required to ensure that CRISPR technology is harnessed responsibly, ethically, and legally to unlock its fullest potential for the benefit of mankind.
This article is a part of the DNLU-SLJ (Online) series, for submissions click here.
Students at HNLU, Raipur
