2.1 Genetic Data as Sensitive Personal Data in EU Data Protection Law

GDPR stands as a cornerstone of the contemporary EU legal framework designed to protect individuals’ data, which came into effect on May 25, 2018. ¹⁰ The GDPR’s framework is built upon a set of core principles that govern the lifecycle of personal data: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and accountability. Its conceptualization of genetic data is pivotal since its predecessor, the Data Protection Directive 95/46/EC, ¹¹ did not provide a definition or specify the legal nature of genetic data. Although the Article 29 Working Party issued some opinion on genetic data in 2004, its recognition of the sensitive nature of genetic data remained implicit “considering the extremely singular characteristics of genetic data and their link to information that may reveal the health condition or the ethnic origin.” ¹² It is not until the GDPR’s formal introduction of the definition of genetic data that genetic data is explicitly classified as a “special category of personal data,” usually referred to as sensitive personal data, in EU law. These special categories of personal data, also including other types such as biometric data, data concerning health, and data revealing racial or ethnic origin, enjoy reinforced legal protection under the GDPR due to their inherent sensitivity in relation to fundamental rights and freedoms of individuals. ¹³

The definition of genetic data in the GDPR adopts an explicitly individual-centric —or more precisely, a sample-owner-centric — approach. Under Article 4(13), genetic data is defined as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.” ¹⁴ Two observations could be made from this formulation. First, the genetic data protected by the GDPR are conceived as data derived from the analysis of biological material (such as chromosomal, DNA, or RNA analysis) of the data subject, rather than from biological material belonging to other persons (such as biological relatives whose genetic information is intrinsically linked). Second, the provision frames the unique physiological or health-related information as belonging to, and thus primarily concerning, that individual, while remaining silent about the ways in which such information may also implicate other data subjects or broader groups. As Kuru recognizes, a teleological reading confines GDPR protection of genetic data to the individual data subject — that is, data derived from and concerning that person — excluding other individuals from the protection.Reference Kuru ¹⁵ This narrow focus highlights the constraints of an individual-centric framework when applied to the inherently shared nature of genetic information. For example, an individual’s decision to undergo a DTC test may reveal pathogenic variants that are heritable and indicate an increased risk of certain cancers (e.g., BRCA1/2), ¹⁶ whereas an individual-only legal framing fails to adequately capture the downstream familial implications.

The GDPR imposes a general prohibition on the processing of sensitive personal data, including genetic data, ¹⁷ a rule that can only be lifted under a limited number of specific, conditional exceptions. These exceptions include processing for reasons such as “explicit consent,” “substantial public interest,” “public interest in the area of public health,” or for “scientific or historical research purposes.” Member States of the EU also retain a certain degree of discretion to introduce further conditions for the processing of genetic data. ¹⁸ These exceptions reflect a long-standing and inevitable tension between protecting an individual’s fundamental right to data privacy and the pursuit of benefits for society as a whole. In the case of genetic data, this is most evident in the balance between individuals’ genetic privacy and public health advancements derived from genetic research. The legal debate surrounding this balance is a central point of conflict, foreshadowing the need for a broader analytical model that extends beyond individual privacy.

In other EU data-related legislation, the definition of genetic data largely mirrors that set out in the GDPR, ¹⁹ maintaining an individual-centric approach that focuses narrowly on information revealing unique genetic characteristics derived from a person’s own biological samples. The concept of genetic data as primarily implicating individual privacy is similarly enshrined in many jurisdictions around the world — such as the US, Canada, and the UK, where legal frameworks often situate genetic information within the broader category of sensitive personal data and emphasize the individual’s right to control its use and non-discrimination. However, beyond this predominant framing, certain jurisdictions have begun to recognize that genetic data also raise concerns that extend beyond individual privacy — for instance, by implicating national interests and collective identities. These emerging perspectives, which depart from or supplement the traditional individual-centric view, will be examined in greater depth in Sections 3 and 4.

2.2. Jurisprudence of European Courts

The individual-privacy character of genetic data has long been recognized in the jurisprudence of the European Court of Human Rights (ECtHR or “the Court”), ²⁰ although the Court’s evolving case law has also addressed other dimensions of genetic information (see Section 3). Before the GDPR’s formal definition, the ECtHR decided a number of cases concerning genetic information, often under varying labels, such as “DNA data,” “DNA profile,” “DNA information,” or “DNA records.”Reference Tuazon ²¹ The cases discussed in this section are purposively selected as illustrative, focusing on landmark or representative decisions of the ECtHR rather than as the output of a systematic review.

Particularly, the Court consistently held that the collection and retention of an individual’s genetic data by public authorities constitutes an interference with their right to private and family life as protected by Article 8 of the European Convention on Human Rights (ECHR), which may be justified only if it is “necessary in a democratic society” for legitimate aims such as national security, crime prevention, or the protection of health. ²² In Van der Velden v. The Netherlands, considered the earliest case concerning genetic information, the Court found that the systematic retention of an individual’s cellular material (which the court treated as a proxy for the genetic information contained within) and DNA profile is “sufficiently intrusive” to amount to an interference with Article 8 ECHR, given the potential future uses of such material beyond mere neutral identification. ²³ In the following landmark S. and Marper v. The United Kingdom case, the Court described DNA information as having an “intrinsically private character,” noting that the information extracted from an individual’s cells is “highly personal” and can disclose sensitive facts such as health status. ²⁴ Furthermore, in cases such as Aycaguer v. France, the Court has emphasized that prolonged retention — here, a forty-year period with an effective practical result of indefinite storage — is disproportionate and therefore cannot be justified as necessary in a democratic society. ²⁵ Similarly, in Gaughran v. the United Kingdom and Trajkovski and Chipovski v. North Macedonia, the Court consistently held that the blanket, indefinite retention of convicted persons’ DNA profiles without adequate safeguards “fails to strike a fair balance between the competing public and private interests” and thus exceeds the State’s acceptable margin of appreciation. ²⁶ Together, these decisions underscore the ECtHR’s consistent recognition of the particular sensitivity of genetic data and its focus on proportionality, retention, and sufficient safeguards when public authorities process such information.

The Court of Justice of the European Union (CJEU) has likewise reinforced the individual-privacy character of genetic data, particularly in the context of Law Enforcement Directive 2016/680 (LED), which governs police and justice processing of personal data. ²⁷ In its 2023 judgment in V.S. v. Ministerstvo na vatreshnite raboti, the CJEU held that genetic data falls within the special category of personal data subject to enhanced protection under the LED, and that the systematic collection of such data for police records is, in principle, incompatible with the LED unless the competent authority can demonstrate strict necessity and the absence of less intrusive means to achieve their objective. ²⁸ The CJEU’s subsequent ruling in NG v. Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR – Sofia sharpened this principle, concluding that the indefinite or generalized retention of genetic data (for example, retention “until death”) for persons convicted of offenses is contrary to the LED. ²⁹ It emphasized that retention must be strictly necessary, limited in time, and subject to periodic review. ³⁰ This decision also reinforces the core EU data protection principles of data minimization and proportionality. Both rulings demonstrate that the CJEU, like the ECtHR, regards genetic data as a highly personal and sensitive category of information, warranting stringent safeguards to protect individual privacy. Moreover, the CJEU’s jurisprudence builds upon the principles established in the ECtHR, applying them directly to the framework of EU data protection law and thereby solidifying the legal position that genetic data’s inherent sensitivity demands heightened protection and careful, limited use by public authorities.

Nevertheless, the jurisprudence of the two European courts, the ECtHR and the CJEU, remains premised on a strict one-to-one relationship between a person and their genetic information, a model that emerged before the full implications of genomic science were appreciated. This traditional framing, while providing a necessary baseline, overlooks the inherently shared character of genetic data and the cascade of consequences that a single person’s data can have on others. Nevertheless, academic analysis suggests that these court decisions contain the seeds of a broader conception of privacy — one that recognizes collective and relational dimensions of genetic information — and thus provide a natural transition to the next layer of the model (see section 3).

2.3. Inherent Limitations

It should be noted that most of the reported cases of the ECtHR and the CJEU concern state action such as law enforcement, public health, or other government uses, whereas other parts of the paper also discuss private and research uses. State uses can give rise to particular harms — such as risks of genetic searches, criminal prosecution, or deprivation of liberty — that make strong individual protections especially salient in that context.Reference Ram ³¹ By contrast, private and research uses more commonly implicate risks of commercialization, re-identification, discrimination, and epistemic bias. Despite these differences, there are important overlaps (for example, re-identification risks and familial impacts) that call for both context-sensitive rules and cross-cutting protections. While a detailed analysis of these different contexts is beyond the scope of this paper, it is still necessary to recognize both the shared features of genetic risk and the context-specific weight, which should be taken into account when translating the layered model (as proposed in Section 5) into concrete policy instruments.

Although, as analyzed in Section 2.2, case law of these two European courts and the GDPR provide a robust foundation for individual privacy, they struggle to capture the multidimensional nature of genetic information. Recent work highlights a familial and relational dimension entailed by genetic information while often overlooked by individualism in law and bioethics, arguing for the insufficiency of exclusively relying on the data-subject model of autonomy.Reference Gordon and Koenig ³² This narrow focus reveals a critical gap in the law’s ability to address other potentially important dimensions of genetic data than individual privacy, foreshadowing the need for reconceptualizing its nature through a legal lens.

Genetic information processing, which has been long believed to impose serious threats to the rights of the individual donor in ECtHR jurisprudence, may also bring certain groups into focus as subjects of processing, creating distinct collective interests that may justify recognizing groups as separate legal subjects of protection.Reference Hallinan, de Hert and Taylor ³³ A central critique of the GDPR’s individual-centric model is its failure to adequately protect the interests of these genetically related data subjects, or even entire groups. The GDPR’s definition ties genetic data exclusively to the individual from whom the biological sample is derived, ignoring the shared nature. As Hallinan and de Hert have found, significant legal technical difficulties would appear when extending the GDPR to genetic groups, such as the problem of defining and identifying groups that are genetically influenced, and the new form of interest conflict created by genetic groups that challenges the GDPR-shaped bilateral relationship between data subjects and data controllers. ³⁴ Similarly, Kuru’s analysis again emphasizes the GDPR’s failure to provide an effective protection for genetic groups, despite the fact that some mechanisms like data protection impact assessment (DPIA) and right to compensation may offer ancillary protection to individual members of genetic groups. ³⁵ However, such interpretation could also lead to ambiguous and contradictory outcomes the GDPR cannot resolve, given that these mechanisms remain designed around the individual data subject. ³⁶

Furthermore, existing data protection regulations tend to overlook the nuanced nature of genetic data itself, treating it as a uniformly sensitive and uniformly personal category. As pointed out by Rahnasto, such an approach ignores two distinct problems: (a) identifiability is context-dependent, given that many sequence elements are population-common or non-identifying on their own; and (b) sensitivity likewise varies, with much genetic information relating to benign, ubiquitous markers or functionally uninterpretable features. ³⁷ This one-size-fits-all legal conception (for example under the GDPR), while providing a high degree of protection, can also be disproportionate and create unnecessary hurdles for beneficial activities like scientific research. Towards a more granular and dynamic approach for protection and governance, other potential dimensions need to be explored to enrich the legal understanding of genetic data, a task that the next section will undertake by examining the relational and familial dimensions.

3.1. Relational Genetic Interests in Existing Literature

The very nature of genetic data challenges the legal concept of the autonomous and isolated data subject. In metaphors created by Knoppers and Beauvais for debates surrounding genetic privacy, the human genome is framed as the common heritage of humanity in the 1990s and genomic databases as global public goods in the 2000s, implying the conceptual limits of a purely individualist governance paradigm.Reference Knoppers and Beauvais ³⁸ As a biological record of familial inheritance, one individual’s genomic sequence and scientific results based on such information can provide significant insights into the health predispositions, ancestry, and even identity of their relatives.Reference Erlich ³⁹ Accordingly, one family member’s decision to participate in a genomic database can implicate the entire family, since submitting a biological sample for sequencing and storage may effectively render the familial genome (or substantial portions of it) accessible to third parties without collective consent or control.Reference Lafferriere ⁴⁰ This is also the case where individuals publicly post identifiable genetic data, obtained from direct-to-consumer genetic test companies, to find relatives, join condition-specific communities, or facilitate research, and their kin lack any practical ability to prevent such revelations and access to these data by others.Reference Clayton ⁴¹ De Groot points out that the individual informed-consent approach does not account for the shared nature of genomic information and its broader ethical and political implications on communities and genetically-related groups, and proposes a “genomics-specific contextual integrity approach” that is sensitive to group interests such as vulnerable and indigenous populations.Reference de Groot ⁴²

It has been widely discussed that clinicians and researchers usually encounter moral dilemmas, particularly regarding whether to share potentially lifesaving genetic data with a patient’s relatives over the patient’s objections, and determining who holds lawful decision-making authority over the disclosure of post-mortem genomic findings that could have material implications for surviving biological relatives.Reference Couzin-Frankel ⁴³ Although the relational character of genetic information has long been recognized in bioethics, the legal duties of clinicians are contested and legally nuanced. For instance, while US clinicians have traditionally been viewed as restricted from disclosing genetic risk information to relatives without patient consent under the Health Insurance Portability and Accountability Act (HIPAA), legal scholarship notes that multiple forms of provider-mediated direct contact are actually permissible under HIPAA to facilitate ethical obligations of family care and improve identification of clinically actionable risk.Reference Henrikson ⁴⁴ Recent developments in other jurisdictions illustrate evolving regulatory response; for example, updated Australian privacy guidance now explicitly permits clinicians to collect contact details from patients and notify at-risk relatives where a serious genetic threat to life or health exists and obtaining prior consent is impracticable.Reference Tiller and Otlowski ⁴⁵ Taken together, these legal and ethical complexities and the expanding prevalence of predictive genomic information exacerbates tensions between individual privacy and relatives’ health interests, which points to the need for clarified legal exceptions and well-defined professional responsibilities that permit appropriately direct disclosure in limited, preventable-risk circumstances.

Legal scholarship has begun to articulate this conceptual shift by distinguishing between different forms of collective genetic interests. Hallinan and de Hert, for example, propose the notion of a “genetic group” — groups that share common genetic architecture across multiple individuals — and divide it into two subtypes according to whether the group can manifest a collective personality to communicate and exercise collative self-determination. ⁴⁶ The first subtype, “genetic class,” maps onto readily recognized social or political groups whose members are typically conscious of their membership and may organize collectively (sometimes through legally recognized representative bodies, as with certain ethnic minorities). ⁴⁷ The second subtype, “genetic category,” denotes a grouping that lacks a distinct social existence, whose members may be unaware they share relevant genetic features and therefore cannot form a collective identity, organization, or channels of communication. ⁴⁸ Although these subtypes differ in the degree of social and organizational autonomy, both raise collective interests that merit legal protection. Genetic classes — by virtue of their social constitution and possible representation — warrant mechanisms that recognize collective agency and enable group-based remedies where data processing undermines members’ self-development; genetic categories likewise require protective measures focused on preventing harms such as stigma, discrimination, and mischaracterization that can affect members as a whole even in the absence of an organized collective actor. ⁴⁹

Relatedly, Leib-Neri and Prince advance the concept of an “intimate genetic community” to capture genetic privacy shared by interconnected social groups, including (1) one’s biological family, (2) one’s ancestry group, and (3) cohorts defined by particular variants associated with specific conditions and diseases.Reference Leib-Neri and Prince ⁵⁰ Recent literature on law-enforcement uses of genetic information has introduced the term “genometric data” to refer to personal data generated through specific technical processing of identification markers in the human genome that allow or confirm unique identification of an individual. ⁵¹ This concept departs from a strictly data-subject-centric framing (such as the GDPR’s emphasis on the sample owner) because the markers relied upon may not necessarily originate from the individual being identified but can be used inferentially to identify or locate biological relatives. The attendant notion of “genometric data privacy” therefore reflects the joint interest of both an identified individual and their genetic relatives in protecting uniquely identifying genomic signals, ⁵² reaffirming the relational dimension of genetic interests within the family circle. Given the heightened potential for intrafamilial and social harms, scholars argue that law enforcement uses of genometric data, most notably familial searching, should be tightly circumscribed, employed only as a last resort, and subject to rigorous procedural and substantive safeguards. ⁵³

Genetic privacy is increasingly understood not merely as an individual interest but as encompassing collective stakes — such as claims of ownership, control, and non-interference — held by families and broader communities, while many of their members may not be fully aware of the interdependent risks posed by genomic disclosure. ⁵⁴ The increasingly easy-to-access genetic testing and the aggregation of population-scale genomic datasets through big genetic data have transformed information that was traditionally viewed as private into a resource capable of yielding far more extensive inferences over time.Reference Quinn and Quinn ⁵⁵ The volume of information that could be inferred in the future will also increase, concerning disease risks, phenotypic traits, hereditary conditions, and markers of ancestry not only about the sample-donor but also about others who share substantial portions of their genome. ⁵⁶ From both legal and ethical perspectives, it creates a tricky problem to identify and determine the interests of which groups should be recognized and protected in coordination with individual interests. In the familial context in particular, protection and balance of individual’s privacy and autonomy with the family’s benefit-sharing rights and autonomy also becomes a key legal and ethical dilemma for policymakers and legislators. ⁵⁷

Some European scholars have proposed extending the GDPR’s protections to encompass genetic groups, which, in turn, underscores the necessity to look beyond the aspect of individual privacy. However, this approach would pose difficult legal-technical problems like legal uncertainty, conflicts of interest, and disproportionate burdens, since the core concepts, principles, and mechanisms of the GDPR are designed around individual data subjects. ⁵⁸ Given the inherently shared character of genetic information and the limits of the existing data-protection architecture, genetic data may constitute the GDPR’s Achilles’ heel, exposing doctrinal tensions unless focused and updated guidance clarifies whether and how group interests can be accommodated within the regime. ⁵⁹ Voices from public health and bioethics echo these concerns. Scholars note that biobanks exemplify a classical public health dilemma where the governance of biobanking and genomic medicine remains anchored in individualist principles like informed consent, autonomy, and privacy, while public health issues have a necessarily strong collectivist orientation, making the reconciliation of individual rights and community claims unavoidable in public health genomics.Reference Meslin and Garba ⁶⁰ Moreover, bioethical critiques call for a more structural reform, moving beyond the model of discrete “private rooms” for individuals toward institutional architectures that create legitimate “family rooms” or communal places where familial and community interests are deliberatively represented and protected. ⁶¹ Taken together, interdisciplinary scholarship reinforces the case for a diagnostic framework that explicitly registers collective and relational dimensions of genetic data alongside individual rights.

3.2. Recognition of Relational Dimension in Current Frameworks

Although most contemporary frameworks have not fully formalized a comprehensive model of group genetic interests, several key international instruments and regional precedents have implicitly or explicitly recognized its existence, providing a “small but growing” body of legal foundation for this second layer of the model. ⁶²

At the international level, UNESCO’s Universal Declaration on the Human Genome and Human Rights of 1997, the first global instrument to articulate ethical and legal limits on human genome research, ⁶³ provides an early and concise precedent for recognizing the communal consequences of genetic science. Its Article 10 states: “no research or research applications concerning the human genome, in particular in the fields of biology, genetics and medicine, should prevail over respect for the human rights, fundamental freedoms and human dignity of individuals or, where applicable, of groups of people.” Although it is non-binding and short on operational detail, the text offers clear normative guidance for treating certain genetic harms as implicating family- or group-level concerns rather than solely individual privacy.

The subsequent International Declaration on Human Genetic Data of 2003 elaborates the special status of human genetic data by recognizing its potential to have a “significant impact on the family … and in some instances on the whole group to which the person concerned belongs,” and to possess “cultural significance for persons or groups.” ⁶⁴ Its Article 7 requires states and actors to guard against discrimination and stigmatization for the use of human genetic data, expressly extending the protection to individuals, families, groups, or communities; Article 14 requires the protection of the privacy and confidentiality of genetic data linked to “an identifiable person, family or, where appropriate, group.” Taken together, these soft-law texts anticipate a relational dimension of genetic information and supply a normative obligation on states and researchers to weigh collective interests alongside human rights when designing research, consent processes, and governance regimes.

In Europe, early recognition of the relational character of genetic data appears in the Council of Europe (CoE)’s Recommendation No. R (97) 5 of 1997, which treats genetic data as “concerning the hereditary characteristics of an individual or concerning the pattern of inheritance of such characteristics within a related group of individuals,” and emphasizes the importance of the quality, integrity, and availability of such data for the health of an individual’s family. ⁶⁵ It further advises that, absent appropriate domestic safeguards, incidental or unexpected findings of genetic analysis should be disclosed to the sample donor where disclosure is unlikely to cause serious harm to relatives or others linked by descent. ⁶⁶ The CoE’s Additional Protocol to the Convention on Human Rights and Biomedicine concerning Genetic Testing for Health Purposes develops this relational dimension more concretely: it acknowledges the “particular bond that exists between members of the same family”; reiterates the prohibition on discrimination and stigmatization of individuals and groups on genetic grounds; and permits, under narrowly defined conditions, genetic testing of a person unable to consent “for the benefit of family members.” ⁶⁷ Together, these provisions illustrate an initial, albeit limited relational approach that, in certain circumstances, allows individual autonomy to be balanced against the health interests of the wider family unit. While the clinical context naturally foregrounds familial implications due to the direct management of hereditary disease risks, such relational concerns are not unique to medicine; rather, they also extend to other contexts such as DTC testing and research biobanks, driven by the inherently shared nature of the data itself.

The Article 29 Working Party (Article 29 WP), the predecessor of the European Data Protection Board (EDPB), likewise recognized the unique data protection challenges posed by genetic information and urged a perspective that is “more than merely individualistic perspective” in its early advisory capacity. ⁶⁸ Its 2004 Working Document on Genetic Data observes that genetic information can disclose attributes both at the individual level and at a group level — encompassing blood relatives across generations and socially salient collectives such as ethnic communities — and suggests that this gives rise to a “new, legally relevant social group … namely, the biological group,” including not only family members with kinship but also persons outside the family circle like gamete donors. ⁶⁹ Article 29 WP further noted that this expansion of the relevant class of affected persons complicates the application of conventional individual data rights. Tensions can arise, for example, between a data subject’s “right to know,” whose exercise may have implications for genetically related persons, and relatives’ “right not to know,” where disclosure would intrude on their private life or cause psychological harm — particularly in respect of untreatable, serious genetic conditions. ⁷⁰ As it recommended, a delicate and case-by-case balance of competing interests needs to be made to weigh the gravity and foreseeability of harm to relatives and proportionality in disclosure. ⁷¹ This also indicates that the context and sensitivity of risks need to be given more consideration in assessing relational genetic claims.

Notably, the ECtHR’s case law also exhibits a tendency, albeit occasional, of recognizing the relational character of genetic information, though this has not been substantively developed.Reference Costello ⁷² Crucially, even where courts acknowledge these wider interests, the discussions of familial implications are frequently subsumed within judgments that ultimately revert to an expressly individual-level framing. To date, the Court has not adjudicated a case that specifically defends the distinct rights of genetic relatives as such. ⁷³ In the landmark S. and Marper v. the United Kingdom, the Court nevertheless observed that biological samples and DNA profiles “contain a unique genetic code of great relevance to both the individual and his relatives,” and recognized that such data can be used to establish familial links and to infer probable ethnic origin. ⁷⁴ The Court, however, proceeded to assess the matter through the familiar lens of the individual’s right to respect for private life under Article 8 ECHR, leaving discrete group interests and implications silent. Notably, a subsequent decision, Gaughran v. the United Kingdom, reinforced the point that indefinite retention of genetic data of convicted individuals is unacceptable in part because it can continue to affect persons biologically related to the data subject. ⁷⁵ The Court in this case reiterates the highly sensitive nature of using DNA profiles to establish potential familial relationships, stating that such a capability alone is sufficient to conclude that retaining genetic data interferes with the Article 8 right of the individual concerned. ⁷⁶

By contrast, the CJEU has not produced a distinct “group privacy” doctrine for genetic data yet, while its existing case law acknowledges the broader proposition that disclosures about one individual can give rise to privacy intrusions for third parties who share the relevant relational ties. ⁷⁷ The relational approach has found more explicit judicial recognition in some European states, notably England and Wales, where domestic judges have held that clinicians may owe a duty to consider the interests of a patient’s genetic relatives when deciding whether to disclose health information that could prevent or materially reduce a serious risk of harm. ⁷⁸ Although scientific and ethical literature has long acknowledged that an individual is not the sole stakeholder in their genetic information, ⁷⁹ the two principal European Courts, the ECtHR and the CJEU, have so far refrained from developing an autonomous doctrine recognizing relatives’ genetic interests. Even so, their reasoning, read together with national rulings, could still offer a focused jurisprudential lens for reassessing whether and how the right to privacy should be reconceptualized to address the particular challenges posed by genetic data. ⁸⁰

4.1. China’s Regulatory Approach to Human Genetic Resources Under Biosecurity

China has been considered as a very consistent and assertive jurisdiction where HGRs including genetic data are explicitly recognized as a national strategic resource in law.Reference McKibbin and Shabani ⁹¹ Its Biosecurity Law of 2021, ⁹² along with the 2019 Regulations on the Management of Human Genetic Resources, ⁹³ consolidates a decades-long effort of policy and regulatory activities asserting state authority and control over genetic data. It should be noted that China’s Biosecurity Law is dedicated to biological risks and governance of the country, covering HGRs, animals, plants, microorganisms, and other biological resources that may affect public health, agriculture, ecosystems, or national security. ⁹⁴ Unlike the CBD and the Nagoya Protocol, China embeds HGRs within a broader biological security governance architecture that reaches beyond conventional public health.

China’s Biosecurity Law expressly announces that the state enjoys sovereignty over its human genetic resources and biological resources. It establishes a comprehensive administrative licensing system that strictly regulates the collection, preservation, use, and transfer of HGRs, particularly in international scientific collaborations, whether for commercial purposes or research. ⁹⁵ Notably, this framework issues many restrictions on foreign entities regarding access to the state’s HGRs, prohibiting them from collecting or preserving HGRs within China and transferring the state’s HGRs to entities outside China. ⁹⁶ A key requirement for collaborative research activities using China’s HGRs is that foreign entities must partner with a domestic Chinese entity under a government-approved license, and guarantee the substantial participation, full data access, and benefit-sharing interests of the Chinese entity. ⁹⁷

The rationale is explicitly tied to national security. This biosecurity-oriented approach is a direct reflection of China’s “holistic national security” strategy, which views all domains, including political, economic, military, and biological, as interconnected and critical to state security.Reference Huigang ⁹⁸ Administrative controls, most visibly the stringent double security review system for important human genetic data and HGRs, function as the tools through which the state primarily exercises its sovereignty to prevent risks to public health, technological advantage, and national security.Reference Chen and Li ⁹⁹ Furthermore, the mandatory benefit-sharing and domestic-participation requirements also produce a protective economic effect by ensuring that scientific and commercial value generated from Chinese HGRs is at least partially retained or channeled through domestic actors. This is, however, worrying from the perspective of international scientific communities, who considered that such an expanded national control over genetic data would make research collaboration even more difficult.Reference Mallapaty ¹⁰⁰ While China is one of the clearest statutory examples of asserted biosovereignty over HGRs, comparable tendencies can be detected elsewhere. It has been noted that many jurisdictions’ governance regimes for biomedical research, clinical genomics, and biobanking incorporate de facto assertions of state control over population-based genetic information, ¹⁰¹ albeit with varying emphases and legal mechanisms.

4.2. An Emerging Reactive Biosecurity Approach in the US

In the US, recent policy and legislative developments show a marked trend of elevating human genomic data, as a kind of sensitive personal data, to a national security concern, departing from a predominantly privacy-focused regulatory model. The most direct and immediate administrative measure is the Biden administration’s Executive Order 14117 issued on February 28, 2024, aiming to address threats to the country’s strategic advantages, national security, and foreign policy posed by the continuing effort of certain countries of concern to access Americans’ sensitive personal data and US government-related data. ¹⁰² It explicitly lists categories such as personal health data and human genomic data within the scope and authorizes regulatory interventions to restrict or prohibit certain data transactions deemed to pose unacceptable national-security risks.

This Executive Order was implemented through rules issued by the Department of Justice that took effect on April 8, 2025, and targets human genomic data as the most sensitive category of information among the regulated categories. ¹⁰³ While the “bulk threshold” for personal health data is set at 10,000 US persons, the threshold for human genomic data is dramatically lower, at more than 100 US persons collected or maintained. This lower threshold underscores the unique and disproportionate national security risk the US government attributes to this type of data, particularly the possible use of identifying population-based vulnerabilities for military purposes like developing bioweapons and the potential for re-identification when combined with other datasets. ¹⁰⁴ Whilst it has also been noted that economic considerations prevail over military ones in the US, national security concerns exist over the transfer of human genomic data, as large-scale human genomic data together with enhanced AI capabilities could significantly strengthen a country’s long-term advantages in healthcare and advanced technologies that are critical to national competitiveness. ¹⁰⁵

Parallel to executive action, congressional initiatives such as the BIOSECURE Act introduced in the 118th Congress focus on the biotechnology supply chain and the flow of citizen genetic data therein. The proposed BIOSECURE Act pursues statutory means to prohibit federal agencies from contracting with or providing grants to certain biotechnology providers, notably Chinese biotechnology companies like BGI Group and WuXi AppTec that are deemed to pose a national security risk. ¹⁰⁶ Whilst commentaries note that the practical effect of this initiative could force US biopharmaceutical companies to consider severing contractual arrangements with actual or potential targeted biotechnology companies in order to maintain their business relationship with the federal government, ¹⁰⁷ the very rationale of this Act is the concern that certain foreign governments could utilize their own domestic data laws to compel these designated biotechnology providers to transfer US citizens’ genetic data for any potential economic and military use. Accordingly, it seeks to cut off the flow of Americans’ genetic data to foreign adversaries by controlling the instruments and services used in the US. In this sense the BIOSECURE Act complements the Executive Order as the former controls who collects and processes the data through economic coercion and supply chain restrictions, while the latter regulates what the types of data could leave the country and how.

Scholars observe that characterization of human genomic data as a national strategic resource by the US could be largely provoked by US-China geopolitical rivalry. ¹⁰⁸ Whilst different from China’s approach, which claims national sovereignty over all genetic resources, the US approach is best characterized as precautionary and reactive, responding to perceived strategic competition and national-security threats related to human genomic data, and thus narrower than China’s. These developments also illustrate how national-security framing can materially reorient human genomic resource governance from an exclusive emphasis on individual privacy toward additional administrative controls that treat population-scale genetic data as strategic assets.

4.3. Relevant Initiatives in Europe

While the EU’s position on genetic data remains predominantly rooted in the individual-centric philosophy of the GDPR, there are a few recent initiatives suggesting a subtle but significant shift in thinking. For instance, the 1+ Million Genomes (1+MG) initiative is designed to create a federated data infrastructure that allows for the secure sharing of genomic data for research and public health across the EU. ¹⁰⁹ This represents a recognition that genomic data, aggregated at a continental scale, is a valuable asset for public health and economic competitiveness. The EU’s characterization of genomic data as a strategic resource could also be indirectly traced to its strategy for data policy, primarily driven by economic concerns over data and legislative leverage in healthcare areas in the post-GDPR time, such as the creation of a European Health Data Space (EHDS). ¹¹⁰ While not as obvious and proactive as that of China or the US, the EU’s recent moves signal a growing understanding of the collective and strategic value of genetic data, moving away from a fragmented country-by-country approach toward a more unified pan-European one.

The UK’s approach, while not as legally prescriptive as those of China or the US, also reflects a growing awareness of genetic data as a nationally significant scientific and economic asset. Its Biological Security Strategy sets out a high-level framework to mitigate biological risks — whether they are natural, accidental, or deliberate — and to enhance national resilience to a spectrum of biological threats by 2030. ¹¹¹ Although it does not explicitly single out human genetic datasets, it provides a policy backdrop that informs risk assessments and access controls for genomic resources. At the same time, a state-led push to develop population-scale genomic infrastructure, notably through initiatives like Genomics England ¹¹² and the Genome UK strategy, ¹¹³ treats genomic data as core components of future healthcare and nationally significant research. While governance debates have foregrounded security and ethical concerns regarding foreign access to UK citizens’ genomic data, ¹¹⁴ the UK has not formally designated genomics as “critical infrastructure” due to the existing strong legislation governing the healthcare sector. ¹¹⁵

The divergence of these national frameworks underscores a critical geopolitical dynamic. The EU’s model is founded on fundamental human rights, China’s on state sovereignty and economic protectionism, and the US on the prevention of specific perceived threat. It remains unclear whether there will be an emerging geopolitical contest for state control over human genetic data, elevating it to the status of a strategic asset akin to rare earth minerals. However, regardless of the divergence, scholars worry that laws and policies treating genomic data as a national strategic resource could indeed pose additional obstacles to the development of globally accepted guidelines and international scientific collaboration, such as genomic commons, open access, and international data sharing. ¹¹⁶