By: Yash Sharan and SK Subhiksha
INTRODUCTION
On 25th November 2018, the world woke up to the startling news of designer babies, an event termed as the “first leap of faith in science”. This groundbreaking incident, made possible by Clustered Regularly Interspaced Short Palindromic Repeats (hereinafter ‘CRISPR’) – a gene editing technology employed to modify DNA selectively – shocked the world and ignited intense debates on its implications. As India strives to keep pace with such technological advancements, two critical lacunae in its data protection framework emerge as significant obstacles to effectively regulating CRISPR.
Firstly, Digital Personal Data Protection Act, 2023 (hereinafter ‘DPDPA’) fails to adequately differentiate between types of personal data, overlooking the heightened sensitivity and unique safeguards required for genetic information, which is deeply tied to an individual’s identity and health-related outcomes. Secondly, DPDPA’s restrictive provisions on cross-border data transfer hinder the collaborative research and global integration essential for CRISPR. This limits India’s ability to foster a conducive environment for such advancements.
Through this article, the authors firstly advocate for Layered Data Classification (hereinafter ‘LDC’), which consists of generic data (Less important digital information that is identifiable to an individual), sensitive data (Digital information that is traceable to an individual and requires higher security due to its significance) and genetic information (Processed genetic data that can be traced back to an individual and is subsequently digitalised) as a distinct category under sensitive data. Secondly, the authors advocate for a framework that encourages cross-border data transfer (sharing of data from one country to another) as a norm to provide a conducive environment for CRISPR technology as opposed to the current framework. Lastly, the authors advance solutions to mitigate the regulatory challenges of CRISPR.
CRISPR, GENETIC PRIVACY, AND THE DPDPA: A CALL FOR LDC
As genetic technology advances, DPDPA’s one-size-fits-all approach to personal data falls dangerously short. The regulation of CRISPR technology hinges on robust protection for genetic information, which the DPDPA currently fails to address. Genetic information should be treated as a unique category within sensitive data, demanding elevated security measures beyond the basic notice and information of complaint mechanisms currently prescribed in Part II of the DPDPA. This shortfall compromises both – the safeguarding of genetic privacy and the effective regulation of CRISPR technology. This is due to a plethora of reasons:
Firstly, genetic information warrants a relational approach to privacy, diverging from the predominant individualistic model. Unlike conventional data that identifies only the individuals it pertains to, genetic information can be traced to identify family members, ancestors, and even descendants due to shared genetic traits. The increasing need for the processing of genetic data has culminated in the rise of a new legally relevant biological group whose rights are contingent on the relational conception of privacy, which is gaining traction globally. Frameworks like the Hugo Committee on Ethics, Law and Society and the Genetic Information Non-Discrimination Act, 2008 highlight the emerging recognition of relational privacy principles. Genetic information forms a distinct legal category due to its profound impact on familial and biological connections. The International Declaration on Human Genetic Data 2003 acknowledges this by recognising the significant implications of genetic information on family units, while the European Union (“EU”) Working Party Report 2004 considers it partially as shared information. To effectively regulate CRISPR technology, which involves genetic information and raises extensive ethical concerns, India needs to adopt a similar relational privacy framework. This layered approach will efficaciously address the unique legal and ethical dimensions of genetic information and its effects on family and biological groups.
Secondly, traditional techniques are unsuitable for genetic information due to their inherently identifiable nature. For instance, Anonymisation – a common safeguard for protecting sensitive data – is unviable for longitudinal research and cancer registries since it substantially reduces the value of the information. Similarly, Data masking techniques face limitations in protecting genetic information due to the aforementioned challenges. Such insufficiency of genetic information protection measures highlights the need for establishing a specific classification for genetic information This necessity becomes profound when considering the implications of CRISPR technology.
HARNESSING CRISPR: RESOLVING ROADBLOCKS THROUGH THE LDC
CRISPR technology primarily delves into the processing of genetic information to provide corresponding outcomes. In light of the significance of genetic information for CRISPR, the distinct classification of genetic data acts as a stepping stone in addressing the novel, ethical, and regulatory challenges of CRISPR for several reasons:.
Firstly, the CRISPR technology promises groundbreaking advancements, such as curing genetic diseases and developing climate-resistant crops, but its success hinges on public trust. However, this is subject to the confidence that a “Data Principal” has in the existing system to protect their data. Recognising the unique nature of genetic information will foster trust, resulting in broader acceptance and utilisation of CRISPR technology. This can be achieved through LDC of genetic data.
Secondly, the CRISPR technology is a double-edged sword that offers significant benefits but has the potential to be misused and inflict harm. The current data protection measures provide room for unethical genetic manipulation to occur. For instance, Section 7 of DPDPA permits the processing of data ‘in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.’ The wide and ambiguous ambit of this provision can potentially have disastrous implications when applied to CRISPR technology, as it does not account for the unique complexities of genetic information. The broad consenting mechanisms would permit a “Data Fiduciary” to manipulate genetic information for unethical but legal purposes. To ensure CRISPR’s legal and ethical use, it is essential to establish a distinct category pertaining to genetic information, with stringent security measures and explicit consent requirements to prevent the emergence of practices such as engineered soldiers. Therefore, LDC, with elevated security measures, is crucial for effectively regulating CRISPR technology. The subsequent section analyses the lacunae regarding Indian cross-border data transfer frameworks.
TRANSFERRING BEYOND BORDERS: AN ANALYSIS OF CROSS-BORDER DATA TRANSFERS
The dawn of the era of technology emphasises the crucial role of cross-border data transfers, as countries increasingly rely on data-driven innovations like CRISPR. This genome-editing technology has shown promise in opportunities such as cancer treatments in countries like China and the United States, which should not be restrained to one jurisdiction. Therefore, efficient data transfer is essential to maximise its potential.
In today’s information era, the globe operates as a borderless entity, where the transfer and management of data have become integral to daily life and the global economy. The EU Data Protection Directive emphasises the need for consent from the “Data Subject” (the international term for “Data Principal”) before transferring data outside the European Economic Area. Similarly, under the DPDPA, the “Data Fiduciary” must obtain consent from the “Data Principal” to manage their personal data. However, the DPDPA adopts a defensive approach regarding cross-border data transfers, granting the Central Government the authority to restrict the transfer of personal data for processing [Section 16 of DPDPA]. While the current focus has been on protecting personal data by limiting its transfer, a more dynamic and proactive approach is needed. Instead of imposing blanket restrictions, the framework should encourage and facilitate data transfers, as they are essential not only for the functioning of the global economy but also for the interconnectedness of our daily lives.
Beyond Standard Clauses: Addressing Standard Contractual Clauses Shortcomings in India
Standard Contractual Clauses (hereinafter ‘SCC’) approved by the EU in 2001, allow the “Data Exporter” to contract with the “Data Importer” for cross-border data transfers from the EU to a non-EU “Data Controller.” In 2002, their scope expanded to include “Data Processors.” However, these clauses have faced criticism, including from the US, and are further inadequate in the Indian context. SCC grants third parties’ rights of the “Data Subject,” which compromises data confidentiality. It also requires dispute resolution in the member state and grants the Data Protection Authority audit rights, limiting flexibility. In contrast, the DPDPA offers a more comprehensive, party-friendly approach with alternative dispute resolution. This would provide a stronger grievance redressal mechanism if genetic information transfer is extended internationally.
Privacy vs. International Collaboration: A Cross-Jurisdictional Analysis
The US and EU have contrasting approaches to data protection, representing two ends of the regulatory spectrum. The US follows sectoral regulations. The American Data Privacy and Protection Act, 2022 emphasises consent-based data collection. In contrast, the EU treats right to privacy as a fundamental right, enforcing inclusive set of regulations that often restrict cross-border data transfers. For instance, following Schrems v Data Protection Commissioner, some EU officials argue that companies must limit the transfer of EU citizens’ personal data within the EU to comply with its laws.
These divergent approaches highlight the complex landscape of rules governing cross-border data transfers globally. The EU, the US, and China adopt fundamentally different frameworks for storing, managing, and transferring genetic or personal data. In the context of CRISPR, cross-border data transfer offers significant benefits for public health, economic growth, and research collaboration. To leverage these advantages, countries strive for efficient and streamlined data transfer mechanisms. India can adopt similar measures to optimize its own frameworks.
BLUEPRINT FOR PROGRESS: INNOVATING DATA PROTECTION IN THE AGE OF CRISPR
The advent of novel genome engineering technologies such as CRISPR has brought renewed attention to the unnoticed legal and ethical questions of synthetic biology. The regulation of CRISPR technology hinges upon the robust protection of the genetic data it processes. Given the complexities of genetic information and the DPDPA’s inadequate standards, LDC is recommended. This involves classifying genetic data as a distinct category within sensitive personal data, with stringent security standards and explicit consent mechanisms. The EU working paper highlights two possible approaches to data protection: either the family members can be considered data subjects with all rights or they will be granted the right to information of a different character. However, it is essential that the demands of every case and the uniqueness of the same must be accounted for.
The ethical dilemmas that CRISPR poses, render the limit of ‘lawful purposes’ ineffective. To ensure that CRISPR technology is not employed to cross the ethical boundaries of humanity, the “Data Protection Board” needs to include diverse experts to evaluate the morality of genetic data use. This board should forbid instances like “Genetic Cleansing,” which involves removing certain genes deemed inferior using CRISPR, or enhancing traits like intelligence, which might widen the social divide due to the expensive nature of CRISPR. Safeguards are needed to ensure CRISPR technology is used responsibly and that it does not endanger humanity.
As already discussed, the SCC are insufficient for facilitating a seamless data transfer process. However, the interplay of various legislations from different jurisdictions can effectively improve the status quo. To ensure this, the DPDPA needs to have a specific provision ensuring a complete mechanism for the international transfer of data. Section 16(1) of the DPDPA allows the Central Government to “restrict the international transfer of personal data”, but Section 16(2) introduces the caveat of data misuse. The sub-section shows concern over the misuse of genetic and personal data. It is recommended that this approach, although appropriate, can be made more integrative if amendments are made to facilitate and not restrict cross-border data transfer, bearing in mind the already deliberated international significance of genetic and personal data transfer. Since the DPDPA has already taken measures to safely administer and handle the data, encryption and cryptography can be used to keep the data out of the clutches of its misuse. The information must be masked from the potential data breaches, thus unlocking a safe and sound mechanism.
CONCLUSION
The DPDPA requires strategic evolution to effectively regulate emerging technologies such as CRISPR. By implementing an LDC framework, India can establish robust protections for genetic information’s unique sensitivities. Simultaneously, adopting a more flexible cross-border data transfer mechanism will facilitate international scientific collaboration. Integrating diverse expert perspectives into data governance, implementing advanced encryption techniques, and creating comprehensive consent mechanisms will ensure responsible technological advancement while maintaining ethical standards in genetic research and application.
(Yash Sharan and SK Subhiksha are law undergraduates at Hidayatullah National Law University, Raipur. The authors may be contacted via mail at yash.232820@hnlu.ac.in and sksubhiksha.232821@hnlu.ac.in, respectively.)
Cite as: Yash Sharan and SK Subhiksha, Protecting the Code of Life: Reimagining Data Privacy in the Age of Gene Editing, 11th February 2025 <https://rmlnlulawreview.com/2025/02/11/5425/> date of access.