Patients v. Myriad or the GDPR Access Right v. the EU Database Right

In 2016, four US cancer patients legally challenged Myriad by claiming full access to all genomic information produced in the course of Myriad’s testing of their risks for a variety of cancers. Asserting that Myriad’s refusal to provide them with this information violated the HIPAA Privacy Rule, the patients sought a determination of a right to access all their genetic information from testing laboratories. Such access would not only serve their own care, but also enable them to share their genetic data with the scientific community which they alleged Myriad failed to do. A similar case may be brought in Europe under the novel EU GDPR. Specifically, it would put the GDPR right of access to personal data against Myriad’s database right under the EU Database Right Directive. The outcome of this case could impact the fate of personalized medicine, which depends on the one hand on patients’ having control over their genetic data, and on the other hand on incentives for genetic testing companies to generate these data. We first address the issue of whether the GDPR applies to medical records. We then analyse how GDPR rights could play out in the context of clinical genetic testing and conclude that the GDPR access right stops short of granting unconditional access to all data generated in the process of testing, to the extent that its exercise would result in the violation of medical-professional norms, expose the testing company to potential liability, or compromise normal exploitation of the database of which the personal data form part.