The draft Bodily Material Act (WZL) must be rewritten
The WZL versus the EHDS
The European Health Data Space Regulation concerns data, not bodily material. The draft Bodily Material Act (WZL) concerns material, not data. Therefore, based on the names of the two laws, one might assume there is no overlap. Therefore, there would be no reason to discuss the WZL on this website. I will discuss it anyway, because there is more overlap than one might think. When you extract data from material, you are doing something with both data and material. Moreover, the Guidelines for Regulations (rules on how to write laws) stipulate that new laws must always be carefully considered to determine their true necessity. Moreover, they must be harmonized with existing regulations as much as possible. Moreover, many (incorrectly) believe that the WZL does indeed concern data from material, while the EHDS explicitly does. For these three reasons, I will discuss the draft WZL here. Spoiler alert: it’s rubbish.
Why the WZL?
First, a little background on the WZL. Scientists are usually concerned with data from the material, not the material itself (unless, for example, they need material for a surgery class). They find this so logical that the two get confused. For lawyers, bodily material is completely different from data from the material. Previously, these were clearly legally separated. The WGBO (Dutch Medical Treatment Contracts Act) contains a statutory provision on the reuse of material (7:467 BW) and a statutory provision on the reuse of patient data (7:458). Because people often want to extract data from material, the law states: “Research with anonymous substances and parts separated from the body is understood to mean research in which it is guaranteed that the bodily material to be used in the research and the data to be obtained from it cannot be traced back to the person.”
So, as soon as you extract patient data from the material, you no longer fall under the article about the material, but under the article about data. This prevented duplication, and that was perfectly arranged. The problem is that over time, the legal article about material has been interpreted differently. Some believed that if traceable data were extracted, consent was always required (perhaps based on invalid a contrario reasoning applied to Article 7:467 of the Dutch Civil Code?), while the other legal article (Article 7:458 of the Dutch Civil Code) states: consent unless unreasonable.
What is anonymous?
Moreover, bodily material was previously generally considered anonymous: you can’t tell who a drop of blood belongs to. But now that DNA can be extracted from a drop of blood, it was argued that bodily material is essentially no longer anonymous. This conflicts with European (GDPR) case law regarding when something is considered personal data. This is based on a relative concept. Whether privacy is at stake and therefore whether the GDPR applies depends on who is processing the data and what that processing entails. This (case law on the) GDPR is relevant because, when the GDPR Implementation Act was drafted (Article 24), specific reference was made to the Medical Treatment Contracts Act (WGBO): these articles were intended to provide the same framework. However, this relative approach to personal data seems to have had no effect on how bodily material is treated. This may be because the experts cited in this regard are medical scientists, not lawyers. They will have concluded that material is never technically anonymous again, but that is a different matter from the question of whether it is legally anonymous.
All those biobanks...
Because the law stipulates that one can opt out of material unless it is not anonymous, many now believe that bodily material is never anonymous and therefore (almost) always requires consent. This is often difficult for scientists to handle. In my opinion, this difficulty lies in a misreading of the legal provisions, and in this regard, a legislative amendment was therefore unnecessary. However, this doesn’t change the fact that the House of Representatives simultaneously became uneasy about the fact that a large amount of material (from millions of Dutch people) was now being stored in biobanks, with little oversight. A law was therefore necessary, and that argument hasn’t been dismissed yet: and therefore, “a” WZL (Wiseness of the Authorization of Bodily Material) is necessary. However, the confusion about material versus data from that material has only increased with this draft law on the control of bodily material.
Double rules
The WZL itself explicitly states, “This law applies to procedures involving bodily material (…).” This is problematic in itself. Firstly, because the article in the WGBO stipulated: this article applies to bodily material, unless (traceable) data is extracted from it, in which case you fall under the article on data. This “unless” provision is not in the WZL. This means that if personal data is extracted from bodily material, it will soon fall under the WZL because it involves bodily material, and it will also fall under the GDPR (and soon the EHDS) because it involves personal data (and health data). This means that under the WZL, you must check whether an objection has been filed (via a separate system), while under the EHDS, you must also check whether an objection has been filed in the National Control Register.
This is despite the fact that the intention is to reduce the administrative burden, and the Guidelines for Regulations stipulate that harmonization must be as high as possible. Why the WZL isn’t aligned with the EHDS is therefore a mystery to me. Moreover, it’s unacceptable to choose to have data extraction from material fall solely under the WZL, as that is a Dutch law that cannot override the European GDPR. It should be the other way around: it should be explicitly stated that if personal data is extracted from material, it no longer falls under the WZL but under the GDPR. This is currently lacking.
But the WZL is not about the data itself
But it’s also problematic because it escapes almost everyone’s attention that the WZL concerns actions with material (including data extraction), but not with that data itself. Even the Council of State recently wrote in an advisory opinion: “A regulation will also be introduced for the (further) processing of personal data (health-related) for this situation.” That’s not the case. But if even the Council of State is confused about this, then so must be almost the entire field. It becomes even more serious when one examines precisely when the law will apply: “This law applies to actions with bodily material that has been (…) collected (…) in connection with medicine (…) and which actions are intended for a purpose other than (…) assessing the patient’s state of health.”
Bodily material (such as drops of blood or a piece of skin) is often collected for the care of a specific patient. Afterward, it is stored, still for that specific patient, due to the obligation to keep records of what is done and why. The WZL will therefore not apply in this case, while the article from the WGBO (Dutch Medical Treatment Contracts Act) on material will be repealed. This means that as long as no scientist is interested in the material, no regulations apply. But it gets even stranger. Because if a scientist becomes interested in the material after three years, the WZL will apply, and it will then stipulate (in 2028) that information must be provided to the patient when collecting it. But that was three years earlier, in 2025. How can a law now stipulate that it will apply in 2028, which then prescribes that something must be done three years earlier? I really don’t get it.
Nobody owns it
Another problem is that the bill appears to be based on incorrect assumptions. The Consultation Version of the Second Amendment Memorandum to the Bill on Control of Body Material, dated June 10, 2024, refers four times to a report. This report contains several remarkable statements. For example, on page 55 it states: “Our law primarily considers materials separated from the body as ‘substances susceptible to human control’ (Article 3:2 of the Dutch Civil Code). Ownership can then be considered. The person from whom the body material originates becomes the owner of that material.” This is incorrect. Article 3:2 of the Dutch Civil Code states: “Things are tangible objects susceptible to human control,” to which Article 5:1 of the Dutch Civil Code adds: “Ownership is the most comprehensive right a person can have in a thing.”
This “possession” does not imply that every thing is subject to ownership. You can only own something if it is also subject to possession, because you can only become an owner through transfer of possession, taking possession, or possession plus prescription. Everything “outside of commerce,” as it has been defined for centuries, is not subject to possession and therefore also not subject to ownership. If too much skin is wrongly removed, this may be abuse, but you cannot report theft to the police. No one owns bodily material, just as no one owns health data (one cannot own “the sun is hot,” and therefore also not “the patient has a fever.”).
Provide control, but harmonize
Intuitively, we feel that patients should perhaps have some control over their bodily material, but this is separate from the concept of ownership. Similarly, under the GDPR, patients have control rights over data to protect their privacy, which are therefore entirely independent of the question of ownership. The GDPR stipulates that a balance must always be struck between the interests of privacy and the interests of data use. And this should also be the case with bodily material. Therefore, the WZL should, where possible, align as closely as possible with the GDPR and the upcoming EHDS, and the subtle balance sought in these two regulations between the interests of privacy and the interests of data freedom. However, the WZL wrongly fails to align with the EHDS at all. In that regard, the recent report from the Council of State was indeed correct. Such a lack of harmonization violates Article 2.45 of the aforementioned Guidelines for Regulations, which stipulates that this should be pursued as much as possible.
Physical integrity not at stake
The decision not to align fully with the GDPR and the EHDS also appears to be related (besides the confusion of data and material) to the confusion of body and bodily material. The moment material is taken from a patient, at that moment, bodily integrity is compromised. This is no longer the case when a sample is retrieved from an archive for research five years later. Three situations can be distinguished regarding collection: collection for care, collection for care and research, and collection solely for research. The Medical Research Involving Human Subjects Act (WMO) applies to this third issue. This Act contains strict safeguards to protect the patient’s health and bodily integrity. There was some uncertainty about the extent to which this law also applied in the second situation: when an additional tube of blood is collected. In that case, too, the patient’s body is at stake, and ethical questions arise. However, if an existing sample is retrieved for research, only privacy issues arise.
So why an ethical assessment?
Despite this, the WZL stipulates that material managers must always have regulations that have been approved by an ethics committee. But this is very odd for a situation in which there are no ethical questions at all: the situation in which material was collected solely for healthcare purposes. If one only realizes afterward that this material might also be useful for research, bodily integrity is not at stake at all. The only question then is whether the patient’s privacy is sufficiently protected, which is already addressed by the GDPR and the EHDS. Why a Medical Ethics Review Committee needs to be involved in this is incomprehensible. These review committees are extremely valuable in medical research involving human subjects. Patients who think they might die say yes to everything. And then a review committee has to look into whether the risk to the patient is not too great, or whether the chance of a beneficial effect from the research is not too small. This ethical constellation is completely irrelevant when a piece of skin taken three years earlier is used. Therefore, it is incomprehensible why the ethics review committee needs to be involved in this.
In short: back to the drawing board
All in all, the WZL is an incomprehensible law, while the Explanatory Memorandum precisely states that it aims to provide clarity. Furthermore, the WZL is not in line with the Guidelines for Regulations because it is not optimally aligned with the GDPR and the EHDS. Therefore, the draft WZL must simply be scrapped. No minor adjustments, as was previously the case. A completely new WZL needs to be written (i) that precludes the dual application of rules to the same action, (ii) that aligns as closely as possible with the GDPR and the EHDS, (iii) that regulates control through the National Control Register, (iv) that, following the GDPR, opts for a risk-benefit assessment, and (v) that omits the ethical review if privacy is at stake but physical integrity is not.
The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?
