European Health Data Space proposal: A step forward for patients, healthcare providers and the science community?

On 3 May 2022 the European Commission published a proposal for a regulation of the European Health Data Space to address several challenges related to electronic health data. Access to accurate and up-to-date health data is often key for individuals to receive appropriate care, and, in some cases, even vital. The importance of up-to-date health data for health care has been demonstrated, particularly during the pandemic, but it has also become clear that there are some barriers to accessing and sharing health data across EU borders.

Background and purpose of the proposed regulation

The general objective of the proposed regulation is to ensure that EU citizens have increased control over their electronic health data (the ‘primary use’). However, the regulation also aims to ensure a legal framework, consisting of trusted EU and member state governance mechanisms and a secure processing environment. This would allow researchers, innovators, policymakers and regulators at EU and member state level to access relevant electronic health data to promote better diagnosis, treatment and well-being of individuals, and lead to better and well-informed policies (the ‘secondary use’). The proposed regulation also aims to support a genuine single market for digital health products and services by harmonising rules, and to boost the efficiency of healthcare systems.

The proposed regulation will also promote better exchange of and access to different types of electronic health data such as electronic health records, genomics data and patient registries. Improved exchange of data will support not only healthcare delivery to patients abroad, but also health research, innovation and other areas through new rules for the secondary use of electronic health data.

In practice, the European Health Data Space proposal sets out a European health data system that allows entities to access data subjects’ health data. By making it mandatory for member states to join the EU-wide MyHealth@Eu infrastructure and connect healthcare providers and pharmacies in member states to the infrastructure, the new regulation will allow entities such as hospitals to access individuals’ electronic health data. This is beneficial, for example, for private individuals who become ill while on vacation in another member state and require care.

While the European Health Data Space facilitates data subjects’ right to adequate care when abroad, we believe the main benefit of the new regulation is the proposal for secondary use of health data.

Interplay with the GDPR

A quick summary of the responsibilities and requirements under the GDPR may help to understand the new regulation. The purpose limitation principle, set out in Article 5(1)(b), has long been regarded as a cornerstone of data protection and a prerequisite for most other fundamental requirements under data protection law. The principle requires personal data to be collected for specific, explicit and legitimate purposes and not to be further processed in a manner that is incompatible with those purposes. Put simply, personal data must only be processed for the purposes for which it is collected – the primary use of the personal data – and not for any other secondary purpose. However, Article 5(1)(b) contains an exception for secondary use of personal data – namely, the processing of personal data for scientific research purposes. Thus, under the GDPR it is possible, subject to the other provision of that regulation, to process personal data for the secondary purpose of scientific research. For other purposes, such as the innovation and development of products and services that contribute to the healthcare sector, companies still need to consider the purpose limitation principle. This means that if personal data is to be used for such purposes, it needs to be collected for those purposes.

The European Health Data Space proposal changes this by allowing for the secondary use of electronic health data for a number of listed purposes. According to Article 34 of the proposal, it may allow for access to data subjects’ health data for purposes such as (i) development and innovation activities for products or services that contribute to public health or social security, or (ii) ensuring high levels of quality and safety of health care, medicinal products or medical devices. In addition, the regulation allows for the use of health data for the purpose of training, testing and evaluating algorithms, including in medical devices, AI systems and digital health applications that contribute to public health or social security, or ensuring high levels of quality and safety in health care, medicinal products or medical devices. These are all purposes for which, without the proposed regulation, it would be hard to process data subjects’ health data without collecting it for that purpose and obtaining the data subjects’ consent for processing. Furthermore, Article 9 of the GDPR prohibits the processing of a data subject’s health data unless the processing can be based on one of the exceptions in the aforementioned article. Under Article 9(2)(j) of the GDPR, health data may be processed for scientific purposes. However, such processing needs to be based on EU or member state law. The language of the proposed regulation clearly states that the regulation will provide the necessary legal basis for the aforementioned processing. Such statements make it easier for entities that want to use the forthcoming system, since they limit doubts about the legality of their processing.

Joint Opinion (03/2022) of the EDPB and EDPS and possible concerns

However, these broader possibilities for processing personal data for secondary use also raise concerns. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion (03/2022) on the proposed regulation, which comments on these concerns. One of the issues addressed by the EDPB and EDPS is that, although the general objective of the regulation is to strengthen the rights of natural persons to access and control their personal data, the regulation does not provide any possibility for individuals to restrict access to their personal data for secondary use.

Another concern raised by the EDPB and EDPS is the breadth of some of the purposes listed in Article 34. For example, they specifically point out that this article possibly encompasses any form of development and innovation activities for products or services that contribute to public health or social security. The EDPB and EDPS recommend that these listed purposes be further delineated. They also recommend circumscribing circumstances where there is sufficient connection to public health and/or social security.

We understand the concerns of the EDPB and EDPS. However, allowing development and innovation activities provides the possibility of innovations being developed and leading to products that will benefit data subjects, society and healthcare. Even though there will be possibilities to process the electronic health data for additional purposes, any company that carry out such processing for the aforementioned purposes has to comply with GDPR requirements and ensure that personal data is processed with sufficient security. If health data is not processed accordingly, the Vastaamo data breach serves as a reminder of the possible outcome and responsibilities for entities processing personal health data.

Moreover, the proposed regulation also governs the controller/processor roles for the entities that provide and access health data. According to Article 51 of the proposed regulation, health data access bodies and data users shall be deemed joint controllers for health data that data users access. By deviating from GDPR’s case-by-case assessment of the controller/processor roles, the regulation ensures that in such a case the assessment of the roles will be the same in all member states, creating legal certainty for the entities that benefit from the system. Furthermore, the European Commission will establish a template for the joint controller arrangement to further facilitate the use of the forthcoming system.

It should also be noted that the regulation sets out technical and organisational requirements that will lead to costs for entities involved in health care as well as manufacturers, importers and distributors of electronic health records systems. It is crucial that such costs do not affect the possibility of using health data within the healthcare system and for research and development. Moreover, the proposed regulation builds on and complements several existing and forthcoming legal acts such as the Medical Device Regulation (MDR), the Data Act and the pending AI Regulation. This could lead to boundary issues between the relevant legal acts and place additional burdens on companies’ compliance departments. This is because it may lead to a situation whereby manufacturers need to comply not only with sectoral legislation but also the additional regulatory requirements resulting from new legislation in several areas.

The EDPB and EDPS have also noted this potential issue of legal uncertainties, and their Joint Opinion recommends further clarification of the interplay between the proposal and the abovementioned legal acts.

Moreover, while the regulation governs important areas and thus harmonises rules within the EU, like other regulations, it allows for several areas to be regulated by member states. More harmonised legislation would provide greater clarity and legal certainty for stakeholders using health data for research. In addition, several important areas will be regulated later on through the implementation of legislation. Such areas will consequently remain unclear until the implementing acts are passed. This might lead to legal uncertainty in several relevant areas.

Conclusions

In summary, although we see some challenges with the proposed regulation, the benefits and harmonised proposals will enable life sciences companies to access health data in a new way. Importantly, they will not be required to obtain data subjects’ consent to process their personal data, and it also creates legal certainty for those entities affected. We believe this is beneficial for entities developing products and services that will contribute to better health care. The proposal is therefore very welcome and will hopefully lead to further innovation and development of beneficial products and services. However, we agree with the conclusions of several entities, such as the EDPB and EDPS, that there is still work to be done to avoid legal uncertainty regarding the interaction between the forthcoming regulation and other legislation such as the GDPR.