Earlier this month, a draft proposal for a European regulation on the health data space was published. The EHDS is one of the nine European data spaces identified in the European Commission’s European Data Strategy 2020, and a priority for the Commission. It builds on the Data Governance Act and the recently published Data Bill. These acts are horizontal in nature; the EHDS regulation would provide for more specific sectoral measures in the field of health.
The draft proposal defines a comprehensive set of rules for the processing of electronic health data for primary use (to provide health care services to individuals) and secondary use (for research, innovation, development of policies, statistics and protection against cross-border threats to health). For the processing of personal electronic health data, the regulation would have the same territorial application as the EU General Data Protection Regulation (i.e. Article 3 of the GDPR). For non-personal electronic health data, the regulation would apply to data holders and data users in the European Union, regardless of where the data is processed.
In the sections dedicated to the processing of electronic health data for primary use, the draft proposal lists the rights and obligations of the main actors in this field: individuals/patients, healthcare professionals/pharmacies, Member States and providers of electronic health systems, which are defined as “solutions or software intended by the manufacturer to be used to store, mediate, import, export, convert, edit and/or consult electronic health records”.
For individuals/patients, the proposal focuses on the rights of access, rectification and data portability, including the right to restrict access. These concepts are familiar from the corresponding provisions of the GDPR. Access would be made available, free of charge, through the use of an electronic personal health data access service. Health professionals must have a corresponding right of access to the data of the people under their treatment, including when the Member State of residence of the person is different from the Member State of treatment. Healthcare professionals and pharmacies using an EHC system are subject to a series of obligations, such as the establishment of a risk management and security plan.
Member States have an important role to play in this area, especially given the fragmentation of current rules and the lack of consistency across the EU. According to the draft proposal, Member States, with the help of the Commission, are supposed to designate a national contact point and set up a common infrastructure for cross-border sharing of personal data and electronic health products, MyHealth@EU, thus ensuring continuity of care, for example when a person moves to another Member State. The draft proposal indicates that the national contact points would act as joint controllers of the processing carried out in MyHealth@EU and that the Commission would be their processor. The draft empowers the Commission to publish a series of implementing acts on various aspects of MyHealth@EU.
The proposal includes a specific chapter dedicated to EHC systems intended by the manufacturer to be used for the processing of personal electronic health data. These systems must meet certain criteria before being placed on the market and, among other things, undergo conformity assessment procedures resulting in certificates of conformity and Conformité Européenne (CE) markings. The proposal also lists a series of obligations for manufacturers, importers and distributors of these systems.
A substantial part of the draft proposal is devoted to the secondary use of electronic health data, i.e. use for research, innovation, policy-making, regulatory decisions and personalized medicine. This secondary, cross-border use is part of the Commission’s overall ambition to “unleash the power of data in the EU”. The proposal provides for a system of authorizations issued by a designated government body in each of the Member States. It can be an existing body or a newly created body. The permit is issued on the basis of an application which must provide details on a number of elements such as a description of the data requested, the reasons for the request for access, the intended uses, the guarantees, the duration and whether the data should be made available in an anonymized or aggregated format. The proposal clarifies that data will be disseminated in a pseudonymised format where the purposes for further processing can be fulfilled in this way. In this case, it is forbidden to re-identify the data and violations may result in criminal penalties.
The proposal specifies the purposes for which access may be granted but also the prohibited secondary uses. These prohibited uses include taking decisions against an individual to exclude him from the benefit of an insurance contract or to modify his premiums, commercial advertising, the sale of data to third parties and automated individual decision-making, including profiling.
The proposal contains a special section on intra-Community cross-border access to electronic health data, and the Member States and the Commission undertake to facilitate this access, in particular by cooperating closely, setting up an appropriate infrastructure and designating a single national point of contact in each of the Member States.
There is a specific provision on the transfer of non-personal electronic health data to countries outside the EU. This transfer must be done in accordance with the provisions of the Data Governance Act for highly sensitive data. These provisions, currently included in Article 5(11) of the latest available version of the Data Governance Act, allow the Commission, through delegated acts, to subject such transfers to specific conditions and restrictions. There does not appear to be any specific provision on transfers of personal electronic health data to a recipient outside the EU. Such transfers are therefore covered by the general international transfer rules of the GDPR, as interpreted by courts and competent data protection authorities.
The official publication of the Commission’s proposal is scheduled for April. There may be some changes between the published draft summarized above and the official proposal, but key concepts are unlikely to change at this stage. Once the proposal is officially published, it will be forwarded to the European Parliament and the Council for further processing. The stakes are high and the tasks colossal, so a fierce debate is to be expected both in Parliament and in the Member States through the Council.