European Commission unveils measures to unlock the potential of health data


The European Commission has presented its proposal for a regulation on the European health data area (ee Proposal”). While it aims to strengthen the rights of individuals and unlock the potential of data for research purposes, it also adds complexity to an already extensive legal framework. Here’s what you need to know:

In its Data Strategy 2020, the European Commission presented a plan to unlock the untapped potential of the EU data economy. It envisaged a single European data space comprising several sectoral data spaces in key areas. To realize this vision, the Commission designed a multi-level legal framework, which it has since gradually put in place. The Data Governance Law and the proposed Data Law (currently under discussion) constitute the horizontal part of this framework. The draft proposal for a regulation on the European health data space, published in May 2022, is the first sectoral text to be based on this horizontal framework.

The proposal aims to ensure the free flow, sharing and reuse of health data for the benefit of patients, researchers and businesses. It establishes standards for the processing of electronic health data for both primary use (for the provision of health services to individuals) and secondary use (for research, innovation, policy development, statistics and protection against cross-border threats to health). We list the main highlights below:

Who does the project apply to?

The project includes in its personal scope:

  • Manufacturers and suppliers of electronic health record (EHR) systems and wellness apps;
  • Controllers and processors who process electronic health data of EU citizens or residents;
  • Controllers and processors established in a third country connected (or interoperable) with [email protected]; and,
  • Data users to whom electronic health data is provided by data holders in the Union.

All entities involved in the processing of health data or likely to use health data must follow these developments carefully.

New Core Usage Rules

Chapter II of the proposal sets out new rights and obligations for key stakeholders (patients, healthcare professionals, providers of EHR systems and Member States) in this area:

  • For natural persons, the proposal provides the right to free electronic access to their health data in a common European format. They will also have the right to rectify and transfer their health data to third parties (portability).
  • Health professionals will have a corresponding right of access to the data of the people under their treatment, including when providing cross-border health services. However, they are required to record certain categories of health data in an electronic format.
  • In order to facilitate cross-border healthcare, the proposal foresees that Member States will implement [email protected] platform intended to serve as a common infrastructure for cross-border sharing of data and personal electronic health products. By 2025, the platform is expected to provide EU citizens with ‘electronic prescriptions’ to obtain medicines in another EU country, as well as digital patient summaries that can be translated into all EU languages. EU.
  • EHR systems marketed in the EU will carry out a conformity assessment and demonstrate compliance with the specifications adopted by the Commission by means of implementing acts. The Commission will maintain a publicly accessible database of EHR systems.

Secondary use of electronic health data on the basis of a permit

To expand the reuse of health data, the proposal foresees a permit-based system. Member States will designate one or more health data access bodies which will cooperate with data protection authorities. Data holders will be required to transfer certain categories of electronic health data to health data access bodies, which will be responsible for reviewing data access requests from data users who wish to reuse health data at secondary purposes.

Authorization is granted on the basis of a request which must contain details on a number of points, such as a description of the data requested, the reasons for the access requested, the intended uses, the guarantees, the duration and whether the data is to be provided in an anonymized or aggregated format. The proposal specifies for what purposes and under what conditions access can be granted, but also which secondary uses are prohibited.

Monitoring and Enforcement

The European Commission will establish a “European Digital and Health Data Committee” composed of representatives of the competent authorities of all Member States and of the Commission. The committee will support the implementation of the regulation and cooperation between competent authorities.

With regard to enforcement, it will be up to the Member States to establish “effective, proportionate and dissuasive” sanctions in the event of an infringement.

Interaction with existing and impending laws

The proposal is without prejudice to existing laws, such as the General Data Protection Regulation (GDPR) and the Data Governance Act, as well as laws that have not yet entered into force, such as the Bills data and AI law. The proposal seeks to build on these laws – but unlike them, it focuses exclusively on health data. The proposal explicitly addresses the interaction with the GDPR, providing the legal basis for consent-based processing and providing for the roles of different stakeholders in the GDPR. Nevertheless, this will inevitably lead to legal uncertainties as the EU legal framework for data sharing becomes more complex.

The Proposal is a long document (122 pages!) and the above description only gives a general overview.


Comments are closed.