On July 12, 2022 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a 30-page joint opinion (EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space) on the European Commission's Proposal for a Regulation on the European Health Data Space (EHDS), which the Commission had published on May 3, 2022.
The European Commission had specifically requested their opinion. The EDPB and the EDPS welcome the objective of the proposal to improve the exchange of and access to various types of electronic health data (in particular electronic health records, genomic data and patient registries), thereby supporting not only the primary use (health care) but also the secondary use (health-related research, innovation, policymaking, regulatory purposes and personalized medicine) of electronic health data.
However, the EDPB and the EDPS also criticize the proposal. The success of the EHDS will depend on a solid legal basis that is consistent with both the EU data protection legal framework and the case law of the Court of Justice of the European Union, and that is in line with the GDPR. The general references to the GDPR in the proposal are insufficient. There is a risk of misinterpretation of key data protection provisions, which could lead to a lowering of the level of protection currently afforded to data subjects under the existing EU data protection legal framework.
“[…] the provisions in this Proposal will add yet another layer to the already complex (multi-layered) collection of provisions (to be found both in the EU and Member States law) on the processing of health data (in the health care sector). The interplay between those different pieces of legislation needs to be (crystal) clear.“
The points of criticism and the amendments proposed in the joint opinion can be summarized as follows:
Inaccurate description of GDPR rights
It is to be welcomed that the proposal refers to rights under the GDPR (e.g. the right of access free of charge and the right to obtain a copy of the data). However, the way these rights are described differs in substance from the GDPR. The relationship between the provisions of the proposal and the corresponding GDPR provisions should be clarified.
No extension of the exceptions to the GDPR guarantees
According to Article 38(2) of the proposal, the health data access bodies (designated by the Member States; they grant access to electronic health data for secondary use) are not required to provide each natural person with the specific information under Article 14 GDPR on the use of their data for projects for which a data permit has been granted. The EDPB and the EDPS regard this as an explicit derogation from the GDPR. Because the proposal does not set out concrete conditions under which this new derogation would apply, it could have unintended consequences for the fundamental rights and freedoms of data subjects.
Deleting wellness apps and other digital health apps from Chapters III and IV
Chapter III of the proposal establishes a mandatory self-certification regime for EHR systems, under which such systems must meet essential interoperability and security requirements. The chapter also includes provisions for the voluntary labelling of wellness apps that are interoperable with EHR systems. Chapter IV facilitates the secondary use of electronic health data, for example for research, innovation, policymaking, patient safety or regulatory activities. It defines the categories of data that may be used for specified purposes and lists prohibited purposes (e.g. using the data against individuals, commercial solicitation, adjusting insurance premiums, or developing harmful products). The EDPB and the EDPS recommend that wellness apps and other digital health apps be deleted from these chapters.
“The EDPB and the EDPS acknowledge the provisions in Chapter III that aim to improve the interoperability of Electronic Health Records and to facilitate the connectivity of wellness-apps with such electronic health records. However, […] the latter should not be included in the secondary use of health data under Chapter IV of the Proposal. First, because health data generated by wellness applications and other digital health applications do not have the same data quality requirements and characteristics of those generated by medical devices. Furthermore, these applications generate an enormous amount of data and can be highly invasive since it relates to every step individuals take in their everyday lives.“
If such data were nevertheless to remain within the scope of the proposal, their processing for secondary use should be permitted only on the basis of prior consent within the meaning of the GDPR, and the proposal would need to be amended accordingly. Secondly, the specific conditions for the further processing of these personal data should be clearly defined in accordance with data protection law, and appropriate mechanisms should be put in place to ensure that the wishes of data subjects regarding the further processing of their personal health data (generated by wellness apps and other digital applications) are respected. Moreover, such processing would also fall within the scope of the ePrivacy Directive.
Unclear reference to the GDPR exemptions from the prohibition on processing sensitive data
Article 9(2)(h) GDPR provides an exception from the prohibition on processing special categories of personal data where the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment, or for the management of health or social care systems and services on the basis of Union or Member State law. The proposal should lay down the conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals under this exception. The EDPB and the EDPS criticize that this is not reflected in the criteria according to which the competent bodies grant access to the requested health data (Article 45 et seq. of the proposal). It remains unclear how these provisions relate to the principles and provisions of the GDPR, in particular Article 9(2) GDPR.
Addition regarding storage in the EU/EEA required
Chapter V proposes further capacity-building measures by the Member States to accompany the development of the EHDS, including the exchange of information on digital public services, funding and similar matters. This chapter also regulates international access to non-personal data in the EHDS. Given the large volume of data to be processed, its highly sensitive nature, the risk of unlawful access and the need to ensure effective supervision of this data, the EDPB and the EDPS call for a provision to be added to the proposal requiring personal electronic health data to be stored in the EU/EEA, without prejudice to onward transfers in accordance with Chapter V of the GDPR.
Finally, as regards the governance model established by the proposal, the tasks and responsibilities of the newly created public bodies need to be carefully defined, in particular taking into account the tasks and responsibilities of the national supervisory authorities, the EDPS and the EDPB in the area of processing personal (health) data. Overlapping responsibilities should be avoided, and the areas in which cooperation is required, and the requirements for it, should be specified.