EDSA and EDPS: Joint Opi­ni­on on the Pro­po­sal for a Regu­la­ti­on on the Euro­pean Health Data Area.

The Euro­pean Data Pro­tec­tion Super­vi­si­on Aut­ho­ri­ty EDSA (Euro­pean Data Pro­tec­tion Board EDPB) and the Euro­pean Data Pro­tec­tion Super­vi­sor EDPS (Euro­pean Data Pro­tec­tion Super­vi­sor EDPS) have published on July 12, 2022 a 30-page joint state­ment published (EDPB-EDPS Joint Opi­ni­on 03/2022 on the Pro­po­sal for a Regu­la­ti­on on the Euro­pean Health Data Space) to the Pro­po­sal for a Regu­la­ti­on on the Euro­pean Health Data Area (Euro­pean Health Data Space EHDS) the Euro­pean Com­mis­si­on (Pro­po­sal for a regu­la­ti­on – The Euro­pean Health Data Space), which was published on May 3, 2022.

It had spe­ci­fi­cal­ly asked the Euro­pean Com­mis­si­on for an opi­ni­on. The EDSA and the EDPS wel­co­me the Desti­na­ti­on of the pro­po­sal to impro­ve the exchan­ge of and access to various types of elec­tro­nic health data (esp. elec­tro­nic health records, geno­mic data, pati­ent regi­stries), ther­eby sup­porting not only the pri­ma­ry use (health care) but also the secon­da­ry use (health-rela­ted rese­arch, inno­va­ti­on, poli­cy­ma­king, regu­la­to­ry pur­po­ses, and per­so­na­li­zed medi­ci­ne) of elec­tro­nic health data.

Cri­ti­cism
Howe­ver, the EDSA and the EDPS also cri­ti­ci­ze the pro­po­sal. The suc­cess of the EHDS will depend on a solid legal basis depend, which are lin­ked to both the EU data pro­tec­tion legal frame­work as well as with the Case law of the ECJ must be in line with the GDPR. The gene­ral refe­ren­ces to the GDPR are insuf­fi­ci­ent. The­re is a risk of mis­in­ter­pre­ta­ti­on of key data pro­tec­tion pro­vi­si­ons, which could lead to a lowe­ring of the level of pro­tec­tion cur­r­ent­ly affor­ded to data sub­jects under the exi­sting EU data pro­tec­tion legal framework.

[…] the pro­vi­si­ons in this Pro­po­sal will add yet ano­t­her lay­er to the alrea­dy com­plex (mul­ti-laye­red) collec­tion of pro­vi­si­ons (to be found both in the EU and Mem­ber Sta­tes law) on the
pro­ces­sing of health data (in the health care sec­tor). The inter­play bet­ween tho­se dif­fe­rent pie­ces of legis­la­ti­on needs to be (cry­s­tal) clear.“

The points of cri­ti­cism and pro­po­sed amend­ments for­mu­la­ted in the joint state­ment can be sum­ma­ri­zed as follows:

Inac­cu­ra­te descrip­ti­on of GDPR rights
The fact that the Pro­po­sal refers to the rights under the GDPR (e.g. the right of access free of char­ge and the right to a copy of the data) is to be wel­co­med. Howe­ver, their descrip­ti­on dif­fers in con­tent from the GDPR. Cla­ri­ty should be pro­vi­ded on the rela­ti­ons­hip bet­ween the­se provisions.

No exten­si­on of the excep­ti­ons to the GDPR guarantees
Accord­ing to Arti­cle 38(2) of the pro­po­sal, dhe health data access points (appoin­ted by the Mem­ber Sta­tes; they grant access to elec­tro­nic health data for secon­da­ry use) are not requi­red to pro­vi­de each natu­ral per­son with the spe­ci­fic infor­ma­ti­on under Arti­cle 14 GDPR on the use of their data for pro­jects for which a data aut­ho­riz­a­ti­on has been gran­ted. The EDSA and the EDPS see this as an expli­cit dero­ga­ti­on from the GDPR. The new dero­ga­ti­on could have unin­ten­ded con­se­quen­ces for the fun­da­men­tal rights and free­doms of data sub­jects due to the lack of con­cre­te con­di­ti­ons under which the new dero­ga­ti­on would apply.

Deleting well­ness apps and other digi­tal health apps from chap­ters III and IV.
Chap­ter III of the pro­po­sal addres­ses the imple­men­ta­ti­on of a man­da­to­ry regime for self-cer­ti­fi­ca­ti­on of EHR systems in situa­tions whe­re such systems must meet essen­ti­al inter­ope­ra­bi­li­ty and secu­ri­ty requi­re­ments. The chap­ter also inclu­des pro­vi­si­ons for volun­ta­ry labe­ling of well­ness apps that are inter­ope­ra­ble with EHR systems. Chap­ter IV faci­li­ta­tes secon­da­ry uses of elec­tro­nic health data, such as for rese­arch, inno­va­ti­on, poli­cy­ma­king, pati­ent safe­ty, or regu­la­to­ry acti­vi­ties. It defi­nes a ran­ge of types of data that can be used for cer­tain pur­po­ses and spe­ci­fies pro­hi­bi­ted pur­po­ses (e.g., use of data against indi­vi­du­als, com­mer­cial soli­ci­ta­ti­on, incre­a­sing insuran­ce, deve­lo­p­ment of dan­ge­rous pro­ducts). The EDSA and the EDPS recom­mend the dele­ti­on of well­ness apps and digi­tal health apps from the­se chapters. 

The EDPB and the EDPS ack­now­ledge the pro­vi­si­ons in Chap­ter III that aim to impro­ve the inter­ope­ra­bi­li­ty of Elec­tro­nic Health Records and to faci­li­ta­te the con­nec­ti­vi­ty of well­ness-apps with such elec­tro­nic health records. Howe­ver, the […] the lat­ter should not be inclu­ded in the secon­da­ry use of health data under Chap­ter IV of the Pro­po­sal. First, becau­se health data gene­ra­ted by well­ness app­li­ca­ti­ons and other digi­tal health app­li­ca­ti­ons do not have the same data qua­li­ty requi­re­ments and cha­rac­te­ri­stics of tho­se gene­ra­ted by medi­cal devices. Fur­ther­mo­re, the­se app­li­ca­ti­ons gene­ra­te an enor­mous amount of data and can be high­ly inva­si­ve sin­ce it rela­tes to every step indi­vi­du­als takes in their ever­y­day lives.“

If the­se data were to be retai­ned, the pro­ces­sing for the Secon­da­ry use only with pri­or con­sent wit­hin the mea­ning of the GDPR per­mis­si­ble. The pro­po­sal would need to be amen­ded accord­in­gly. Second­ly, the spe­ci­fic con­di­ti­ons for fur­ther pro­ces­sing of the­se per­so­nal data should be clear­ly defi­ned in accordance with data pro­tec­tion legis­la­ti­on, and appro­pria­te Mecha­nisms be crea­ted to ensu­re that the will of the data sub­jects is respec­ted with regard to the fur­ther pro­ces­sing of their per­so­nal health data (gene­ra­ted by well­ness and other digi­tal app­li­ca­ti­ons). Moreo­ver, such pro­ces­sing would fall wit­hin the scope of the ePri­va­cy Directive.

Unclear refe­rence to GDPR exemp­ti­ons from the ban on pro­ces­sing sen­si­ti­ve data
Arti­cle 9(2)(h) of the GDPR pro­vi­des for excep­ti­ons whe­re the pro­ces­sing of sen­si­ti­ve data is necessa­ry for the pur­po­ses of pre­ven­ti­ve health care or occup­a­tio­nal medi­ci­ne, for the assess­ment of the employee’s fit­ness for work, for medi­cal dia­gno­sis, medi­cal care or tre­at­ment, or for the manage­ment of health systems and ser­vices on the basis of Uni­on or Mem­ber Sta­te law. The Pro­po­sal should lay down con­di­ti­ons and safe­guards for the pro­ces­sing of electronic
health data by health­ca­re pro­vi­ders and health­ca­re pro­fes­sio­nals in accordance with this excep­ti­on. The EDPS and the EDPS cri­ti­ci­ze that this is not reflec­ted in the cri­te­ria accord­ing to which the com­pe­tent aut­ho­ri­ties grant access to the reque­sted health data (Arti­cle 45 f. of the Pro­po­sal). It is not clear how the­se pro­vi­si­ons rela­te to the princi­ples and pro­vi­si­ons of the GDPR, in par­ti­cu­lar Arti­cle 9(2) GDPR.

Addi­ti­on regar­ding sto­rage in the EU/EEA required
Chap­ter V pro­po­ses fur­ther capa­ci­ty-buil­ding mea­su­res by Mem­ber Sta­tes to accom­pa­ny the deve­lo­p­ment of the EHDS. The­se inclu­de the exchan­ge of infor­ma­ti­on on digi­tal public ser­vices, fun­ding, etc. In addi­ti­on, this chap­ter regu­la­tes inter­na­tio­nal access to non-per­so­nal data in the EHDS. Due to the lar­ge amount of data to be pro­ces­sed, their high­ly sen­si­ti­ve natu­re, the risk of unlaw­ful access and the need to ensu­re effec­ti­ve super­vi­si­on of the­se data, the EDPS and the EDPS call for adding to this pro­po­sal a pro­vi­si­on pro­vi­ding for the sto­rage of per­so­nal elec­tro­nic health data in the EU/EEA, without pre­ju­di­ce to fur­ther trans­fers in accordance with Chap­ter V of the GDPR.

Gover­nan­ce
Final­ly, as regards the gover­nan­ce model estab­lished by the Pro­po­sal, the tasks and respon­si­bi­li­ties of the new public bodies need to be care­ful­ly tailo­red, in par­ti­cu­lar taking into account the tasks and respon­si­bi­li­ties of the natio­nal super­vi­so­ry aut­ho­ri­ties, the EDPS and the EDSA in the area of pro­ces­sing of per­so­nal (health) data. Over­lap­ping respon­si­bi­li­ties should be avoided and the are­as and requi­re­ments for coope­ra­ti­on should be specified.