Mar 92021

European Commission Releases Assessment of the EU Member States’ Rules on Health Data in Light of GDPR

William RM Long, Francesca Blythe, Josefine Sommer and Yuliya Gevrenova
, , , , , ,

On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.

Background

The value of health data continues to capture the attention of regulators and the life sciences and digital industries. Collecting health data may help encourage efficient communication between doctors and patients, and it may foster an increase in the overall quality of patient care.

The Commission is also looking closely at health data and its optimization. Indeed, the EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and most recently the Commission has taken steps to progress this priority through the publication of its European Health Data Space (EHDS) Inception Impact Assessment – intended to support the Commission in progressing its legislative initiative for a EHDS (see Sidley post on “A Digital Europe – Digital Health and other Recent EU Data Initiatives”).

With the Assessment, the Commission sought to examine and analyse the Member States’ rules that govern the processing of health data. The Assessment, which acknowledges the lack of consistency in Member States’ approach to data protection for health data, considers health data processing both for primary purposes (i.e., for treatment of the patient) and secondary purposes (i.e., for research, registries and management of the healthcare system) where carried out cross-border in the EU for healthcare, research, innovation and policy-making.

Assessment findings

The Assessment has four main parts, each part addressing the relevant GDPR provisions and the corresponding implementation at a national EU Member State level as follows:

  1. The legal framework for patient care (chapter 3).
    • The Assessment highlights the inconsistency in application of the GDPR as it relates to the processing of health data for the provision of health and social care services (in-person and remotely), e., primary use. This is largely due to the fact that all Member States have some form of national legislation which provides a further framework which must be considered in parallel with the GDPR – some adopted pursuant to Article 9(4) of the GDPR (which provides that with regard to processing of genetic, biometric or health data, Member States may maintain or introduce further conditions including limitations) and others preceding the implementation of the GDPR.
    • By way of example, the Assessment states that whilst explicit consent is often viewed as the norm for processing health data – “perhaps because consent to treatment and consent to collecting data associated with treatment are conflated” – correspondents for twelve Member States included consent (Article 6(1)(a) with Article 9(2)(a), GDPR) as only one of the legal bases relied on for such processing. This is likely because for consent to be valid under the GDPR, it must be voluntary and there must not be an imbalance of power between the patient and the healthcare professional – requirements that are unlikely to be met in these circumstances. In turn, the Assessment proposes that consent be obtained as an “additional safeguard” where the processing is required by law.
    • However, as patients take more direct control over the data processed, e., in the context of apps and devices, reliance on consent as a legal basis for processing increases.
  2. The secondary use of health data for public health purposes (chapter 4).
    • In the context of secondary use, the Assessment states that (amongst other things): (i) the national legislation lacks flexibility in ensuring sharing of data to facilitate the timely identification of new trends in public health threats, g., the COVID-19 pandemic; (ii) there is currently no centralized body (in any Member State), which could give access to data in all the various source databases (electronic health records, industry data, health insurers data, etc.) for public health purposes, which makes access to health data for public health purposes fragmented and insufficient; and (iii) the organization of vigilance systems (for devices and medicines) and access for Health Technology Assessment bodies to health data and to disease registries vary.
  3. The secondary use of health data for scientific or historical research (chapter 5).
    • The Assessment states that whilst the GDPR provides that Member States may adopt legislation to allow for use of data for scientific research purposes such legislation has not been implemented in a homogenous way, resulting in a complex and fragmented landscape for researchers to navigate. For example, whilst the use of pseudonymised data is viewed under the GDPR as a safeguard, there exist different standards for, and interpretations of, pseudonymisation between the Member States. Consequently, differences between Member States in the way the GDPR is implemented and interpreted in the area of scientific research has made data exchange between Member State and EU bodies for research purposes difficult and in some cases highly technical.
  4. Data subjects’ rights (chapter 6).
    • The Assessment flags that the current practical barriers for data subjects (e.g., patients) to exercise their data protection rights largely result from the absence of standardised electronic health records and the low level of awareness among patients of their data protection rights.
    • The chapter proposes that patients’ data protection rights should be addressed both at a national and EU level, with the EU actively engaged in supporting Member States to make those rights better known and more realisable.

Assessment proposals

To address the issues and inconsistencies identified, and to support the development of the EHDS, the Assessment identifies four potential areas of further EU-level action, namely:

  1. An EU level Code of Conduct (as encouraged under the GDPR)

The Assessment encourages stakeholders to develop soft law tools that could support the application of data protection rules, including Codes of Conduct, as well as certification tools such as data protection seals and marks.

The Assessment envisages that the adoption of an EU-wide Code of Conduct could bring clarity to a variety of fields, including, for example common rules about anonymisation and pseudonymisation, and the nature and format of valid consent.

  1. New health sector specific EU-level legislation

The Assessment proposes various legislative measures, which could be adopted as part of  already existing acts, e.g., the Cross-Border Healthcare Directive, or based on new acts like the Proposal for a Regulation on European Data Governance (also known as the Data Governance Act), adopted by the Commission at the end of 2020. The proposed Data Governance Act creates an opportunity to develop sectoral EU level legislation, which could address not only the governance and infrastructure necessary for the primary and secondary use of health data for healthcare, but also facilitate data sharing within the EHDS in accordance with the GDPR.

  1. Creation of sectoral bodies

Some of the proposed legislative measures include the creation of sectoral bodies, which could be tasked to deal with digital health, and more specifically technical interoperability issues, tele-health, m-health and also the creation of criteria for security of digital health infrastructures.

In addition to the proposed legislative measures, other non-legislative measures could be considered such as technical guidance on infrastructure and technical interoperability.

  1. Practical measures to support the EHDS

Finally, the Assessment proposes several practical measures aim to support the EHDS, e.g., the creation of an infrastructure that provides trusted access to the data sets held in other EU countries through a single entry point.

The Assessment concludes that beyond the proposed legislative measures, there is a need for new practical tools to support the cross-border delivery of healthcare, which could also be addressed in the context of the creation of the EHDS. One of the proposed measures is the creation of an EU-wide agency, which could be supported by an EU-level committee or other body which ensures close interaction between the relevant Member State bodies. The Agency could serve as a single entry point for interested parties to obtain relevant health data.

The Commission, in cooperation with the Member States, is now to examine the Assessment and take appropriate steps and measures to address its findings.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Josefine Sommer

Brussels

jsommer@sidley.com

Yuliya Gevrenova

ygevrenova@sidley.com

You might also like
SEC’s Cybersecurity Disclosure Rules Are Here. Is Your Company Ready to Comply?

Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.

New EU FIDA Proposal: How Does This Affect GDPR?

The European Commission issued the Financial Data Access Act (FIDA) proposal in June this year. FIDA will create a legislative framework that aims to “bring payments and the wider financial sector into the digital age” by facilitating the sharing of and access to customer financial data (whether of businesses or consumers).

AI Foundation Models: UK CMA’s Initial Report

The CMA has set out its emerging thinking on the functioning of competition and consumer protection in the market for foundation models.