On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.
The value of health data continues to capture the attention of regulators and the life sciences and digital industries. Collecting health data may help encourage efficient communication between doctors and patients, and it may foster an increase in the overall quality of patient care.
The Commission is also looking closely at health data and its optimization. Indeed, the EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and most recently the Commission has taken steps to progress this priority through the publication of its European Health Data Space (EHDS) Inception Impact Assessment – intended to support the Commission in progressing its legislative initiative for an EHDS (see Sidley post on “A Digital Europe – Digital Health and other Recent EU Data Initiatives”).
With the Assessment, the Commission sought to examine and analyse the Member States’ rules that govern the processing of health data. The Assessment, which acknowledges the lack of consistency in Member States’ approach to data protection for health data, considers health data processing both for primary purposes (i.e., for treatment of the patient) and secondary purposes (i.e., for research, registries and management of the healthcare system) where carried out cross-border in the EU for healthcare, research, innovation and policy-making.
The Assessment has four main parts, each part addressing the relevant GDPR provisions and the corresponding implementation at a national EU Member State level as follows:
- The legal framework for patient care (chapter 3).
- The Assessment highlights the inconsistency in application of the GDPR as it relates to the processing of health data for the provision of health and social care services (in-person and remotely), i.e., primary use. This is largely due to the fact that all Member States have some form of national legislation which provides a further framework which must be considered in parallel with the GDPR – some adopted pursuant to Article 9(4) of the GDPR (which provides that with regard to processing of genetic, biometric or health data, Member States may maintain or introduce further conditions including limitations) and others preceding the implementation of the GDPR.
- By way of example, the Assessment states that whilst explicit consent is often viewed as the norm for processing health data – “perhaps because consent to treatment and consent to collecting data associated with treatment are conflated” – correspondents for twelve Member States included consent (Article 6(1)(a) with Article 9(2)(a), GDPR) as only one of the legal bases relied on for such processing. This is likely because for consent to be valid under the GDPR, it must be voluntary and there must not be an imbalance of power between the patient and the healthcare professional – requirements that are unlikely to be met in these circumstances. In turn, the Assessment proposes that consent be obtained as an “additional safeguard” where the processing is required by law.
- However, as patients take more direct control over the data processed, i.e., in the context of apps and devices, reliance on consent as a legal basis for processing increases.
- The secondary use of health data for public health purposes (chapter 4).
- In the context of secondary use, the Assessment states that (amongst other things): (i) the national legislation lacks flexibility in ensuring sharing of data to facilitate the timely identification of new trends in public health threats, e.g., the COVID-19 pandemic; (ii) there is currently no centralized body (in any Member State) which could give access to data in all the various source databases (electronic health records, industry data, health insurers’ data, etc.) for public health purposes, which makes access to health data for public health purposes fragmented and insufficient; and (iii) the organization of vigilance systems (for devices and medicines) and access for Health Technology Assessment bodies to health data and to disease registries vary.
- The secondary use of health data for scientific or historical research (chapter 5).
- The Assessment states that, whilst the GDPR provides that Member States may adopt legislation to allow for the use of data for scientific research purposes, such legislation has not been implemented in a homogenous way, resulting in a complex and fragmented landscape for researchers to navigate. For example, whilst the use of pseudonymised data is viewed under the GDPR as a safeguard, there exist different standards for, and interpretations of, pseudonymisation between the Member States. Consequently, differences between Member States in the way the GDPR is implemented and interpreted in the area of scientific research have made data exchange between Member State and EU bodies for research purposes difficult and in some cases highly technical.
- Data subjects’ rights (chapter 6).
- The Assessment flags that the current practical barriers for data subjects (e.g., patients) to exercise their data protection rights largely result from the absence of standardised electronic health records and the low level of awareness among patients of their data protection rights.
- The chapter proposes that patients’ data protection rights should be addressed both at a national and EU level, with the EU actively engaged in supporting Member States to make those rights better known and more realisable.
To address the issues and inconsistencies identified, and to support the development of the EHDS, the Assessment identifies four potential areas of further EU-level action, namely:
- An EU level Code of Conduct (as encouraged under the GDPR)
The Assessment encourages stakeholders to develop soft law tools that could support the application of data protection rules, including Codes of Conduct, as well as certification tools such as data protection seals and marks.
The Assessment envisages that the adoption of an EU-wide Code of Conduct could bring clarity to a variety of fields, including, for example common rules about anonymisation and pseudonymisation, and the nature and format of valid consent.
- New health sector specific EU-level legislation
The Assessment proposes various legislative measures, which could be adopted as part of already existing acts, e.g., the Cross-Border Healthcare Directive, or based on new acts like the Proposal for a Regulation on European Data Governance (also known as the Data Governance Act), adopted by the Commission at the end of 2020. The proposed Data Governance Act creates an opportunity to develop sectoral EU level legislation, which could address not only the governance and infrastructure necessary for the primary and secondary use of health data for healthcare, but also facilitate data sharing within the EHDS in accordance with the GDPR.
- Creation of sectoral bodies
Some of the proposed legislative measures include the creation of sectoral bodies, which could be tasked to deal with digital health, and more specifically technical interoperability issues, tele-health, m-health and also the creation of criteria for security of digital health infrastructures.
In addition to the proposed legislative measures, other non-legislative measures could be considered such as technical guidance on infrastructure and technical interoperability.
- Practical measures to support the EHDS
Finally, the Assessment proposes several practical measures aimed at supporting the EHDS, e.g., the creation of an infrastructure that provides trusted access to the data sets held in other EU countries through a single entry point.
The Assessment concludes that beyond the proposed legislative measures, there is a need for new practical tools to support the cross-border delivery of healthcare, which could also be addressed in the context of the creation of the EHDS. One of the proposed measures is the creation of an EU-wide agency, which could be supported by an EU-level committee or other body which ensures close interaction between the relevant Member State bodies. The Agency could serve as a single entry point for interested parties to obtain relevant health data.
The Commission, in cooperation with the Member States, is now to examine the Assessment and take appropriate steps and measures to address its findings.