In its 2020 Data Strategy, the European Commission outlined a plan to unlock the untapped potential of the EU data economy. It envisioned a single European data space comprising several sectoral data spaces in key areas. To realise this vision, the Commission has devised a multi-layered legal framework, which it has been gradually introducing since then. The Data Governance Act and the Data Act Proposal (currently under discussion) form the horizontal part of this framework. The draft proposal for the European Health Data Space Regulation, published in May 2022, is the first sectoral text to build on this horizontal framework.
The Proposal aims to ensure the free movement, sharing and reuse of health data for the benefit of patients, researchers and businesses alike. It sets standards for the processing of electronic health data for both primary use (for the provision of health services to individuals) and secondary use (for research, innovation, policy-making, statistics and protection against cross-border health threats). We list the main highlights below:
To whom does the draft apply?
The draft includes in its personal scope:
- Electronic Health Record (EHR) systems and wellness application manufacturers and providers;
- Controllers and processors who process the electronic health data of EU citizens or residents;
- Controllers and processors established in a third country connected (or interoperable) with MyHealth@EU; and,
- Data users to whom electronic health data is provided by data holders in the Union.
All entities involved in the processing of health data or that may be in a position to use health data should follow these developments closely.
New rules for primary use
Chapter II of the Proposal outlines new rights and obligations for the main stakeholders (patients, health professionals, EHR system providers and the Member States) in this area:
- For natural persons, the Proposal provides the right to free electronic access to their health data in a common European format. They will also have the right to rectification and to transfer their health data to third parties (portability).
- Health professionals will have a corresponding right of access to the data of the persons under their treatment, including when they provide cross-border health services. However, they are obliged to register certain categories of health data in an electronic format.
- To facilitate cross-border healthcare, the Proposal foresees that Member States will implement the MyHealth@EU platform to serve as the common infrastructure for the cross-border sharing of personal electronic health data and products. By 2025, the platform is expected to provide “ePrescriptions” for EU citizens to obtain medication in another EU country, as well as digital patient summaries that can be translated into all EU languages.
- EHR systems marketed in the EU will conduct a conformity assessment and demonstrate compliance with specifications adopted by the Commission through implementing acts. The Commission will maintain a publicly accessible database on EHR systems.
Permit-based secondary use of electronic health data
To expand the reuse of health data, the Proposal provides a permit-based system. The Member States will designate one or more health data access bodies that will cooperate with the data protection authorities. Data holders will be obliged to transfer certain categories of electronic health data to the health data access bodies, which will be tasked with reviewing data access requests from data users who wish to re-use health data for secondary purposes.
The permit is granted on the basis of an application that must include details on a number of points, such as a description of the data requested, the reasons for the access requested, the intended uses, the safeguards, the duration and whether the data is to be provided in an anonymised or aggregated format. The Proposal specifies for which purposes and under which conditions access can be granted, but also which secondary uses are prohibited.
Supervision and enforcement
The European Commission will establish a “European Digital and Health Data Board” composed of representatives of the competent authorities of all the Member States and the Commission. The Board will support the Regulation’s implementation and cooperation between the competent authorities.
As far as enforcement is concerned, it will be left to the Member States to establish “effective, proportionate and dissuasive” penalties for infringements.
Interaction with existing and imminent laws
The Proposal is without prejudice to existing laws, such as the General Data Protection Regulation (GDPR) and the Data Governance Act, as well as laws that have not yet come into force, such as the proposed Data Act and AI Act. The Proposal seeks to build on these laws but, unlike them, it focuses exclusively on health data. The Proposal explicitly addresses the interplay with the GDPR, providing the legal basis for permit-based processing, and foreseeing the GDPR roles of different stakeholders. Nevertheless, it will inevitably lead to legal uncertainties as the EU legal framework for data sharing becomes more complex.
The Proposal is a lengthy document (122 pages!) and the description above only gives a broad outline. If you would like more details or to discuss the possible implications for your organisation, then please do not hesitate to contact our team at ALTIUS.