European Health Data Space: Early indications of the future of circulation of health information in the European Union
The Italian version of this article was published on July 25, 2022, on AgendaDigitale.eu, within our “Legal Health” monthly column.
The establishment of a European Health Data Space sits within the broader framework of the strategy developed by European institutions to create a single market for data. The aim is to make the EU the benchmark for managing and sharing electronic health data, and in turn to utilize such data to its full potential when it comes to providing both care and assistance to citizens (primary use of data), and conducting research and development activities and making health policy (secondary use of data), ultimately encouraging innovation and allowing companies to compete on global markets.
In this context, the proposal for a regulation submitted by the European Commission on May 3 of this year represents a first step to understanding the intentions of and the ambitious goals set out by European institutions for the next decade. Accessibility, control, and portability will be key to breaking down the barriers that still exist to the circulation of health data among Member States. Fostering the exchange of data on dedicated infrastructure and introducing data sharing obligations for data controllers will encourage the use of such data in social and economic contexts.
For primary use of data, the new rules support and implement the rights granted to citizens under Regulation (EU) 2016/679 (“GDPR”) for the processing of personal data, with ad hoc legislation for the health sector. While the right of natural persons to access data is enshrined in Article 15 of the GDPR, that article does not require data controllers to provide access immediately, and in many cases such access is provided by supplying data in printed form or in the form of scanned documents. In addition, natural persons should be given broad opportunities to exchange data with health professionals by their own choice and to gain access to such data. This goes beyond the right to data portability guaranteed by the GDPR, as that right often cannot be applied in practice for reasons of interoperability and limited harmonization of prescriptions and technical rules. Furthermore, the right to data portability under the GDPR is limited to data processed on the basis of consent or a contract and rules out data processed on a different legal basis—for instance, when the processing is required by law.
In this area, the obligation to make data available in electronic form, the new regulation on health record systems, and the European common exchange format that the Commission is expected to identify, as well as the ad hoc certification process for such systems, should finally ensure effective interoperability and portability of data in electronic form all over Europe through the MyHealth@EU infrastructure.
As for secondary use of data, the new rules should promote creation of an organic ecosystem for later use of personal and other health data for the purposes of research and innovation, development of new drugs and devices, formulation of health policies, and setting forth common rules for access, including cross-border access, to information through a new dedicated platform and national access points aimed at managing usage requests from natural and legal persons. This may be the most significant new aspect that arises from the text of the proposal, given the importance of building a data economy at a European level.
Below we will analyze the new features in the text proposed by the Commission, which now will move to the EU Parliament and Council for discussion. We will also look briefly at the joint opinion of the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”), who have closely analyzed the provisions in the draft, highlighting critical issues and suggesting some solutions.
Primary use of data
The text of the proposed regulation includes provisions, norms and common practice, infrastructure, and a governance framework for primary and secondary use of electronic health data. As mentioned, primary use of health data is data processing designed to provide help and care to citizens and to improve natural persons’ access to and control over such data by ensuring portability and ease of sharing, including among healthcare providers. Personal health data processing follows the rules set forth in Articles 6 and 9 of the GDPR.
The collector of the health information for primary use of data is identified in the electronic medical record. Article 5 of the proposal lists the following categories of data: (i) patient histories; (ii) electronic prescriptions and dispensing; (iii) medical images and image reports; (iv) laboratory results; and (v) discharge reports. The text includes an obligation to make available data collected in electronic form. In particular, pursuant to Article 7, Member States shall ensure that individual health professionals systematically register health data falling under the priority categories cited in Article 5—at a minimum—concerning health services provided by them to natural persons in electronic format in an EHR system.
Great emphasis is placed on citizens being guaranteed access, control, and portability of such data, along with the ability to grant access to one or more recipients in the health sector or enact a transfer from one controller to another, without any limitations (unlike the GDPR, which obliges controllers to transfer in response to a request submitted by the person concerned “only if technically feasible”). Interoperability is ensured by a common format for health records that the Commission is asked to identify; that should ensure that data and information can be exchanged without any obstacles, even when the exchange involves multiple Member States.
The certification process provided for health record systems, to be followed by CE marking, is also expected to offer common specifications and therefore effective interoperability—as well as quality and security. Telemedicine stands to benefit from a centralized system for collecting and sharing digital data, and Member States allowing the provision of remote services will have to accept that professionals located in other EU countries may do the same—two particularly interesting areas for further exploration.
A reference infrastructure for the circulation of data and health records is certainly needed. Member States are asked to establish one or more services for data access at national, regional, and local levels equipped with electronic identification mechanisms, whereas at the European level the proposed regulation provides that the ecosystem for primary use of data shall be the extant MyHealth@EU platform, which will need to be further developed. As of now, MyHealth@EU operates in the context of cross-border healthcare in only ten Member States and can be used for only two kinds of services (electronic prescription and patient history).
The development of this infrastructure should enable citizens and professionals to gain regular access to health data, allow the provision of telemedicine services even between Member States, and allow the exchange and verification of certificates of various kinds, such as vaccination passports, and the exchange of information on vaccination plans.
Lastly, as previously mentioned, the implementation and application of the regulation and in particular the chapter devoted to the primary use of data will be entrusted to digital health authorities that every Member State will be required to establish.
Secondary use of data
Secondary use of data grants public and private parties, researchers, innovators, and institutions access to personal and other electronic health data in order to develop as broadly and deeply as possible new products, services, and regulatory policies that meet current needs. Data involved include personal electronic health data originally collected in the primary use framework and electronic health data collected for the purposes of secondary use.
Under the European Commission’s proposal, data access in anonymized form will be the standard way in which information is provided with regard to secondary use. Only if the purpose of the processing—among those listed by the proposal—cannot be achieved through access to anonymized data will the bodies responsible for access identified by individual Member States be allowed to provide data access in pseudonymized form. There is an interesting provision under which bodies would not be required to provide the data subject with the information notice cited in Article 14 of the GDPR regarding the use of their data, as that notice system would be replaced by a publication mechanism that covers all authorizations granted for secondary use of data. This appears to codify exemption from the obligation to provide information notices under Article 14, Paragraph 5 of the GDPR.
The proposed regulation provides controllers with an obligation to share health data with bodies responsible for access, which in turn will make the data available to third-party seekers authorized to access data for secondary use. In fact, Article 33 provides that data controllers “make available for secondary use” the categories of electronic data listed therein within two months of receipt of a request. Those categories include data from electronic health records, medical devices, biobanks, questionnaires, and public health registries. Micro-enterprises shall be exempt from the obligation to share so as to avoid unreasonable burdens on them.
In at least some cases, that obligation to share will inevitably collide with the protection of intellectual and industrial property rights. The proposed regulation requires that even such data be provided, albeit in tandem with adoption of the measures needed to ensure their confidentiality.
Therefore, the regulation should provide the legal basis under Article 6, Paragraph 1, Letter c) of the GDPR (“processing necessary for compliance with a legal obligation to which the controller is subject”) to collect and process personal data for the purposes of secondary use. In addition, the text meets the requirements of Article 9, Paragraph 2, Letters h), i), and j) of the GDPR with regard to the conditions under which personal health data can be processed (processing necessary for reasons of significant public interest, public health, scientific research purposes, or based on EU law).
Secondary use data shared by controllers would also merge into a newly created dedicated European platform called HealthData@EU, whose minimum technical specifications will be identified by the European Commission.
The aim of the proposal is to create a digital ecosystem that is regularly updated and managed by bodies identified by Member States that—if the requirements set forth are met—provide data access for the purposes of secondary use to any applicant within Europe. In particular, access would be provided to an applicant in response to a specific request and on the basis of one of the purposes listed in Article 33, including health and research, the provision of personalized healthcare, support for the activities of public entities (for instance, legislative and regulatory activity), development and innovation activities in the health sector, activities of algorithms, and AI systems training.
If the applicant intends to access the electronic health data in pseudonymized format, “a description of how the processing would comply with Article 6 of the GDPR shall also be provided.” As for the legal basis for the processing, Article 33, Paragraph 5 of the proposal states that “where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this chapter to provide access to electronic health data,” as if to bypass consent as the ordinary rule for processing (and in particular “further” processing) health data through the use of another legal basis under the GDPR. In fact, some Member States have adopted more restrictive provisions than those provided in the GDPR; Italy reinstated consent as the legal basis for processing data for research purposes (Articles 110 and 110-bis of Legislative Decree 196/2003).
Authorization for access for secondary use may be granted for the period of time that is necessary to fulfill the relevant purpose, not to exceed five years. After authorization is granted, the body responsible for access immediately requests electronic health data from the data controller and later makes them available to the applicant. Simplified access procedures for public entities and institutions are set forth.
Finally, given the burden faced by data controllers and bodies appointed by Member States, the proposal expressly provides the possibility of imposing fees for the provision of electronic data for secondary use and, only for controllers, to cover a portion of collection costs, as long as fees are transparent, proportional, objectively justified, and not restrictive of competition.
The opinion of the EDPB and EDPS on the draft regulation
The draft was submitted for a joint opinion of the EDPB and EDPS, which looked at aspects related to personal data legislation.
Generally speaking, the European authorities (“Authorities”) voice their support for the proposal and its purposes. However, some issues and shortcomings will have to be dealt with, not only so that those purposes are fulfilled but also so that no weak point is introduced into the personal data protection system enshrined by the GDPR. Additionally, any obstacles to the creation of a European digital market must be ferreted out.
One of the major issues highlighted by the Authorities was the coordination between the draft regulation and the regulatory framework introduced by the GDPR. The draft is without prejudice to the application of the GDPR at several points, but there is no precise coordination between the provisions contained in it and those of the GDPR. Some examples—among many pointed out by the Authorities—are the lack of coordination between the definitions provided by the draft and those contained in the GDPR: for instance, the draft introduces a new definition of data recipient that does not correspond to the one provided by the GDPR.
Furthermore, Article 2.2, Letter d) of the draft regulation defines secondary use of data, specifying that “the data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of secondary use.” Although the GDPR does not contain a definition of secondary use, it nonetheless refers to “further processing.” Authorities suggest clarifying the link between the two definitions, especially given the fact that the GDPR establishes a specific regime with respect to further processing.
On this specific point, however, the draft does not seem to take into account the fact that substantial differences between local laws may exist (and do exist), since the GDPR allows Member States a certain amount of autonomy in regard to further processing for research purposes (even if health data are involved).
In this writer’s opinion, the distinction between data controller under the draft regulation and controller (as defined by GDPR) to which the draft refers on several occasions remains unclear. In fact, the definition of data controller in the draft is independent from the functional aspect that underlies the definition provided by the GDPR and the distinction between the figures of controller and processor, which are fundamental to personal data protection legislation.
Another aspect noted by the Authorities is the lack of clarity on the European governance model proposed by the draft. A new authority, the European Health Data Space Board (EHDS Board), is created and tasked with facilitating cooperation and exchange of information between Member States. It will be made up of Member States’ health authorities and bodies responsible for access and will be chaired by the European Commission. Authorities propose that their own representatives should be permanent members of the EHDS Board. In addition, since the committee is also tasked with providing opinions and exchanging practices and information on the primary and secondary use of data, a provision should be made that the EHDS Board does not address issues related to personal data protection, so as to avoid creating divergent and conflicting interpretations of the matter.
One last thing worth mentioning is the issue of data localization within the European Health Data Space. For the first time in an official document, European authorities proposed the establishment of an obligation to localize within the European Union health data that are part of the European space, in order to allow national supervisory authorities effective oversight of compliance with the rules introduced by the draft and personal data protection rules.
Overall, the Authorities’ involvement is aimed at creating legislation that is as coordinated as possible both at the drafting stage and when it comes to application and interpretation.
The text of the proposal submitted by the European Commission is an important indicator of the European legislature’s intentions regarding policies for circulating health data within the European Union.
We are still in the early days of potential approval of the proposed regulation; in any case, we will have to wait a few years for its full and effective application. That might occur in 2026, given, among other things, the regulation on “deferred application” set forth in the final article of the proposal.
The 2026 deadline may coincide, more or less, with the deadline set for full implementation in individual Member States of recovery and resilience plans to cope with the economic and social impact of the Covid-19 pandemic. Given that the digitalization of the health sector is central to these recovery plans, application of the regulation may benefit from the measures introduced in the interim by Member States in implementing their respective plans—and that may contribute in a decisive way to effective establishment of a European common space for electronic health data. However, another possible outcome is a lack of coordination between this European legislative initiative and those that will be adopted at a local level in implementing recovery and resilience plans.
It will also be interesting to see whether European Authorities’ suggestions will be followed in the later stages of the discussion leading to approval of the final text of the regulation. The risk we are currently running, given the latest EU regulatory measures, is that of creating a digital market through legislation that is conceived to facilitate information exchange and circulation, but that in practice may constitute an obstacle to the development of a digital economy due to the actions of various sectors and a lack of coordination between them.
EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space. https://edps.europa.eu/system/files/2022-07/22-07-12_edpb_edps_joint-opinion_europeanhealthdataspace_en_.pdf.
As defined by the Annex to recommendation 2003/361/CE of the European Commission.
Article 2.2, Letter k) of the draft regulation defines a data recipient as “a natural or legal person who receives data from another controller in the context of the primary use of electronic health data.”
Article 4.9 GDPR defines a recipient as a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities that receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Article 5.1, Letter b), GDPR.