European Health Data Space: The debate continues


The authors of this article are participating in the following EU-funded projects:

The European Health Data Space (“EHDS”) proposal aims to overhaul the existing laws on health data in the EU. Please see here for our full overview of the draft EHDS Regulation, but we recall some key points below:

a. The overarching purpose of the proposal is strengthening patients’ rights to electronic health data (“EHD”) and opening up medical data registries to make better use of that data.

b. It distinguishes between two uses for EHD: primary use in the context of healthcare, and secondary use for other purposes that benefit society, like research, policy-making, regulatory activities, etc.

c. In the primary use context, the proposal introduces patient rights to access and control their own EHD.

d. The system for secondary use is built on data holders, health data access bodies and data users. The first control and share EHD, the second act as intermediaries issuing data permits, the last can request access to data.

The European Commission had to carefully navigate around existing rules, such as those on data protection or the Data Governance Act. Once the draft was published, it became apparent that some clashes could not be avoided. Many different organisations and stakeholders have in the meantime commented on the proposal and suggested ways to remedy these clashes. Below are four key points that are likely to still be worked on in the later stages of legislation. Needless to say, there are pending discussions on different aspects of the EHDS and the selection below is not exhaustive.

1. Compliance with GDPR

The EDPB and EDPS already indicated in their joint opinion (Nr. 03/2022 available here) that many provisions of the EHDS proposal cause interpretation difficulties in the context of the GDPR or are even inconsistent with its provisions. In particular, doubts have been raised about the provisions on the purposes for secondary use of health data: Article 34(1) in the EHDS proposal.

The original wording indicated, among others, as separate permitted purposes:

e. scientific research related to health or care sectors,

f. development and innovation activities for products or services contributing to public health,

g. training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications.

EDPB and EDPS observed that these purposes are not properly delineated and called for full compatibility with GDPR provisions to be ensured. The GDPR provides for special provisions on the use of personal data for “scientific purposes” (for example, in Article 89), and under the original EHDS proposal it was not clear whether safeguards provided in this regime would be applicable to, for example, training of AI.

In a draft report dated 10/02/2023 (ENVI & LIBE committees report, available here) (“Draft Report”) parliamentary rapporteurs present a proposed amendment to Article 34. The “development and innovation activities” and “training of algorithms” are now included as examples of “scientific research” – rather than as separate grounds for secondary use of EHD. This would mean that the safeguards the GDPR provides for scientific research also apply to these innovation activities. Also, amendments clarify that the research activities must “aim to benefit the end-users of the activity”. 

Even though “scientific research” plays a central role in the EHDS proposal, it is still not defined and there is an ongoing debate about the limits of scientific research in the context of the GDPR research exemption. The rapporteurs have however defined “innovation activities” in the Draft Report as “the processes and actions taken to generate new or improve products, services, methods, practices and models expected to improve health outcomes, cost efficiency, quality, and reliability”. This definition is quite broad and does not provide answers to the existing debate. 

The two versions of Article 34, paragraph 1 compare as follows, with changes marked in bold:

EHDS proposal (03/05/2022):

Article 34 - Purposes for which electronic health data can be processed for secondary use

1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant complies with:

(a) activities for reasons of public interest in the area of public and occupational health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;

(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates;

(c) to produce national, multi-national and Union level official statistics related to health or care sectors;

(d) education or teaching activities in health or care sectors;

(e) scientific research related to health or care sectors;

(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;

(h) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.

Committees Draft Report (10/02/2023):

Article 34 - Purposes for which electronic health data can be processed for secondary use

1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 to a health data user where the processing of the data by the applicant is necessary for one of the following purposes, and in accordance with Article 6(1)(c) and Article 9(2)(g), (h), (i) and (j) of Regulation (EU) 2016/679:

(a) activities for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;

(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates;

(c) to produce national, multi-national and Union level official statistics as defined in Regulation (EU) 223/2009 related to health or care sectors;

(d) university and post-university teaching activities in health or care sectors;

(e) scientific research related to health or care sectors contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices, with the aim to benefit the end-users of the activity, including:

i. development and innovation activities for products or services;

ii. training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications;

(f) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.

The parliamentary rapporteurs also proposed a number of other amendments with focus on ensuring GDPR compliance. For example, definitions were adjusted (e.g., in Articles 2 and 38) or new additions were made to stress the principles of data minimisation and proportionality (e.g., Recital 54, Articles 44 and 46). 

2. Opt-out right

Under the EHDS, the data holders will have a right and an obligation to provide requested electronic data for secondary use (Article 33), assuming that the requirements of the process are met (for example, the data user has received a data permit in accordance with Article 46). However, certain data holders such as biobanks or hospitals, collecting their data under existing data protection rules, often rely on consent from the data subjects as a legal basis for their research activities and further data sharing. Under the GDPR, such consent must have defined conditions. Patients may, for instance, have agreed to their data being used only for research in specific domains.

The new obligations under the EHDS proposal raised questions as to whether the boundaries under the existing data protection laws would be respected and, if not, how this would impact the trust that the patients had in the original controllers. It may be noted that for primary use the EHDS proposal provides patients with greater control over their EHD. For example, it allows patients to decide who has access to all of their EHD (Article 3(9) EHDS). However, the original EHDS proposal does not specifically envisage a similar mechanism or right for health data being used for secondary use.

In fact, various advocacy and civil rights groups such as the German National Association of Statutory Health Insurance Physicians (KBV), the European Patients’ Forum and the Irish Council for Civil Liberties have also observed the lack of specific provisions allowing a patient to control the data being utilised for secondary use. The Irish Council for Civil Liberties proposed an amendment to include a right to object in the wording of Article 33(5) EHDS Regulation. On the other hand, the European Patients’ Forum (EPF) suggested a right to opt out of secondary use of their personal EHD.

In the Draft Report, the parliamentary rapporteurs seem to have agreed to EPF’s suggestion and have included an opt-out right. The rapporteurs stress that the participation of data subjects must be ensured in order to comply with Article 9(2) of the GDPR. The rapporteurs also emphasise that such an opt-out right is necessary to maintain the trust between patients and healthcare providers. So, in the amended proposal, patients would have the right to opt out of the secondary use of their personal EHD.

The wording proposed by the rapporteurs may generate some confusion in interpretation as it allows natural persons subject to secondary use “to decline the processing of their health data”. However, the right to opt-out is only provided for their EHD which qualifies as personal data.   

The proposed new Article 33, paragraph 5 replaces the one in the Commission proposal and reads as follows:

EHDS proposal (03/05/2022):

Article 33 - Minimum categories of electronic data for secondary use

5. Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.

Committees Draft Report (10/02/2023):

Article 33 - Minimum categories of electronic data for secondary use


5. Natural persons that are subjects to secondary use of health data shall have the right to decline the processing of their health data. Health data access bodies shall provide for an accessible and easily understandable opt-out mechanism, whereby natural persons must be offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes. In situation where natural persons explicitly express their wish to use opt-out mechanism to data holders, data holders shall direct natural persons to the health data access bodies.

The amendments also introduce a mechanism for the exercise of the opt-out right (Articles 34(2a), 37(1)(j) and 38(1)(c)) and an evaluation of the opt-out right after 5 years (Article 50).

The introduction of an opt-out right highlights a crucial decision that needs to be made by the EU: how to reconcile the goal of increasing access to EHD for public interest and scientific research purposes with the expectations of patients to have greater control over their personal EHD? The original EHDS proposal gives the control over data to the patients in the context of primary use, but prioritizes research creating benefit to society for the secondary use. An opt-out right adds to this tension between two opposing visions on the (re-)use of health data.

3. Health data from single data holders

In the proposed EHDS system, the standard way for data users to get access to EHD is through a health data access body. The EHDS proposal however also included a possibility to bypass the health data access body, and get data directly from data holders, if the request concerns a single data holder in a single EU Member State. The Commission introduced this possibility in Article 49 “in order to alleviate the administrative burden for health data access bodies”.

At first sight, a system where all access requests have to pass through health data access bodies might create considerable bottlenecks. In that sense, the Commission’s proposed possibility to get data directly from single data holders is a welcome one. However, a lot of commentators have stressed the importance of health data access bodies to uphold safeguards and the rights of data subjects when granting access to EHD (e.g. KBV, Greens/European Free Alliance Group). In order to address this concern, the parliamentary rapporteurs have removed the possibility to get access from single data holders in their Draft Report. Thus, Article 49 of the proposal has been deleted in the amendment. If this change is accepted, then all data requests would pass through a health data access body, even when they concern a single data holder in one Member State. The discussion in the Parliament is still ongoing, and the various parliamentary committees that are involved in the EHDS proposal sometimes have conflicting views. The parliamentary committee on the Internal Market and Consumer Protection (in its opinion dated 25/05/2023) has retained Article 49 and suggested some changes to the provision, while the opinion of the Committee on Industry, Research and Energy has followed the rapporteurs' approach and deleted the concept of single data holders.

While the concept of single data holders may help to reduce the bureaucratic processes for accessing health data for secondary use, the popular sentiment and the amendment proposed suggest that data permits will be awarded only by health data access bodies. It remains to be seen whether the final EHDS Regulation will retain the concept of data permits from single data holders or not.

4. EU storage

A last point to highlight is the storage and transfer of EHD outside the EU. The EDPB and EDPS called in their joint opinion for mandatory storage of personal EHD in the EEA, notwithstanding requirements on transfers in accordance with Chapter V of the GDPR. The parliamentary rapporteurs have heeded this call and introduced a series of provisions and recitals in their amendment. 

The new Article 60a requires that storage, processing and analysis of EHD, both for primary and secondary use, be carried out exclusively in the EU, unless a transfer is in compliance with Chapter V of the GDPR. The new Recitals 64a-c and Article 60(2a) also impose this EU storage requirement.

Furthermore, the amendment introduces the concept of Commission “reciprocity decisions”. The parliamentary rapporteurs consider that access to EHD from third countries should only take place where this country allows for the use of health data by EU entities under the same conditions and safeguards as within the EU. This sort of reciprocity should be established in Commission delegated acts, a mechanism similar to the adequacy decisions under Article 45 of the GDPR. The reciprocity condition is in a new Article 63a and Recital 64d.

The proposed Articles 60a and 63a of the parliamentary draft report read as follows:

EHDS proposal (03/05/2022): N/A

Committees Draft Report (10/02/2023):

Article 60a - Storage of electronic health data

For the purposes of primary and secondary use of electronic health data, Member States shall ensure that the storage, processing and analysis of electronic health data shall be carried out exclusively within a secure location or locations within the territory of the Union, without prejudice to the possibility to transfer personal electronic health data in compliance with Chapter V of Regulation (EU) 2016/679.

EHDS proposal (03/05/2022): N/A

Committees Draft Report (10/02/2023):

Article 63a - Access restrictions

1. Access to electronic health data for entities from third countries, for secondary use purposes, shall be possible only if the third country where an entity is established, allows access to health data of its residents for entities from the European Union.

2. The Commission may decide, by issuing a delegated act, with effect for the entire Union, that a third country allows a secondary use of electronic health data of its residents for entities from the European Union.

3. Making of electronic health data available to a third country entity may take place only where the Commission has decided that the third country allows for such use.

4. The Commission shall monitor such decisions, and shall provide for a periodic review mechanism of their functioning.

5. The Commission may recognise that a third country no longer ensures the access and shall revoke its decision.

Next steps

The proposal is currently still in the committee stage in the European Parliament. The Parliament is set to hold a plenary sitting on the proposal on 11/09/2023. The EHDS Regulation will be adopted only after further discussion both in Parliament and by the Council. The Regulation will enter into force 20 days after publication and shall apply from 12 months after its entry into force; however, enforcement of certain provisions will be further delayed.

INCISIVE, RES-Q+ and LUCIA have received funding from the European Union’s Horizon 2020 and Horizon Europe research and innovation programmes. However, the content of this article reflects the opinion of its authors and does not in any way represent opinions of the European Union. The European Commission is not responsible for any use that may be made of the information the article contains.