Data security in European Health Data Space
European data protection authorities publish opinion
CC – 07/2022
The European Data Protection Board (EDPB)
and the European Data Protection Supervisor (EDPS) adopted their joint
opinion on the European Commission's proposal for the European Health Data
Space (EHDS) on 12 July. In the 32-page paper, they identify a number of
regulatory needs to ensure a high level of protection for electronic health
data in the EHDS. The paper focuses on aspects such as data protection, data
security and legal clarity in relation to existing data protection laws, in
particular the General Data Protection Regulation (GDPR), and critically reviews them.
Data storage in Europe
Data privacy advocates are calling for the
highly sensitive and large amounts of electronic health data to be stored
within the European Economic Area (EEA). This would avoid the risk of unlawful
access and ensure effective supervision by independent data protection
authorities. This obligation to store electronic health data in the EEA would
need to be added to the draft regulation.
Wellness applications
The draft regulation's inclusion of
voluntary self-certified wellness apps and other digital health apps is
rejected for secondary data use. Data privacy advocates maintain that health
data generated by wellness apps and other digital health applications would not
be of the same quality as that generated by certified medical devices. It
should not be possible to upload data from health and fitness apps to the
electronic health record, as the inclusion of such data poses a privacy risk in
addition to reduced data quality. Thus, conclusions could be drawn not only
about the health of subjects, but also about their behavioural data, such as
eating habits. This could reveal particularly sensitive information, such as
religious orientation. If wellness applications were retained for secondary
data use, it would be essential to obtain prior consent before processing this
personal data.
Purposes of secondary use
The EDPB and the EDPS also point to a lack of
legal clarity regarding the purpose of processing these electronic health data.
The draft regulation stipulates that health data may also be used under certain
conditions for, among other things, development and innovation activities, as
well as training, testing and evaluation of algorithms and artificial
intelligence systems as long as they contribute to public health or social
security. However, how and when a sufficient connection to public health and/or
social security is established is unclear and is pending clarification.
Background of EHDS
In May, the European Commission presented a draft
regulation on a European Health Data Space. The goal is the pooling and
cross-border use of health data in the EU. Insured persons should have digital
access to their treatment data and be able to decide on its cross-border use,
e.g. for research and policy-making. Currently, the European Parliament and the
Member States are discussing the draft regulation.