European data protection authorities publish opinion

CC – 07/2022

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted their joint opinion on the European Commission's proposal for the European Health Data Space (EHDS)on 12 July. In the 32-page paper, they identify a number of regulatory needs to ensure a high level of protection for electronic health data in the EHDS. The paper focuses on aspects such as data protection, data security and legal clarity with existing data protection laws, in particular the General Data Protection Regulation (GDPR) and critically reviews them.

Data storage in Europe

Data privacy advocates are calling for the highly sensitive and large amounts of electronic health data to be stored within the European Economic Area (EEA). This would avoid the risk of unlawful access and ensure effective supervision by independent data protection authorities. This obligation to store electronic health data in the EEA would need to be added to the draft regulation.

Wellness applications

The draft regulation's inclusion of voluntary self-certified wellness apps and other digital health apps are rejected for secondary data use. Data privacy advocates maintain that health data generated by wellness apps and other digital health applications would not be of the same quality as that generated by certified medical devices. Data from health and fitness apps should not be able to be uploaded to the electronic health record as the inclusion of such data poses a privacy risk in addition to reduced data quality. Thus, conclusions could be drawn not only about the health of subjects, but also about their behavioural data, such as eating habits. This could reveal particularly sensitive information, such as religious orientation. If wellness applications were retained for secondary data use, it would be essential to obtain prior consent before processing this personal data.

Uses for secondary use

EDPB and the EDPS also point to a lack of legal clarity regarding the purpose of processing these electronic health data. The draft regulation stipulates that health data may also be used under certain conditions for, among other things, development and innovation activities, as well as training, testing and evaluation of algorithms and artificial intelligence systems as long as they contribute to public health or social security. However, how and when a sufficient connection to public health and/or social security is established is unclear and is pending clarification.

Background of EHDS

In May, the European Commission presented a draft regulation on a European Health Data Space. The goal is the pooling and cross-border use of health data in the EU. Insured persons should have digital access to their treatment data and be able to decide on its cross-border use, e.g. for research and policy-making. Currently, the European Parliament and the Member States are discussing the draft regulation.