On 3 May, the Commission published its proposal for a Regulation on the European Health Data Space (EHDS). The measure constitutes the first sectoral intervention of the Commission’s plan to develop thirteen common European data spaces, as announced by the Digital Europe Work Program for 2021-2022. As such, the Commission’s proposal for an EHDS is in line with the overall objective of the European strategy for data to create a single European data space, namely
“a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimizing the human carbon and environmental footprint” (p. 4).
The Commission’s proposal for an EHDS attempts to achieve this ambition for personal and non-personal electronic health data on three main fronts. First, the measure tries to improve access to and control by natural persons over their personal electronic health data in the context of healthcare. The proposal calls this the “primary use of electronic health data.” Second, it enhances access to healthcare data for purposes that benefit society as a whole, such as research, innovation, policy-making, patient safety, personalized medicine, official statistics and regulatory activities. This is called the “secondary use of electronic health data.” Finally, it tries to streamline the functioning of the internal market by laying down a uniform legal framework for the development, marketing, and use of electronic health record systems in conformity with Union values.
The second objective – outlined in chapter IV of the proposal – is an important contribution to discussions about increasing access to and reuse of health data, as it is closely aligned with the regulatory objectives laid down by the Data Governance Act (DGA) and Data Act (DA) proposal. This is especially true for the business-to-government (B2G) data sharing rules proposed by the EHDS, which are closely intertwined with those developed by the DA proposal. On this point, the relationship between the two measures might give rise to legal uncertainty because of the lack of explicit provisions regulating the two horizontal and sectoral regimes.
This lack of coordination needs to be addressed by the European legislator to provide effective conditions for B2G data sharing uptake in the European data economy, both for horizontal and sector-specific dynamics. This should be done by introducing a strong public interest justification in the DA instead of watering down the EHDS proposal.
Chapter IV of the proposed EHDS is an important step for the development of the data commons in Europe as it establishes the conditions for greater access to and sharing of health data to fulfill societal objectives of general interest.
The chapter starts by stipulating an obligation for data holders – any public, private, and not-for-profit organization, except for micro-enterprises – to make electronic data available for secondary use in a secure processing environment. Access to the shared data is administered by new intermediary bodies – ‘health data access bodies’ – that are designated Member State authorities. Their main obligation is to evaluate the validity of access requests by third parties, which can be based on the following grounds: activities for reasons of public interest in the area of public and occupational health, activities of public sector bodies, compilations of statistics, education or teaching activities, scientific research, development of innovation activities for products and services in the area of public health, training, testing and evaluating algorithms, and providing personalized healthcare to natural persons. Any natural or legal person can submit a data access application. Both health data access bodies and individual data holders can charge reuse fees at the level of incurred marginal costs.
Health data access bodies also have to protect electronic health data via “all measures necessary” where the collected data is an object of intellectual property rights and trade secrets. In addition, they must make data available in an anonymized or pseudonymized format through a single information point. The collected data must be accompanied by “data quality and utility labels developed by data holders.” The single information point must also provide public information on all issued data permits, requests, and applications as well as on the results obtained by data users following access to health data. Finally, health data access bodies are also tasked with monitoring the application of chapter IV and cooperating at both the Union and national levels to develop appropriate measures and requirements for accessing electronic health data in a secure processing environment.
The proposed rules also contain a list of prohibited uses: health data cannot be used for purposes that are detrimental to a natural person, to exclude them from the benefit of an insurance contract, for advertising or marketing activities, to provide access to unauthorized third parties, or to develop products that may harm individuals and society at large.
Finally, chapter IV also covers situations of cross-border access to electronic health data for secondary use. It stipulates an obligation for the Member States to designate a national contact point for secondary uses to be connected through HealthData@EU – a new data sharing infrastructure that is to be developed by the Commission via implementing acts. Member States and the Commission must ensure the interoperability of HealthData@EU with other relevant common European data spaces.
Health data access bodies have a high degree of responsibility for granting access and ensuring the availability of electronic health data for secondary uses in the Union. One of their tasks is also related to enabling data sharing flows between data holders and public sector bodies. In article 34, there are two main legal grounds for B2G data sharing where health data access bodies can channel access requests from public bodies.
First, in art. 34(1)(a), health data access bodies must support
“activities for reasons of public interest in the area of public and occupational health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices”
Second, art. 34(1)(b) stipulates that health data access bodies must
“support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates” (art. 34.1.b).
Article 34(3) also clarifies that access to privately-held data for the purpose of preventing, responding to, or assisting in the recovery from public emergencies must be in line with article 15 DA. Yet, at the same time, recital 41 also adds that
“There is a need for public bodies to go beyond the emergency scope of Chapter V of the DA”.
This specification might give rise to legal uncertainty on the overall scope of the B2G data sharing rules proposed by the EHDS and on their intersection with the DA proposal. It suggests an overall lack of coordination between sectoral and horizontal rules which might ultimately hinder B2G data sharing dynamics in the Union.
This lack of alignment is particularly evident in art. 34(1)(a) of the EHDS proposal which introduces a public interest framework that is currently missing in the proposed DA (which contains a mechanism for cases of “exceptional need” instead). The DA proposal foresees access to privately-held data by public sector bodies in situations where data is necessary to respond to a public emergency (art. 15(a) DA), and to prevent and assist the recovery from a public emergency (art. 15(b) DA). These are aligned with the scope of the EHDS, as stipulated in article 34(3).
However, this is not the case for the rules contained in art. 15(c) DA, which regulates B2G data sharing in situations “where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law.” The latter mechanism is superseded by the EHDS proposal since the sectoral rules for electronic health data introduce a much more ambitious framework rooted in public interest justifications in the area of public and occupational health. This is also confirmed by recital 41 which makes it clear that
“Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfill their mandate, which is provided by this Regulation”.
As such, the EHDS rules clearly go beyond the exception-based and time-limited framework proposed by the DA provisions in article 15(c), showing that — in line with the ambitions expressed in the data strategy — there is a place for structural public interest data sharing provisions in the EU legislation.
To prevent legal uncertainty, the European legislator needs to make sure that the two measures are better aligned to enable effective conditions for B2G data sharing in the EU. For this to occur, the EHDS sectoral rules could serve as a template for a more ambitious B2G horizontal framework in the DA. As we argued in this policy brief, this should be done by including a strong public interest justification in the DA proposal and not by watering down the sector-specific provisions introduced by the EHDS.