Last May, the Commission published a proposal for a Regulation on the European Health Data Space (EHDS) with the objective of fostering access to and reuse of electronic health data. To achieve the reuse of healthcare data for so-called ‘secondary purposes’ – namely, “to contribute to the general interest of the society” (recital 41) – the proposal introduces Health Data Access Bodies as central public institutions to govern the collection of and access to data by third parties. In doing so, the proposal establishes specific rules for governing electronic health data as a European commons by obliging data holders to share certain categories of electronic health data while regulating third parties’ access to data based on specific legal grounds.
We previously responded to the Commission’s public consultation on the European health data space focusing our submission on suggesting improvements to maximize and redistribute the societal value stemming from access to and sharing of electronic health data by strengthening the public accountability and collective governance of Health Data Access Bodies. In collaboration with Instrat Foundation, we proposed a governance framework that increases community participation in decision-making and democratic oversight of electronic health data while building trust-by-design mechanisms in Health Data Access Bodies.
In this context, a recent paper published by Petros Terzis – a research fellow at the University College London – identifies another problematic aspect of the Commission proposal: the legal bases regulating access to electronic health data might allow established market players to access data of general interest without necessarily demonstrating alignment with public interest justifications.
To govern electronic health data as a true data commons at the European level, the rules introduced by the EHDS proposal regulating access to data should be improved in line with two design principles that we have described in our Data Commons Primer. First, the proposal needs to better align conditions for access to and use of centrally stewarded data with public interest considerations to generate public value. Second, the measure needs to ensure society-wide participation and democratic oversight by the community over its data via the establishment of independent supervisory panels in the design structure of Health Data Access Bodies.
Legal bases for secondary uses
Article 34 identifies eight legal bases where third parties can submit a data access application to Health Data Access Bodies. In his paper, Petros Terzis identifies the last four as problematic as they offer significant pathways for established market players to access electronic health data, without necessarily acting in the public interest. These concern situations where third parties can access the data to
- (e) scientific research related to health or care sectors;
- (f) development and innovation activities and products;
- (g) training, testing and evaluating algorithms; and
- (h) providing personalized healthcare to natural persons.
Regarding the justification of conducting scientific research (point e), the proposed text does not elaborate on specific benchmarks against which the validity and merit of research endeavors by private sector bodies can be evaluated. The measure does not specify whether such research projects need to generate public value but rather vaguely states in recital 41 that “the provision of data should also support activities related to scientific research (including private research).” As pointed out by the EDPB-EDPS joint opinion, this wording might give rise to situations where private sector bodies can access centrally pooled electronic health data without contributing to research aligned with public interests, but mainly with commercial ones.
Further, the proposal allows private companies to access data to develop innovative services contributing to public health or social security (point f), for training, testing and evaluating algorithms (point g), as well as to provide personalized health care to natural persons (h). These requirements can be interpreted as granting private companies access to electronic health data to train their proprietary artificial intelligence algorithms and to develop products in data-intensive industries in the healthcare sector, such as with the Internet of Things appliances. And this is problematic for multiple reasons. Not only can they give rise, once again, to uses and services which might not be socially beneficial; but they also increase public sector dependencies on privately owned computational infrastructure in the healthcare sector – where Big Tech has significantly expanded their business activities in recent years.
As pointed out by the Radboud University submission to the European Commission public consultation, this could foster the scenario where commercial profits generated from accessing datasets created by public sector bodies do not flow back to the public. Instead, they would remain privatized, increasing the reliance of public institutions on private digital infrastructure in the healthcare field – a crucial area of public activity.
Building a European data commons in the healthcare sector
The rules regulating access to electronic health data in the EHDS proposal need to be revised to develop a fair data ecosystem where uses stemming from data access can benefit society as a whole. To make this happen, and build a true European commons for electronic health data, the EHDS proposal needs to be improved along two points. First, the conditions allowing for access and use of centrally stewarded data should be aligned with public interest considerations. Second, the community should be involved in the governance of the EHDS via society-wide participation and democratic oversight over its data.
First, as we argue in our Data Commons Primer, a successful data commons needs to ensure that data of general interest is used to develop products and services that increase the common good. To maximize public value generation, article 34 of the EHDS proposal should be improved so that the legal bases allow private sector bodies to conduct scientific research, develop innovative products and services, train, test, and evaluate algorithms, and provide personalized health care, are aligned with public interest considerations. This can restructure the data value cycle, change the balance of power, and introduce a regenerative function to the health data ecosystem.
Second, Health Data Access Bodies need to be publicly accountable by ensuring that access to and use of data is aligned with societal interests. This objective can be achieved by improving the governance structure of Health Data Access Bodies by making sure that it incorporates permanent venues of engagement where the community can enjoy greater autonomy and decision-making on the shared data. As we point out in our response to the Commission’s public consultation on the European health data space, to make this happen, the Health Data Access Bodies should have in place a democratic framework of collective data governance; that would have the form of independent supervisory panels where the community is represented in the governance structure of electronic health data at the European level.
