In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS). For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.
We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.
1. Basic structure has not changed
The basic idea behind the EHDS has not changed. Holders of electronic health data will be required to make their data available to health data access bodies (HDAB), who, in turn, will make it available in a secure platform to data users who obtained a permit. The data users can only download anonymous data from the platform. According to the recitals, the anonymization should occur as early as possible in the chain so, in most cases, probably by the data holder. In our experience, “anonymization” of health data is a tricky topic, with different regulators and companies taking different approaches; to address this, the recitals to the EHDS provide that the Commission should set out a “unified procedure” for anonymization and pseudonymization.
In exceptional cases, the data user may seek access to pseudonymized data, instead of anonymous data. The data user must identify an appropriate legal basis for its intended use, such as legitimate interest (Art. 6(1)(f) GDPR). A recital in the agreed text now indicates explicitly that the EHDS itself provides the safeguards required under Art. 9 GDPR for the processing of special category personal data, such as health data.
The data covered by the EHDS has not substantially changed vis-vis the Commission proposal. It still covers, for example, electronic health data from electronic health records, clinical trial data (recitals, but not legal text, limit this to data relating to trials that have ended, and there is also no explicit exclusion trials closed prior the entry into force of the EHDS), data from wellness apps, genetic data, personal health data generated by medical devices and other health data from medical devices, data from registries, and data from research cohorts (but only after the first publication of the results). Member States may add data categories on national level, and they may adopt national-level access limitations for certain sensitive data types, such as genetic data and biobanks.
2. Introduction of an opt-out
One of the most controversial topics of the EHDS was the introduction of a (reversible) right to opt-out for EU citizens. The original Commission proposal did not contain such a right under the assumption (correct in our opinion) that the EHDS contained sufficient safeguards itself. However, the European Parliament and some Member States disagreed and insisted on inserting a right to opt-out.
Member States will have to provide for an accessible and easily understandable opt-out mechanism. After individuals opt-out (“and where personal electronic health data relating to them can be identified in a dataset”), the data of those individuals must not be shared with data users, even in anonymous form. Member States can adopt derogations from the opt-out rule (i.e., allow for the use of data despite an opt-out), but only in favor of certain secondary use by public bodies and under strict conditions.
Finally, the EHDS provides that data holders will not be required to collect and store personal data merely to comply with the opt-out rule. In other words, pharmaceutical companies do not have to change their practices of only collecting pseudonymized clinical trial data, merely to meet the reversible opt-out choices of trial participants.
We expect that the opt-out rule will raise many questions in practice. For example, the text is silent on the level of granularity required for the opt-out. It is also unclear how the opt-out will be managed and by whom. Member States can rely on the HDAB to do this, but they do not have to, which could lead to a divergence in approaches. It is also unclear how the opt-out will work for data sets collected prior to the entry into force of the EHDS and where there is no easy link with the individuals (e.g., pseudonymized data). Similarly, the reversibility of the opt-out choice will be difficult to implement for certain data sets even after the entry into force the EHDS (e.g., for clinical trial data where only the hospital can make the link with the patient).
3. Improved language on IP protection
The original Commission proposal was quite cavalier in respect of IP rights. The adopted text expands on this aspect of the EHDS considerably (and is broadly aligned with the Data Act) through a detailed regime on identifying IP-protected data and trade secrets, measures that the HDAB needs to take to protect the relevant data, and a possibility to refuse access in case of serious risks to IP-rights or trade secrets. The IP regime also includes a dedicated complaint procedure.
4. Limited data localization
While the European Parliament proposed sweeping data localization requirements for all electronic heath data, the final text appears much more moderate. In a nutshell, Member States can (but do not have to) require that personal electronic health data used for healthcare purposes (primary use) be stored in the EU.
Similarly, in relation to secondary use, HDAB will have to store the data they process for purposes of EHDS (i.e., the collection of data for sharing with a data users, anonymization efforts and the delivery of the secure platform) in the Union or in a third country that provides adequate protection in accordance with the GDPR – thus including entities certified to the EU-US Framework.
Finally, in accordance with Art. 9(4) GDPR, Member States maintain the right to restrict or condition international transfers of personal electronic health data, for example to data users or processors outside the EU, above and beyond the conditions imposed by the GDPR itself.
5. Restrictions on international transfers of non-personal data
EHDS may restrict international transfers of non-personal data in two ways.
First, non-personal health data held by HDAB (but not trusted health data holders, apparently) and made available for secondary use are considered “highly sensitive” (in accordance with the Data Governance Act), provided there is a risk of re-identification “through means going beyond those reasonably likely to be used” (otherwise it would be personal data to begin with). For this non-personal data, the European Commission can set out protective measures in secondary legislation.
Second, in relation to secondary use, HDAB and data users must prevent international transfers of non-personal data where such a transfer would create a conflict with Union or Member State law. Similar to the GDPR, transfers of non-personal data pursuant to a foreign court order or administrative decision are also restricted, unless the legal regime of the third country in question meets certain standards. Subject to some exceptions, the data holder must be informed about the data request prior to the transfer.