A proposal put forward by European Union lawmakers in May, to establish a legal framework to make it easier to share electronic health records and other medical data — across borders and care institutions; and with researchers and developers of innovative health products — should be revised to ensure citizens’ health data is stored locally, inside the European Economic Area (EEA), to avoid the risk of unlawful access, a joint opinion by two key EU data protection supervisory bodies has recommended.
“[Due] to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, [we] call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA,” the two supervisors write in a summary of their joint opinion on the Commission’s European Health Data Space (EHDS) proposal.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), two EU bodies which advise on the interpretation and application of laws, adopted their 32-page joint opinion on the EHDS yesterday.
In it they make a series of other suggestions for tightening the draft regulation and clarifying the interplay with existing data protection laws, warning that the Commission’s first pass falls short on that front in a number of areas.
There is already extensive regulation of health data across Europe, both nationally and at Union level (where processing this type of sensitive data with user consent requires an explicit ask, per purpose). Simplifying the process of sharing this sensitive, ‘special category’ data is thus a key driver for the EHDS — with lawmakers talking up the potential for the continent if fragmentation can be banished and citizens’ health data more easily pooled, processed and reused for purposes such as research into diseases and drug discovery, or for innovative health tech (like AI diagnosis).
But the introduction of a new legal framework that’s geared towards data sharing and reuse could have negative impacts on individual rights, like privacy and data access, if the legislation is not rigorously drawn.
The EDPB and EDPS opinion highlights a number of areas where the two bodies believe the EHDS risks creating legal inconsistencies; generating confusion for data subjects; and even undermining existing regulations — such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive — warning, for example, that it’s not clear how individual rights, like the GDPR’s right to rectification of personal, would be impacted by the framework (since the EHDS envisages not one data controller but multiple sources and recipients of personal data, at a national, EU and potentially even international level).
They are also unhappy about the proposal suggesting restricting data subjects’ right to information over so-called “secondary” uses of their health data — which the draft legislation envisages health data access bodies regulating via a data permit system.
“The EDPB and the EDPS underline that the right to information and the right to object are inextricably linked. By restricting the right to information under the GDPR, the EDPB and the EDPS are of the view that the Proposal may not achieve the objectives laid down in Article 1(2)(a) of the Proposal. In fact, the envisaged approach appears to undermine the rights of natural persons to privacy and to the protection of personal data, especially taking into account the very broad definition of secondary use and the minimum categories of electronic data for secondary use introduced by the Proposal, which is not only limited to scientific research but also includes other purposes, such as innovation,” they warn in the opinion.
“Given the wide scope of the rights and obligations set out in the Proposal with regard to the access, use and sharing of special categories of personal data as is the case for health data, general references to the GDPR and the EUDPR [data protection regulation] may not suffice. In this regard, the EDPB and the EDPS consider that there may be a risk of misinterpreting key provisions related to data protection which, in turn, may lead to a lowering of the level of protection currently granted to data subjects under the existing EU data protection legal framework (GDPR, EUDPR and ePrivacy Directive). Therefore, the EDPB and the EDPS consider further specifications necessary,” they add.
In an accompanying statement, EDPB chair, Andrea Jelinek, also warns: “The EU Health Data Space will involve the processing of large quantities of data which are of a highly sensitive nature. Therefore, it is of the utmost importance that the rights of the EEA’s individuals are by no means undermined by this Proposal. The description of the rights in the Proposal is not consistent with the GDPR and there is a substantial risk of legal uncertainty for individuals who may not be able to distinguish between the two types of rights. We strongly urge the Commission to clarify the interplay of the different rights between the Proposal and the GDPR.”
Risks of ‘Quantified self’ data
The two data supervisors are also recommending that the proposed for a European Heath Data Space is revised to shrink the types of information in scope — to only include bona fide health data — advocating for the removal of a reference that would also draw in data from wellness and other consumer health/fitness apps (such as behavioral/lifestyle data) too, where it has been uploaded to a person’s electronic health record (EHR).
The pair argue that including such data would pose a major privacy risk for individuals, since such high dimension lifestyle/behavioral data could be used to make sensitive inferences about the data subjects linked to their health.
They also raise a further concern — warning that consumer-grade tech does not generate the same quality of data as professional health services and medical devices. Ergo, bundling it with robust health data could lead to other problematic and potentially discriminatory linkages being made.
“The EDPB and the EDPS are aware that the COVID-19 pandemic has greatly accelerated the use of medical devices, wellness applications or wearables amongst the general population. However, this kind of technology generates an enormous amount of data, often special categories of personal data, and can be highly invasive. More than tracking humans’ actions and decisions, it is now possible to track humans’ bodies, minds and emotions at a level that even humans themselves might not be able to do. These data can then be used to predict people’s actions and manipulate their behaviour, even at a group level,” they write in the opinion.
“Mandatory availability of electronic heath data generated by medical devices, wellness applications or other digital health applications for secondary use must be assessed against the rapid technological developments in mobile and wearable technology and the increasing popularity of ‘quantified self’ apps and devices, that allow people to register all kinds of aspects about their personality, mind, body, behavioural patterns and whereabouts,” they also recommend. “Clearly these types of data processing deserve significant attention, since it is not easy to recognize as the processing of health data by the concerned data subjects. However, at the same time this brings real privacy risks, especially in the case where such data are processed for additional purposes and/or combined with other data or transferred to third parties.
“These types of data processing may create specific risks, including the risk of unequal or unfair treatment based on data about a person’s assumed or actual health status derived, for example through profiling, of very intimate details concerning his/her private life, irrespective of whether these conclusions concerning his/her health status are accurate or not. In fact, those risks may also be linked to the reliability and accuracy of data generated by medical devices, wellness applications or other digital health applications. Against this background, the EDPB and the EDPS acknowledge that Article 33(3) attempts at delimiting which data generated by medical devices, wellness applications or other digital health applications shall be made available for secondary uses. However, the EDPB and the EDPS underline that it is still unclear either what kind of data fall under this category or who would assess its validity and quality once inserted by individuals in their own EHR pursuant to Articles 3(6).”
If EU lawmakers are set on maintaining such data in scope of the sharing framework, the pair recommend the proposal is amended to ensure individuals remain free to decide “if and which of their personal data generated by wellness application and other digital applications… shall be shared with other recipients and further processed for secondary uses”.
Any further processing must also clearly comply with data protection legislation, they stress, and there must also be “suitable mechanisms” put in place to ensure that data subjects’ choices are respected. (Which could be a warning against any moves to replicate adtech style ‘consent’ systems, which certainly get people’s data moving but have been found to breach the GDPR… )
“Health data generated by wellness applications and other digital health applications are not of the same quality as those generated by medical devices. Moreover, these applications generate an enormous amount of data, can be highly invasive and may reveal particularly sensitive information, such as religious orientation. Wellness applications and other digital health applications should therefore be excluded from being made available for secondary use,” said EDPS supervisor Wojciech Wiewiórowski in another supporting statement.
The two data supervisors go on to warn that the “success” of the EHDS will depend on what they summarize as “a robust legal basis for processing in line with EU data protection law, the establishment of a strong data governance mechanism and effective safeguards for the rights and interests of natural persons that are fully compliant with the GDPR” — which they emphasize must be accompanied by “sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights”.
“In this regard, the EDPB and the EDPS consider that the EHDS should serve as an example of transparency, effective accountability and proper balance between the interests of the individual data subjects and the shared interest of society as a whole,” they add.
The Commission was contacted for a response to the recommendations. At the time of writing it had not sent a reply.
Update: Commission officials said it has “taken note” of the recommendations and is “carefully scrutinizing” the proposals of EDPB and EDPS.
“The EDPB and the EDPS welcomed the idea of strengthening the control of individuals over their personal health data and facilitating both the primary and secondary use of electronic health data, meanwhile the EDPB and EDPS in their opinion made recommendations for co-legislators concerning some data protection aspects,” the Commission source added.
The process of EU lawmaking typically loops in the European Parliament and Council, as co-legislators, who vote on and can amend Commission proposals — so there is an established path for addressing the two data supervisors’ concerns if there is consensus that the framework needs to be bolstered to protect fundamental rights.
The EHDS fits into an overarching strategy by the bloc’s lawmakers, set out by the Commission back in 2020, to boost data reuse for economic and societal gain.
Since then, the EU’s executive has been busy slotting in key regulatory planks, such as the Data Governance Act (introduced at the end of 2021, it was adopted by the co-legislators this year and entered into force on June 23); and the Data Act (proposed February 2022).
Internal market commissioner, Thierry Breton, has suggested the data strategy will help Europe tip the scales away from US-dominated Big Tech — by putting enabling rules and infrastructure in place that will make the region “the most data-empowered continent in the world”, as he has put it.
However critics who blame the EU’s relative lack of homegrown tech giants on its penchant for high dimension regulation are unlikely to be won round to a ‘medicine’ of (yet) more rules delivering a winning innovation formula.
Time will tell which side is right — but the Commission is pressing on in the meanwhile.
The EHDS is the first of what it hopes will be a series of bespoke common “data spaces” to boost industrial data sharing and reuse and to encourage citizens to donate personal data for “altruistic” causes (like heath research or fighting climate change).
Its plan to spin up these spaces involves coming with dedicated rules and requirements for specific sectoral or topic-based information-sharing hubs — like the EHDS — in order to create conditions for “secure and privacy-preserving access and interoperability” via dedicated trusted infrastructure and processes — and thereby grease the pipes of data sharing for research and innovation.
And for economic gain — with huge store being placed by lawmakers on improving access to data as a strategy to charge up development of Europe’s AI ecosystem.
Other data spaces the Commission has mooted include one for the region’s manufacturing industry; another for mobility; and one for the EU’s green deal, to support the bloc’s decarbonization and emissions reduction goals.
The rapid adoption of the Data Governance Act suggests there’s broad backing among EU lawmakers for the data reuse strategy. Although certain sectoral/thematic data spaces rules — such as health — may generate more debate/dispute as commercial imperatives intersect with individual rights.
Health is certainly one of the most sensitive areas to encourage data sharing so it may seem an odd choice for the Commission to prioritize for the first common data space. But the COVID-19 pandemic has concentrated lawmakers’ minds on having smoother mechanisms for getting health data moving to be ready for the next emergency.
Since each data space will be accompanied by its own set of bespoke rules the approach will inevitably amp up compliance complexity for those wanting to tap in — but the idea is the benefits will outweigh the administrative burden.
However, as the EDPB and EDPS are warning, the EU increasing the sprawl of digital regulation raises the risk of inconsistencies being introduced into its legal framework which could harm individual rights in areas like data protection as more rules overlap and/or get meshed together.
It could also create fresh legal uncertainties for business if regulatory requirements fail to line up.
Security and privacy researcher, Lukasz Olejnik, who has worked on health tech policy in Europe, agrees this is a growing risk. “In the previous, and the next five years, policies towards technologies are constantly popping up. Their confluence and fusion may create additional risks: Of compliance, even lesser protections,” he tells TechCrunch.
“I don’t deny that digitisation of health data may help lower costs, perhaps even contribute in improving healthcare or even saving lives. But it also carries risks. Of misuse, of leaks, of theft. Such centralised ‘spaces’ could become a tempting point for cyberattacks,” he also warns.