The “GDPR of patient data” is on its way

The EU’s much anticipated pioneering legislation on artificial intelligence, adopted in March 2024, took away the limelight from another key legislation concerning data protection, namely on patients’ digital rights.

The European Health Data Space proposal presented by the European Commission in May 2022 aims to provide patients with better control over their data in the digital era. In line with this, the EU aims to support scientists involved in increasingly complex health research with reliable access to large-scale data from all over the 27 member states.

More precisely the European Health Data Space envisages empowering individuals to be able to have better control over their health data. At the same time, it facilitates the use of health data for better healthcare services, research, innovation, and policy-making. This will be enabled by inter-member state regulations, allowing researchers to leverage the opportunities for secure data exchange and reuse across borders. Thus simplifying and regulating patient data sharing across various scientific and research fields.

Deeply embedded in EU law

Following conclusive negotiations between the member states and the Parliament, the new data space forms part of a larger regulatory framework under Ursula von der Leyen’s European Commission, as a key component of the European Health Union while being closely linked to the European Data Strategy. This framework builds on the General Data Protection Regulation (GDPR), proposals on data governance, data sharing legislation, and the directive on the security of network and information systems. Emma O’Driscoll, the Council’s spokesperson on health issues, speaking to EUrologus says that while the European Parliament is expected to vote on the compromise agreement by the end of its current parliamentary term (before June), final approval by the Council will likely occur in the autumn, already during the next European Commission cycle.

Beyond the legislation, the EU’s ambition is for the data space to evolve into a digital healthcare ecosystem composed of rules, common standards, practices, infrastructures, and governance frameworks.

The data-sharing system will be based on the logical structure of primary and secondary health data use. Primary data use allows direct access to patient data primarily for doctors and pharmacists. While secondary use extends beyond individual patient care to include data utilisation for research, innovation, policy-making, and regulatory activities. Enhancing national and EU-level digital access and control for patients, and facilitating portability after the regulation’s enactment in the Official Journal of the European Union in autumn 2024.

Opt-outs and too too many exemptions

However, not everyone shares the policymakers’ optimism. Elisabetta Biasin, a PhD researcher specialising in healthcare law at the KU Leuven Centre for IT & IP Law, warned in an interview with EUrologus about overly broad exceptions for secondary use, potentially leading to legal uncertainties.

Biasin points out that “What has been problematic from the beginning is having a list of both permitted and prohibited purposes. It would have been better to have a general prohibition with a list of exceptions, like in the GDPR for the processing of sensitive data. The compromise text has improved from its initial version. However, some hypotheses should be more specific and more explicitly connected to public health or social security purposes”.

The new rules classify primary and secondary health data based on their usage. Primary health data directly relates to patient care, allowing individuals to control their own health data. Secondary health data covers aggregated, anonymised data not tied to individual identities but used as statistical samples for broad analysis.

Controversy arises over patient rights to deny access to their data for research purposes, reflecting a broader debate on balancing privacy with the public good. According to MEPs discussing the draft law, patients have the right to demand that they be denied access to their data for research purposes. Nor can lawmakers ignore the wishes of patients who do not want their confidential data, for example on abortions, HIV status, miscarriages or cancer survival, to be made available for the public good.

Another concern, according to an expert who spoke to EUrologus on condition of anonymity and who has insight into the preparation of the dossier from the Commission’s side, is that the legislator has tried to create rules on data transfer before it has a clear understanding of how health data will be used and shared. That said, our source says it is hopeful that there is a high rate of patient consent for non-profit research, and this is particularly true for rare diseases and those affecting children.

In any case, at the final stage of the negotiations between the EP and the representatives of the member states in early March, the delegates were forced to go home without an agreement, despite negotiating until 5 a.m. on one occasion. Some condemned the members of the Renew Europe group, who stayed away from the negotiating table.

Main course: patients opt-out rights

The main problem was the so-called right to opt out of sharing patient data. Originally, the European Commission proposal did not allow for this option, but it was subsequently inserted by MEPs. In the end, the Council compromise concluded that it should be up to each country to decide which data-sharing opt-outs are permitted for citizens.

The economic stakes of health data utilisation are significant, with initial European Commission estimates suggesting benefits between €1,4 billion and €4 billion from improved health services and savings from enhanced telemedicine and cross-border data exchange.

Regarding the application of the rules, according to an analysis by the Swedish Institute for European Studies (Sieps), the introduction of the health data space will impact a broad array of market players within the healthcare sector, including European electronic health record vendors, wellness app developers, pharmaceutical companies, and pharmacies, potentially accelerating competition in AI development within the European health sector.

Original source: https://hvg.hu/360/20240415_eu-betegadatok-gdpr