On 3 May 2022, the European Commission published its proposal for a Regulation on the European Health Data Space (“EHDS”), one of the central building blocks of a strong European Health Union. Among other things, the proposal includes a legal framework for the use of health data by industry for innovation purposes, in particular through Artificial Intelligence (“AI”) and Machine Learning (“ML”) technology. For that purpose, companies in this space will have access to large amounts of high-quality health data to enable the development of life-saving treatments, vaccines or medical devices. This concerns not only the established players in healthcare, but also tech companies expanding into digital health by drawing on their technology know-how.
According to the Vice-President of the European Commission, Margaritis Schinas, “it is a milestone for our digital transformation and a real revolution in the European medical history." Whether the Commission has kept its promises with this proposal is, however, questionable.
Maximizing the value of data is at the heart of the digitization of all sectors of the modern economy and, given the high level of public interest, specifically of healthcare. The digitization and interconnectedness of the healthcare sector generate a vast amount of health data every second, providing healthcare services and stakeholders with potentially valuable insights. These large amounts of data could be commercialized in a variety of ways, giving rise to new “data-driven” business models for innovative services and products that foster public health. In this context, the commercialization of data in healthcare is increasingly happening through AI and ML.
As is well known, data plays a central role for AI systems in application, testing and, above all, training. For training, the rule of thumb is that the more complex the task to be learned, the more data is needed. The quantity of available data thus matters for AI alongside its quality. However, the complexity of rules, structures and processes across Member States makes it difficult to access and share health data today.
Against this background, the EHDS is the Commission’s first sectoral legislative measure, building on the Data Act and the Data Governance Act, to increase data availability and create a single European market for data. It is a harmonized framework laying the legal groundwork for the secondary use of health data in the EU, aiming to ensure the free movement, sharing and reuse of health data for the benefit of patients, businesses, researchers and public administrations. The EHDS was announced in February 2020 under the European Data Strategy and has been eagerly awaited ever since.
The EHDS reflects the high level of public interest in sector-specific legislation on access to and use of data in healthcare. One of its goals is to strengthen and expand the reuse of health data for research and innovation in the health sector, particularly through AI. This is above all about the secondary use of existing data troves, which remain largely unused – particularly in the highly regulated healthcare sector – leaving considerable innovation potential untapped.
The Commission rightly concludes that a lack of data availability, resulting from fragmented standards and specifications for storing and sharing health data, strongly hinders innovation in digital health, i.e. the development of new products and services for public health (e.g. accelerating the discovery, development and approval of new prevention approaches and treatments). This is particularly true of the industry’s difficulties in accessing health data for secondary use (i.e. the vast amounts of existing health data stored at hospitals or other healthcare providers, for example), which impacts its innovation capacity. Indeed, one of the biggest obstacles to innovation so far, as recognized by the Commission in the EHDS proposal, is the restrictions on accessing and using health data under the General Data Protection Regulation (“GDPR”), including the uneven implementation and interpretation of the GDPR by Member States.
The Commission seems to have identified a market failure, in line with its statements under the European Data Strategy. Under that strategy, the Commission emphasized that data access rights must be the exception, should be sector-specific and should only be granted where a market failure in that sector is identified or can be foreseen which competition law cannot solve (see recital 39). The proposal for the EHDS now appears to address such a market failure.
The secondary use of electronic health data is stipulated in Chapter IV of the proposal.
Art. 34 of the proposal sets out the permitted purposes for which electronic health data can be accessed and processed for secondary use by so-called “data users”, who can be anyone pursuing activities for reasons of public interest (including industry). It entitles data users to request access to electronic health data from so-called data holders, which can be public, not-for-profit or private health or care providers; public, not-for-profit or private organisations, associations or other entities; and public and private entities that carry out research with regard to the health sector. The term “electronic health data” is very broad and appears to cover all conceivable categories (from electronic health records to clinical trial data to health survey data, Art. 33 para 1).
Regarding industrial use in the healthcare sector, the following two permitted purposes are of particular interest:
Either of these purposes will allow industry to benefit from health data that could help it develop new medicinal products or new devices involving AI. Combined with AI technologies and access to real-world conditions (such as through testing and experimentation facilities), this is intended to accelerate the discovery, development and approval of new prevention approaches and treatments.
Notably, several processing purposes are prohibited, namely using the data to take decisions detrimental to individuals, to increase insurance premiums, to market health products to health professionals or patients, or to design harmful products or services.
However, industry is only permitted to access and use health data from data holders if it has obtained a data permit from a national health data access body following a data access application. The data permit sets out how the data may be used and for what purpose (Art. 44 et seqq.).
To this end, Member States must establish a health data access body for the secondary use of electronic health data and ensure that data holders make electronic health data available to data users. According to the proposal, it is a task of the health data access bodies to “support the development of AI systems, the training, testing and validating of AI systems and the development of harmonized standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health” (Art. 37 para 1 (i)).
In order to obtain access to the data for the permitted purposes, a data applicant has to submit a data access application that meets the requirements set out in Art. 45. The scope of the access provided is governed by Art. 44, which gives effect to the GDPR principles of data minimization and purpose limitation. Secondary use of the data is possible only upon payment of fees; Art. 42 regulates the calculation of the fees, including which costs they must cover.
The proposal contains provisions on setting up a cross-border infrastructure for secondary use (so-called HealthData@EU). A data user from one Member State should be able to obtain access to health data from another Member State for secondary use without having to seek permission from each of those Member States. This infrastructure is to be piloted in an “EU4Health” project starting in 2022.
The EHDS follows the GDPR’s data protection by design principle in that the data to be accessed shall be provided in anonymised form only, unless the purposes of the processing cannot be achieved with anonymised data; in that case access to pseudonymised data is permitted as well. Pseudonymised data in this sense is described as offering information about the disease, symptoms and medication without revealing the identity of the individual to the data applicant. Data users are prohibited from attempting to re-identify the data subjects. Two practical points follow from this distinction: pseudonymised data remains personal data under the GDPR (recital 26 GDPR), so the data user stays within its scope; and removing names and patient numbers does not by itself prevent re-identification, since combinations of the remaining attributes such as postcode, birth year or rare diagnoses can still single out an individual when linked with other data sets.
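To make the distinction concrete, the following is an added example and not code from the EHDS proposal, a health data access body or any data holder. It pseudonymises constructed patient records with a keyed token (HMAC-SHA256 under a key assumed to be held by the access body and never handed to the data user), shows why a plain unkeyed hash of a patient number is not a pseudonym at all, and then runs the linkage attack the re-identification prohibition is meant to deter: joining the released records with a constructed public register on the quasi-identifiers that survive pseudonymisation. All records, names and the key are invented for the demonstration.

```python
"""Pseudonymisation versus anonymisation of electronic health records.

Added example; not code from the EHDS proposal, a health data access body
or any data holder. All records are constructed, and the HMAC key stands in
for a secret the access body would keep and never hand to the data user.
"""
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed export from a hypothetical data holder (a hospital).
RAW_RECORDS = [
    {"patient_id": "P0001", "name": "Anna Beispiel", "postcode": "1010",
     "birth_year": 1958, "diagnosis": "I10", "medication": "amlodipine"},
    {"patient_id": "P0002", "name": "Bert Muster", "postcode": "1010",
     "birth_year": 1952, "diagnosis": "E11", "medication": "metformin"},
    {"patient_id": "P0003", "name": "Carla Demo", "postcode": "1020",
     "birth_year": 1975, "diagnosis": "J45", "medication": "salbutamol"},
    {"patient_id": "P0004", "name": "Dirk Probe", "postcode": "1020",
     "birth_year": 1975, "diagnosis": "I10", "medication": "ramipril"},
    {"patient_id": "P0005", "name": "Eva Test", "postcode": "1030",
     "birth_year": 1950, "diagnosis": "F32", "medication": "sertraline"},
]

# Constructed public register an attacker might hold (contains no health data).
PUBLIC_REGISTER = [
    {"name": r["name"], "postcode": r["postcode"], "birth_year": r["birth_year"]}
    for r in RAW_RECORDS
]

DIRECT_IDENTIFIERS = ("patient_id", "name")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def pseudonymise(records, key: bytes):
    """Drop direct identifiers and replace patient_id by a keyed token.

    HMAC keeps the mapping reversible only for whoever holds `key` (here the
    access body), which is exactly what makes the output pseudonymous rather
    than anonymous.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token, **rest})
    return out


def unkeyed_token(patient_id: str) -> str:
    """The common mistake: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def recover_unkeyed(token: str) -> Optional[str]:
    """Reverse an unkeyed token by enumerating the (tiny) identifier space."""
    for n in range(10_000):
        candidate = f"P{n:04d}"
        if unkeyed_token(candidate) == token:
            return candidate
    return None


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one row is unique on (postcode, birth_year) and can
    be linked to an outside register even though names are gone.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalise(records):
    """Coarsen quasi-identifiers: 2-digit postcode area, 10-year birth band."""
    return [
        {**r, "postcode": r["postcode"][:2], "birth_year": r["birth_year"] // 10 * 10}
        for r in records
    ]


def link(pseudonymised, register, quasi=QUASI_IDENTIFIERS) -> dict:
    """Linkage attack: join released rows with a register on quasi-identifiers.

    Returns {pseudonym: name} for every row whose quasi-identifier values
    match exactly one person in the register.
    """
    index = {}
    for person in register:
        index.setdefault(tuple(person[q] for q in quasi), []).append(person["name"])
    hits = {}
    for r in pseudonymised:
        names = index.get(tuple(r[q] for q in quasi), [])
        if len(names) == 1:
            hits[r["pseudonym"]] = names[0]
    return hits


if __name__ == "__main__":
    key = b"held-by-the-access-body"  # placeholder secret for the demonstration
    pseudo = pseudonymise(RAW_RECORDS, key)
    print("k-anonymity as released:", k_anonymity(pseudo))
    print("re-identified via register:", link(pseudo, PUBLIC_REGISTER))
    coarse = generalise(pseudo)
    print("k-anonymity after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", link(coarse, generalise(PUBLIC_REGISTER)))
    print("unkeyed token recovered:", recover_unkeyed(unkeyed_token("P0003")))
```

Run as a script to see the extract go from three re-identified individuals to none once postcode and birth year are generalised. The point for a data user or access body is that a k-anonymity of 1 on the released extract means the re-identification ban is the only thing standing between the data and the person; generalising the quasi-identifiers before release is what moves the extract from pseudonymised toward anonymised, at the cost of analytic resolution, and a standard for “pseudonymised” data that does not address the quasi-identifiers protects very little.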
Following issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder and shall make the data available to the data user after receiving them from the data holder.
The data can only be accessed and processed in closed secure processing environments provided by the health data access bodies, subject to clear cybersecurity standards.
The elephant in the room is the relationship between the EHDS and the GDPR, which is seen as a major obstacle to the secondary use of health data today. The proposal resolves this by establishing the future EHDS regulation itself as the legal basis for accessing and using health data under the GDPR: it is intended to serve as the legal basis under Art. 9 para 2 GDPR both for the data holder’s provision of the data and for the data user’s subsequent use. The additional requirements of Art. 6 para 1 GDPR are also met for the holder (Art. 6 para 1 (c) GDPR; the regulation imposes the legal obligation to provide the data) and for the applicant (Art. 6 para 1 (f) GDPR; the conditions of the data permit determine the outcome of the legitimate interest assessment).
In more detail: according to recital 37 of the proposal, the EHDS regulation provides the legal basis in accordance with both Artt. 6 and 9 GDPR (whose requirements must be met cumulatively for sensitive data) for the data holder’s provision of the health data to the health data access bodies. Under Art. 6 para 1 (c) GDPR, the proposed regulation constitutes the legal obligation on the data holder to provide the data. From an Art. 9 GDPR perspective, the proposed regulation constitutes the legal basis for the secondary use of health data, namely under Artt. 9 para 2
The EHDS moreover establishes the safeguards for the processing, determines the lawful purposes, provides trusted governance for access to health data (through the health data access bodies), enables the processing of health data in a secure environment and determines the modalities of the data processing, as set out in the data permit.
Under the proposal, a data applicant must demonstrate a legal basis pursuant to Art. 6 GDPR on which it could request access to the data. For industry applicants, this is Art. 6 para 1 (f) GDPR, the legitimate interests basis. The proposal, however, suggests that the applicable requirements are met by way of the data permit issued by the health data access body (as an administrative decision, the permit defines the conditions for access to the data).
Finally, as a side note, for the processing of electronic health data within the scope of a granted permit, the health data access body and the data user are joint controllers within the meaning of Art. 26 GDPR.
The EHDS attempts to foster digital health through innovative means such as AI by increasing data availability and tackling the fragmented digital health market across the EU.
At first sight, the permit-based approach seems fairly balanced: it facilitates the sharing of health data while sufficiently protecting the sensitive data of patients and other users of healthcare services.
However, and as highlighted above, the quantity of available data plays an important role for AI. Whether the permit-based approach is suitable in this context is doubtful, as it is bureaucratic and may therefore not be efficient enough to really make a difference for innovation in digital health. Whether it works also depends heavily on how Member States equip their health data access bodies, which may differ considerably across the EU (compare, for example, how differently data protection authorities are resourced in the various Member States).
An alternative may lie in adopting the GDPR’s risk-based approach for the EHDS as well. This would mean self-assessments and sufficient documentation of the (sensible) requirements the proposal sets out (e.g. permitted purposes, secure processing environments and data protection by design safeguards, see above), rather than a process channelled through health data access bodies, which may become a bottleneck.
The self-assessments could be accompanied by established standards along with ex post enforcement action to support EHDS compliance. Standards should be established, for example, for the secure processing environment and – very importantly – for the requirements on pseudonymised and anonymised data. As a European Health Data Space Board (EHDS Board) is also to be set up to promote the consistent application of the proposal, this EHDS Board could set those standards for all Member States. In addition, the envisaged cross-border infrastructure HealthData@EU – the proposed new decentralised EU infrastructure for the secondary use of health data – could serve as a secure processing environment also for national access requests to health data, which would allow the requests to be monitored to a certain extent and thus also strengthen compliance.
In this way, the availability of data would be increased even further while stringent safeguards protecting sensitive health data remain in place.