Europe’s health data reuse plan needs some surgery, say privacy supervisors

A proposal put forward by European Union lawmakers in May, to establish a legal framework to make it easier to share electronic health records and other medical data — across borders and care institutions and with researchers and developers of innovative health products — should be revised to ensure citizens’ health data is stored locally, inside the European Economic Area (EEA), to avoid the risk of unlawful access, a joint opinion by two key EU data protection supervisory bodies has recommended.

That looks like wise council — given ongoing legal uncertainty clouding personal data exports to third countries, following major privacy rulings by the bloc’s top court since 2015.

“[Due] to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, [we] call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA,” the two supervisors write in a summary of their joint opinion on the Commission’s European Health Data Space (EHDS) proposal.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), two EU bodies which advise on the interpretation and application of laws, adopted their 32-page joint opinion on the EHDS yesterday.

In it they make a series of other suggestions for tightening the draft regulation and clarifying the interplay with existing data protection laws, warning that the Commission’s first pass falls short on that front in a number of areas.

There is already extensive regulation of health data across Europe, both nationally and at Union level (where processing this type of sensitive data with user consent requires an explicit ask, per purpose). Simplifying the process of sharing this sensitive, ‘special category’ data is thus a key driver for the EHDS — with lawmakers talking up the potential for the continent if fragmentation can be banished and citizens’ health data more easily pooled, processed and reused for purposes such as research into diseases and drug discovery, or for innovative health tech (like AI diagnosis).

Homegrown European health tech startups, like telehealth platform Kry, have also weighed in with some supportive words for the EU’s plan.

But the introduction of a new legal framework that’s geared towards data sharing and reuse could have negative impacts on individual rights like privacy and data access if the legislation is not rigorously drawn.

The EDPB and EDPS opinion highlights a number of areas where the two bodies believe the EHDS risks creating legal inconsistencies; generating confusion for data subjects; and even undermining existing regulations — such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive — warning, for example, that it’s not clear how individual rights, like the GDPR’s right to rectification of personal, would be impacted by the framework (since the EHDS envisages not one data controller but multiple sources and recipients of personal data, at a national, EU and potentially even international level).

They are also unhappy about the proposal suggesting restricting data subjects’ right to information over so-called “secondary” uses of their health data — which the draft legislation envisages health data access bodies regulating via a data permit system.

“The EDPB and the EDPS underline that the right to information and the right to object are inextricably linked. By restricting the right to information under the GDPR, the EDPB and the EDPS are of the view that the Proposal may not achieve the objectives laid down in Article 1(2)(a) of the Proposal. In fact, the envisaged approach appears to undermine the rights of natural persons to privacy and to the protection of personal data, especially taking into account the very broad definition of secondary use and the minimum categories of electronic data for secondary use introduced by the Proposal, which is not only limited to scientific research but also includes other purposes, such as innovation,” they warn in the opinion.

“Given the wide scope of the rights and obligations set out in the Proposal with regard to the access, use and sharing of special categories of personal data as is the case for health data, general references to the GDPR and the EUDPR [data protection regulation] may not suffice. In this regard, the EDPB and the EDPS consider that there may be a risk of misinterpreting key provisions related to data protection which, in turn, may lead to a lowering of the level of protection currently granted to data subjects under the existing EU data protection legal framework (GDPR, EUDPR and ePrivacy Directive). Therefore, the EDPB and the EDPS consider further specifications necessary,” they add.

In an accompanying statement, EDPB chair, Andrea Jelinek, also warns: “The EU Health Data Space will involve the processing of large quantities of data which are of a highly sensitive nature. Therefore, it is of the utmost importance that the rights of the EEA’s individuals are by no means undermined by this Proposal. The description of the rights in the Proposal is not consistent with the GDPR and there is a substantial risk of legal uncertainty for individuals who may not be able to distinguish between the two types of rights. We strongly urge the Commission to clarify the interplay of the different rights between the Proposal and the GDPR.”

Risks of ‘Quantified self’ data

The two data supervisors are also recommending that the proposed for a European Heath Data Space is revised to shrink the types of information in scope — to only include bona fide health data — advocating for the removal of a reference that would also draw in data from wellness and other consumer health/fitness apps (such as behavioral/lifestyle data) too, where it has been uploaded to a person’s electronic health record (EHR).

The pair argue that including such data would pose a major privacy risk for individuals, since such high dimension lifestyle/behavioral data could be used to make sensitive inferences about the data subjects linked to their health.

They also raise a further concern — warning that consumer-grade tech does not generate the same quality of data as professional health services and medical devices. Ergo, bundling it with robust health data could lead to other problematic and potentially discriminatory linkages being made.

“The EDPB and the EDPS are aware that the COVID-19 pandemic has greatly accelerated the use of medical devices, wellness applications or wearables amongst the general population. However, this kind of technology generates an enormous amount of data, often special categories of personal data, and can be highly invasive. More than tracking humans’ actions and decisions, it is now possible to track humans’ bodies, minds and emotions at a level that even humans themselves might not be able to do. These data can then be used to predict people’s actions and manipulate their behaviour, even at a group level,” they write in the opinion.

“Mandatory availability of electronic heath data generated by medical devices, wellness applications or other digital health applications for secondary use must be assessed against the rapid technological developments in mobile and wearable technology and the increasing popularity of ‘quantified self’ apps and devices, that allow people to register all kinds of aspects about their personality, mind, body, behavioural patterns and whereabouts,” they also recommend. “Clearly these types of data processing deserve significant attention, since it is not easy to recognize as the processing of health data by the concerned data subjects. However, at the same time this brings real privacy risks, especially in the case where such data are processed for additional purposes and/or combined with other data or transferred to third parties.

“These types of data processing may create specific risks, including the risk of unequal or unfair treatment based on data about a person’s assumed or actual health status derived, for example through profiling, of very intimate details concerning his/her private life, irrespective of whether these conclusions concerning his/her health status are accurate or not. In fact, those risks may also be linked to the reliability and accuracy of data generated by medical devices, wellness applications or other digital health applications. Against this background, the EDPB and the EDPS acknowledge that Article 33(3) attempts at delimiting which data generated by medical devices, wellness applications or other digital health applications shall be made available for secondary uses. However, the EDPB and the EDPS underline that it is still unclear either what kind of data fall under this category or who would assess its validity and quality once inserted by individuals in their own EHR pursuant to Articles 3(6).”

If EU lawmakers are set on maintaining such data in scope of the sharing framework, the pair recommend the proposal is amended to ensure individuals remain free to decide “if and which of their personal data generated by wellness application and other digital applications… shall be shared with other recipients and further processed for secondary uses”.

Any further processing must also clearly comply with data protection legislation, they stress, and there must also be “suitable mechanisms” put in place to ensure that data subjects’ choices are respected. (Which could be a warning against any moves to replicate adtech style ‘consent’ systems, which certainly get people’s data moving but have been found to breach the GDPR… )

“Health data generated by wellness applications and other digital health applications are not of the same quality as those generated by medical devices. Moreover, these applications generate an enormous amount of data, can be highly invasive and may reveal particularly sensitive information, such as religious orientation. Wellness applications and other digital health applications should therefore be excluded from being made available for secondary use,” said EDPS supervisor Wojciech Wiewiórowski in another supporting statement.

The two data supervisors go on to warn that the “success” of the EHDS will depend on what they summarize as “a robust legal basis for processing in line with EU data protection law, the establishment of a strong data governance mechanism and effective safeguards for the rights and interests of natural persons that are fully compliant with the GDPR” — which they emphasize must be accompanied by “sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights”.

“In this regard, the EDPB and the EDPS consider that the EHDS should serve as an example of transparency, effective accountability and proper balance between the interests of the individual data subjects and the shared interest of society as a whole,” they add.

The Commission was contacted for a response to the recommendations.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *