EHDS Position Paper

EU Commission’s draft regulation “on the European Health Data Space”, COM(2022) 197 final, 
The  organisation of health services is the responsibility of the Member  States. With this draft regulation, the EU is exceeding its competences. Electronic  health records are to be established compulsorily for all citizens and  their health data subjected to commercial use. There is no provision for  solidarity-based compensation for citizens who suffer disadvantages as a  result. The proposed level of security is criticised by many experts as  insufficient.

EU Commission’s Health Data Commercialization Act

The   draft regulation proposes making the health data of all EU citizens   available and monetising it. Patients could only avoid this by no  longer  going to the doctor. The draft regulation continues and  intensifies projects already under way in Germany and France, that have  been harshly criticised by data privacy groups:
–  The German “Forschungsdatenzentrum Gesundheit”, its collection of  patient data from health insurers is currently subject of a lawsuit  initiated by the Gesellschaft für Freiheitsrechte:
In   an expert opinion for the above-mentioned lawsuit, cryptography   professor Dominique Schröder demonstated that just a few data such as   place of residence, age and diagnosis are sufficient to identify  persons  concerned (“data subjects”), even if the data have been  anonymised: 

Objectives of the draft regulation

The EU draft regulation pursues different objectives varying in legitimacy which should be better separated from each other:
1. Europe-wide standardisation of health data and electronic health record systems.
2.   cross-border health data exchange, data portability between member   states, e.g. for cross-border commuters, as well as access for online   pharmacies like DocMorris to all prescriptions issued by doctors in the   EU, 
3.   obligation for doctors, hospitals and other health professionals  (“data  holders”) to store all of their treatment data in online  accessible standardised patient health records, 
4.   creation of an infrastructure for the commercial “secondary use” of   health data. To this end, member states will be required to set up   “health data access bodies” that maintain registers of all available   health data. The access bodies are authorized to request these health   data from the data holders, to store them and make them available to   data users. Access to health data can take place at doctors’ offices,   but also at insurance companies or data processing centres. Access   authorization would be granted to any person or entity that can make a   relatively complicated, sufficiently justified request. The “data   holders” (doctors, insurance companies, etc.) would receive fees for  the  use of “their” data. 
5. The proposal claims to give the individual more control over their own data, but actually deprives them of the right to decide on its use. The data subjects will not participate in the profits from the exploitation of their health data. They are not informed about who receives their data and have no right to object. 

Essentials from the draft regulation

The  large number of authorisations for the EU Commission to adopt  “delegated acts” is remarkable. There are at least ten of these in the  draft regulation. They allow,  for example, the introduction of further  obligations for “data holders” (doctors, hospitals, health insurers) and  further powers for “health data access bodies” to collect and  distribute health data. Citizens’ and institutions’ rights and  obligations in the draft regulation may later be changed  single-handedly  by the Commission by means of such delegated acts. The  authorisations are so broad that the Commission could use them to  redefine the content of the regulation. 
In  addition, the EU Commission develops, deploys and operates the  cross-border infrastructures for primary and secondary use of electronic  health data. In this context, it merely acts as a processor without  responsibility under data protection law. The data protection regime of  the draft regulation is complex and designates different controllers for  each primary and secondary use at national and cross-border level.
According   to Art. 3 “natural persons” shall have the right to access their  personal health data “immediately, free of charge and in an easily   readable, consolidated and accessible form” and to receive them in a   standardised electronic exchange format. The change compared to the   current, corresponding provision under Article 15 (3) of the General   Data Protection Regulation is the “right” to immediate,  i.e. online access. Member States must therefore set up electronic  health data access services, and proxy services through which patients  and their representatives can get the intended immediate access. 
According   to Art. 4, all doctors in the EU must have access to all health data of  the individuals they are treating, regardless of in which  EU member  state they are stored. There are no provisions for patients  to prevent,  for example, an orthopaedist from accessing the psychotherapist’s  records of his patients. Rather, they would only be able to block the  entirety of their health  data for certain individual practitioners. In  emergencies, however, the  “blocked” practitioners are still allowed to  access the data. 
Art.  7 stipulates that all patients must receive electronic health records   (EHR) and that all treatment data must be stored in them. The current   legal situation in Germany is that the persons concerned (“data   subjects”) must agree to this (opt-in). In contrast the coalition  agreement of the current German government specifies the creation of   electronic health records for all residents unless they object   (opt-out). The draft regulation on the European Health Data Space   creates an EHR obligation for all. 
The  resulting data collections, as well as all existing health data pools  at health insurance companies, private insurers or other “data holders”,  are to be made available for “secondary use”. Art. 33 contains a  catalogue of data to be released for secondary use, including Electronic  Health Records and “health-related administrative data, including  claims and reimbursement data”. The latter means that in Germany,  patients with private health insurance will no longer be spared. The  insurance companies will have to hand over their billing data too. 
Art.  34 lists the purposes for which electronic health data can be  processed  for secondary use. These include “public health surveillance”  and  “scientific research related to health or care sectors”,  “development  and innovation activities for products and services  contributing to  public health or social security”, and “training,  testing and evaluating  of algorithms, including in medical devices, AI  systems and digital  health applications ensuring (…) high levels of  quality and safety of  health care, of medicinal products or of medical  devices”. So there are hardly any limits to the imagination. According  to Art. 45, “any natural or legal person” may submit a data access  application.
According   to Art. 42, the “data holders” (doctors, hospitals, insurance   companies, etc.) as well as the health data access bodies receive fees  for the secondary use of “their” data.
The  commercialisation of health data is intended. A participation of the  patients concerned (“data subjects”) in the proceeds from this data  marketing is not intended. 
According  to Art. 44, access is provided to no more data than “relevant for the  purpose of processing indicated in the data access  application by the  data user”. When the purpose is e.g. training of AI applications, or  establishing new prevention programmes, millions of people may be  affected by such a transfer of their data. In principle, the data shall  be released “in an anonymised format” (Art. 44(2)). However, Art. 44 (3)  literally states: “Where the purpose of the data user’s processing  cannot be achieved with anonymised data, taking into account the  information provided by the data user, the health data access bodies  shall provide access to electronic health data in pseudonymised format.”  The regulation provides no definitions as to what constitutes an  “anonymised format” or a “pseudonymised format”, nor does it provide requirements for permissible anonymisation or pseudonymisation procedures. 


According  to  Article 168 (7) of the “Treaty on the Functioning of the European  Union”  (TFEU), “the management of health services and medical care” is  the  sole responsibility of the member states. The provisions on primary  and  secondary data use in the draft EU Regulation on the European  Health  Data Space interfere significantly with the management of  healthcare.  This is the responsibility of the member states, not the  EU  institutions. Solely the Europe-wide standardisation of health data  and  their cross-border exchange can be the subject of an EU regulation.
With   the provisions on primary and secondary data use, the EU Commission is   exceeding its competence. We demand the removal of the relevant parts   from the draft regulation. 
The  obligation to make patient data available for online access and to  store them in electronic health records is to be rejected, because that  would jeopardize highly sensitive data. There are already weekly media  reports about theft or unintentional publication of large amounts of   health data from hospitals or private insurance companies. Any mass  accumulation of health data poses a high risk, as their net worth will  attract all kinds of criminal activities.
In  addition the draft regulation does not state that health data access  bodies or data holders must store their data within the EU. Outsourcing  data processing to US cloud providers is therefore conceivable. 
As  a matter of principle, information from the doctor-patient relationship  should not be disclosed to third persons or entities without the  consent of the data subjects in each individual case. Disclosure to  statutory or private health insurance companies for billing purposes  should be as restrictive as possible; it must not become a gateway for  data trafficking in electronic health records. This is indispensable to  protect the relationship of trust between doctor and patient as well as  the patient’s constitutionally guaranteed fundamental right to privacy.  It is not justifiable that data held by lawyers are protected  considerably better than those held by doctors.
The  provisions on technical data security for the primary and secondary use  of data are inadequate. Provisions for compensation in the case of  disclosure of health data are completely missing. With such far-reaching  rights of use, liability regardless of fault must be mandatory, so that  those affected by a breach of confidentiality of their data would  receive full compensation. This could be implemented through a  compensation fund of the kind that already exists for travels or bank  deposits. All data users will have to pay into this fund. The basis of assessment for these  payments must be the risk potential, i.e. the amount of data and  whether they are anonymised or pseudonymised. This promotes the data  users’ self-interest in data minimisation and effective anonymisation. 
The  draft regulation aims to make health data available for commercial use.  Thereby the EU enters into competition with China, which is world  leader in distributing mass health data of its citizens since 2017 (  The EU can only lose such a competition due to the different  political  frameworks; but in doing so it can set in motion a downward spiral when  countries try to undercut each other on privacy protection for their  citizens’ health data. Instead,  the EU should reflect on its strengths and use guaranteed fundamental  rights and reliable, high data protection standards as an advantage in  international competition.




Patientenrechte und Datenschutz e.V.