EU Commission’s draft regulation “on the European Health Data Space”, COM(2022) 197 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0197
The organisation of health services is the responsibility of the Member States. With this draft regulation, the EU is exceeding its competences. Electronic health records are to be established compulsorily for all citizens and their health data subjected to commercial use. There is no provision for solidarity-based compensation for citizens who suffer disadvantages as a result. The proposed level of security is criticised by many experts as insufficient.
EU Commission’s Health Data Commercialization Act
The draft regulation proposes making the health data of all EU citizens available and monetising it. Patients could only avoid this by no longer going to the doctor. The draft regulation continues and intensifies projects already under way in Germany and France, that have been harshly criticised by data privacy groups:
– The French “Health Data Hub”, criticism by La Quadrature du Net is here: https://www.laquadrature.net/2021/03/17/health-data-hub-du-fantasme-de-lintelligence-artificielle-a-la-privatisation-de-nos-donnees-de-sante/
– The German “Forschungsdatenzentrum Gesundheit”, its collection of patient data from health insurers is currently subject of a lawsuit initiated by the Gesellschaft für Freiheitsrechte: https://freiheitsrechte.org/themen/freiheit-im-digitalen/gesundheitsdaten
In an expert opinion for the above-mentioned lawsuit, cryptography professor Dominique Schröder demonstated that just a few data such as place of residence, age and diagnosis are sufficient to identify persons concerned (“data subjects”), even if the data have been anonymised: https://freiheitsrechte.org/uploads/documents/Freiheit-im-digitalen-Zeitalter/Gesundheitsdaten/2022-04-25-Gutachten_Schroeder-Gesundheitsdaten-Gesellschaft_fuer_Freiheitsrechte.pdf
Objectives of the draft regulation
The EU draft regulation pursues different objectives varying in legitimacy which should be better separated from each other:
1. Europe-wide standardisation of health data and electronic health record systems.
2. cross-border health data exchange, data portability between member states, e.g. for cross-border commuters, as well as access for online pharmacies like DocMorris to all prescriptions issued by doctors in the EU,
3. obligation for doctors, hospitals and other health professionals (“data holders”) to store all of their treatment data in online accessible standardised patient health records,
4. creation of an infrastructure for the commercial “secondary use” of health data. To this end, member states will be required to set up “health data access bodies” that maintain registers of all available health data. The access bodies are authorized to request these health data from the data holders, to store them and make them available to data users. Access to health data can take place at doctors’ offices, but also at insurance companies or data processing centres. Access authorization would be granted to any person or entity that can make a relatively complicated, sufficiently justified request. The “data holders” (doctors, insurance companies, etc.) would receive fees for the use of “their” data.
5. The proposal claims to give the individual more control over their own data, but actually deprives them of the right to decide on its use. The data subjects will not participate in the profits from the exploitation of their health data. They are not informed about who receives their data and have no right to object.
Essentials from the draft regulation
The large number of authorisations for the EU Commission to adopt “delegated acts” is remarkable. There are at least ten of these in the draft regulation. They allow, for example, the introduction of further obligations for “data holders” (doctors, hospitals, health insurers) and further powers for “health data access bodies” to collect and distribute health data. Citizens’ and institutions’ rights and obligations in the draft regulation may later be changed single-handedly by the Commission by means of such delegated acts. The authorisations are so broad that the Commission could use them to redefine the content of the regulation.
In addition, the EU Commission develops, deploys and operates the cross-border infrastructures for primary and secondary use of electronic health data. In this context, it merely acts as a processor without responsibility under data protection law. The data protection regime of the draft regulation is complex and designates different controllers for each primary and secondary use at national and cross-border level.
According to Art. 3 “natural persons” shall have the right to access their personal health data “immediately, free of charge and in an easily readable, consolidated and accessible form” and to receive them in a standardised electronic exchange format. The change compared to the current, corresponding provision under Article 15 (3) of the General Data Protection Regulation is the “right” to immediate, i.e. online access. Member States must therefore set up electronic health data access services, and proxy services through which patients and their representatives can get the intended immediate access.
According to Art. 4, all doctors in the EU must have access to all health data of the individuals they are treating, regardless of in which EU member state they are stored. There are no provisions for patients to prevent, for example, an orthopaedist from accessing the psychotherapist’s records of his patients. Rather, they would only be able to block the entirety of their health data for certain individual practitioners. In emergencies, however, the “blocked” practitioners are still allowed to access the data.
Art. 7 stipulates that all patients must receive electronic health records (EHR) and that all treatment data must be stored in them. The current legal situation in Germany is that the persons concerned (“data subjects”) must agree to this (opt-in). In contrast the coalition agreement of the current German government specifies the creation of electronic health records for all residents unless they object (opt-out). The draft regulation on the European Health Data Space creates an EHR obligation for all.
The resulting data collections, as well as all existing health data pools at health insurance companies, private insurers or other “data holders”, are to be made available for “secondary use”. Art. 33 contains a catalogue of data to be released for secondary use, including Electronic Health Records and “health-related administrative data, including claims and reimbursement data”. The latter means that in Germany, patients with private health insurance will no longer be spared. The insurance companies will have to hand over their billing data too.
Art. 34 lists the purposes for which electronic health data can be processed for secondary use. These include “public health surveillance” and “scientific research related to health or care sectors”, “development and innovation activities for products and services contributing to public health or social security”, and “training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications ensuring (…) high levels of quality and safety of health care, of medicinal products or of medical devices”. So there are hardly any limits to the imagination. According to Art. 45, “any natural or legal person” may submit a data access application.
According to Art. 42, the “data holders” (doctors, hospitals, insurance companies, etc.) as well as the health data access bodies receive fees for the secondary use of “their” data.
The commercialisation of health data is intended. A participation of the patients concerned (“data subjects”) in the proceeds from this data marketing is not intended.
According to Art. 44, access is provided to no more data than “relevant for the purpose of processing indicated in the data access application by the data user”. When the purpose is e.g. training of AI applications, or establishing new prevention programmes, millions of people may be affected by such a transfer of their data. In principle, the data shall be released “in an anonymised format” (Art. 44(2)). However, Art. 44 (3) literally states: “Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format.” The regulation provides no definitions as to what constitutes an “anonymised format” or a “pseudonymised format”, nor does it provide requirements for permissible anonymisation or pseudonymisation procedures.
According to Article 168 (7) of the “Treaty on the Functioning of the European Union” (TFEU), “the management of health services and medical care” is the sole responsibility of the member states. The provisions on primary and secondary data use in the draft EU Regulation on the European Health Data Space interfere significantly with the management of healthcare. This is the responsibility of the member states, not the EU institutions. Solely the Europe-wide standardisation of health data and their cross-border exchange can be the subject of an EU regulation.
With the provisions on primary and secondary data use, the EU Commission is exceeding its competence. We demand the removal of the relevant parts from the draft regulation.
The obligation to make patient data available for online access and to store them in electronic health records is to be rejected, because that would jeopardize highly sensitive data. There are already weekly media reports about theft or unintentional publication of large amounts of health data from hospitals or private insurance companies. Any mass accumulation of health data poses a high risk, as their net worth will attract all kinds of criminal activities.
In addition the draft regulation does not state that health data access bodies or data holders must store their data within the EU. Outsourcing data processing to US cloud providers is therefore conceivable.
As a matter of principle, information from the doctor-patient relationship should not be disclosed to third persons or entities without the consent of the data subjects in each individual case. Disclosure to statutory or private health insurance companies for billing purposes should be as restrictive as possible; it must not become a gateway for data trafficking in electronic health records. This is indispensable to protect the relationship of trust between doctor and patient as well as the patient’s constitutionally guaranteed fundamental right to privacy. It is not justifiable that data held by lawyers are protected considerably better than those held by doctors.
The provisions on technical data security for the primary and secondary use of data are inadequate. Provisions for compensation in the case of disclosure of health data are completely missing. With such far-reaching rights of use, liability regardless of fault must be mandatory, so that those affected by a breach of confidentiality of their data would receive full compensation. This could be implemented through a compensation fund of the kind that already exists for travels or bank deposits. All data users will have to pay into this fund. The basis of assessment for these payments must be the risk potential, i.e. the amount of data and whether they are anonymised or pseudonymised. This promotes the data users’ self-interest in data minimisation and effective anonymisation.
The draft regulation aims to make health data available for commercial use. Thereby the EU enters into competition with China, which is world leader in distributing mass health data of its citizens since 2017 (https://amj.amegroups.com/article/view/3667). The EU can only lose such a competition due to the different political frameworks; but in doing so it can set in motion a downward spiral when countries try to undercut each other on privacy protection for their citizens’ health data. Instead, the EU should reflect on its strengths and use guaranteed fundamental rights and reliable, high data protection standards as an advantage in international competition.