With the publication last May of the draft Regulation on the European Health Data Space (EHDS), the European Commission aims to create a system of governance for health data at the European level.

In this framework, this European space would be composed of national and European digital infrastructures with a high degree of interoperability, for the primary use (for diagnosis and treatment) and secondary use (for scientific research, innovation, public statistics, public policy development) of health data in electronic format. In short, the EHDS could be considered a secure ecosystem in which access, exchange and use of pseudonymized or anonymized electronic health data would be facilitated for the benefit of the greatest number of people.

One of the challenges pursued by the European Commission, in particular through the creation of a framework favorable to the secondary use of health data, is to encourage the production and improvement of medical knowledge.

The proposed regulation provides that secondary data will be accessible to researchers, innovators and policy makers. With regard to individuals, it is planned that they will be able to control access to their electronic health data and that the exercise of their rights, in particular the right of access and transmission, will be facilitated at national and European level.

What is really the place foreseen for citizens' rights and freedoms in the draft regulation?

Article 1 states that the regulation strengthens the rights of individuals with regard to the availability and control of their electronic health data. However, there is a disparity in the rights and freedoms of individuals between the primary and secondary use of data.

The rights and freedoms of individuals in the case of the primary use of their data

The draft regulation provides that individuals have the right to be informed of the identity of health professionals who have accessed their health data. However, this information is given afterwards. In order to make the control of individuals over their electronic health data effective, it would be appropriate to consider informing individuals beforehand, i.e. before the professional accesses the data, especially if the professional is not a member of the healthcare team.

The EHDS regulation also provides that individuals have the right to immediate and free access, in a readable, consolidated and accessible format, to their personal health data. However, the text does not specify whether this right is linked to the right of access provided for in the General Data Protection Regulation (GDPR) or whether these rights are separate. However, the proposal provides that this right of access may be limited if this is necessary for the protection of natural persons in accordance with the provisions of the GDPR. The lack of detail on the articulation between the draft EHDS Regulation and the GDPR leads to a lack of clarity that may be damaging to the rights and freedoms of citizens.

The rights and freedoms of individuals in the case of secondary use of their data

Despite what is stated by the European Commission in Article 1 of the draft regulation, individuals have no enhanced control over the secondary use of their health data.

First of all, there is no article dedicated to the rights of individuals regarding the secondary use of their health data unlike the primary use of these data.

Secondly, the text expressly provides for a derogation from the right to information of data subjects regarding the processing of personal data that is contained in the GDPR. Indeed, Article 38 of the proposal provides that "organizations responsible for access to health data are not required to provide each individual with specific information (...) regarding the use of their data in the context of projects subject to a data processing authorization". In other words, in the majority of cases of re-use of health data, individuals will not be informed.

Therefore, how can data subjects exercise control over their health data and exercise their rights if they do not know that their personal data is being reused?

This article 38 is in total contradiction with the right to informational self-determination, which states that "every person has the right to decide and control the uses that are made of personal data concerning him (...)". This means that individuals are recognized as having the right to control their data in all circumstances.

What are the opinions of the European Union bodies on the draft regulation?

In their joint opinion of July 12, 2022, the Data Protection Supervisor and the European Data Protection Committee state that the planned provisions may "weaken the protection of privacy and data protection rights." In essence, the two organizations are asking that the interactions between the proposed regulation and the GDPR be clarified and that the derogation from the obligation to inform natural persons not be maintained in the final version of the text.

More recently, the European Economic and Social Committee expressed strong concerns related to the secondary use of health data in its opinion of September 22, 2022. The Committee asks the European Commission to provide more clarity on the secondary use of data, its limits, the precise identification of the control and validation body and finally, the sanctions applicable in case of non-compliance with the provisions of the regulation.

One thing is sure: we have not finished hearing about this text, to be continued!