Health data: the devil is in the details
EU citizens are entitled to receive the same services regardless of their citizenship and regardless of their current location. Once everyone agrees with this principle, difficulties arise in executing the rules. As of now, the only document recognized across the EU, Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom to guarantee citizens' rights is the European Health Insurance Card (EHIC), which can be seen as the maximum extent of shame for anyone coming from the smart card industry! The EHIC has no chip, not even a magstripe or a QR code, and does not include any security printing feature either. However, this EHIC is the key for people to receive care that could be worth thousands of Euros or more.
Now, building upon lessons learnt from the Covid-19 pandemic, the EU is moving towards a more online approach with the European Health Data Space (EHDS), a part of the European Health Union policy. It aims at guaranteeing that citizens receive healthcare benefits and at helping them take control of their own health data, while supporting the use of health data for better healthcare delivery, better research, innovation and policy making, and enabling the EU to make full use and reuse of health data. This project is based on the rationale of building a market for electronic health record systems.
To achieve these goals, the EU is setting up programs:
MyHealth@EU – ensuring the continuity of care for European citizens thanks to ePrescription and eDispensation and access to Patient Summaries, including allergies, current medication, previous illness, …
HealthData@EU – facilitating the cross-border use of health data for secondary purposes like research, policy making, regulatory activities and innovation.
This is where privacy issues arise! The European Data Protection Board (EDPB), which is composed of representatives of the EU national data protection authorities and the European Data Protection Supervisor (EDPS), has expressed its concerns about sharing health data across European borders without the explicit consent of each citizen, who is the only legitimate owner of his/her data, according to GDPR principles. They go even further, as EDPB Chair Andrea Jelinek said: "The description of the rights in the Proposal is not consistent with the GDPR." Also, the proposed EHDS program manages data generated by wellness applications and other digital health applications together with those generated by medical devices, something the EDPS opposes because it considers that these data may reveal particularly sensitive information, such as religious orientation or other personal details.
Such positions are supported by national data protection authorities. For instance, the French CNIL, along with other national data protection authorities, issued a statement that requires:
Locating health data on the territory of the European Union,
Clarifying the interactions between this proposal and the GDPR,
Retaining the exclusive jurisdiction of the data protection authorities in dealing with any question relating to the protection of personal data,
Limiting strictly the exceptions made to the rights of data subjects guaranteed by the GDPR,
Excluding data collected by wellness apps and other digital apps from the scope of the proposal,
Respecting the principle of minimization by limiting access to health data to the strict needs of health professionals involved in the primary uses of health data,
Defining better the objectives pursued in the context of the secondary uses of health data.
As is often the case with lobbying processes, we can see the devil is in the details. The project started with global and universally supported objectives, such as providing better health to all citizens, and ends up building programs that endanger our privacy rights. Now, the bets are off! Which consensus will be found between supporters of an all-encompassing European Health Data Space and national and European Data Protection Authorities? The outcome will reflect the weight of each lobby in the decision-making process.