Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

The European Health Data Space – What lies ahead? https://privacymatters.dlapiper.com/2024/06/the-european-health-data-space-what-lies-ahead/ Mon, 10 Jun 2024 10:46:04 +0000

In March 2024, the Council of the European Union and the European Parliament reached a deal on a provisional agreement for the European Health Data Space (“EHDS”) regulation as part of the broader EU data strategy. The Council of the European Union published the compromise text of this agreement as a work-in-progress, providing insights into the forthcoming regulation and its implications.

  1. What is the EHDS about?

In a nutshell, the goal of the EHDS is to create a common infrastructure and governance framework for the accessibility of health data across the borders of Member States to support both healthcare delivery (“primary use”) and health research and policy-making (“secondary use”) in a secure and trustworthy way. The EHDS touches on different areas of law, such as medical law, data protection law and laws related to products used in a medical context. It also makes reference to several European directives and regulations.

In addition to the definitions contained in the specific legislation referred to in the EHDS, the EHDS itself provides, inter alia, the following key definitions that must be kept in mind in order to fully understand the scope and implications of the EHDS:

“EHR” means a collection of electronic health data related to a natural person collected and processed for the purpose of the provision of healthcare. In Germany, for example, this is comparable to the electronic patient medical records.

“EHR system” refers to any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view personal electronic health data and is intended by the manufacturer to be used by healthcare providers for providing patient care or by patients to access their health data.

“Health data holder” is any natural or legal person, public authority, agency or other body in the healthcare or the care sectors including reimbursement services as well as any natural or legal person developing products or services intended for the health sector, developing or manufacturing wellness applications or performing research in the healthcare sector, who

  • has the right to process electronic health data in its capacity as a controller or joint controller, including for the provision of healthcare, research and innovation purposes; or
  • has the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, through control of the technical design of a product and related services.

This definition applies, for example, to hospitals as healthcare providers, to companies which develop medical devices and to pharmaceutical companies, which are the data holders of their clinical trial data.

“Health data user” means a natural or legal person which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorized participant in the framework for multi-country secondary use of electronic health data, HealthData@EU.

“Wellness application” means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery of care for other purposes than the provision of healthcare.

In our opinion, this definition is broad enough to also cover medical devices, as it explicitly includes appliances and software. However, it remains to be seen how this will be interpreted once the EHDS comes into force.

  2. Who is affected by the EHDS?

The EHDS will be applicable to natural persons with regard to their health data, as well as companies and institutions in the healthcare sector. The following overview will focus on the effect of the EHDS on the latter. In order to determine which companies and institutions are affected by the provisions of the EHDS and who needs to take action under the EHDS, it is necessary to distinguish between primary and secondary use of health data:

  a. Primary use

The primary use of health data to facilitate healthcare delivery and improve patient outcomes, as governed by the EHDS, generally affects two types of health data holders: healthcare providers and manufacturers of EHR systems. Manufacturers of wellness applications have the opportunity to claim interoperability with an EHR system once the relevant conditions are met.

  i. Healthcare providers: To enable seamless cross-border healthcare delivery, healthcare providers shall register relevant personal health data free of charge, in an electronic format to be determined by the EU Commission, in an EHR system. The EU Commission will establish a central interoperability platform for digital health (the “MyHealth@EU” platform) to provide services to support and facilitate the exchange of personal electronic health data between the national contact points for digital health of the Member States. More detailed criteria regarding how and to what extent healthcare providers must register personal health data will be determined by the Member States.

Challenges: The main challenge for healthcare providers will be to implement robust interoperability standards and to ensure that their systems can effectively communicate with other systems to secure the effective provision of personal health data, both within their country and across the EU. This may involve an adjustment or upgrade of the existing infrastructure to support the requirements under the EHDS and to avoid the high effort of extracting and transferring data from disparate information systems. Healthcare providers must manage this potential transition carefully, including training staff and adapting workflows. When providing personal health data, healthcare providers must maintain certain data quality requirements and must observe the requirements of applicable data protection and regulatory laws. With these legal circumstances in mind, it is essential to review possible technical solutions for their compliance with applicable laws.

  ii. Manufacturers of EHR systems: EHR systems are crucial to achieving the seamless cross-border transfer of health data that is the objective of primary use under the EHDS, as they form the underlying infrastructure. The EHDS devotes a whole chapter to the requirements on EHR systems and the obligations of manufacturers of EHR systems, such as the inclusion of a so-called “European interoperability component for EHR systems” and a “European logging component for EHR systems”, sufficient technical documentation, affixing a CE marking where applicable, cooperation with authorities, etc. The European Commission will develop a European digital testing environment for the assessment of the harmonized components of EHR systems prior to their being placed on the market.

Challenges: The requirements on the compliance of EHR systems with the provisions of the EHDS are high, both with regard to the harmonized components and with regard to technical aspects in terms of security, identification and authentication, and documentation obligations. As some components of EHR systems could potentially qualify as a medical device, manufacturers face the challenge of navigating how the requirements of the EHDS align with the requirements of other regulations, e.g. under medical or data protection laws. As EHR systems handle large amounts of sensitive personal data in the form of health data, manufacturers must enhance security measures to protect data privacy and prevent security incidents.

  iii. Manufacturers of wellness applications: As the market for wellness applications and for devices using wellness applications is steadily growing, the data collected and processed by such wellness applications may be valuable for the treatment of their users. In order to offer their users the feature of having the data collected by the wellness application included in an EHR system, manufacturers of wellness applications may claim interoperability with an EHR system once the relevant conditions are met. The data of users of wellness applications will not automatically be shared with the EHR system, as such sharing is subject to the consent of the users of the wellness applications.

  b. Secondary use

The main purpose of secondary use of health data is to support research and innovation activities. Researchers will have access to larger amounts of high-quality data in a more efficient and cost-effective manner. Potentially, every health data holder will have to provide certain health data when requested by a natural or legal person. On the flip side, health data holders themselves can apply for access to health data and benefit from the system.

Member States shall designate Health Data Access Bodies (“HDAB”) to receive, review and approve requests for access to health data and to be entrusted with the relevant tasks and powers with regard to the secondary use of health data.

The EHDS establishes a detailed procedure for access to electronic health data for secondary use. The request for access must be submitted to the competent HDAB and must include detailed information on, for example, the identity of the natural or legal person requesting access to the health data, the purposes for which access to the data is requested, the intended use and scope of the data, and a description of the safeguards. Based on this information, the HDAB reviews the request and approves or denies it. In case of approval, the HDAB will request the health data holder to provide the relevant electronic health data. This data will generally be provided in anonymised form. The HDAB may charge a fee for this service. These fees shall be proportionate to the costs of providing the data, including the costs of consolidating, preparing, anonymising, pseudonymising and making the electronic health data available.

  3. Who is in charge?

Each Member State shall designate one or more digital health authorities responsible for the implementation and enforcement of the primary use of health data under the EHDS at national level. These digital health authorities shall be entrusted with various tasks and powers and shall serve as a contact point for complaints from natural persons in relation to the relevant provisions of the EHDS. In addition, the competent data protection authorities will cooperate with the digital health authorities and will be responsible for monitoring and enforcing the rights of data subjects under the EHDS.

With regard to the secondary use of health data under the EHDS, the HDAB shall be entrusted with monitoring and supervisory tasks. In addition, the data protection authorities shall be responsible for monitoring and enforcing the right to object to the processing of personal electronic health data for secondary use.

A European Health Data Space Board will also be established to facilitate cooperation and the exchange of information among Member States and the Commission.

  4. When does the EHDS come into force?

The exact implementation date is not yet specified. However, it is expected that the provisional agreement will be endorsed by the European Council and the European Parliament and will be formally adopted by both within 2024. The EHDS shall then enter into force twenty days after its publication in the Official Journal of the European Union. In general, the EHDS shall apply 2 years after entry into force, with exemptions for specific provisions which shall apply from 4 or from 6 years after entry into force. This applies, for example, to Chapter IV of the EHDS, which governs the secondary use of health data and will apply from 4 years after entry into force.

  5. Conclusion

The EHDS is a very ambitious project with the aim of creating an EU-wide common health data governance framework with seamless exchange across EU borders to enhance healthcare delivery. Even though building the EHDS will require significant development efforts and numerous determinations and clarifications at EU and Member State level, it is already foreseeable that the EHDS will create a new market for EHR systems, as manufacturers of EHR systems will play an essential role in achieving interoperability and data exchange. In light of these considerations, healthcare providers and private companies should begin preparing for the EHDS provisions now, in order to be able to implement and benefit from them once they come into force.

CJEU Insight https://privacymatters.dlapiper.com/2024/01/cjeu-insight/ Wed, 24 Jan 2024 11:18:40 +0000

2023 was a busy year for the Court of Justice of the European Union (CJEU), with the issuance of a number of far-reaching judgments on the interpretation and application of the GDPR.

In December 2023, the CJEU delivered two important decisions which supplement a growing body of jurisprudence on the issuance of administrative fines and claims for non-material damages.

In Deutsche Wohnen (C-807/21), the CJEU delivered effective guidance on the need to establish wrongdoing by a controller in order to impose a fine, while in Natsionalna agentsia za prihodite (C-340/21), the CJEU weighed in on the adequacy of a controller’s security measures and the resulting exposure to claims for damages.

Deutsche Wohnen

Background

On 5 December 2023, the CJEU delivered a judgment on the culpability of data controllers and the administration of fines by a supervisory authority for infringing the GDPR.

In this case, Deutsche Wohnen, a German listed real estate company, was fined approximately €14.5 million by the Berlin Data Protection Authority for the “intentional infringement” of the GDPR. The primary issue was Deutsche Wohnen’s failure to delete personal data belonging to tenants when it was no longer necessary.

Deutsche Wohnen brought an action against that decision, which led to two fundamental questions being referred to the CJEU:

  1. To address a complex face-off between German law and the GDPR on the liability of undertakings, the CJEU was asked whether an administrative fine can be issued under Article 83 GDPR against an undertaking without the infringement first being attributed to an identified natural person (e.g., a member of the bodies or a representative of the undertaking concerned).
  2. The CJEU was asked whether an undertaking must have intentionally or negligently committed an infringement of the GDPR, or whether the objective fact of the infringement suffices to impose a fine (i.e., whether the undertaking is strictly liable for the infringement).

Key findings

Perhaps not surprisingly, in answering the first question, the CJEU held that the provisions of the GDPR do not permit Member States to make the imposition of an administrative fine on a legal person as a controller subject to a prior finding that the infringement was committed by an identified natural person.

In answering the second question, the CJEU provided some clear and direct guidance:

  • A function of administrative fines is to incentivise compliance with the GDPR. However, to do so, they do not need to be imposed in the absence of any wrongdoing.
  • Only infringements committed wrongfully (intentionally or negligently) can result in culpability and lead to a fine being imposed.
  • Nothing in the GDPR allows for Member States to deviate from this requirement and to effectively establish a strict liability regime.
  • Ignorance of an infringement is no defence.
  • It is not necessary to establish that a member of management acted intentionally, negligently, or was even aware of the infringement.
  • The concept of an undertaking is derived from EU competition law, and when a supervisory authority calculates a fine to be imposed, it must do so on the basis of a percentage of the total worldwide annual turnover of the undertaking (group) in the preceding business year.

Natsionalna agentsia za prihodite

Background

On 14 December 2023, the CJEU delivered an important judgment on the conditions necessary to award compensation for non-material damage suffered by data subjects following a cyberattack.

The Bulgarian National Revenue Agency (NAP) is an authority attached to the Bulgarian Minister for Finance. Its function is to identify, secure and recover public debts. On 15 July 2019, it was revealed that a cyberattack had taken place on the NAP’s IT system, leading to the unlawful dissemination of the personal data of more than six million individuals, including both Bulgarians and foreigners.

A case was brought by an affected data subject against the NAP before the Bulgarian Administrative Court, seeking an order for compensation under Article 82 GDPR for the non-material damage suffered as a result of the fear that the data subject’s personal data may be misused in the future.

The case was referred to the CJEU by the Bulgarian Supreme Administrative Court seeking clarification on whether a person’s fear that their data may be misused in the future following unauthorised access due to a cyberattack amounts to non-material damage under Article 82 GDPR.

Key findings

  • The CJEU confirmed that such fear can constitute non-material damage under the GDPR. However, a national court must satisfy itself that the fear is genuine and well founded, having regard to the specific circumstances of the infringement and of the data subject.
  • The following factors were persuasive:
    • Article 82(1) GDPR establishes the right to compensation from the controller for the (non-material) damages.
    • The right of compensation requires three cumulative conditions to be met: (i) damage which has been suffered; (ii) an infringement of the GDPR; and (iii) a causal link between the damage and the infringement (as set out in the Austrian Post decision).
    • Once an infringement has been established, Article 82 GDPR cannot be interpreted as distinguishing between a scenario where the non-material damage suffered stems from actual misuse of personal data compared to where the damage stems from the fear over potential future misuse. In other words, the concept of non-material damage encompasses both.

Conclusion / implications

The Deutsche Wohnen judgment is significant in that it develops the concepts of culpability and wrongdoing and has thankfully provided long overdue clarity on whether Article 83 GDPR imposes a strict liability regime. The CJEU said that it does not.

Following the NAP judgment, controllers must take account not only of their exposure to damages claims for tangible harm suffered due to a cyberattack but also of the psychological distress that can be suffered from the fear of misuse of compromised personal data. This case reifies the expression “better safe than sorry”. It underlines the importance of having robust, state-of-the-art technical and organisational measures in place. Controllers should consider both in tandem, as controller exposure for infringing the GDPR can take the form of both a fine imposed by a supervisory authority and an award of damages by a national court.

The two judgments, along with several other key CJEU decisions issued recently,[1] are a continuation of the CJEU extending its reach over controllers under the GDPR. The trickle-up effect from the decisions of supervisory authorities and national courts to the CJEU is starting to bear fruit, and over the course of 2024 we can expect a number of further important decisions from the CJEU on fundamental data protection issues.


[1] See for example, the Schufa case (C-634/21) and its impact on automated decision-making processes and the CJEU’s landmark decision in Meta vs Bundeskartellamt (C-252/21), where the CJEU imposed strict limitations on the use of the lawful bases of contractual necessity, legitimate interests and consent.

Hungary: Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of artificial intelligence https://privacymatters.dlapiper.com/2022/04/hungary-record-gdpr-fine-by-the-hungarian-data-protection-authority-for-the-unlawful-use-of-artificial-intelligence/ Tue, 12 Apr 2022 09:54:42 +0000

Authors: Zoltán Kozma, Mark Almasy

The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report, in which it presented a case where the Authority imposed its highest fine to date of ca. EUR 670,000 (HUF 250 million).

The case involved the personal data processing of a bank (acting as a data controller) which automatically analysed the recorded audio of customer service calls. The bank used the results of the analysis to determine which customers should be called back, analysing the emotional state of the caller with artificial intelligence-based speech signal processing software that automatically assessed each call on the basis of a list of keywords and the caller's emotional state. The software then established a ranking of the calls, serving as a recommendation as to which callers should be called back as a priority.

The purposes of the processing activity were determined by the bank as quality control based on variable parameters, the prevention of complaints and customer migration, and the development of its customer support’s efficiency. However, according to the Authority, the bank’s privacy notice referred to these processing activities in general terms only, and no material information was made available regarding the voice analysis itself. Furthermore, the privacy notice only indicated quality control and complaint prevention as purposes of the data processing.

The bank based the processing on its legitimate interests in retaining its clients and in enhancing the efficiency of its internal operations. The data processing activities connected with these interests, however, were not separated in the privacy notice or in the legitimate interests tests, and so they became blurred.

In the course of the procedure before the Authority, it became evident from the statements of the bank that for years it had failed to provide the data subjects with proper notice and the right to object, because it had determined that it was not able to do so. The Authority emphasised that the only lawful legal basis for the processing activity of emotion-based voice analysis is the freely given, informed consent of the data subjects.

Additionally, the Authority highlighted that although the bank had carried out a data protection impact assessment (DPIA) and identified that the processing posed a high risk to the data subjects, being capable of profiling and scoring, the DPIA had failed to present substantial solutions to address these risks. Furthermore, the legitimate interest test performed by the bank had failed to take into account proportionality and the interests of the data subjects; it merely established that the data processing was necessary to achieve the purposes pursued. The Authority further emphasised that the legitimate interest legal basis cannot serve as a ‘last resort’ when all other legal bases are inapplicable, and as such data controllers cannot rely on this legal basis at any time and for any reason. Consequently, the Authority, in addition to imposing a record fine, obliged the bank to cease the analysis of emotions in the course of voice analysis.

In conclusion, the Authority highlighted that “artificial intelligence is generally difficult to understand and monitor due to the way it works, and even new technologies pose particular privacy risks. This is one of the reasons why the use of artificial intelligence in data management requires special attention, not only on paper but also in practice.”
