Privacy Matters, DLA Piper's Global Privacy and Data Protection Resource (feed retrieved Tue, 19 Nov 2024 09:24:29 +0000)

EU: EHDS – Access to health data for secondary use under the European Health Data Space
https://privacymatters.dlapiper.com/2024/11/eu-ehds-access-to-health-data-for-secondary-use-under-the-european-health-data-space/
Tue, 19 Nov 2024 09:23:40 +0000

This is Part 3 in a series of articles on the European Health Data Space (“EHDS”). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR systems under the EHDS, is available here.

This article provides an overview of the framework for accessing health data for secondary use under the EHDS. It is based on the compromise text of the EHDS published by the Council of the European Union in March 2024.  

Improving access to health data for the purposes of supporting research and innovation activities is one of the key pillars of the EHDS and offers a potentially significant benefit for life sciences and healthcare companies who are looking for improved access to high-quality secondary use data.

By way of reminder, in general terms the EHDS creates a regime under which organisations may apply to a health data access body (“HDAB”) for access to electronic health data held by a third party, for one of a number of permitted secondary use purposes. When required to do so by the HDAB, the company holding the health data (the health data holder) must then provide the data to the HDAB in order to satisfy the access request. The EHDS provides for safeguards to protect intellectual property rights and trade secrets, and there is some scope for health data holders to recover costs incurred in making data available.

In more detail, the process operates as follows:

  1. Access to secondary health data

The EHDS stipulates a specific process as well as certain requirements for the access to secondary health data.

In order to get access to secondary health data under the EHDS, the applicant must submit a data access application to the health data access body (“HDAB”). Each Member State must designate an HDAB which is, inter alia, responsible for deciding on data access applications, authorizing and issuing data permits, providing access to electronic health data and monitoring and supervising compliance with the requirements under the EHDS.

Further, the HDAB is responsible for ensuring that the data provided are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the data access application. The default position is that data will be provided in an anonymised format. However, if the applicant can demonstrate that the purpose of processing cannot be achieved with anonymised data, the HDAB may provide access to the electronic health data in a pseudonymised format.

The data access application must include at least the following:

  • The applicant’s identity, description of professional functions and operations, including the identity of the natural persons who will have access to electronic health data;
  • Which purposes the access is sought for including a detailed explanation of the intended use and expected benefit related to the use (e.g., protection against serious cross-border threats to health in the public interest, scientific research related to health or care sectors to ensure high levels of quality and safety of health care or medicinal products/devices with the aim of benefitting the end-users, including development and innovation activities for products and services);
  • A description of the requested electronic health data, including their scope and time range, format and data sources, where possible, including geographical coverage where data is requested from health data holders in several Member States;
  • A description of whether the electronic health data need to be made available in a pseudonymised or anonymised format and, in the case of a pseudonymised format, a justification of why the processing cannot be pursued using anonymised data. Further, where the applicant seeks to access personal electronic health data in a pseudonymised format, compliance with applicable data protection laws shall be demonstrated;
  • A description of the safeguards, proportionate to the risks, planned to prevent any misuse of the electronic health data as well as to protect the rights and interests of the health data holder and of the natural persons concerned, including to prevent any re-identification of natural persons in the dataset;
  • A justified indication of the period during which the electronic health data is needed for processing in a secure processing environment;
  • A description of the tools and computing resources needed for a secure processing environment and, where applicable, information on the assessment of ethical aspects.

Where an applicant seeks access to electronic health data from health data holders established in more than one Member State, the applicant must submit a single data access application to the HDAB of the main establishment of the applicant which shall be automatically forwarded to other relevant HDABs.

Also, there is the option to only apply for access to health data in anonymized statistical format with less formal requirements as well as a simplified procedure for trusted health data holders. The European Commission is responsible for creating templates for the data access applications.

  2. Requirements for the technical infrastructure

The HDAB shall only provide access to electronic health data pursuant to a data permit through a secure processing environment. The secure processing environment shall comply with the following security measures:

  • Access to the data must be restricted to the natural persons listed in the data access application;
  • Implementation of state-of-the-art technical and organisational measures to minimize the risk of unauthorized processing of electronic health data;
  • Limitation of the input of electronic health data and the inspection, modification or deletion of electronic health data to a limited number of authorized persons;
  • Ensure that access is only granted to electronic health data covered by the data access application;
  • Keeping identifiable logs of access to and activities in the secure processing environment for no less than one year, so that all processing operations can be verified and audited;
  • Monitoring compliance and security measures to mitigate potential security threats.

The HDAB shall ensure regular audits, including by third parties, of the secure processing environments and, if necessary, take corrective actions for any shortcomings or vulnerabilities identified.

  3. Data protection roles

From a data protection law perspective, the health data holder shall be deemed controller for the disclosure of the requested electronic health data to the HDAB pursuant to Art. 4 No. 1 GDPR. When fulfilling its tasks under the EHDS, the HDAB shall be deemed controller for the processing of personal electronic health data. However, where the HDAB provides electronic health data to a health data user pursuant to a data access application, the HDAB shall be deemed to act as processor on behalf of the health data user. The EU Commission may establish a template for controller to processor agreements in those cases.

  4. Fees for the access to health data for secondary use

The HDAB may charge fees for making electronic health data available for secondary use. Such fees shall cover all or part of costs related to the procedure for assessing a data access application and granting, refusing or amending a data permit, including the costs related to the consolidation, preparation, anonymization, pseudonymization and provisioning of electronic health data. The fees further include compensation for the costs incurred by the health data holder for compiling and preparing the electronic health data to be made available for secondary use. The health data holder shall provide an estimate of such costs to the HDAB.

Conclusion

Access to electronic health data for secondary use is a significant opportunity, especially for companies operating in the life sciences and healthcare sectors, to obtain potentially large volumes of high-quality electronic health data for research and product development purposes. Although Chapter IV of the EHDS, which deals with the secondary use of electronic health data, will become applicable 4 years after the EHDS enters into force, companies are well advised to begin preparing to gain access to electronic health data for secondary use at an early stage, in order to gain a competitive advantage and to ensure that they are able to make direct use of the opportunities granted by the EHDS. Such preparation includes, inter alia, the early determination of the specific electronic health data required for the specific purpose the company wants to achieve, as well as the set-up of an infrastructure which meets the requirements under the

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR
https://privacymatters.dlapiper.com/2024/10/eu-ecj-rules-that-competitors-are-entitled-to-bring-an-injunction-claim-based-on-an-infringement-of-the-gdpr/
Mon, 07 Oct 2024 12:50:16 +0000

Introduction

In its judgment of 4 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled that the provisions of Chapter VIII of the GDPR do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of the GDPR allegedly committed by their competitors. The ECJ further ruled that the data of a pharmacist’s customers, which are provided when ordering pharmacy-only but non-prescription medicines on an online sales platform, constitute “health data” within the meaning of Art. 4(15) and Art. 9 GDPR (to that extent contrary to the Advocate General’s opinion of 25 April 2024).

Background

The plaintiff and the defendant in the main proceedings each operate a pharmacy. The defendant also holds a mail order licence and sells its range of products, including pharmacy-only medicines, through the online sales platform Amazon Marketplace, which allows the seller to offer products directly to consumers. The plaintiff sought an injunction to prohibit the defendant from selling pharmacy-only pharmaceuticals via the online sales platform. In the plaintiff’s opinion, such distribution constitutes an unfair commercial practice because the defendant was violating a statutory provision within the meaning of Section 3a of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – “UWG”).

The District Court upheld the claim. The Higher Regional Court dismissed the defendant’s appeal and ruled that the defendant’s sale of pharmacy-only medicines via Amazon Marketplace violates the provisions of the UWG, as this distribution involves the processing of health data within the meaning of Art. 9(1) GDPR, to which the customers have not explicitly consented. According to the Higher Regional Court, the provisions of the GDPR must be regarded as market conduct rules within the meaning of national competition law, with the result that the plaintiff, as a competitor, is entitled to claim injunctive relief based on national competition law by relying on an infringement of the provisions of the GDPR by the defendant.

The defendant then appealed to the German Federal Court of Justice (Bundesgerichtshof – “BGH”), in which it maintained its application for dismissal of the injunction. The BGH stated that the key factor for the decision is how Chapter VIII and Art. 9 of the GDPR are to be interpreted, and referred the following questions to the ECJ for a preliminary ruling:

  1. Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of the GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?
  2. Do the data of the customers of a pharmacist, who acts as a seller on an online sales platform, provided when ordering pharmacy-only but not prescription-only medicines (customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR?

Decision

First question (competitor’s right to bring injunction claims)

According to the ECJ, neither the wording of the provisions of Chapter VIII of the GDPR nor their context precludes competitors from bringing claims based on an infringement. On the contrary, where the infringement of the substantive provisions of the GDPR is likely to affect primarily the data subjects, it may also affect third parties. The Court notes that, in the context of the digital economy, access to personal data and the use that can be made of it are of considerable importance. Accordingly, in order to take account of real economic developments and to maintain fair competition, it may be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices. The judgment recognises that the GDPR does not contain a specific opening clause, which expressly authorises Member States to allow competitors to seek an injunction to prevent an infringement of the GDPR. However, according to the Court, it is clear that the EU legislature, when adopting the GDPR, did not intend to achieve full harmonisation of the remedies available in the event of a breach of the provisions of the GDPR and, in particular, did not intend to exclude the possibility for competitors of an alleged infringer of the rules on the protection of personal data to bring an action under national law on the basis of the prohibition of unfair commercial practices.

Moreover, such an action for an injunction brought by a competitor could prove to be a particularly effective means of ensuring such protection, since it makes it possible to prevent numerous infringements of the rights of the data subjects (in this respect, the Court refers to its judgment of 28 April 2022, Meta Platforms Ireland, C-319/20, in which the Court ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring an action, in the absence of a mandate given to it for that purpose and irrespective of the infringement of specific rights of the data subjects).

In the light of the foregoing, the answer to the first question is that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding a national law which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation, and the means of redress available to the data subjects, gives competitors of the alleged infringer the power to take action against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices for infringements of the GDPR.

In the present case, it is therefore for the national court to determine whether the alleged infringement of the substantive provisions of the GDPR at issue in the main proceedings, if established, also constitutes an infringement of the prohibition of unfair commercial practices under the relevant national legislation.

Second question (scope of the protection of health data)

In the second part of its decision, the ECJ once again interpreted the term ‘special categories of personal data’, and in this case specifically the term health data (Art. 4(15) GDPR), very broadly. The Advocate General, in the Opinion on the case, had assumed that it is not possible to deduce the state of health of the customer with sufficient probability from orders of pharmacy-only but non-prescription medicines, and had therefore found that such information is not health data.

The ECJ has now decided otherwise. The Court ruled that the provisions of the GDPR cannot be interpreted as meaning that the processing of personal data that only indirectly reveals sensitive information about a natural person would be exempt from the increased protection. For personal data to be classified as health data within the meaning of Article 9(1) of the GDPR, it is sufficient that the health of the data subject can be inferred by association or deduction. The Court affirms that the data provided by a customer when ordering pharmacy-only medicines via an online platform can be used to infer, by association or deduction, the health status of the data subject, since the order establishes a link between a medicinal product, its therapeutic indications and uses, and an identified natural person or a person who can be identified by information such as his or her name or delivery address.

Moreover, the prohibition on processing health data shall apply in principle, regardless of whether the information disclosed by the processing in question is accurate or not, and regardless of whether the data controller acts with the aim of obtaining information falling within one of the special categories referred to in Article 9(1) of the GDPR. Consequently, the information provided by customers when ordering non-prescription medicines online constitutes health data, even if those medicines are only intended for those customers with a certain probability and not with absolute certainty. In this context, the Court also mentions the possibility that the order data may allow conclusions about the health of third parties (e.g. by means of a different delivery address).

The court of the main proceedings will therefore have to decide whether the processing of health data of the defendant’s customers is permissible on the basis of one of the exceptions in Article 9(2) of the GDPR, in particular because the data subject has given explicit informed consent, or whether the processing is permissible on the basis of Article 9(2)(h) of the GDPR because it is necessary for the purposes of health care and takes place on the basis of Union or Member State law or pursuant to a contract with a health professional.

Practical note

This is the third decision by the ECJ that allows actors other than data protection supervisory authorities to take legal action against controllers: in addition to the Meta Platforms decision of April 2022 mentioned above (C-319/20), in July this year the ECJ clarified that the right of a consumer protection association to challenge the infringement of a data subject’s rights “occurring in the course of processing” also extends to the information obligations pursuant to Articles 12(1) and 13(1) GDPR (C-752/22).

These rulings have significant consequences – they not only increase compliance risks, but also legal defense costs. In practice, consumer protection organisations – out of ignorance or lack of knowledge of business contexts – often take a more dogmatic approach than the competent data protection supervisory authority.

With competitors, further inexperienced players are now entering the ring. Unlike in the past, it can be assumed that going forward, competitors will make use of the right to sue for injunctive relief if a controller is, in their view, violating the provisions of the GDPR and this is deemed unfair within the meaning of national competition law. As the acts against unfair competition are based on EU Directive 2005/29/EC and are therefore largely harmonised within the European Union, the ECJ’s decision is likely to affect all data controllers in the European Union.

Accordingly, in order to identify potential shortcomings that could be the subject of a competitor’s claim, controllers are well advised to review their existing processes in light of their specific business model. With respect to the potential processing of health information, a careful assessment is necessary. In particular, the question arises as to which constellations the ECJ’s extensive interpretation of health data still covers, for example dietary supplements, or whether, as we believe, it should remain limited to pharmacy-only medicines.

Furthermore, this aspect should be considered in the planning of future business activities in order to avoid a cease-and-desist order.

For any questions about this decision or any assistance please contact your local DLA Piper contact.

Requirements of EHR systems under the European Health Data Space
https://privacymatters.dlapiper.com/2024/07/requirements-of-ehr-systems-under-the-european-health-data-space/
Tue, 16 Jul 2024 13:58:32 +0000

This is Part 2 in a series of articles on the European Health Data Space (“EHDS”). Part 1, which provides a general overview of the EHDS, is available here.

Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements for electronic health record systems (“EHR systems”).  In so doing, the law attempts to ensure the interoperability of such systems within the EU, and therefore the secure and seamless processing and transfer of health data – a key objective of the EHDS.

The following article provides an overview of the key requirements that manufacturers of EHR systems will need to observe in order to be able to place an EHDS-compliant EHR system on the market.

  1. What exactly is an EHR system?

An EHR system is any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view certain categories of personal electronic health data, and where the system is intended by the manufacturer to be used by healthcare providers in providing patient care, or by patients to access their health data.

As such, EHR systems lie at the heart of the EHDS – they are the central technical prerequisite for fulfilling the objective of ensuring the secure and smooth processing and cross-border transfer of health data.

An EHR system under the EHDS must consist of two core elements which form an integral part of the software:

  • The interoperability component: EHR systems must have the ability to interact with software applications and devices from the same or different manufacturers in order to transfer and receive personal electronic health data. The technical specifications with regard to the health record exchange format which shall be commonly used to provide health data in a machine-readable format and support transmission of structured and unstructured health data will be determined by the European Commission.
  • The logging component: EHR systems must be able to record logging information about access to personal electronic health data by users of the system. As a minimum standard, the logging information shall contain the following information each time the data is accessed:
    • Identification of the health provider or other individuals having accessed personal electronic health data;
    • Identification of the specific individuals having accessed personal electronic health data;
    • Categories of data accessed;
    • Time and date of access; and
    • Origin(s) of data.

Additional data quality requirements for EHR systems are to be determined by the European Commission by means of implementing acts.

2. Which requirements apply to the manufacturers of EHR systems?

The requirements which, in accordance with the EHDS, need to be fulfilled by manufacturers of EHR systems to ensure compliance with the EHDS include the following core requirements:

a) Ensure conformity with the essential requirements laid down in Annex II of the EHDS and the common specifications to be adopted by the EU Commission by way of a common template document

In common with other regulatory frameworks for products, manufacturers of EHR systems will need to undertake an assessment to demonstrate that their product complies with certain minimum requirements before it can be put onto the market in the EU.  Those requirements, under Annex II of the EHDS, are:

  • General requirements, such as designing the EHR systems in such a way as to ensure they are suitable for their intended purpose without putting patient safety at risk. In addition, EHR systems must be designed and developed in a way which allows the system to be supplied and installed in accordance with the instructions of the manufacturer without adversely affecting its characteristics and performance during its intended use.
  • Requirements for interoperability, such as providing an interface enabling access to and receipt of personal electronic health data processed in the European health record exchange format. An EHR system must not include features that prohibit, restrict or place undue burden on authorised access or exporting of personal electronic health data for permitted purposes.
  • Requirements for security and for logging, such as providing reliable mechanisms for the identification and authentication of health professionals and supporting different retention periods and access rights taking into account the origins and categories of electronic health data. EHR systems must include tools to review and analyse the log data or must support the connection and use of external software for the same purposes.

b) Draw up the technical documentation of EHR systems before placing them on the market, and subsequently keep them up to date

The technical documentation must be drawn up in a way that demonstrates conformity with the above-mentioned essential requirements, and must be provided upon request to the market surveillance authority at short notice. As a minimum standard, the technical documentation shall contain the following elements:

  • A detailed description of the EHR system, including, among other things, its intended purpose, date and version of the EHR system, how the EHR system can be used to interact with other hardware and software, a description of the hardware on which the EHR system is intended to run, a description of the system architecture and the technical specifications such as features, dimensions and performance attributes;
  • A detailed description of the system in place to evaluate the EHR system performance, where applicable;
  • The references to any common specification used;
  • The results and critical analyses of all verification and validation tests undertaken to demonstrate conformity of the EHR system with the requirements under the EHDS;
  • A copy of the information sheet which accompanies the EHR system;
  • A copy of the EU declaration of conformity;

c) Ensure that the EHR system is accompanied, free of charge for the user, by the information sheet and clear and complete instructions for use

EHR systems shall be accompanied by an information sheet for professional users which shall specify:

  • the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;
  • the name and version of the EHR system and date of its release;
  • its intended purpose;
  • the categories of electronic health data that the EHR system has been designed to process;
  • the standards, formats and specifications and versions thereof supported by the EHR system.

d) Draw up the EU declaration of conformity

By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the EHR system with the requirements laid down in the EHDS when it is placed on the market or put into service. Annex IV of the EHDS sets out the specific information which needs to be included in the EU declaration of conformity.

e) CE marking

The EHDS stipulates that EHR systems shall be affixed with a CE marking. The CE marking shall be subject to the general principles for CE markings set out in Article 30 of EU Regulation 765/2008. The Member States should build upon existing mechanisms to ensure correct application of the regime governing the CE marking.

f) Representative in the EU

Manufacturers of EHR systems established outside the European Union shall appoint an authorised representative established in the European Union. The representative in the European Union shall, among other things, be authorised by the manufacturer to communicate with consumers and professional users and to cooperate with the market surveillance authorities.

As well as the abovementioned requirements, there are also further requirements for manufacturers of EHR systems. These include a post-market surveillance regime of product monitoring as well as cooperation with the respective market surveillance authority. Further obligations also apply to other actors in the supply chain, including importers, other economic operators or distributors of EHR Systems.

3. Conclusion

The EHDS is a ground-breaking law for manufacturers of EHR systems. It imposes a comprehensive pre- and post-market compliance framework that is designed to ensure that systems processing electronic health data are high-quality, secure, and capable of interoperability across the EU market. As such, manufacturers of EHR systems are well advised to begin preparing for these requirements at an early stage, in order to gain a competitive advantage and to ensure that their products are capable of being sold and used lawfully on the European market.

The European Health Data Space – What lies ahead?
https://privacymatters.dlapiper.com/2024/06/the-european-health-data-space-what-lies-ahead/
Mon, 10 Jun 2024 10:46:04 +0000

In March 2024, the Council of the European Union and the European Parliament reached a deal on a provisional agreement for the European Health Data Space (“EHDS”) regulation as part of the broader EU data strategy. The Council of the European Union published the compromise text of this agreement as a work-in-progress, providing insights into the forthcoming regulation and its implications.

  1. What is the EHDS about?

In a nutshell, the goal of the EHDS is to create a common infrastructure and governance framework for the accessibility of health data across the borders of Member States to support both healthcare delivery (“primary use”) and health research and policy-making (“secondary use”) in a secure and trustworthy way. The EHDS touches on different areas of law, such as medical law, data protection law and laws related to products used in a medical context. It also makes reference to several European directives and regulations.

In addition to the definitions contained in the specific legislation referred to in the EHDS, the EHDS itself provides, inter alia, the following key definitions that must be kept in mind in order to fully understand the scope and implications of the EHDS:

“EHR” means a collection of electronic health data related to a natural person collected and processed for the purpose of the provision of healthcare. This is, for example, in Germany, comparable to the electronic patient medical records.

“EHR system” refers to any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view personal electronic health data and is intended by the manufacturer to be used by healthcare providers for providing patient care or by patients to access their health data.

“Health data holder” is any natural or legal person, public authority, agency or other body in the healthcare or the care sectors including reimbursement services as well as any natural or legal person developing products or services intended for the health sector, developing or manufacturing wellness applications or performing research in the healthcare sector, who

  • has the right to process electronic health data in its capacity as a controller or joint controller, including for the provision of healthcare, research and innovation purposes; or
  • has the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, through control of the technical design of a product and related services.

This definition applies, for example, to hospitals as health care providers, companies which develop medical devices and pharmaceutical companies who are the data holders of their clinical trial data.

“Health data user” means a natural or legal person which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorized participant in the framework for multi-country secondary use of electronic health data, HealthData@EU.

“Wellness application” means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on the health of individual persons, or the delivery or care for other purposes than the provision of healthcare.

In our opinion, this definition is broad enough to also cover medical devices, as it explicitly includes appliances and software. However, it remains to be seen how this will be interpreted once the EHDS comes into force.

  2. Who is affected by the EHDS?

The EHDS will be applicable to natural persons with regard to their health data, as well as companies and institutions in the healthcare sector. The following overview will focus on the effect of the EHDS on the latter. In order to determine which companies and institutions are affected by the provisions of the EHDS and who needs to take action under the EHDS, it is necessary to distinguish between primary and secondary use of health data:

  1. Primary use

The primary use of health data to facilitate healthcare delivery and improve patient outcomes, as governed by the EHDS, generally affects two types of health data holders: healthcare providers and manufacturers of EHR systems. Manufacturers of wellness applications have the opportunity to claim interoperability with an EHR system once the relevant conditions are met.

  1. Healthcare providers: To enable seamless cross-border healthcare delivery, healthcare providers shall register relevant personal health data free of charge in an electronic format to be determined by the EU Commission in an EHR System. The EU Commission will establish a central interoperability platform for digital health (the “MyHealth@EU” platform) to provide services to support and facilitate the exchange of personal electronic health data between national contact points for digital health of the Member States. More detailed criteria regarding how and to which extent the healthcare providers must register personal health data will be determined by the Member States.

Challenges: The main challenge for healthcare providers will be to implement robust interoperability standards and to ensure that their system can effectively communicate with other systems to secure effective provision of personal health data, both within their country and across the EU. This may involve an adjustment or upgrade of the existing infrastructure to support the requirements under the EHDS and to avoid the high effort of extracting and transferring data from disparate information systems. Healthcare providers must manage this potential transition carefully, including training staff and adapting workflows. When providing personal health data, the healthcare providers must maintain certain data quality requirements and must observe the requirements of applicable data protection and regulatory laws. With these legal circumstances in mind, it is essential to review possible technical solutions for their compliance with applicable laws.

  2. Manufacturers of EHR systems: EHR systems are crucial to achieving the seamless cross-border transfer of health data that is the objective of primary use under the EHDS, as they form the underlying infrastructure. The EHDS devotes a whole chapter to the requirements on EHR systems and the obligations of manufacturers of EHR systems, such as including a so-called “European interoperability component for EHR systems” and a “European logging component for EHR systems”, providing sufficient technical documentation, affixing a CE marking if applicable, and cooperating with authorities. The European Commission will develop a European digital testing environment for the assessment of the harmonized components of EHR systems prior to putting them on the market.

Challenges: The requirements for compliance of EHR systems with the provisions of the EHDS are high, both with regard to the harmonized components and with regard to technical aspects such as security, identification and authentication, and documentation obligations. As some components of EHR systems could potentially qualify as a medical device, manufacturers face the challenge of navigating how the requirements of the EHDS align with the requirements of other regulations, e.g., under medical or data protection laws. As EHR systems handle large amounts of sensitive personal data in the form of health data, manufacturers must enhance security measures to protect data privacy and prevent security incidents.

  3. Manufacturers of wellness applications: As the market of wellness applications and devices using wellness applications is steadily growing, the data collected and processed by such wellness applications may be valuable for the treatment of their users. In order to provide their users the feature to have the data collected by the wellness applications included in an EHR system, the manufacturers of wellness applications may claim interoperability with an EHR system after the relevant conditions are met. The data of the users of wellness applications will not automatically be shared with the EHR system as such sharing is subject to the consent of the users of the wellness applications.

  2. Secondary use

The main purpose of secondary use of health data is to support research and innovation activities. Researchers will have access to larger amounts of high-quality data in a more efficient and cost-effective manner. Potentially, every health data holder will have to provide certain health data when requested by a natural or legal person. On the flipside, health data holders themselves can apply for access to health data and benefit from the system.

Member States shall designate Health Data Access Bodies (“HDAB”) to receive, review and approve requests for access to health data and to be entrusted with the relevant tasks and powers with regard to the secondary use of health data.

The EHDS establishes a detailed procedure for access to electronic health data for secondary use. The request for access must be submitted to the competent HDAB and must include detailed information on, for example, the identity of the natural or legal person requesting access to the health data, the purposes for which access to the data is requested, the intended use and scope of the data and a description of the safeguards. Based on this information, the HDAB reviews the request and denies or approves the request for access to health data. In case of approval, the HDAB will request the health data holder to provide the relevant electronic health data. This data will generally be provided in an anonymised form. The HDAB may charge a fee for this service. These fees shall be proportionate to the costs of providing the data, including the costs of consolidating, preparing, anonymising, pseudonymising and making the electronic health data available.

  3. Who is in charge?

Each Member State shall designate one or more digital health authorities responsible for the implementation and enforcement of the primary use of health data under the EHDS at national level. These digital health authorities shall be entrusted with various tasks and powers and shall serve as a contact point for complaints from natural persons in relation to the relevant provisions of the EHDS. In addition, the competent data protection authorities will cooperate with the digital health authorities and will be responsible for monitoring and enforcing the rights of data subjects under the EHDS.

With regard to the secondary use of health data under the EHDS, the HDAB shall be entrusted with monitoring and supervisory tasks. In addition, the data protection authorities shall be responsible for monitoring and enforcing the right to object to the processing of personal electronic health data for secondary use.

A European Health Data Space Board will also be established to facilitate cooperation and the exchange of information among Member States and the Commission.

  4. When does the EHDS come into force?

The exact implementation date is not yet specified. However, it is expected that the provisional agreement will be endorsed by the European Council and the European Parliament and will be formally adopted by both in 2024. The EHDS shall then enter into force twenty days after its publication in the Official Journal of the European Union. In general, the EHDS shall apply 2 years after entry into force, with exemptions for specific provisions which shall apply from 4 or from 6 years after entry into force. This applies, for example, to Chapter IV of the EHDS, which governs the secondary use of health data and will apply from 4 years after entry into force.

  5. Conclusion

The EHDS is a very ambitious project with the aim of creating an EU-wide common health data governance framework with a seamless exchange across EU borders to enhance healthcare delivery. Even though building the EHDS will require significant development efforts and numerous determinations and clarifications on an EU and Member State level, it is already foreseeable that the EHDS will create a new market for EHR systems, as manufacturers of EHR systems will play an essential role in achieving interoperability and data exchange. In light of these considerations, healthcare providers and private companies should begin preparing for EHDS provisions now, in order to be able to implement and benefit from them once they come into force.

France: the CNIL has released its annual dawn raid Program for 2023: four national priorities and one priority coming from the EDPB! https://privacymatters.dlapiper.com/2023/03/france-the-cnil-has-released-its-annual-dawn-raid-program-for-2023-four-national-priorities-and-one-priority-coming-from-the-edpb/ Mon, 20 Mar 2023 12:20:27 +0000

Authors: Denise Lebeau-Marianna, Divya Shanmugathas and Lucie Dubecq-Princeteau

On 15 March 2023, the French Supervisory Authority (the “CNIL”) unveiled in a post its four key priorities for its upcoming investigations in 2023 targeting specific sectors (I), to which it added a further topic relating to DPOs, in line with the coordinated enforcement framework of the European Data Protection Board, to gauge whether DPOs can properly perform their role (II).

As a reminder, in 2022 the CNIL priority topics were (i) direct marketing, (ii) the monitoring of telework and (iii) the use of cloud computing (see our previous post).

1. The national key priorities for 2023

  • Use of “smart” cameras by public stakeholders

With the upcoming 2024 Olympic and Paralympic Games in France and the planned use of such devices at large-scale sporting events in 2023 (the Rugby World Cup), the CNIL has provided guidance and published opinions on the use of so-called “smart” cameras:

  • Last July, the CNIL published its position on the deployment of these cameras in public spaces. This document provides guidance on the conditions applicable to the use of this technology which presents high risks to the data subjects’ right to privacy.
  • At the end of last year, the CNIL also gave its opinion on the draft Law relating to the 2024 Olympic and Paralympic Games which notably introduces the possibility to implement, on an experimental basis, smart cameras in areas accessible to the public for detecting and reporting in real-time predetermined events likely to threaten the safety of people.

The CNIL’s roadmap for its dawn raids in 2023 is thus to check that the use of “smart” cameras complies with the legal framework.

  • The use of the personal credit repayment incidents file by banks

A file named “Fichier des incidents de crédit aux particuliers” (FICP) (personal credit repayment incidents file), held by the Banque de France, includes information on payment incidents related to overdrafts and loans granted for non-professional needs, as well as information on over-indebtedness. Banks are required to consult this file before granting a loan. Given the sensitivity of such a file, the related processing activities represent a high risk for data subjects.

It is therefore paramount to ensure that the entries in such a file are accurate and that the data retention period and the conditions of management of this file comply with data protection law (e.g., management of data subjects’ rights). The CNIL will also check the measures implemented to ensure the security of the data.

  • The access to the electronic patient record in health care institutions

The security of health data has already been under the CNIL’s scrutiny over the past years and subject to investigations in 2020 and 2021 in health care institutions.

For 2023, the CNIL will continue to focus on the health care sector. Particular attention will be paid to the conditions of access to the electronic patient record in health care institutions and, in particular, to the technical and organizational security measures implemented to ensure the security of health data. This decision follows several complaints filed with the CNIL about unauthorized access by third parties to patient records held by health care institutions.

  • Tracking of users by mobile applications

Phone manufacturers enable application publishers to track users for advertising, statistical or technical purposes (e.g., Apple IDFA, IDFV and Google AAID). Such identifiers, equivalent to cookies, are generally used without informing the user or obtaining the user’s consent. While the CNIL presented its three-step action plan in November 2022 to protect privacy in the context of mobile app usage (see, in French only), several investigations have been carried out by the CNIL into applications accessing identifiers generated by the smartphone’s operating system without the users’ consent. The CNIL will continue its investigations in 2023.

Last December, the CNIL already issued a fine of €3 million against a company publishing video games for smartphones which used Apple’s IDFV identifier for advertising purposes without the users’ valid consent (see, in French only).

2. Support to the coordinated enforcement framework regarding Data Protection Officers

On the same day as the CNIL’s publication, the European Data Protection Board (EDPB) issued a press release regarding the launch of a coordinated enforcement action to assess whether Data Protection Officers (DPOs) hold the position required by the GDPR within their organization. The CNIL will verify the conditions of appointment and the modalities of exercise of the DPO function.

In France, the CNIL has already published a practical guide on DPOs (see our previous post). In line with the EDPB, it is likely that the CNIL will send questionnaires for fact-finding, determine whether an investigation is relevant and conduct investigations. The results of this initiative will be analyzed in a coordinated manner and the Supervisory Authorities will decide whether national supervision and enforcement actions are necessary. The EDPB will publish a report on the outcome of this analysis in an aggregated format.

Once again, the coming year promises to be a busy one for the CNIL and organizations targeted by this new annual dawn raid program.

For more information, please contact denise.lebeau-marianna@dlapiper.com, Partner.

Genetic information – global privacy considerations – an Australian and UK perspective https://privacymatters.dlapiper.com/2022/09/genetic-information-global-privacy-considerations-an-australian-and-uk-perspective/ Tue, 20 Sep 2022 15:21:49 +0000

Authors: Eliza Saunders, Sarah Birkett, James Clark, Senal Premarathna

Introduction

The benefits of using genetic information for research purposes are clear, especially as the technology underpinning medical research continues to advance at such a rapid pace. Outside of research and clinical development, the number of organisations which use blood and saliva samples and other genetic information for diagnostic and treatment purposes, as well as ancestry research, has exponentially increased.

When an individual provides a genetic sample, whether as part of a medical treatment, a clinical trial or in connection with ancestry research, what regimes are in place to protect his or her privacy?

In this article we examine, by way of example, the differing regimes in place in Australia and the UK.

Australia

When does the privacy regime apply in Australia?

Australia’s Privacy Act 1988 (Cth) expressly includes health information and genetic information in the definition of “Sensitive Information”. Genetic information is not further defined; however, more clarity is provided in respect of “health information”. This includes:

genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual (with the genetic relative of an individual (the first individual) being another individual who is related to the first individual by blood, including but not limited to a sibling, a parent or a descendant of the first individual).

There is no requirement for information falling within the definition above to also be “personal information” – namely information about an identified individual or an individual who is reasonably identifiable.  The key requirement is that the genetic information must be about an individual. However, when can it be said that genetic information is not “about” an individual?

The answer appears to be that genetic information is per se about an individual (and therefore within the scope of the Privacy Act) if it is associated with information that otherwise identifies an individual i.e. some form of record/label containing identifiers of an individual (and this does not necessarily need to include a name).

Looked at another way, for privacy purposes, unless and until a genetic sample is dissociated from information which could be used to identify a specific individual, it is within the scope of the Privacy Act.

If genetic samples are processed in isolation, without any identifying information, the Privacy Act is unlikely to apply. At the other end of the scale, the Privacy Act will apply to a genetic sample with the name of the individual affixed. The grey area is where genetic samples are associated with some information about the individuals who provided those samples, whether or not that information is linked to a specific sample. Here, it will depend upon the facts and the extent to which it is possible to ascertain the identity of an individual based on all of the information available (including any pre-existing records of the processor).

Who does it apply to?

Any organisation which collects, holds (i.e. has within its possession and control), uses or discloses a record of genetic information falls within the scope of the Privacy Act (although the extent of the compliance requirement varies).

A “record” is defined broadly and includes records captured in documents, electronically or via other devices.  No settled position applies as to whether a genetic sample constitutes a “record” for this purpose, but certainly any data or other information accompanying the sample (and, possibly, generated as a result of that sample such as test results) will qualify.

In the complex ecosystem of medical research this may result in multiple parties being subject to privacy obligations in respect of the same record. For example, a patient suffering from a rare disease is involved in a clinical trial for a new treatment run by a local clinical trial company on behalf of an Australian research institution. The patient provides written consent to the research institution and, amongst other things, provides blood samples at various stages of the trial. These blood samples are sent to the UK for testing by an expert facility. The clinical trial agreement with the patient permits the overseas entity to retain leftover blood samples for research purposes. Following the conclusion of the trial, the UK facility uses the leftover blood samples for its own and third-party studies. In this case, there are multiple entities which are collecting, holding and otherwise controlling the use of the genetic information provided by the patient; however, Australian privacy laws do not automatically apply to each entity which processes the personal information of Australians.

Research guidelines

Organisations wishing to use health information for research purposes in Australia may wish to have reference to the so-called “section 95A guidelines” on the collection, use or disclosure of health information published by the National Health and Medical Research Council.

Generally, these guidelines are not binding. Organisations wishing to avail themselves of the exceptions related to “permitted health situations” in the Privacy Act are, however, required to comply with them, other than where consent is used as the basis for processing. The Office of the Australian Information Commissioner recommends that consent should be informed, specific and voluntarily provided by an individual with the requisite capacity.

In addition to the Privacy Act, organisations must also be aware of the health records laws which operate in several jurisdictions in Australia (namely New South Wales, Victoria and the Australian Capital Territory).

United Kingdom

The UK GDPR identifies both ‘genetic data’ and ‘health data’ as ‘special category data’ that merit additional protection in comparison with normal personal data.

This is because the risk-based approach of the UK GDPR provides that the processing of genetic and health data presents a heightened inherent risk to an individual’s fundamental rights and freedoms, including:

  • the freedom of thought, conscience and religion;
  • the right to bodily integrity;
  • the right to respect for private and family life; and
  • freedom from discrimination.

‘Genetic data’ is defined under Art 4(13) UK GDPR as:

personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Recital 34 further elaborates to state that this definition includes chromosomal, DNA or RNA analysis or any other analysis that would result in equivalent information. As with the position in Australia above, genetic information only constitutes genetic data if it can be linked back to an identifiable individual. However, it is increasingly challenging to determine when genetic information is anonymised – i.e., no longer constitutes personal data – due to technological advances.[1] In this context, the grouping of EU data protection authorities (the EDPB) has ‘strongly advised’ data controllers to treat genetic data as personal data by default.[2] Whilst the UK has now left the EU, its laws are inherited from its EU membership and EDPB guidance remains persuasive.

However, at the same time it is important to remember that the unique nature of a person’s genomic data does not inherently make it identifying (and therefore personal data).  A number of factors need to be considered, including the other information and technical means available to the persons processing the data, as well as the context and purposes for which the data is being processed (e.g., is it being processed to create a profile concerning, or take measures or decisions relating to, a specific individual or, on the other hand, is it being processed as part of a much larger dataset to lead to the publication of anonymised research findings?).  ‘Individuation’ (or the ability to single out one person’s data from the data of other persons) can be a factor contributing to the existence of personal data, but is not by itself determinative.

‘Health data’ is defined under Art 4(15) UK GDPR as:

personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The ICO clarifies that health data as a concept is broader than information about specific medical conditions, tests or treatment. It can also include any related data that reveals any information regarding the state of an individual’s health such as medical examination data or information on disease risk.

The privacy regime for genetic data in the United Kingdom

The UK GDPR requires a lawful basis to process personal data. It further prohibits processing special category data unless one of the 10 exceptions, referred to as ‘conditions’, applies (see table below).

In addition to the UK GDPR conditions the Data Protection Act 2018 states that, when using a UK GDPR condition, you must also meet one of the additional conditions in Schedule 1 as follows:

UK GDPR Art 9(2) condition | DPA 2018 Schedule 1 condition(s)
--- | ---
(a) explicit consent | (none)
(b) employment, social security and social protection | condition 1
(c) vital interests | (none)
(d) not-for-profit bodies | (none)
(e) manifestly made public | (none)
(f) legal claims or judicial acts | (none)
(g) substantial public interest | one of conditions 6 to 28
(h) health or social care | condition 2
(i) public health | condition 3
(j) archiving, research or statistical purposes | condition 4

In any case, Art 22(4) UK GDPR prohibits the use of special category data solely for automated decision-making purposes unless you have either explicit consent or meet the substantial public interest condition.

What else must be done?

You must carry out a data protection impact assessment (DPIA) for any type of high-risk data processing. You are therefore likely to be required to carry out a DPIA if you plan on processing special category data:

  • on a large scale;
  • to determine access to a product, service, opportunity or benefit; or
  • which includes genetic data.

Other considerations recommended by the ICO include:

  • data minimisation – ensuring the data collected and retained is kept to the minimum required amount;
  • security measures – ensuring the appropriate level of security is in place for the sensitive data;
  • transparency – ensuring the special categories of data are included in a privacy notice;
  • rights related to automated decision-making – considering whether automated decision-making might have a ‘legal or similarly significant effect’ on the individual and taking the appropriate steps;
  • documentation – ensuring accurate records documenting the categories of data are provided and considering whether an ‘appropriate policy document’ is required under DPA 2018;
  • data protection officer – considering whether a data protection officer must be appointed; and
  • EU representatives – considering whether an EU representative must be designated.

[1] https://www.phgfoundation.org/media/94/download/gdpr-and-genomic-data-exec-summary.pdf?v=1&inline=1

[2] ‘EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research.’ European Data Protection Board 2 February 2021.

UK: New National Strategy for Health Data https://privacymatters.dlapiper.com/2022/07/uk-new-national-strategy-for-health-data/ Wed, 13 Jul 2022 12:59:07 +0000

Author: James Clark

The UK’s Department for Health and Social Care (“DHSC”) has published a major strategy document (‘Data saves lives: reshaping health and social care with data’) outlining the government’s plans for the regulation and use of data in healthcare.

In this post, we look at some of the most interesting proposals outlined in the strategy and consider what they might mean for the future regulation of data and technology in UK healthcare.

Secure Data Environments

The NHS will step up its investment in and use of ‘secure data environments’ (sometimes referred to as ‘trusted research environments’). In simple terms, these are specially designated, secure servers on which a third-party researcher’s access to health data can be properly controlled and monitored. These will become the default route for NHS organisations to provide access to their de-identified data for research and analysis. This creates opportunities for providers of secure data platforms and the privacy enhancing technologies on which these platforms depend. It also highlights the need for companies working with the NHS to increase their own familiarity with, and investment in, secure data environments.

Secure data environments are a hot topic in data circles.  For example, they also emerge in the EU’s new Data Governance Act, in the form of its creation of ‘data intermediation services’ – i.e., services that provide a secure environment in which companies or individuals can share data.

Fair Terms for Data Partnerships

The strategy also contains proposals for the data sharing agreements that NHS bodies use when providing access to health data. Supposedly responding to public concerns about data sharing partnerships with the private sector, the Government will:

  • Require data sharing arrangements to embody 5 core principles (for example, any use of NHS data not available in the public domain must have an explicit aim to improve the health, welfare or care of patients in the NHS, or the operation of the NHS, and any data sharing arrangement must be transparently and clearly communicated to the public).
  • Develop commercial principles to ensure that partnerships for access to data contain appropriate contractual safeguards. This will lead to a review and likely update of NHS Digital’s template data sharing and data access agreements by December 2023.

Consequently, those organisations accessing NHS datasets are likely to see changes in the contractual terms on which that access is provided, and greater scrutiny of the overall arrangement to ensure adherence with principles designed to encourage public trust and confidence in such arrangements.

Trust and Transparency

On a similar theme, the strategy contains a range of other proposals designed to improve the public’s trust in the use of health data.

Alongside the investment in secure data environments, the Government also publicly commits to increase investment in a wider range of privacy enhancing technologies (or ‘PETs’), such as homomorphic encryption (a technology that allows functions to be performed on encrypted data without ever having to decrypt it) and synthetic data (artificially manufactured data which strongly mimics real-world data, but without the privacy consequences).  The ICO has written supportively about some of these technologies in its updated draft guidance on anonymisation, and consequently there seems to be a concerted push towards the adoption of technical solutions to privacy concerns in an ever more data-dependent world.

The Government also plans to further improve transparency and understanding around how it uses health data (public confusion surrounding changes to the National Data-Opt Out regime in 2021 is admitted as an example of the sort of failing the Government wants to avoid in the future).  Developments on this front will include a ‘Data Pact’ (a high-level charter outlining core guarantees towards the public in terms of fair use of health data) and an online hub, with a transparency statement explaining how publicly held health and care data is used in practice.

Improving Access to Health Data

Alongside the focus on public trust and transparency, the strategy is also concerned with promoting greater access to health data in the public interest. This is a theme that has been prominent internationally following the Covid pandemic – a renewed understanding of the importance of health data for research and development purposes, leading to a demand to break down unnecessary barriers to accessing and combining datasets for these purposes.

The Government plans to do this partly through major investment (of up to £200 million) in NHS data infrastructure to make research-ready data available to researchers. DHSC envisages a ‘vibrant hub of genomics, imaging, pathology, and citizen generated data, where AI-enabled tools and technologies can be deployed’.

On the legislative front, it’s likely that this part of the strategy will also be supported by the Government’s impending Data Reform Bill, which amongst other things, is making changes to the research provisions of UK data protection law to, for example, provide a clearer definition of scientific research, a broader form of consent where used as a lawful basis for research, and a more concrete privacy notice exemption where data is repurposed for scientific research purposes.  All of these changes are expressly intended to promote greater use of personal data, including health data, for responsible research purposes.

There are strong parallels here with the EU’s proposals for a European Health Data Space, which will promote access to electronic health data for secondary purposes.

Encouraging AI Innovation

No data strategy in 2022 would be complete without consideration of Artificial Intelligence (AI).  On this front, DHSC:

  • Commits to working with the Office of AI (OAI) on its developing plans for the regulation of AI in the United Kingdom. The OAI’s White Paper on the governance and regulation of AI is expected imminently and will be closely scrutinised as the UK’s response to the EU’s draft AI Act.  The health sector is one of the most sensitive and important in an AI context and the NHS’ work on this will be led by a newly created NHS AI Lab.
  • Will develop unified standards for the efficacy and safety testing of AI systems, working with the Medicines and Healthcare products Regulatory Agency (MHRA) and the National Institute for Clinical Excellence (NICE). Safety standards that can be used by development teams building AI systems are an important part of the regulatory framework for safe AI, and this is likely to be a welcome step.
  • Will, through the NHS AI Lab, develop a methodology for evaluating the AI safety of market-authorised products in healthcare.

In summary, the strategy contains an ambitious set of proposals that are intended to cement the UK’s position as a world leader in healthcare informatics and data-driven health research.  Notably, they are clearly designed to balance and reconcile competing demands for greater access to and use of health data, with the protection of trust, privacy and security in that data.
