The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data.
The EDPB and the EDPS welcome the idea of strengthening the control of individuals over their personal health data. However, they draw the co-legislators’ attention to a number of overarching concerns and urge them to take decisive action. In particular, the EDPB and the EDPS acknowledge that Chapter IV of the Proposal, which aims to facilitate the secondary use of electronic health data, may generate benefits for the public good. At the same time, the EDPB and the EPDS consider that these further processing activities are not without risks for the rights and freedoms of individuals.
EDPB Chair Andrea Jelinek said: „The EU Health Data Space will involve the processing of large quantities of data which are of a highly sensitive nature. Therefore, it is of the utmost importance that the rights of the European Economic Area’s (EEA) individuals are by no means undermined by this Proposal. The description of the rights in the Proposal is not consistent with the GDPR and there is a substantial risk of legal uncertainty for individuals who may not be able to distinguish between the two types of rights. We strongly urge the Commission to clarify the interplay of the different rights between the Proposal and the GDPR.”
EDPS Supervisor Wojciech Wiewiórowski said: „Health data generated by wellness applications and other digital health applications are not of the same quality as those generated by medical devices. Moreover, these applications generate an enormous amount of data, can be highly invasive and may reveal particularly sensitive information, such as religious orientation. Wellness applications and other digital health applications should therefore be excluded from being made available for secondary use.”
While the EDPB and EDPS acknowledge the Commission’s efforts to align the Proposal with the GDPR provisions when personal data is involved, they note that this Proposal will add yet another layer to the already complex collection of provisions on the processing of health data. As such, they stress the need to clarify the relationship between the provisions in this Proposal, the ones in the GDPR and Member State law and also with ongoing European initiatives.
In addition, the EDPB and EDPS acknowledge that the infrastructure for the exchange of electronic health data foreseen in this EHDS Proposal aims at facilitating the exchange of health data. However, due to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, the EDPB and the EDPS call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA, without prejudice to further transfers in compliance with Chapter V of the GDPR.
As to the purposes for secondary use of health data, the EDPB and the EDPS are of the view that the Proposal lacks a proper delineation of the purposes for which electronic health data may be further processed. In order to achieve a balance that adequately takes into account the objectives pursued by the Proposal and the protection of personal data of the individuals affected by the processing, the co-legislators should further delineate these purposes and circumscribe when there is a sufficient connection with public health and/or social security.
Finally, egarding the governance model introduced by the Proposal, the tasks and competences of the new public bodies need to be carefully tailored, particularly taking into account the tasks and competences of national supervisory authorities, the EDPB and the EDPS, when processing of health data is involved. The EDPB and the EDPS underline that data protection authorities are the only competent authorities responsible for data protection issues and should remain the only point of contact for individuals with regard to those issues. Overlap of competences should be avoided and fields of and requirements for cooperation should be specified.