29 November 2023
Following months of negotiations, the lead committees in the European Parliament voted on a compromise text of the European Health Data Space (EHDS) yesterday.
This draft text will next be voted on by the entire European Parliament in a plenary vote in December. Separately, the Council (representing 27 members states of the European Union) is expected to vote on its position next week. Once the Parliament and the Council decide their positions, intense negotiations to finalise the text of this law is anticipated.
ICCL recommendations
Earlier this year, ICCL made recommendations to address the problems related to secondary use of health data in the EHDS. Our recommendations have been included in the compromise text.
Our two recommendations were:
- EHDS should specify the legal basis consistent with the GDPR and be specific about the allowed purposes of secondary use of electronic health data; and
- EHDS should narrow the categories of health data allowed for secondary use to reduce risks to fundamental rights.
First, the Parliament’s text includes our first recommendation by relying on Article 6(1)(c) and Article 9(2)(g), (h), (i) and (j) of GDPR as the legal basis when health data is processed for secondary uses. This limits the allowed processing purposes of health data for reasons of public interest, and scientific or statistical research.
As we had recommended, the Parliament removes “electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health” from the categories of electronic health data that are allowed for secondary use. Use of health data to train AI systems is limited to scientific research.
Second, natural persons can opt-out from their health data being used for secondary uses. This opt-out possibility did not exist in the European Commission's initial text from 2022. Further, data from wellness applications and biobanks, and genetic data can be used for secondary uses only if natural persons opt-in. This gives people more control over their health data.
When organisations request to use health data of natural persons, they need to clearly explain “the expected benefits and how these benefits contribute to the purposes” listed in this law. Mere claims of public interest will not suffice.
There is still room for improvement. We are concerned that data generated by wellness applications is allowed for secondary uses. Such data is usually not of high quality but can reveal intimate details about a person’s life. Moreover, the risks to privacy of people are amplified when the data from wellness applications are processed for secondary uses or combined with other data.
Finally, EHDS is much broader in scope than secondary use of electronic health data. There remain other concerns that this proposed law raises that we do not cover in this post.