Europe’s health data reuse plan needs some surgery, say privacy supervisors

A proposal put forward by European Union lawmakers in May, to establish a legal framework to make it easier to share electronic health records and other medical data — across borders and care institutions and with researchers and developers of innovative health products — should be revised to ensure citizens’ health data is stored locally, inside the European Economic Area (EEA), to avoid the risk of unlawful access, a joint opinion by two key EU data protection supervisory bodies has recommended.

That looks like wise counsel — given ongoing legal uncertainty clouding personal data exports to third countries, following major privacy rulings by the bloc’s top court since 2015.

“[Due] to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, [we] call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA,” the two supervisors write in a summary of their joint opinion on the Commission’s European Health Data Space (EHDS) proposal.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), two EU bodies which advise on the interpretation and application of laws, adopted their 32-page joint opinion on the EHDS yesterday.

In it they make a series of other suggestions for tightening the draft regulation and clarifying the interplay with existing data protection laws, warning that the Commission’s first pass falls short on that front in a number of areas.

There is already extensive regulation of health data across Europe, both nationally and at Union level (where processing this type of sensitive data with user consent requires an explicit ask, per purpose). Simplifying the process of sharing this sensitive, ‘special category’ data is thus a key driver for the EHDS — with lawmakers talking up the potential for the continent if fragmentation can be banished and citizens’ health data more easily pooled, processed and reused for purposes such as research into diseases and drug discovery, or for innovative health tech (like AI diagnosis).

Homegrown European health tech startups, like telehealth platform Kry, have also weighed in with some supportive words for the EU’s plan.

But the introduction of a new legal framework that’s geared towards data sharing and reuse could have negative impacts on individual rights like privacy and data access if the legislation is not rigorously drawn.

The EDPB and EDPS opinion highlights a number of areas where the two bodies believe the EHDS risks creating legal inconsistencies; generating confusion for data subjects; and even undermining existing regulations — such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive — warning, for example, that it’s not clear how individual rights, like the GDPR’s right to rectification of personal data, would be impacted by the framework (since the EHDS envisages not one data controller but …

https://techcrunch.com/2022/07/15/european-health-data-space-edpb-edps-opinion/