A shared EU data space for health?

In the wake of the Covid pandemic, questions have been raised whether the management of this health crisis could have been more effective if the data sharing within and between states had been easier. Or, as the more polemic among media voices are asking, is too much data protection costing lives? 

There must be a way to safeguard health and other sensitive personal data and at the same time to improve the management of health crises, to enable scientists to further our understanding of health conditions, to accelerate digital health innovations and to facilitate patient care across borders – or at least these are the hopes of the European Commission (EC). The solution is going to be a shared European data space specifically designed for the health domain. 

Accordingly, in May 2022, the EC submitted a “Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space”. If this proposal is successful, the resulting regulation will require all member states to provide their citizens with easy and free electronic access to their healthcare data. These interfaces will be compatible between states and with the central healthcare data exchange platform named “MyHealth@EU”. The EC will take responsibility for MyHealth@EU and its roll-out to all member states, to be finalized by 2025. Until then, each member state will have to appoint a national authority for the implementation and oversight of MyHealth@EU access. In a way, MyHealth@EU is the physical correlate of the regulatory concept of the European Health Data Space (EHDS). 

Lawful and unlawful uses of health data

Access to health data will be granted not only to patients and their healthcare professionals. Explicitly, MyHealth@EU will also permit data sharing with scientists, developers, politicians and government officials. However, for all purposes except patient care, access is supposed to be limited to anonymized or pseudonymized data. By facilitating not only patient care but also pharma and digital health innovations and making existing data sharing processes more efficient, the EC expects economic gains of about € 11 bn while planning for additional infrastructure costs of € 810M. 

In addition to anonymization and pseudonymization, some potential uses of health data will be explicitly forbidden under the new regulation, according to the EC’s proposal. MyHealth@EU data may not: 

• be used for health-related advertising and marketing purposes; 
• be analyzed in a way that could lead to higher insurance premiums or the exclusion of certain insurance benefits; 
• be used for research with the intent of developing new harmful substances and products, for instance those related to nicotine or alcohol consumption. 

However, this “black list” shows that the EC is already very much aware of the abuse potential of such a shared data space, and that companies with unsavoury business models may already be waiting in the wings. Also, as the EC itself points out in the proposal, it cannot guarantee perfect security against de-anonymization of previously anonymized patient data. Anonymization is a difficult problem in data science, and there are numerous approaches that sometimes permit the re-identification of individual persons or small groups. Pseudonymized data are even more vulnerable to re-identification. 

But all these problems notwithstanding, the EU is in dire need of some form of shared and interoperable data space for its citizens‘ health data. More efficient data sharing will improve political decision making in future crises, improve actual patient care and speed up innovations in pharma and health technologies. If the EU does not create a safe legal way of sharing data, its citizens and companies will sooner or later use non-EU infrastructure, developed by and hosted in countries that are less privacy-sensitive and may have no compunctions at all in exploiting anonymized and non-anonymized healthcare data for economic purposes. It must be assumed that large datasets of EU citizens‘ healthcare data are already owned by non-EU tech companies because their platforms are used for informal data sharing in various contexts. 

Next steps: EU Council and EU Parliament

In the next steps, the EC’s proposal will be debated and commented upon by the EU Council and the EU Parliament. Considering the aforementioned issues surrounding privacy and security, but also the potential for economic gains and growth, discussions in the member states will certainly be controversial. The EU Council may come to a decision as early as the second half of 2023. But if one or several member states have more severe objections, the EHDS may be delayed for years. For instance, German data protection activists are already taking proceedings against similar legislation: pseudonymized data of 73 million citizens was going to be collected and used for research purposes starting in October 2022. An urgent court appeal was made to stop this process while court proceedings are still pending. 

01.12.2022

• data management (565)
• healthcare politics (252)
• IT (873)
• security (446)