European Health Data Space (EHDS) update: what this means for pharmaceutical and biotech
The proposed EHDS Regulation1 (Proposal), introduced in May 2022 by the European Commission (EC), aims to reform the “situation of fragmentation” that characterises the existing approach to health data access across Europe2 through the establishment of a centralised data system.
The intention is to streamline the process for patients wishing to access their medical records via electronic health record systems (“EHR systems”) and to facilitate the ability for researchers, innovators, and policy makers to use the data in a trusted and secure way that preserves privacy.
For pharmaceutical and biotech companies, this is a significant development and means that a broader pool of data could become accessible for research and development purposes. It should also assist from a standardisation and efficiency perspective, meaning that, across the EU, companies only have to comply with one set of rules, rather than grappling with multiple sets of regulations.
The Proposal cites a number of reasons and studies that contributed to the desire for regulatory reform in the health data sector. Despite the introduction of the GDPR3 in 2018, studies have demonstrated that the legislation has, unfortunately, been unevenly implemented and interpreted by Member States. This has created uncertainty and challenges for individuals in exercising their rights and resulted in barriers to the secondary use of electronic health data.4
The COVID-19 pandemic also highlighted and emphasised the importance of ensuring timely access to health data for health threats preparedness and response,5 and revealed the urgent need and the high potential for interoperability and harmonisation of health data. Further, the EC has expressed the desire to support researchers and innovators, recognising the simple fact that access to large amounts of health data is necessary for breakthroughs in the medical field.6
The Proposal hopes to address the concerns with the current system and support the EC’s vision for the EU’s digital transformation by 2030.
Rights for individuals
The draft EHDS Regulation proposes to bolster individuals’ rights to their personal electronic health data, to exist alongside the access and data portability rights that exist under the GDPR.
For example, under the GDPR, data controllers have a one-month period to respond to data access requests7, which has largely been considered unsatisfactory where health data is concerned and may cause detrimental effects, in particular where an individual has a serious or urgent health condition. The Proposal would enable individuals to obtain immediate access to their data and, in addition, to transmit their data free of charge to a recipient of their choice in the health sector (currently, the GDPR requires controllers to do so only “where technically feasible”).
However, it has been recognised that there must be exceptions to such rights, in particular to the right of immediate access where this would be inappropriate or unethical, such as informing a patient via an electronic channel about a diagnosis of an incurable disease instead of providing this information during a face-to-face consultation. The parameters of such restrictions will be left up to each Member State to decide.8
Secondary use of health data
The EHDS sets out a regime that would allow electronic health data to be further processed for a specific set of “secondary use” purposes, such as development and innovation activities.
“Data holders” (defined to include most entities in the pharmaceutical, healthcare, and MedTech sectors, including hospitals and public health bodies, and companies undertaking research in relation to these sectors) would be required to allow access to certain categories of data, ranging from data from health registries and clinical trials, to genetic and pathogen genomic data, health-related administrative data, and even data collected via digital health and wellness applications. However, access may only be granted where the intended purpose for processing satisfies Article 34(1) of the Proposal, which includes the following notable research and development focussed criteria:
- activities for reasons of public interest, development and innovation activities in/contributing to the area of public and occupational health;
- for education or teaching activities or scientific research related to health or care sectors;
- to ensure high levels of quality and safety of health care, medicinal products, or devices;
- training, testing, and evaluating of algorithms, including in medical devices, AI systems, and digital health applications contributing to the public health or social security; and
- providing personalised healthcare consisting in assessing, maintaining, or restoring the state of health of individuals.
There are also a number of proposed specific prohibited uses of the data, including advertising or marketing towards health professionals, or use of the data for the purpose of tailoring insurance premiums.9
Secondary use of health data would require the data “re-user” to lodge an application for access, which would then need to be assessed by the competent health data access body in charge of delivering the permission to access the data. It has been proposed that the amount of any fees charged by the data holder must be transparent, proportionate, and “must not restrict competition”10. Further, where access is granted, the data must be transferred in an anonymised format unless the applicant’s purpose cannot be achieved by processing anonymised data, in which case pseudonymised data may be provided following consideration of the reasons why access is required.
There is uncertainty regarding interpretation of the Proposal and over the protections it provides. As well as being able to access data, pharmaceutical and biotech companies are likely to be obliged to make available their own potentially valuable research data to others under the new rules. However, there is a notable lack of clarity with regards to the protection of trade secrets and intellectual property rights – concerningly, the Proposal merely states that “all measures necessary”11 should be taken with regards to the preservation of such rights.
Further, there are question marks around how the secondary use concept will sit alongside the GDPR, under which a legal basis is required for data users to process health data for secondary uses. Other concerns raised involve security and how the proposal will support the functionality of “secure processing environments” for transmission of data, as well as practical concerns around how data in the context of international transfers will be pseudonymised or anonymised.
When will it come into force?
The EC is hoping that, by the end of its current mandate on 31 October 2024, the legislative process will be completed, with the EHDS becoming operational in 2025.
It is undeniable that the Proposal has the potential to generate significant opportunities for the pharmaceutical and biotech sector. The EC hopes that the Proposal will contribute to a genuine single market for digital health products and services, by harmonising rules and boosting healthcare system efficiencies.12 However, the legislative procedure is in its early stages and, if the EC’s vision is to succeed, the issues identified would need to be considered further by the European Parliament and the Council of Ministers in the hope of implementing guidance and addressing concerns around the existing areas of uncertainty and ambiguity.
1. European Health Data Space: Regulation 2022/0140.
2. Explanatory Memorandum, Section 2 of the Proposal.
3. General Data Protection Regulation 2016/679.
4. Explanatory Memorandum, Section 1 of the Proposal.
5. Explanatory Memorandum, Section 1 of the Proposal.
6. EC’s Impact Assessment Report on the Proposal.
7. Pursuant to Article 15 GDPR, which may be extended by a further 2 months in certain circumstances.
8. Recital 9 of the Proposal.
9. Article 35(c) of the Proposal.
10. Article 42(4) of the Proposal.
11. Article 34(4) of the Proposal.
12. Explanatory Memorandum, Section 1 of the Proposal.
About the authors
Tim Wright is a partner at Fladgate. He is a technology, sourcing, and commercial lawyer with nearly 30 years' experience advising clients on their outsourcing, cloud, digital, technology, and other commercial projects.
Michelle Waknine is an associate at Fladgate, specialising in technology, data protection, commercial contracts, and intellectual property.