The European health data space is in the making

On the 3^rd of May this year, the European Commission unveiled their proposal for a regulation to establish the European Health Data Space ("EHDS"). The EHDS is a "health specific ecosystem comprised of rules, common standards and practices, infrastructures and governance framework".^[1] It aims to achieve a number of different goals. Most importantly are the empowering of individuals' access to and control of their personal health data, and providing European researchers, health officials and industry with a simple system to obtain and analyze citizens' health data from the entire European Union.

For European patients, the regulation seeks to enable them to have easy access to their data across the entire Union, regardless of which country they are geographically located. The principal function is to allow, if consent is given or an emergency requires it, a medical practitioner in another country to access medical records and other information, so that they can provide the appropriate assistance. This is so-called "primary" use of the health data. Simple access will increasingly facilitate a patient's free movement across the European Union as well as to help foster a genuine single market for electronic health record systems. The EHDS will seek to fulfil these goals through the establishment of a common framework of data sharing through integrated databases filled with personal health information presented using a standardized format.

The standardization and availability of health data is also of significance to another of the mentioned fundamental goals, referred to as the "secondary" use of data. Basically, the plan is to gather, sort and anonymize all the health data of citizens of the European Union and make it available to scientists and innovators. This will increase the available data pool significantly. The objective is to strengthen European health research, innovation, policy-making and regulatory activities. Access to an increased data pool is likely to, for example, increase the magnitude of technological innovation, ensure better public policies to improve European citizens' health, and enhance government and health officials' ability to prevent and combat future pandemics.

The European Commission has yet to unveil more detailed information on how the technological systems are to be designed and how they will interact. However, the European Commission have stated that they aim to have the framework operational by 2025. It is therefore quite clear that implementation will require a substantial effort by governments, public and private health organizations, and tech companies.

The governments of European countries, as well as the European Union itself, will play an important role in establishing the necessary technical infrastructure. An ambitious project of the projected scope will require substantial knowledge and expertise for the governmental agencies and officials that are involved.

For tech companies, implementation of the regulation will introduce several opportunities. A few specific examples are given below:

• Implications of the General Data Protection Regulation ("GDPR") and case law from the Court of Justice of the European Union imply that personal data may have to be stored on servers geographically located in the European Union. Given this outcome, data centers providing safe storage of personal data will be in high demand.
• When establishing the software for the new databases where the health data is to be stored, tech companies will be needed, either to connect existing databases or to create new ones.
• If new databases are created, health data must be transferred from an existing database to a new one. This process can require a significant amount of work. Digitalizing this process, for example by enlisting a company that offers robotic process automation solutions, could prevent substantial resources being poured into a repetitive and unproductive task.
• Tech companies that are specialized in artificial intelligence or machine learning can tailor their algorithms to cater to the requirements of scientists, industry or others who are permitted to analyze the health data.

How can we assist?

Both primary and secondary use of health data have to be in compliance with obligations arising from other legislation in the European Union. As health data is considered a special category of personal data pursuant to Article 9 of the GDPR, extra care has to be afforded when processing it. This includes implementation of adequate technical and organizational measures, watertight data processing agreements, and complying with the GDPR's general principles, such as data anonymization, pseudonymization, minimization and purpose limitation. In addition, national sector-specific data protection regulations apply for personnel and institutions processing health data.

Schjødt holds one of Scandinavia's strongest professional environments on privacy and data protection, including within the health data space. We combine deep insight on the legal aspects with significant understanding of technology and tech-related issues. We are therefore well suited to assist our clients with any legal questions that may emerge in light of the upcoming regulatory innovations within the health space.

^{[1] https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en}