Official Journal of the European Union

C 358/13

Executive summary of the Opinion of the European Data Protection Supervisor on the Communication from the Commission on ‘eHealth Action Plan 2012-2020 — Innovative healthcare for the 21st century’

(The full text of this Opinion can be found in English, French and German on the EDPS website http://www.edps.europa.eu)

2013/C 358/08

1.   Introduction

1.1.   Consultation of the EDPS


On 6 December 2012, the Commission adopted a Communication on the ‘eHealth Action Plan 2012-2020 — Innovative healthcare for the 21st century’ (the Communication) (1). This proposal was sent to the EDPS for consultation on 7 December 2012.


Before the adoption of the Communication, the EDPS was given the possibility to provide informal comments to the Commission. He welcomes that some of his comments have been taken into account in the Communication.

1.2.   Objectives and scope of the Communication and aim of the EDPS Opinion


The Communication establishes an eHealth Action Plan for 2012-2020. The Action Plan presents the view that information and communication technologies (ICT) applied to healthcare and well-being can improve the efficiency and effectiveness of healthcare systems, empower the individual citizen and unlock innovation in the health and well-being markets.


This EDPS Opinion is to be seen in the light of the growing importance of eHealth in the evolving information society and of the ongoing policy debate within the EU on eHealth. The Opinion focuses especially on the implications of the fundamental right to data protection for eHealth initiatives. It also comments on the areas for further action identified in the Communication.

3.   Conclusions


The EDPS welcomes the attention paid specifically to data protection in the proposed Communication, but identified some scope for further improvement.


The EDPS underlines that data protection requirements should be appropriately considered by industry, Member States and the Commission when implementing initiatives within the eHealth area. In particular he:

- emphasizes that personal data processed in the context of eHealth and well-being ICT often relate to health data, which require a higher level of data protection, and underlines the guidance already given to controllers and processors in the area,

- notes that the Communication does not refer to the current data protection legal framework set forth under Directive 95/46/EC and Directive 2002/58/EC, which contains the relevant data protection principles that are currently applicable, and reminds the Commission that these rules are to be respected for any action to be taken in the short to medium term until the proposed revised data protection regulation enters into force,

- notes that the importance of the data subject's rights of access and information in the context of eHealth has not been made clear in the Communication. He therefore encourages the Commission to draw the attention of controllers active in the field of eHealth to the necessity to provide clear information to individuals about the processing of their personal data in eHealth applications,

- notes that the availability of guidance in respect of eHealth processing operations taking place under the current legal framework has not been emphasized in the Communication with specific references to the relevant documents, and recommends that the Commission consults the Article 29 Working Party, in which the EU national data protection authorities are represented, and the EDPS in the preparation of such guidance,

- recommends consulting the EDPS before the adoption by the Commission of a green paper on an EU framework applicable to mHealth and health and well-being mobile apps,

- notes that the Communication does not underline that any data mining using non-anonymous health data is only acceptable under very limited circumstances and provided that full account is taken of data protection rules, and encourages the Commission to draw the attention of controllers to this fact,

- underlines that profiling should only be done in very limited circumstances and provided that strict data protection requirements are met (e.g. as set forth in Article 20 of the proposed data protection regulation), and encourages the Commission to remind controllers of this important obligation,

- reminds the Commission that any future work in the areas of facilitating wider deployment, supporting user skills and literacy should be pursued in due observance of the principles of data protection,

- recommends that the Commission carries out a data protection impact assessment in the context of the development of a common European eHealth Interoperability Framework, before any further action is undertaken,

- urges the Commission, when examining the interoperability of health records, to look into possible legislative initiatives at EU level, as he believes that such interoperability would benefit from a strong legal basis, which would include specific data protection safeguards.

Done at Brussels, 27 March 2013.


Assistant European Data Protection Supervisor

(1)  COM(2012) 736 final.