23.3.2021   

EN

Official Journal of the European Union

C 99/13


Summary of the Preliminary Opinion of the European Data Protection Supervisor on the European Health Data Space

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 99/09)

Text of executive summary

On 19 February 2020, the European Commission presented its Communication on ‘A European strategy for data’. This communication envisages the creation of a common space in the area of health, namely the European Health Data Space (‘EHDS’), presented as an essential tool for the prevention, detection and cure of diseases as well as for the taking of evidence-based decisions and to enhance effectiveness, accessibility and sustainability of the healthcare systems.

Whereas the EDPS strongly supports the objectives of promoting health-data exchange and fostering medical research, it underlines the necessity for data protection safeguards to be defined at the outset of the creation of the EHDS. Thus, with this preliminary opinion the EDPS highlights the essential elements that should be considered in the development of the EHDS from the data protection perspective.

The EDPS calls for the establishment of a thought-through legal basis for the processing operations under the EHDS in line with Article 6(1) GDPR and also recalls that such processing must comply with Article 9 GDPR for the processing of special categories of data.

Moreover, the EDPS highlights that due to the sensitivity of the data to be processed within the EHDS, the boundaries of what constitutes a lawful processing and a compatible further processing of the data must be crystal-clear for all the stakeholders involved. Therefore, the transparency and the public availability of the information relating to the processing on the EHDS will be key to enhance public trust in the EHDS.

The EDPS also calls on the Commission to clarify the roles and responsibilities of the parties involved and to clearly identify the precise categories of data to be made available to the EHDS. Additionally, he calls on the Member States to establish mechanisms to assess the validity and quality of the sources of the data.

The EDPS underlines the importance of vesting the EHDS with a comprehensive security infrastructure, including both organisational and state-of-the-art technical security measures to protect the data fed into the EHDS. In this context, he recalls that Data Protection Impact Assessments may be a very useful tool to determine the risks of the processing operations and the mitigation measures that should be adopted.

The EDPS recommends paying special attention to the ethical use of data within the EHDS framework, for which he suggests taking into account existing ethics committees and their role in the context of national legislation.

The EDPS is convinced that the success of the EHDS will depend on the establishment of a strong data governance mechanism that provides for sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights. The governance mechanism should regulate, at least, the entities that will be allowed to make data available to the EHDS, the EHDS users, the Member States’ national contact points/ permit authorities, and the role of DPAs within this context.

The EDPS is interested in policy initiatives to achieve ‘digital sovereignty’ and has a preference for data being processed by entities sharing European values, including privacy and data protection. Moreover, the EDPS calls on the Commission to ensure that the stakeholders taking part in the EHDS, and in particular, the controllers, do not transfer personal data unless data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the European Union.

The EDPS calls on Member States to guarantee the effective implementation of the right to data portability specifically in the EHDS, together with the development of the necessary technical requirements. In this regard, he considers that a gap analysis might be required regarding the need to integrate the GDPR safeguards with other regulatory safeguards, provided e.g. by competition law or ethical guidelines.

I.   INTRODUCTION AND SCOPE OF THE OPINION

1.

On 19 February 2020, the European Commission (‘Commission’) presented its Communication on ‘A European strategy for data’ (1). This was part of a package of documents, including a Communication on Shaping Europe’s digital future (2) and a White Paper on Artificial Intelligence - A European approach to excellence and trust (3).

2.

One of the key initiatives of the European strategy for data (‘Data Strategy’) is to create Common European data spaces in strategic sectors and domains of public interest, which would increase the possibilities for public authorities and business to access high quality data, boost growth and create value. More generally, the various initiatives of the Data Strategy go in line with the Commission’s ambition to have the ‘(...) EU at the forefront of the data-agile economy, while respecting and promoting the fundamental values that are the foundation of European societies’ (4).

3.

The EDPS released its Opinion 3/2020 on the European strategy for data (‘Opinion 3/2020’) in June 2020 (5), after an informal consultation on a draft version by the Commission in January 2019. Opinion 3/2020 presents the EDPS’ views on the Data Strategy, and touches particularly on certain relevant concepts from a data protection perspective, including the notion of ‘public good’, Open Data, use of data for scientific research, data intermediaries, data altruism and international data sharing.

4.

The EDPS notes that eHealth is a key area of public interest where the Commission’s Data Strategy envisages the creation of a common space, namely the European Health Data Space (‘EHDS’). In accordance with the Data Strategy, the EHDS will be essential for the prevention, detection and cure of diseases, as well as for evidence-based decisions in order to enhance effectiveness, accessibility and sustainability of the healthcare systems (6).

5.

In its recent meeting of October 2020, also the European Council welcomed ‘(...) the European strategy for data, which supports the EU’s global digital ambitions to build a true European competitive data economy, while ensuring European values and a high level of data security, data protection, and privacy. It stresses the need to make high-quality data more readily available and to promote and enable better sharing and pooling of data, as well as interoperability. The European Council welcomes the creation of common European data spaces in strategic sectors, and in particular invites the Commission to give priority to the health data space, which should be set up by the end of 2021.’ (7).

6.

Whereas the EDPS strongly supports the objectives of promoting health-data exchange and fostering research on new preventive strategies, treatments, medicines, medical devices, it also underlines the necessity for data protection safeguards to be defined at the outset. In the context of the Covid19 pandemic, the European Union has seen more than ever the need for the GDPR data processing principles to be fully applied. In line with the recent European Council Conclusions, the EDPS recalls the fundamental rights to data protection and privacy, and calls for data protection principles to be integrated in the future eHealth solutions that will soon be at the heart of all European eHealth systems. In this context, we highlight that data protection safeguards must be embedded in the core of the upcoming EHDS, with the aim of guaranteeing the respect of fundamental rights of individuals, including the right to privacy and to the protection of personal data of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

7.

The aim of this preliminary opinion is to contribute to the Commission’s work on the future EHDS, in particular through identifying of the essential elements that should be considered in the development of the EHDS from the data protection perspective. This preliminary opinion should be read in conjunction with other relevant EDPS Opinions, including the Opinion on the European Strategy for Data (8), the preliminary Opinion on scientific research (9), the Opinion on Open Data (10), the Opinion on the European Commission’s White Paper on Artificial Intelligence (11) and the EDPS Opinion on the proposal for a recast of the Public Sector Information (PSI) re-use Directive (12). It is worth underlining that this preliminary opinion is without prejudice to any future EDPS opinion that may be issued in accordance with Article 42 of Regulation (EU) 2018/1725 on the related forthcoming legislative proposals of the Commission.

IV.   CONCLUSIONS AND RECOMMENDATIONS

In light of the above, the EDPS makes the following recommendations:

46.

Supports the initiative to create a common European Health Data Space and acknowledges its key role to improve access to and quality of healthcare, by helping competent authorities in taking evidence-based policy decisions and by supporting scientific research. However, the EDPS calls for the adoption of necessary data protection safeguards in parallel to the works towards the creation of the EHDS.

47.

Recalls that all processing operations resulting from the EHDS’ establishment will require a robust legal basis in line with EU data protection law, particularly Article 6(1) GDPR and Article 9 GDPR for the processing of special categories of data.

48.

Considers that the forthcoming legislative initiative on the EHDS should also aim at contributing to a mitigation of the current fragmentation of rules applicable to the processing of health data and to scientific research, thus also aimed at guaranteeing a lawful and ethical use and re-use of the data within the EHDS.

49.

Advocates for additional clarity on the boundaries of what constitutes a lawful processing and a compatible further processing of the data for all stakeholders involved in the EHDS process, while also strengthening the transparency of data processed by making the conditions for re-use publicly available.

50.

Considers essential the setting of clear rules to the Member States for the identification of controllers within the context of the EHDS, before whom individuals may be able to exercise their data protection rights, in line with current legislation (GDPR and Regulation 2018/1725).

51.

Requests that the main actors involved and the categories of data processed within the EHDS are clearly identified and considers fundamental for the European Data Protection Authorities (‘DPAs’) to be clearly involved in its supervision and data protection compliance.

52.

Calls for the adoption of a comprehensive security infrastructure, including both organisational and state-of-the-art technical security measures to protect the sensitive data fed into the EHDS.

53.

Recalls the essential role of Data Protection Impact Assessments (‘DPIAs’), and recommends, whenever possible, making public the results of such assessments, as an enhancing measure of trust and transparency.

54.

Calls for the establishment of a strong data governance mechanism that providing for sufficient assurances of a lawful, responsible and ethical management of the data processed within the EHDS.

55.

Has a preference for data being processed by entities sharing European values, including privacy and data protection.

56.

Strongly supports the achievement of data sovereignty where data generated in Europe is converted into value for European companies and individuals, and processed in accordance with EU rules and regulations.

57.

Calls on the Commission to ensure that the stakeholders taking part in the EHDS, and in particular, the controllers, do not transfer personal data unless data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the European Union.

58.

Invites the Commission to ensure in its legislative proposal that Member States guarantee the application of the right to data portability together with the development of the necessary technical requirements in the EHDS that allow and effective exercise of such right by data subjects.

59.

Recommends performing a gap analysis regarding the need to integrate the GDPR safeguards with other regulatory safeguards, provided e.g. by competition law or ethical guidelines.

Brussels, 17 November 2020.

Wojciech Rafał WIEWIÓROWSKI


(1)  COM 2020 66 final https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf

(2)  COM(2020) 67 final, https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/shaping-europedigital-future_en

(3)  COM(2020) 65 final, https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/excellence-trustartificial-intelligence_en

(4)  COM (2020) 66 final https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0066&from=EN, p. 2.

(5)  EDPS Opinion 3/2020 on the European Strategy for Data https://edps.europa.eu/sites/edp/files/publication/20-06-16_opinion_data_strategy_en.pdf

(6)  COMM 2020 66 final https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 22.

(7)  See https://data.consilium.europa.eu/doc/document/ST-13-2020-INIT/en/pdf

(8)  EDPS Opinion 3/2020 on the European Strategy for Data https://edps.europa.eu/sites/edp/files/publication/20-06-16_opinion_data_strategy_en.pdf

(9)  EDPS Preliminary Opinion on data protection and scientific research https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf

(10)  EDPS Opinion on the 'Open-Data Package' of the European Commission including a Proposal for a Directive amending Directive 2003/98/EC on re-use of public sector information (PSI), a Communication on Open Data and Commission Decision 2011/833/EU on the reuse of Commission documents, https://edps.europa.eu/sites/edp/files/publication/12-04-18_open_data_en.pdf

(11)  EDPS Opinion 4/2020 EDPS on the European Commission’s White Paper on Artificial Intelligence– A European approach to excellence and trust https://edps.europa.eu/sites/edp/files/publication/20-06-19_opinion_ai_white_paper_en.pdf

(12)  EDPS Opinion 5/2018 on the proposal for a recast of the Public Sector Information (PSI) re-use Directive https://edps.europa.eu/sites/edp/files/publication/18-07-11_psi_directive_opinion_en.pdf