THE EUROPEAN HEALTH UNION PACKAGE – Analysis from a data protection perspective
12 August 2021
On 18 March 2021, the European Data Protection Supervisor (“EDPS”) issued its formal comments on the package of the Commission’s three legislative proposals for a European Health Union. This reaction is based on the Commission’s communication issued in February 2020, entitled “A European Strategy for data” (“Data Strategy”). One of the key initiatives of the Data Strategy is to create common European data spaces in strategic sectors and domains of public interest for all EU citizens, like the proposed European Health Data Space (“EHDS”). In this respect, EDPS strongly supports the objectives of promoting health-data exchange and fostering research on new preventive strategies, treatments, medicines, and medical devices.
What place does the protection of individuals’ personal data take in the context of this digital transformation?
EDPS recalls the fundamental rights to data protection and privacy according to the provisions of Regulation no. 2016/679 on the protection of natural persons with regard to the processing of personal data (“GDPR”), by issuing its opinions on three legislative proposals in the field of health, namely: (i) the Proposal for a Regulation on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices (“EMA Proposal”); (ii) the Proposal for a Regulation on serious cross-border threats to health (“SCBTH Proposal”); and (iii) the Proposal for a Regulation on establishing a European Centre for Disease Prevention and Control (“ECDC Proposal”).
EHDS – the promoter of the EDPS’s initiative
The main objective of the EHDS is to improve access to quality healthcare, firstly by helping competent authorities take legally substantiated decisions and secondly by supporting scientific research. To achieve this objective, it is necessary to deploy data infrastructures for the EHDS’s functioning, in particular by designing a platform that will allow certain data to be processed for the benefit of society. In a nutshell, the EDPS’s most important considerations in connection with these issues relate to the following:
► the sensitive nature of health data – in this respect, EDPS considers that all processing operations will require solid legal grounds in line with EU data protection laws;
► the legal basis of the processing – EDPS considers that processing operations under the EHDS will only be lawful if they are based on one or more of the six legal bases provided by Article 6 para. (1) of the GDPR, especially based on Article 6 para. (1) letters a) and e);
► the character of “special category of data” of health data – EDPS considers that Article 9 para. (2) letters i) and j) of the GDPR, which allow processing of sensitive data for reasons of public interest and scientific research purposes, could be considered as a possible legal basis for the processing carried out by the EHDS;
► the principle of purpose limitation – EDPS considers that data should be processed according to this principle and highlights that the purposes for which the health data may be processed within the EHDS must be established before the processing;
► the importance of the right to data portability – EDPS considers that it is essential to provide “control” to data subjects over their data and this right may only be enforced upon the data subject’s request.
EMA Proposal, SCBTH Proposal, and the ECDC Proposal – a “trio” of particular personal data concerns.
I. The EMA Proposal & EDPS’s recommendations
Broadly, the most important objectives of the EMA Proposal are (i) to monitor and mitigate potential and actual shortages of medicinal products and medical devices considered critical for the population and (ii) to allow EMA to use and facilitate the exchange of health data and be part of the establishment and operation of the EHDS infrastructure. In this respect, EDPS made recommendations for amending the EMA Proposal from a data protection perspective, such as:
► EDPS recommends specifying that further implementing acts will outline the roles of the actors involved in the processing of personal data in such a context (i.e., EMA, the Commission, Member States, etc.);
► EDPS considers that the EMA Proposal should specify that pseudonymization shall apply in connection with “electronic health data outside of clinical studies” and “real-time data”, and should include a clear definition of these terms, providing examples in this regard;
► EDPS suggested that transfers of personal data to third countries or international organizations must comply with Chapter V of the EUDPR (i.e., Articles 46 and following).
II. The SCBTH Proposal & EDPS’s findings
Briefly, the SCBTH Proposal aims to (i) set out a comprehensive legislative framework to govern action at the EU level on preparedness, surveillance, risk assessment, and early warning and responses; and (ii) enhance the Union’s guidance in the adoption of common measures at EU level to face a future cross-border health threat. From a data protection perspective, the EDPS’s main recommendations were:
► to provide in the Proposal for further implementing acts outlining the roles of the actors involved in the processing of personal data in such a context (i.e., the role and responsibilities of the controller and processors, etc.);
► to conduct a Data Protection Impact Assessment (DPIA) before the deployment of a digital platform, given that the European Centre for Disease Prevention and Control (ECDC) shall set up and manage a digital platform through which data is managed and automatically exchanged;
► EDPS recalls that transfers of personal data to third countries or international organizations must comply with Chapter V of the EUDPR (i.e., Articles 46 and following) and the applicable case law of the Court of Justice.
III. The ECDC Proposal & EDPS’s guidelines
Briefly, the ECDC Proposal aims to (i) adapt the founding act of the ECDC to the new challenges brought by the COVID-19 pandemic, as well as create synergies with other EU initiatives such as the EU Digital Single Market agenda and the EHDS, and (ii) facilitate the sharing of information, including real-world evidence, and support the development of a Union-level IT infrastructure for health data surveillance and monitoring. From a data protection perspective, the EDPS’s most relevant recommendations were:
► to include in the provisions of the ECDC Proposal the legal basis for the processing of personal data;
► to insert in the ECDC Proposal: (i) the categories of data subjects whose data will be processed; (ii) the categories of the personal data processed; (iii) a description of the specific measures to safeguard the rights and freedoms of the data subjects; and (iv) the storage periods, given that the processing will involve special categories of personal data (i.e., data revealing racial or ethnic origin, genetic data, biometric data or data concerning health);
► to anonymize and process the data according to the principle of data minimization, where the processing of personal data is not necessary to perform the objectives of the ECDC;
► to conduct a DPIA before the deployment of the digital platforms and applications supporting epidemiological surveillance developed by the ECDC.
In the light of the above, we can conclude that the EDPS supports the Commission’s initiative to create a common European Health Data Space but at the same time calls for the adoption of the necessary data protection safeguards in parallel with the work towards the creation of the EHDS. EDPS also supports the role of the main actors involved in building the eHealth Strategy (i.e., EMA, SCBTH, and ECDC), but at the same time requires full compliance of their activities with the GDPR’s provisions and all EU data protection laws.
EDPS’s considerations can be consulted at the following address: https://edps.europa.eu/sites/edp/files/publication/20-11-17_preliminary_opinion_european_health_data_space_en.pdf
The EDPS would also like to draw attention to its recently published ‘Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II Ruling’ (https://edps.europa.eu/sites/edp/files/publication/2020-10-29_edps_strategy_schremsii_en_0.pdf) as well as the ‘EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ (https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf).