Opting-in or -out or not at all: secondary use of health data in the EHDS framework

Blogpost 17/2024

In accordance with the European data strategy the European Commission gave its proposal for the Regulation on European Health Data Space (EHDS) in May 2022. The purpose of the EHDS is to establish a mandatory cross-border infrastructure which makes it possible for residents to access their electronic health data anywhere in Europe for health care purposes and use such data for reimbursement purposes and similar purposes (primary use). Furthermore, EHDS creates a mandatory cross-border infrastructure for the secondary use of electronic health data, such as electronic patient records, genetic data, socio-economic data and data processed in relation to healthcare services.  The secondary uses cover everything from public health, planning and statistical purposes, scientific research, development and innovation activities, training and testing of algorithms and providing personalised healthcare.

Each country shall have one central public sector health data access body which shall assess the applications for accessing electronic health data and issue data permits for accessing pseudonymised data sets or answers to data requests in anonymised statistical format. It must also maintain a public information system and fulfil obligations towards natural persons as required by the EHDS Regulation and the GDPR.  Holders of electronic health data are obliged to grant access to their data through the access body when data permit is granted or answer to data request is provided.

Given the sensitive nature of health data, selecting the health data space as the first of several data spaces to be instituted within EU was a bold move from the Commission. This could be explained by the need to make it possible for Europeans to seek health care within the EU and from the pressing need to harmonise interpretation of the GDPR and national laws with regard to carrying out EU-wide health research projects, as well as the desire of the pharmaceutical industry to obtain large amounts of EU-originated health data. The up-coming European elections in June 2024 have put pressure on different institutions to arrive to a common position in relation to the proposed regulation. The Council of Ministers and the EU Parliament both were able to come up with negotiating mandates in December which made it possible to start with the Trilogue negotiations between different EU institutions already in then.

The scope of proposed secondary uses of electronic health data is broad. According to the original Commission proposal the rights of data subjects would rely on the GDPR and the only additional safeguard would be the secure technical processing environment for personal health related data. The extent to which data subjects should control the secondary use of their health related data in the EHDS has turned out to be one of the most contentious issues dividing the Council and the Parliament.

In the following blog I shall first discuss different forms of control envisaged for data subjects over the secondary use of their health data. Thereafter I’ll describe the respective positions of different institutions and discuss them in light of the Finnish law relating to the secondary use of health and social data which has acted as one the models of the EHDS proposal.

 

Opt-out or -in versus right to object

When considering the degree of control the data subjects have over the secondary use of their health data we should make a distinction between the GDPR based consent and right to object, on the one hand, and the fundamental rights and ethics based consent (opt-in) and its lighter version opt-out, on the other hand. In short, the GDPR based consent relates to the processing of personal data and is proposed by the Parliament for genetic, genomic and proteomic data. The Commission and the Council do not propose a consent for any type of secondary use of processing.

The right to object in terms of the GDPR gives the data subject the right to object, on grounds relating to their particular situation, at any time to processing of their personal data when such processing is based on public interest (Article 6 para 1(e)) or legitimate interest (Article 6 para 1(f)). After the objection the controller can no longer process the personal data unless it can demonstrate, i.a. compelling legitimate grounds which override the interests, rights and freedoms of the data subject. (Article 21 para 1) For scientific or historic research or statistical purposes the right to object is valid unless the processing is necessary for the performance of a task carried out for reasons of public interest. (Article 21 para 6) In other words, the data subject can not exercise their right to object unless they give a personal reason to such objection and for scientific or statistical use this may not be enough if the processing is deemed to be necessary for public interest reasons. Right to object is thus conditioned by disclosing personal reasons by the data subject, that is more  personal data, and the eventual overriding interests of the controller.

According to the GDPR the right to object must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the time of the first communication with the data subject. The data subject may exercise this right by automated means and using technical specifications. (Article 21 para 4)

An opt-out is used in many areas of law and each should be regarded separately. According to the  the French Senate secondary processing of health data should require a consent from the data subject but that consent could be deemed to have been given if persons after having been informed of the secondary use have not opposed to it. The European data protection board (EDPB) states that in cases where consent is not the basis for processing of personal data it can still be used as a safeguard for processing. Moreover, a right to prohibit direct marketing in terms of Article 21.2 GDPR is an unconditional right to prohibit the use of personal data for direct marketing and is generally called an opt-out. Accordingly, an opt-out could be described as a safeguard for the processing of special categories of personal data within the EHDS when consent is not required. Similarly, an opt-in or so called ethical consent, when it is not the used as the legal basis for processing of personal data could be described as a safeguard in terms of the GDPR.

 

Council negotiating mandate: different versions of the right to object

The Council mandate for the negotiations is written in a manner which leaves the difficult aspects of the Regulation to Member States’ national legislation. This pertains, in particular, to the exercise of rights of data subjects. The right to object to the secondary processing of their data is a core example. If the crucial issues are left to the Member States or, as proposed by the Commission, to the GDPR, the current situation with regard to applying the GDPR for cross-border research and development projects will be reproduced within the EHDS and each country will end up applying their own version and interpretation of the law.

Even the role of the proposed right to object for secondary uses is fluid. According to the Council ‘[i]t is appropriate to leave Member States free to decide to introduce and modulate such a right as it involves a balance between individual autonomy and the availability of health data for secondary use purposes, which is best made at national level, taking into account Member States’ specific situations and historical experiences.(recital 37a)Where a Member State does not introduce a specific right to object in accordance with article 35F of this regulation, solely Article 21 of Regulation (EU) 2016/679 will apply.’

The Council Mandate proposes a new Article 35f in which different options for introducing right to object in Member States are given. First it is important to emphasize that according to the Council introducing any kind of right to object beyond Article 21 GDPR at the national level would be voluntary and up to Member States. The most comprehensive opt-out version is the one according to which natural persons could exercise their right to object, at any time and without stating reasons, in a simple and accessible manner, including by electronic means.

The Council also highlights the possibility of a Member State to restrict the right to object under the conditions set out in Article 23 GDPR in case a Member State chooses not to implement the full opt-out with regard to secondary uses of health data. This would be possible, in particular,  in relation to purposes related to the protection of public health and occupational safety and  activities ensuring high levels of quality and safety of healthcare and of safety of medicinal products or medical devices. Member States would have to implement appropriate and effective measures to inform data subjects about such restrictions to their right to object.

To sum up, the Council position seems to be that Member States could choose to introduce a full or partial right to object providing data subjects better control over the secondary uses of their health data, or not to introduce any specific right to object beyond Article 21 GDPR.

 

EU Parliament negotiating mandate

In contrast to the EU Council the EU Parliament proposes an introduction of a comprehensive opt-out for all secondary uses of electronic health data with the exception of genetic, genomic and proteomic data for which a consent in required. This right to opt-out is anchored in securing the confidential relationship between the patient and the physician as confirmed by the European Court of Human Rights. Accordingly, it is provided that Member States shall provide for an accessible and easily understandable opt-out mechanism, whereby natural persons are offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes. The exercise of this right will not affect the lawfulness of the processing that took place under EHDS before the individual opted-out (Article 35(5).

Given the sensitive nature of certain health related data and the difficulties relating to anonymizing of such data, it is further provided that extracts from human genetic data, genomic and proteomic data, such as genetic markers, and data from biobanks and dedicated databases can only be made available for secondary use after obtaining the consent of the natural person. Individual consent is also required for secondary uses of personal data obtained from wellness applications.

The Parliament Mandate provides further that health data access bodies make publicly available and easily searchable and accessible for natural persons the conditions under which their electronic health data is made available for secondary use. Data subjects should be made aware of the sensitive nature of such data. This should include information on, amongst other things, the legal basis under which access is granted to the health data user and the applicable rights of natural persons in relation to secondary use of electronic health data, including the right to opt-out and the right to opt-in and detailed information on how to exercise them (Article 38).

Since natural persons are left the possibility to opt-out or opt-in for all or some of the parts of their data for all or some of the secondary uses, it is imperative that they are conveyed detailed information as to this possibility, the nature of different uses and the ways to exercise their rights. How to implement these provisions in practice is not provided for, but it is conceivable that such information can be easily given in electronic on-line service, in which the possibility to opt-out or opt-in can be exercised by data subjects. Electronic information system could be built in a manner to automatically recognize in connection with the collection of electronic health data the secondary uses permitted for a given personal electronic health data.

 

Transparent processing and right to information as the basis for exercising rights of data subjects

Closely connected to the discussion on whether to have a real opt-out or a nationally applied right to object are the provisions of the GDPR relating to the transparent processing of personal data and facilitating the use of rights (Articles 12 to 14). According to the original proposal of the Commission, health data access bodies are not obliged to provide information to data subjects for projects subject to data permit but they should provide general public information on all data permits issued pursuant to the Regulation (Article 38(2)).

Transparency of processing of personal data is not only obligatory in terms of the GDPR but according to the European Data Protection Board it can also act as an additional safeguard in a situation when circumstances of the research do not allow for a specific consent. This would speak in favour of stronger information requirements which would make it possible for data subjects to know when and for what secondary purposes their electronic health data is being used.

A major study conducted in 12 European countries about digital health data sharing concluded that people want to be informed about the sharing of their health data for secondary purposes. People also wanted to be in control of the sharing of personal health data for different purposes. Given some geographical variations of the respondents in terms of the extent of control, the authors propose a compromise model reflecting the general attitude of the respondents. This is characterised as ‘ethical consent’ in a form of dynamic digital consent on a digital platform in which data subjects could control the use of their health data. This model could also encompass the opt-out model proposed by the Parliament. If realised as an opt-in model in the EHDS it could also be used as the legal basis for the processing of personal health data.

 

Secondary use of health data and right to object under Finnish law

As Finland was one of the foremost advocates for the EHDS having already a comparable framework for health data secondary uses in place, it is interesting to see how Finland has included the opt-out possibility in the secondary use of health data legislation.

In the Finnish law relating to secondary uses of health and social data, upon which the proposal for the EHDS Regulation for the large part is formed, no explicit right to opt-out is included. It is possible to exercise the right to object in terms of the GDPR article 21 within the permission authority, Findata, through registering it in the government e-identification scheme and by giving a personal reason for the objection. It is unclear in what kind of situations the right to object could be overridden by the applicant of the data permit. In such cases persons having opted-out should be informed and they are able to appeal this decision.

So far, approximately 230 persons out of population of 5,6 million have used their right to object. Findata gives information relating to this right at its web-page.  Other holders of personal health data which utilize it for secondary uses do not have as easily obtainable information regarding the possibility to exercise the right to object but the information is included in the general data protection documentation available at the web-pages of hospital districts, private health care providers and the Finnish Institute of Health and Welfare.

It should also be highlighted that the national Finnish data protection law complementing the GDPR requires that  the data controller assesses in each case whether it is necessary not to apply the right to object or other rights for a particular research project in terms of  Article 89.2 GDPR. The law provides for several conditions for this, including carrying out a data protection impact assessment (DPIA) for the processing of special categories of data. This also presupposes that utilizing the exception for a particular research project is properly communicated to data subjects. This is imperative since the data subject cannot contest the decision either in the court or to the data protection authority if they do not know that their data is being used in spite of the objection.

 

Conclusion

If the Council version of the EHDS Regulation of right to object is adopted this will very likely lead to legal uncertainty in terms of handling the rights in EU wide data sets. An opt-out is a de facto prohibition of certain type(s) of secondary uses of data whereas a right to object in terms of Article 21 is a conditional right the application of which is limited and subject to in casu interpretation. This includes an obligation to inform the data subjects for different processing activities where the right to object would not be permitted, including the possibility to appeal that decision. Moreover, the data subject would have to reveal a personal, possibly a sensitive reason for objecting to the processing in the first place, which reason could reveal also their identity.

We can also ask, given the sensitivity of the personal data in question and wide range of secondary uses, whether a limited conditional right to object would fulfil the requirements of Article 52(1) of the Charter of the European Union, which sets the general requisites for restricting fundamental rights for Members States. Such restrictions must be provided by law, respect the essence of rights and freedoms and, in case of sensitive data, limitations will have to be strictly necessary, and genuinely meet objectives recognised by the Union or to protect rights and freedoms of others. Since the Council Mandate gives space for different versions of the limitations for data subjects’ right to control the secondary use of their personal data, it may introduce even further legal uncertainty within the EHDS if in some Member States such limitations could be regarded as not being compatible with the Charter of Fundamental Rights.

If persons were to have different possibilities to object to the use of their personal data in different EU countries this would also amount to unequal treatment of data subjects in different Member States. What we do not want is to reproduce the present fragmented situation in terms of interaction of the GDPR and national sectoral laws regulating processing of health data for secondary purposes. The research sector has been particularly hard hit by this. It is difficult to share data for bio-medical research even between the Nordic countries which have a very similar legal framework.

In order to give all residents in the EU equal rights to control the secondary uses of their health related data in the EHDS framework, clear EU-wide rules relating to the right of the data subject to prohibit (opt-out) all or certain secondary uses of their personal health data as proposed by the Parliament is to be preferred in this respect. The practical implications would still need to be hashed out as to, for example, whether there is one general opt-out, or a possibility to opt-out only for certain type(s) of uses of personal data. The technological infrastructure for doing this could be developed at the European level in connection with setting-up EHDS technological framework.