In a joint opinion , EDPB and EDPS call for Union patient information to be stored only within the European Economic Area. No "secondary use" of info generated by wellness apps and other digital health apps 26 Jul 2022 L. O.
Full compliance with the rules set for the protection of European patients' data. This is what the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) recommend in their joint opinion on the European Commission's proposal for the European Health Data Space. Index of topics • What the European Health Data Space provides • The knots to be untied • Primary and secondary use of data • Risk of illegal access to data What the European Health Data Space provides The proposal aims to facilitate the creation of a European Health Union and to enable the EU to fully exploit the potential offered by the safe and secure exchange, use and re-use of electronic health data, both to provide better healthcare, including cross-border healthcare, to the entity whose data have been collected ('primary use'), or for scientific research purposes, personalized medicine, statistics, digital applications for health ("secondary use"). In welcoming the commitment to strengthen people's rights to their electronic health data, the EDPB and EDPS nevertheless express a number of general concerns. The knots to be untied In the first line, reads the note of the Privacy Guarantor, "the misalignment between the provisions of the proposal on the rights of the interested parties and the Gdpr". Furthermore, while recognising that the provisions of the proposal are aimed at facilitating the secondary use of electronic health data may generate benefits for the public good, the Board and the European Supervisor highlight the risks to the rights and freedoms of data subjects arising from these additional processing activities, in respect of which, unlike 'primary use', the data subject is not guaranteed the right to restrict third party access to their data. Primary and secondary use of data The EDPB distinguishes between the processing of personal data (including health data) collected specifically for scientific purposes ("primary use") and the processing of data initially collected for another purpose ("secondary use"). The Board and the European Supervisor consider that the purposes of the secondary use of electronic health data are not adequately defined by the proposal and therefore call on the co-legislators to further delimit those purposes, limiting them to those related to the pursuit of a public good in the health and/or social security sector. Regarding the health data generated by wellness apps and other digital health applications, EDPB and EDPS ask that this personal information not be made available for "secondary use", because it produces a huge amount of data, which is not of the same quality as that generated by medical devices and which can be processed together with additional information other than health information. Risk of illegal access to data "Although the objective of the infrastructure for the exchange of electronic health data envisaged in the proposal is to facilitate the exchange of health data, the large amount of data that would be processed, their highly sensitive nature, the risk of illegal access and the need to ensure effective control by independent data protection authorities require, according to the EDPB and the EDPS, that the European Parliament and the Council impose the obligation to store electronic health data exclusively within the European Economic Area (subject to further transfers in accordance with the guarantees prepared Gdpr). Finally, with regard to the governance model introduced by the proposal, the EDPB and the EDPS underline that the Data Protection Authorities are the only competent authorities for matters relating to the processing of personal data and should remain the only point of contact for individuals on these issues. Therefore, any overlap between those Authorities and the new entities introduced by the proposal should be avoided and their respective competences and clear cooperation obligations should be provided for.