Hostname: page-component-669899f699-g7b4s Total loading time: 0 Render date: 2025-04-26T04:40:35.971Z Has data issue: false hasContentIssue false
  • English
  • Français

Anonymisation, Pseudonymisation and Secure Processing Environments Relating to the Secondary Use of Electronic Health Data in the European Health Data Space (EHDS)

Published online by Cambridge University Press:  25 October 2024

Richard Rak Open the ORCID record for Richard Rak [Opens in a new window]
Richard Rak*
Affiliation:
University of Milan, Department of Legal Sciences “Cesare Beccaria”, Information Society Law Center, Italy
*
Email: [email protected]
Get access Rights & Permissions [Opens in a new window]

Abstract

By establishing a common data governance mechanism across the EU, the Regulation on the European Health Data Space (EHDS) aims to enhance the reuse of electronic health data for secondary use (e.g. public health, policy-making, scientific research) purposes and realise associated benefits. However, the EHDS requires health data holders to make available vast amount of personal and non-personal electronic health data, including electronic health data subject to intellectual property (IP) rights, for secondary use, which may pose risks for stakeholders (patients, healthcare providers and manufacturers alike). This paper highlights some conceptual legal problems which need to be addressed in order to provide clearer regulatory requirements to ensure effective and consistent implementation of key data minimisation measures (anonymisation or pseudonymisation) and data management safeguards (secure processing environments). The paper concludes that the EHDS has been drafted ambiguously (for example, its definition of “electronic health data” or the list of “minimum categories of electronic data for secondary use”), which could lead to inconsistent data management practices and may impair the rights and legitimate interests of data subjects and rights holders. To address legal uncertainties, prevent fragmentation and mitigate/eliminate risks, the EHDS requires closely coordinated implementation and legislative fine-tuning.

Keywords

European Health Data Space (EHDS)data protectionelectronic health data
Type
Articles
Information
European Journal of Risk Regulation , Volume 15 , Special Issue 4: Special Issue on Delegated Rulemaking in the European Union 15 Years Post-Lisbon, and Symposium on the Challenges of Cybersecurity in the Health Sector , December 2024 , pp. 928 - 938
Copyright
© The Author(s), 2024. Published by Cambridge University Press

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Article purchase

Temporarily unavailable

References

1 Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space (henceforth: “EHDS”), compromise text. Available: https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=celex:52022PC0197; https://www.consilium.europa.eu/en/press/press-releases/2024/03/15/european-health-data-space-council-and-parliament-strike-provisional-deal/. Note that the final adopted and published version of the EHDS may slightly differ from the compromise text analysed in this paper.

2 Judith Moore, Yasmin Dias Guichot, “How to harness the power of health data to improve patient outcomes,” World Economic Forum (5 January 2024). Available: <https://www.weforum.org/agenda/2024/01/how-to-harness-health-data-to-improve-patient-outcomes-wef24/>.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (henceforth: “GDPR”).

4 Gianclaudio Malgieri, Giovanni Comandé, “Sensitive-by-distance: quasi-health data in the algorithmic era” (2017) 26(3) Information & Communications Technology Law 229, 232. DOI: <https://doi.org/10.1080/13600834.2017.1335468>.

5 Article 29 Data Protection Working Party, Advice paper on special categories of data (“sensitive data”) (4 February 2011), 6. Available: <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf>.

6 Article 29 Data Protection Working Party, Letter from the ART 29 WP to the European Commission, DG CONNECT on mHealth, Annex – health data in apps and devices (5 February 2015), 3. Available: <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf>.

7 Dara Hallinan, Paul De Hert, “Many Have It Wrong – Samples Do Contain Personal Data: The Data Protection Regulation as a Superior Framework to Protect Donor Interests in Biobanking and Genomic Research” in Brent Daniel Mittelstadt, Luciano Floridi (eds), The Ethics of Biomedical Big Data. Law, Governance and Technology Series, vol. 29 (Springer, 2016), 119. DOI: <https://doi.org/10.1007/978-3-319-33525-4_6>.

8 Mahsa Shabani, Pascal Borry, “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation” (2018) 26 European Journal of Human Genetics 149, 152. DOI: <https://doi.org/10.1038/s41431-017-0045-7>.

9 Article 29 Data Protection Working Party, Working Document on Genetic Data (14 March 2004), 4. Available: <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2004/wp91_en.pdf>.

10 Taner Kuru, Iñigo de Miguel Beriain, “Your genetic data is my genetic data: Unveiling another enforcement issue of the GDPR” (2022) 47 Computer Law & Security Review 105752, 4. DOI: <https://doi.org/10.1016/j.clsr.2022.105752>.

11 DIGITALEUROPE, “European Health Data Space (EHDS): key issues to address in trilogues”

(22 December 2023), 3–4. Available: <https://cdn.digitaleurope.org/uploads/2024/01/EHDS-trilogues-DIGITALEUROPE-position-paper-1.pdf>.

12 Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (10 April 2014), 8. Available: <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf>.

13 Stakeholder coalition calls for legislative refinement of the EHDS (4 December 2023). Available: <https://www.digitaleurope.org/news/stakeholder-coalition-calls-for-legislative-refinement-of-the-ehds>.

14 European Data Protection Board, EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research (2 February 2021), 11. Available: <https://edpb.europa.eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf>.

15 DIGITALEUROPE (n 11), 8–10.

16 Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland [2016] ECLI:EU:C:2016:779; Case T-557/20, Single Resolution Board v European Data Protection Supervisor [2023] ECLI:EU:T:2023:219.

17 Michèle Finck, Frank Pallas, “They who must not be identified—distinguishing personal from non-personal data under the GDPR2 (2020) 10(1) International Data Privacy Law 11, 17. DOI: <https://doi.org/10.1093/idpl/ipz026>.

18 Irene Schlünder, Michaela Th. Mayrhofer, Erdina Ene, “Elements of Secure Processing Environments” (HealthyCloud and EOSC-Life Workshop Report v1.0, Brussels/online, 19–20 June 2023), 12. DOI: <https://doi.org/10.5281/zenodo.8341642>.