Today, the Commission published a study on the “Assessment of the EU Member States’ rules on health data in the light of GDPR”. The study finds that while the General Data Protection Regulation (GDPR) lays down horizontal directly applicable rules in all Member States, there remains variation in the range of national-level legislation linked to its implementation in the area of health. This, the study suggests, has led to a fragmented approach in the way that health data processing for health and research is conducted in the Member States. This can negatively impact cross-border cooperation for care provision, healthcare system administration, public health or research. 

To ensure that European healthcare systems can make the best possible use of health data and to support the development of the European Health Data Space, a number of legal and operational issues need to be addressed in a multi-faceted approach. The study identified potential future EU level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific EU level legislation. In addition to legal requirements and governance, the study also points to the need for a more harmonised approach across the Member States when it comes to technical infrastructure, technical and semantic interoperability. Data quality and acquisition, digital skills and capacity-building for primary and secondary use of health data were also areas identified where a harmonised approach could be beneficial. 

The study goes on to highlight that co-operation between the EU, Member States and relevant stakeholders is important, with a particular focus on the interests of patients. The study specifies that they should be supported as active agents in their own health and care, with full capacity to exercise their health data related rights. In conclusion, the development of the European Health Data Space, including specific legislation to be adopted to complement the proposal for a Data Governance Act, is believed to offer the ideal opportunity to build upon the suggestions outlined in the study. In addition, it is believed to ensure that health data can be used to promote better patient care, more resilient healthcare systems and stronger collaborative public health protection and healthcare research across the European Union. 

Background

The objective of the study was to examine and present the EU Member States’ rules that govern the processing of health data in light of the GDPR. The aim was to highlight possible differences and identify elements that might affect the cross-border exchange of health data in the EU for healthcare or for research, innovation and policy-making, and examine the potential for EU level action to support health data use and re-use.

The study is based on a series of expert workshops, organised in the first half of 2020, with the participation of representatives from Ministries of Health, stakeholders’ representatives, Data Protection Authorities and independent experts online consultations among stakeholders across the EU, desk research and legal analysis carried out by national legal experts.