A joint statement on the European Health Data Area
The European Data Protection Board, together with the European Data Protection Supervisor, has adopted an opinion on the European Commission’s proposal for a regulation establishing a European health data area (European Health Data Space Where EHDS English).
In this statement, they draw the co-legislators’ attention to a number of major concerns regarding this project and invite the co-legislators to:
- to speak out for localization in the European Union area of health data fall within the scope of the proposal, in particular due to their sensitivity and the scale they represent (500 million European citizens) .
- clarify the interaction between this proposal and the GDPR to ensure a coherent application of the two texts and in particular with regard to the rights of the persons concerned;
- team the sole competence of the data protection authorities in the processing of any matter relating to the protection of personal data ;
- strictly limit the exceptions to data subjects’ rights guaranteed by the GDPR;
- exclude data collected by wellness apps and other digital apps from the scope of the proposal;
- respect the principle of minimization by limiting access to health data to the strict needs of health professionals involved in the primary use of health data;
- better define the objectives pursued in secondary uses of health data, in particular by demonstrating a sufficient link with social protection and public health issues;
- define a coherent relationship between the tasks of the new EHDS committee and the “joint responsibility groups”, whose names are also confusing.
A procedure for identifying cross-border cases of strategic importance
During the plenary, the EDPS adopted an indicative list of criteria for identifying strategic cross-border cases for which compliance measures must be prioritized. It also selected the first 3 strategic pilot cases where cooperation between data protection authorities will be strengthened.
This work is a continuation of the declaration on European cooperation, in which the EU authorities reiterated their commitment to closer and more collective cross-border cooperation, especially with a view to obtaining faster and more structuring procedures against large digital actors.
In order to be identified as strategic, cases must meet one or more of the criteria below:
- the case is related to a structural or recurrent problem in several Member States, in particular if it raises a general legal question regarding the interpretation, application or implementation of the GDPR;
- the case in question lies at the intersection of data protection and other legal areas;
- a large number of people in several Member States are affected;
- numerous complaints have been received in several Member States;
- the case raises a fundamental question regarding the strategy of the EDPS;
- the matter may lead to a high risk under the GDPR, especially if:
- sensitive data is processed;
- vulnerable people, such as minors, are concerned;
- a Data Protection Impact Assessment (DPIA) is required for the processing in question.
In practice, a data protection authority such as the CNIL may refer a case meeting one of these criteria to its EDPS counterparts, who will then decide whether the case in question can be considered strategic.
Another document specifies the selection procedure, which includes two distinct phases:
- a phase of rapid selection of pilot cases before the summer period with the aim of rapidly experimenting with the cooperation procedure;
- a second phase, more structural and recurrent, of annual selection of strategic cases, which will begin in the summer of 2022.