By Wenkai Li, 19th October 2024
Introduction
In the paper The European Health Data Space: An expanded right to data portability? published earlier this year, Li and Quinn discussed one of the many ambitions of the upcoming European Health Data Space (EHDS) to enhance the right of natural persons to data portability and promote interoperability in the health sector. This paper seeks to delineate to what extent the EHDS leads to a new and expanded right building on the right to data portability provided in Article 20 of the General Data Protection Regulation (GDPR). Based on the initial EHDS proposal published by the Commission in March 2022, the authors argue that Article 3(8) of the EHDS proposal represents an important expansion with the potential to allow individuals more possibility to control and mobilise their electronic health data, especially those elements located within Electronic Health Records (EHRs). This will also be facilitated by the strengthened interoperability requirements foreseen by the EHDS proposal. However, this paper also identifies several limitations and inconsistencies in the new data portability right potentially hindering its functioning, in particular, the broad and unclear definition of primary use, and the absence of data portability rights for secondary use along with the permit-based data access mechanism.
Two years after the Commission's proposal, the EU institutions reached a compromise on the text of this regulation in March 2024. The newly agreed text is now pending approval by the Council, following the Parliament's approval at the end of April 2024. This blog post seeks to examine and report on whether there have been any updates to the provisions concerning the right to data portability in the current compromised text.
Separate articles for rights of natural persons in primary use
The latest text improved the clarity by restructuring the provisions concerning the rights of natural persons in primary use, with separate articles devoted to different rights. These rights can be separated into two groups. First, these include the rights that have their corresponding presence in the GDPR, such as the right of access, the right to ratification, and the right to data portability (now explicitly mentioned in the text). Second, there are also new rights dedicated to the primary use of electronic health data, such as the right to insert information in the EHRs (which is seen in the paper as another implicit element of data portability) and the right to opt out from primary use.
Exercising the right to data portability on inferred data
Concerning the right to data portability, in general, the aim to address the limitations of Article 20 of the GDPR remains unchanged in the iterations of the EHDS. This right in the EHDS context will apply to the processing of electronic health data, including inferred data, irrespective of the legal basis, which is seen as a major expansion compared to the limiting conditions in Article 20 of the GDPR. Additional requirements for a data holder/controller compared to the GDPR include “immediately, free of charge and without hindrance”. Also, a healthcare provider is obliged to “accept such data and be able to read it”, which is not mandatory for a data recipient under the GDPR.
However, Recital 12 of the latest text appears to restrict the scope of inferred data to only those in the European electronic health record exchange format (although the ambiguous wording of the sentence possibly leads to several nuanced meanings). The European electronic health record exchange format is the technical specifications to be laid down by the Commission for the transmission of personal electronic health data in primary use. In their paper, Li and Quinn argued that it is an important step to facilitate data transmission and interoperability in the health sector, as the GDPR does not provide much meaningful guidance on what constitutes “a structured, commonly used and machine-readable format”. That being said, the exchange format is primarily intended and mandatory for priority categories of electronic health data outlined in Article 5 and Annex I. If the scope of inferred data is limited in the described way, it could rule out potential data portability requests concerning many non-traditional sources of electronic data, e.g. AI-based analysis on a health app.
More clarity on the scope of the right to data portability
In the EHDS, the right to data portability falls in the rights of natural persons in primary use, which is defined as “the processing of electronic health data for the provision of healthcare to assess, maintain or restore the state of health the natural person to whom that data relates”. Supposedly, the right to data portability does not apply to secondary use. Nevertheless, the paper of Li and Quinn raised a question about the ambiguity of the wording in the initial proposal regarding the scope of the right: "Natural persons should have the right to give access to or request a data holder in the health or social security sector to transmit their electronic health data to a data recipient of their choice within the health or social security sector”. The problem lies in the broad and undefined term “health or social security sector”, leading to uncertain interpretations on whether a motivated individual can exercise the data portability right to transfer their electronic health data initially used for primary purposes to actors that might be able to use the data for purposes other than primary use. An example can be health-related research, provided that health research is considered to fall in “the health sector”.
The reformulated Article 8d in the agreed text addresses this ambiguity by making clear that, in a data portability request, both the initial data holder and the data recipient have to be either a “healthcare provider” or “a clearly identified recipient in the social security or reimbursement services sector”. For the terms “healthcare” and “healthcare provider”, the EHDS makes references to the definitions provided in Directive 2011/24/EU (Directive on Patients' Rights in Cross-Border Healthcare), which align with the definition of “primary use” in the EHDS. From this clarification, it can be concluded that the legislator did not intend to extend this right for mobilising data from primary use areas to secondary use.
Conclusion
The expanded and enhanced right to data portability envisaged by the EHDS, combined with the interoperability requirements and the introduction of the European electronic health record exchange format, represents considerable progress compared to Article 20 of the GDPR. The relevant provision in the latest text of the EHDS has indeed resolved some of the questions raised by the paper on the initial proposal, but also seemingly made changes, in particular, to exactly what data can be mobilised based on a data portability request, which is still yet to be confirmed.
Credit: Image created by Freepik
