The European Health Data Space
Large scale data spaces could be beneficial for research but risk increasing cross-border data sharing challenges
5 October 2023
- Data spaces typically consist of three main elements: data sharing infrastructure, data governance bodies and data sharing rules
- Large scale data spaces could be very beneficial for research but also risk increasing cross-border data sharing challenges
- The European Health Data Space (EHDS) was introduced in May 2022 by the proposed European Health Data Space Regulation and is outlined further in the EU Data Governance Act
- Implementation and governance challenges that could impact research activities can be grouped into four themes: variation in data sharing governance, mandatory data sharing, variation in resources and variation in language
- The EHDS will need political and economic commitment on harmonisation but this begs the question of whether Member State harmonisation is always appropriate
- The mandatory data sharing requirement could overcome data siloing issues but this may provoke a backlash from stakeholders
Who is this briefing for?
This policy briefing is aimed at UK-based health researchers whose work involves cross-border data sharing with EU Member States. Whilst there is currently little public information about how UK institutions will interact with the EHDS, Article 52(2) of the proposed European Health Data Space Regulation provides for third countries to become authorised participants if they allow the EHDS access to their data on the same terms, among other requirements.
The UK currently benefits from an EU ‘adequacy decision’ for processing personal data under the GDPR. This removes obstacles to data transfers between the UK and EU and will be a crucial enabler for participation in the EHDS. Additionally, the NHS Confederation is the lead authority for the UK in the EU Joint Action Towards a European Health Data Space programme (TEDHAS), suggesting that the NHS has interest in participating. Therefore, whilst the EHDS is an initiative focused on harmonising data sharing across the EU, it will likely be highly relevant for UK-based health researchers.
What is the EHDS?
The proposed EHDS is one of nine common European data spaces focusing on EU priority areas such as agriculture, finance and the green deal. It was introduced via the European Health Data Space Regulation, although further amendments are expected while the legislative process continues until the 31 October 2024. The current intention is for the EHDS to be fully operational by 2025.
The EHDS will be used for both primary purposes of patient care (e.g. cross-border access to health records) and secondary uses (e.g. research and innovation). It aims to create a ‘single market’ space for data. From the perspective of secondary uses, it aims to promote access to and sharing of health data to improve health outcomes while protecting citizens’ data rights.
It seeks to address the challenges faced by healthcare systems by not only enabling but mandating data sharing across the EU (for all data holders other than micro enterprises. The mandate applies to all individuals or entities who meet its access requirements. The EHDS seemingly applies to all forms of health data, including but not limited to clinical trial data, data from wearable devices, patient registries and questionnaires related to health. In some cases it may include IP and trade secrets. Data sharing with permitted users is mandated regardless of whether the data is held in public or private.
Infrastructure and development
The EHDS comprises three main elements: data sharing infrastructure, governance bodies and data sharing rules. Its infrastructure is outlined in the Data Governance Act (DGA), which introduces new terminology that differs from that of the GDPR.
The federated data infrastructure seeks to uphold the data minimisation principle by ensuring data remains with its original holder and is only shared between that holder and an authorised other for specified purposes.
The proposed regulation seeks to facilitate the secondary use of health data within a single unified system. Researchers will request access to the EHDS via the relevant national Data Access Bodies (DAB), will process personal data within the controlled secure processing environment provided by that DAB, with the requirement that any significant findings for health be reported back to them. Each Member State will appoint a digital health authority to monitor its national health data space and implement defined penalties (up to exclusion) for those misusing data.
In simple cases a data user could request a permit from a single health data provider as long as equivalent security and privacy mechanisms are in place. It is not clear whether an approved SPE must be used. The key rules of access are provided in the grey box above, notably that only anonymised data can be extracted. However, this may be difficult to implement given that there is a lack of uniformity in the interpretation of ‘anonymised data’ across Member States.
In March 2023, a two-year pilot for the secondary use of health data was launched by the HealthData@EUPilot. By December 2023, three nodes are expected (France’s Health Data Hub, Finland’s Findata and Denmark’s Health Data Authority) to be connected to the European Central Services (ECS) via an edelivery network. This will centralise national dataset catalogues to the ECS and forward data permit requests from ECS to the three nodes for researchers to request access to one or more national data hubs.
Barriers for health and genomic data sharing
There are a host of challenges with such an ambitious plan, many of them existing challenges for cross-border data sharing that will be magnified by the larger scale envisioned by the EHDS. These include:
Extensive variation in data processing rules
The complexity of the GDPR rules and variability in how they are interpreted are likely to cause implementation challenges and be burdensome for data controllers. Examples include:1
- variation created by the proliferation of different conditions and limitations for the processing of biometric, health and genetic data under Article 9(4) by Member States (MSs)
- the widespread dependency on consent as a lawful basis, barring further processing
- variation in standards set by the research community for deidentification genomic data
- differences in ethical review procedures
Expected impact of mandatory participation on public and industry trust
Requiring that data are shared, including in situations where consent would have previously been required, could have major implications for public and commercial trust and confidence. This will be the case particularly if a range of secondary uses are allowed, which are outside normally accepted forms of research. Examples include:
- 75% of Europeans in a recent Ipsos poll were against having their health data shared with third parties unless subject to their explicit consent
- mandatory data sharing could provoke a backlash from industry over concerns for intellectual property and industrial secrets protection
- the European Data Protection Supervisor’s tougher stance on industry’s use of ‘scientific research’ exceptions in recent guidance and calls for a wider debate on whether industry-held data should be made available to even the playing field evidence on-going tensions that will be highlighted by the EHDS
- it is currently unclear whether the nine databases will be linked and the impact this could have on public trust if, for example, the health and finance spaces were linked
Differing resource and technological capabilities
Resource and technological capabilities have resulted in extensive variation in interpreting the GDPR and other relevant legal regimes and are also likely to threaten the realisation of the EHDS. Examples include:
- the interpretation of anonymisation under Recital 26 hinges on resource capabilities to reverse engineer and reidentify sources, which differ among MSs2
- there is an additional onus on technologically advanced MSs to help realise the EHDS in less advanced territories, demonstrating the considerable political and economic buy-in needed
- not all MSs will benefit equally from the EHDS due to existing demographic or resource differences; this raises the politically sensitive question of whether harmonisation is desirable given MSs essential differences, e.g., for those with older, less digitally equipped populations or those who do not have an established research community but will have to share their territory’s health data
Technical and linguistic challenges
Existing terminological challenges remain and will be exacerbated magnified by the scale of the EHDS. Additionally, the number of data sharing regulations being enacted with slightly different terminology may also increase the burden on data controllers when trying to understand what obligations they hold. For example:
- key concepts in the GDPR such as anonymisation and pseudonymisation have been hotly debated but the Data Governance Act will now add less familiar terminology, adding potential confusion about who is responsible for what processing activities
The EHDS proposal presents an ambitious and significant step towards a more integrated and streamlined approach providing better access to health innovations and treatment for its citizens, as well as for health research. Additionally, the aim of promoting data sharing and standardisation has the potential to accelerate scientific progress, boost collaboration, and facilitate knowledge transfer between different scientific disciplines.
However, the scale of the challenges cannot be underestimated. Without addressing the many known barriers already facing cross-border research, this may only increase the scale of existing data sharing challenges. In particular, the mandatory nature of data sharing will likely be opposed by both private citizens and individual companies who want to introduce a consent requirement.
There will also be technical challenges, in addition to those discussed in this briefing, such as the challenges of integrating multiple datasets from different sources while preserving data quality and consistency. As such, the success of the EHDS will depend heavily on political will across the EU. However, health has long been under the remit of domestic law and consequently, the question of whether such harmonisation is appropriate and equally beneficial for all is likely to be a sticking point in the legislative amendment period.
1&2 DG Health and Food Safety, Assessment of the EU Member States’ rules on health data in light of the GDPR (2021). Doi:10.2818/546193