New EU health data law endangers medical secrecy

EU lawmakers have agreed on a compromise for the European Health Data Space (EHDS) which will expose everyone’s medical records to unnecessary security and privacy risks in the name of research and “innovation”.

By EDRi · April 3, 2024

After almost two years of legislative negotiations, lawmakers from the European Parliament and EU member states agreed last week on a compromise for the new European Health Data Space (EHDS).

Unfortunately, the EHDS compromise will expose everyone’s medical records to unnecessary security and privacy risks in the name of research and “innovation”. It mandates every hospital and every doctor to share the private medical data from every single patient—for the purpose of secondary use, i.e. unrelated to the patient’s treatment—with a national agency, the so-called health data access body. Exactly how and what patient data is going to be shared may vary from member state to member state.

Patient consent watered down

From the start, EDRi, many other organisations and over 112,000 people across Europe demanded a clear obligation to ask patients for their consent before this kind of health data sharing for secondary purposes takes place. While this has not found a majority, we successfully pushed EU parliamentarians to adopt at least a right for patients to opt out. Unfortunately, this opt-out right as a bare minimum level of protection has now been watered down with so many loopholes and exceptions by member states and the conservative lead negotiator, Tomislav Sokol, that the result can barely be called an ‘opt-out right’ at all. As a result, even data from people who have opted out can now be shared for secondary use if requested by public authorities or other parties commissioned by public authorities.

Moreover, the amount of data that can be shared under the new ‘secondary use’ clause is still way too extensive – including data from wellness apps and genetic data – despite some important successes by more critical parliamentarians to remove problematic data categories from the list.

No limits on who can access health data

The EHDS still does not limit who can obtain access to everyone’s health data for secondary use and allows broad access purposes. Any “natural or legal person” can request an access permit, according to the compromise, as long as their research contributes to “public health or health technology assessment” or ensures “high levels of quality” of health care and related products and services. That expressly includes the training and testing of algorithms, AI systems, and digital health apps, and opens the door to data abuse by tech companies from all over the planet.

The forced central storage of highly sensitive medical information of millions of patients on government-run servers in member states that choose that model, and the lack of effective options for patients to object to the onward-sharing of their data with unknown third parties—even if those are now limited to public authorities and those commissioned by them—constitute a fundamental breach of patient-doctor confidentiality. This will also create inherent and unnecessary risks for the security of our medical data against unintended leaks and malicious data breaches.

Jan Penfrat

Senior Policy Advisor

Mastodon: @ilumium