Rechtsanwalt, Legal Director
Out-Law Analysis | 30 Sep 2022 | 2:10 pm | 8 min. read
Pharmaceutical companies will get access to a wider pool of data for research and development purposes under EU plans to create a ‘European health data space’ (EHDS).
The EHDS, the legislation for which was tabled by the European Commission earlier this year, will operate as a form of data repository that pharmaceutical companies will be able to access. The initiative, which formed a central part of the Commission’s flagship digital strategy in 2020, promises to address what has long been a barrier to innovation in the sector – a lack of access to quality data.
As well as being able to access data, pharmaceutical companies are likely to be compelled to make data they generate from their own medical research available to others via the repository. A lack of clarity over the protections that will apply to this data, however, poses the risk that the EHDS will stifle, not promote, investment in medical research.
The EHDS seeks to address health-specific challenges to data access and sharing. In particular, the EHDS:
The Commission’s proposal for the EHDS is currently being assessed by the EU’s two law making bodies – the Council of Ministers and the European Parliament. There is significant overlap between the proposal and other legal regimes – it has, for example, already been subject to commentary by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).
One feature of the EHDS that is likely to have a far-reaching impact on the pharmaceutical sector is the proposal to expand the availability of electronic health data for secondary use.
Associate, Pinsent Masons
The opportunities that the European health data space could unlock for the pharmaceutical sector are vast, but there is significant uncertainty too over the way the proposal is to be interpreted and over the protections it offers
Under the Commission’s draft EHDS regulation, electronic health data would be able to be further processed for a specific set of purposes, such as scientific research in the health and care sectors, development and innovation activities for products or services contributing to public health or social security, or for the purposes of training, testing and evaluating algorithms.
The EDPB and the EDPS have expressed concerns about secondary use for development and innovation activities, and for training, testing and evaluating algorithms, and strongly recommend that these purposes are further delineated and circumscribed to instances where there is a sufficient connection with public health and/ or social security.
Under the draft EHDS regulation, ‘data holders’ are required to make a very broad spectrum of electronic health data available to data users for secondary use. The definition of ‘data holder’ is wide and includes an entity in the health or care sector, or performing research in relation to these sectors, with the right, obligation or ability, to make available certain data. The EHDS makes clear that private entities are included in the scope of ‘data holders’, so the term could apply to pharmaceutical companies.
The categories of data to be made available include data processed for the provision of health or care services, or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes. As currently expressed, this definition appears to cover all electronic health data that an entity may hold without any sort of limitation. For example, health data is not limited to data that is collected for the purposes of providing health or care services, and as such is likely to capture clinical trials and safety related data.
It is unclear whether unstructured data would need to be provided, or whether the data holder would be required to convert the format of electronic health data for secondary use if it is not in an interoperable format. Stakeholders would benefit from more guidance on exactly what data will need to be made available and by whom.
Health data access bodies, established by EU member states, will play a significant role in the provision of access to electronic health data for secondary use.
Generally, prospective data users will need to submit applications to the health data access bodies for access to datasets, and the health data access bodies will be empowered to decide on applications and authorise and issue data permits. Where a data permit is granted, the data holder will be required to deliver the dataset to the health data access body, who will in turn ensure that electronic health data is shared with the data user in an anonymised format through a secure processing environment, which the health access bodies will be tasked with coordinating.
Where a data user’s purpose cannot be achieved by processing anonymised data, the health data access body will be entitled to provide a data user with access to electronic health data in a pseudonymised format following consideration of the data user’s reasons for requiring such access – which will need to be detailed in the data access application. However, this would not override any national law requirements to obtain, for example, an ethical assessment from a research ethics committee or a data protection authority.
In circumstances where a data user seeks access to electronic health data from a single data holder in a single member state, the data user in question will be able to file a data access application or data request directly to the data holder. In this case, it will be the data holder’s responsibility to anonymise or pseudonymise data, as appropriate, prior to disclosure.
The opportunities that the EHDS could unlock for the pharmaceutical sector are vast, but there is significant uncertainty too over the way the proposal is to be interpreted and over the protections it offers. We have set out some examples of the opportunities and risks below.
The legal basis for processing health data under the General Data Protection Regulation (GDPR) requires careful consideration given its sensitive nature. The draft EHDS regulation seeks to support stakeholders by clarifying the legal bases for processing and the grounds for exception to the general prohibition on processing special categories of personal data, like health data, that applies under Article 9 of the GDPR.
However, the EDPB and the EDPS have expressed concerns that there is no reference to the principles of the GDPR in the draft EHDS regulation’s criteria for assessing data access applications. For example, there is no reference to an assessment of the legal basis on which data users can process electronic health data for secondary use.
There is also ambiguity as to how the draft EHDS regulation will interact with national laws on processing special categories of personal data that EU member states may have drawn up using the powers available to them under the GDPR, which might include local requirements to obtain research ethics committee assessments, for example.
Given the Commission’s express desire to ‘build upon’ the GDPR with the EHDS, it will be interesting to see whether more guidance and legislation will be forthcoming on this subject.
The EHDS seeks to ensure that electronic health data is accessed through secure processing environments which comply with high technical and security standards, thereby providing strong technical and security safeguards. Expert groups may be created under the draft EHDS regulation to advise on the minimal requirements and technical specifications of these environments to reduce privacy risks associated with processing health data.
So far, no information has been provided about the functionality of secure processing environments and how they will support the use of electronic health data for secondary use purposes in any meaningful way – for example, how learnings might be extracted from the secure processing environment where a dataset is used to train artificial intelligence systems.
However, there are some examples of ‘secure processing environments’ being set up by some member states already. The development of these programmes may give an early indication of how a centralised EHDS will operate.
The Health Data Lab, established by Germany’s Federal Institute for Drugs and Medical Services, is one such example. It is designed to provide researchers and public institutions with access to anonymised or ‘synthetic’ datasets relating to health claims in a secure processing environment for analysis by artificial intelligence tools.
Intellectual property (IP) rights are considered the crown jewels for pharmaceutical companies, so it is not surprising to see that the draft EHDS regulation tasks health data access bodies with taking all measures necessary to preserve the confidentiality of IP rights and trade secrets that might subsist in a dataset. That said, there is very little clarity offered on exactly what measures will be available to protect the rights of data holders when providing data, and data users when generating and extracting data from the secure processing environment.
In terms of the insights generated in the secure processing environment, the results or output of secondary use purposes, including information relevant for the provision of healthcare, must be made public by a data user in an anonymised format no later than 18 months after the processing has been completed or the data user has received the answer to its data request. The draft EHDS regulation provides limited details about how these insights will be protected.
Copyright might protect how an insight has been expressed, but it won’t apply to the insight itself. An insight could benefit from protection if it is patentable, is subject to the duty of confidentiality, or meets the requirements for protection as trade secrets. Database rights are unlikely to offer much protection to a data user’s findings.
A clear position on the protection of IP rights offered under the EHDS will be vital, as prolonged uncertainty risks disincentivising investment in R&D activities.
More clarity over the way the EHDS is to be interpreted and the protections that apply is needed if the initiative is to reach its full potential.
Public trust also needs to be fostered too. The safeguards offered by proposed secure processing environments might go some way to earning public trust, but transparency and user control are important factors too. Currently, there is no right for individuals to opt-out from their health data being used for secondary use – something that the EDPB and EDPS highlighted needs to change.
If these points are not addressed in full by the Council of Ministers and the European Parliament in the EHDS proposals, guidance and implementing acts will be important in addressing some of the concerns businesses may have with the original proposal the Commission published.
Written by Anita Basi of Pinsent Masons.
01 Jun 2022
30 Sep 2022
Rechtsanwalt, Legal Director