In the ongoing debate over the European Health Data Space (EHDS) proposal, the issue of consent for secondary use of health data has taken center stage. A petition signed by over 100,000 people, led by the European Digital Rights Association (EDRi), calls for patient empowerment in deciding the secondary use of their health records. The petition argues that the Commission’s proposal doesn’t give patients enough say in sharing their data for secondary use. The Parliament’s rapporteurs suggested an opt-out option, but the petition supporters insist on explicit patient consent for secondary use of medical records.
The EHDS proposal, however, doesn’t explicitly contain either opt-in or opt-out options. When the Commission proposed EHDS in May 2022, they described it as “a kind of GDPR+ system”. The idea is to move away from the consent system to one where citizens can control their data without needing to give specific consent. Most health data would be anonymised or pseudonymised, with strict guarantees in place to ensure that other parties can only view, not access, the patients’ data.
The EHDS proposal overlaps with other regulations such as the Data Act, the Data Governance Act, and GDPR. GDPR’s Article 21, focusing on the right to object to the use of personal data, applies here. According to Markus Kalliola, coordinator of TEHDAS, a project supporting EHDS, this aligns more with an opt-out option. However, he acknowledges that differing interpretations of GDPR law across EU member states pose a significant challenge to the use of health data.
The TEHDAS project has identified this fragmentation of GDPR as a major obstacle to cross-border use of health data. The project concluded that differences in national infrastructure, healthcare organization, and pre-existing legislation are the root causes of these varying GDPR implementations. Kalliola remains hopeful that EHDS will help harmonise these practices and stresses the need for individual roadmaps for each EU member state, along with strong data safeguards.