In Europe, health data are considered so sensitive that processing them is generally prohibited in the EU, unless that processing follows specific guidelines. For example, the prohibition does not apply when sharing data is essential to providing healthcare, where those data are handled by a Healthcare Professional (HCP) subject under national law and subject to professional secrecy laws. With the rapid growth in diversity of medical technologies though, more and more medtech companies are processing health data on behalf of HCPs.
Whereas under the current Directive, professional secrecy laws are considered sufficient at national level, article 81 of the draft General Data Protection Regulation, or GDPR (as approved by the European Parliament’s LIBE Committee), imposes on Member States the task to develop rules to safeguard the patient’s legitimate interests and fundamental rights, before the ban on processing of health data for purposes of providing healthcare can be lifted.
But how should EU Member States regulate this? No indication is given as to what exactly such national regulation should cover, regulate or prohibit. In one extreme potential scenario, an HCP who processes personal health data should receive, if possible, anonymized or pseudonymized data, leaving the knowledge of the identity only to the HCP who has requested the data processing. In this case, local law could require that all new medical devices should be able to pseudonymize and again re-identify personal data, depending on who exactly is involved in which part of the processing activities of a patient’s data.
While this example may be far-fetched, it is clear that this article 81, par. 1 (a), may open the flood gates to new legislation in an already heavily regulated area of medical technology. This sector-specific legislation safeguards European patient’s interests but also requires a high volume of data collection and processing. And such processing is likely to further increase with the growing trend of healthcare services provided by remote and electronic means.
To further complicate things, such national requirements may differ from country to country, making the collection and processing of health data so difficult and complex in some countries, that certain new data-heavy medical technologies may be brought to market later those countries or not at all. This would run counter to one of the most important aims of the new data protection measures, notably to further harmonise the protection of personal data in the different Member States. In the end it may actually spawn further fragmentation – slowing patient access to new therapies in some parts of Europe versus others.
Whereas the importance of the right to confidential and secure processing of health data is essential, the new GDPR should balance the benefits of increased privacy protection and the possible impediment to medtech developments as well as patients’ access to modern therapies. It should reconcile patients’ right to privacy with the evolution towards eHealth, mHealth and telemedicine.
The efforts of different stakeholders, such as the Health Care Coalition to promote further maintenance and clarification of the scope of the derogations of Article 81 (i.e. Health Exception) and Article 83 (i.e. Research Exception) and related Recitals can only be applauded and supported. The medtech industry has also has a legitimate interest in ensuring that the new GDPR can be read together and reconciled with sector-specific regulatory framework for medical technology to ensure legal certainty. Ultimately, we need to make sure EU citizens benefit—we need to make sure their privacy is respected without endangering their health.
- Chantal Vets, Senior Legal Manager, Medtronic