A joint opinion on the European Health Data Area
The European Data Protection Board, together with the European Data Protection Supervisor, has adopted an opinion on the European Commission’s proposal for a regulation on the creation of a European Health Data Area (known in English as the European Health Data Space, or EHDS).
In this opinion, they draw the attention of co-legislators to several key concerns related to the project and invite co-legislators to:
- Address the localization of health data within the European Union, given the sensitivity and the volume (500 million European citizens) of the data falling within the scope of the proposal;
- Clarify the interaction between this proposal and the GDPR to ensure a consistent application of the two texts and in particular with regard to the rights of the persons concerned;
- Preserve the exclusive competence of the data protection authorities in dealing with any question related to the protection of personal data;
- Strictly limit exceptions to data subject rights guaranteed by the GDPR;
- Exclude data collected by wellness applications and other digital applications from the scope of the proposal;
- Respect the principle of minimization by limiting access to health data to the strict needs of health professionals involved in the primary use of health data;
- Better define the objectives to be pursued in the context of secondary uses of health data, particularly by demonstrating adequate links to social protection and public health issues;
- Define a coherent relationship between the mission of the new EHDS committee and the “joint responsibility groups”, whose names are, moreover, misleading.
A methodology for identifying cross-border cases of strategic importance
An indicative list of criteria for identifying strategic cross-border cases for which compliance measures should be prioritized was adopted during the EDPS plenary. It has also selected the first 3 pilot strategic areas for which cooperation with data protection authorities will be strengthened.
This act is a continuation of the Declaration of European Cooperation, in which the EU authorities reiterated their commitment to closer and more integrated cross-border cooperation, especially with the aim of faster and more structured processes against major digital players.
To be identified as strategic, cases must meet one or more of the following criteria:
- The case relates to a structural or recurrent problem in several Member States, in particular if it raises a general legal question regarding the interpretation, application or implementation of the GDPR;
- The case lies at the intersection of data protection and other legal fields;
- Large numbers of people are affected in several Member States;
- Numerous complaints have been received in various Member States;
- The case raises a fundamental question regarding the strategy of the EDPS;
- The case may constitute a high risk under the GDPR, particularly if:
  - Sensitive information is processed;
  - Vulnerable people, such as minors, are affected;
  - A Data Protection Impact Assessment (DPIA) is required for the respective processing.
In practice, a data protection authority, such as the CNIL, may present a case meeting one of these criteria to its EDPS counterparts, who will then decide whether the case in question can be considered strategic.
A second document specifies the selection process, which consists of two distinct phases:
- A phase of rapid selection of pilot cases before the summer aimed at rapid experimentation with collaborative approaches;
- A second phase of the annual selection of strategic cases, more structured and iterative, will begin in the summer of 2022.