I. Introduction
On May 3, 2022, the European Commission published its proposal to create a European Health Data Space (the “EHDS Proposal”) [
1]. The EHDS Proposal aims to introduce a new, unprecedented framework to make electronic health data available for re-use for various purposes, including research. This proposal is groundbreaking on two counts: (1) the electronic health data to be made available for re-use include data held by both public sector bodies and private sector organizations—meaning that private companies would be required to disclose certain electronic health data to third parties for re-use; and (2) the recipients of the data (called data users) are allowed to use the data for a number of purposes, including, among others, scientific research, product development, artificial intelligence (AI) training, and personalized healthcare—meaning that data can be used for commercial purposes. The background to this proposal is that, in the eyes of European policymakers, the coronavirus disease 2019 (COVID-19) pandemic highlighted the importance of having up-to-date health data to respond to public health crises.
The EHDS Proposal is anticipated to have wide-reaching consequences for the healthcare sector, transforming the way in which electronic health data will be shared and reused in Europe. The EHDS Proposal is still in draft form and progressing through the European legislative process, so it is likely to change. This article analyzes the EHDS Proposal as first published by the European Commission, with a focus on the provisions on secondary use of electronic health data. This article discusses the newly proposed mandatory data sharing regime for secondary use of electronic health data, and the responses to this proposal from industry and academia. The final section of this article discusses the potential policy implications of the EHDS Proposal in Korea.
III. Results
1. Background
The EHDS Proposal is a sector-specific component of the EU’s European Strategy for Data, announced in 2020 (EU Data Strategy) [
2]. The EU Data Strategy recognizes data as “the lifeblood of economic development.” The ultimate aim of the strategy is to ensure that Europe is able to capture the benefits of better use of data by increasing the use of, and demand for, data and data-enabled products and services throughout the EU.
The EU Data Strategy is operationalized through numerous horizontal legislative reforms—such as the Data Governance Act (entered into force in June 2022) and the Data Act (proposed in February 2022, not yet adopted)—and sector-specific, vertical legislative reforms targeting key sectors [
3]. Through the vertical legislative reforms, the EU will create “European Data Spaces” focused on specific sectors, such as healthcare, manufacturing, mobility, and energy. The EHDS is the first of the European Data Spaces to be formally proposed by the European Commission. Each of these legislative reforms are aimed at unlocking access to data—currently held in the hands of a few organizations—and making it available to a greater number of actors for re-use.
2. Overview
The EHDS Proposal is a lengthy and complex piece of proposed legislation [
4]. An overview of the EHDS Proposal can be found in (
Table 1). The EHDS Proposal creates a wide range of new rights and obligations in relation to access to and use of “electronic health data.” A chart setting out the defined terms in the EHDS Proposal can be found in
Table 2. The key components of the EHDS Proposal are as follows.
1) Primary use
The EHDS Proposal creates new rights for patients over their electronic health data processed in the context of primary use of electronic health data [
5]. The new rights granted to patients include the right to access, modify, and restrict access to electronic health data by healthcare professionals. The EHDS Proposal would also grant healthcare professionals access to electronic health data of their patients across EU member states, irrespective of the member state of affiliation and the member state of treatment. Patients are allowed to restrict access to certain electronic health data by their healthcare professionals on an “opt-out” basis.
2) EHR systems
The EHDS Proposal establishes a pre-market conformity assessment requirement for Electronic Health Record systems (EHR systems) and a voluntary labeling scheme for wellness applications. The conformity assessment would evaluate whether the service meets certain mandatory requirements relating to fitness for purpose and interoperability [
6].
3) Secondary use
The EHDS Proposal introduces new obligations for “data holders” to provide electronic health data for secondary use by third parties. Access to electronic health data would be mediated through a data permit system run by government-designated health data access bodies. The rules for secondary use of electronic health data are the focus of this article.
3. Rules for Secondary Use of Electronic Health Data
Chapter IV of the EHDS Proposal sets out rules applicable to the “secondary use” of electronic health data. Under these rules, “data holders” must make a wide range of specified categories of electronic health data available for secondary use by third parties, called “data users.” The term “data holder” is broad enough to include hospitals, biobanks, research institutes, academic institutions, and commercial companies, such as pharmaceutical companies and medical device manufacturers. The EHDS Proposal is clear that electronic health data “entailing protected intellectual property and trade secrets from private enterprises
shall be made available for secondary use” (our emphasis), although in such cases “all measures necessary to preserve the confidentiality of intellectual property (IP) rights and trade secrets shall be taken” (Art. 33(4)). A full list of the types of electronic health data that data holders would be required to share pursuant to these rules can be found in
Table 3.
To access the data for secondary use, any “natural or legal person may submit a data access application” to the health data access body “for the purposes referred to in Article 34” (Art. 45(1)). These purposes include, among others, “scientific research related to health or care sectors,” “development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices,” and “training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices” (Art. 34(1)(e)–(g)). A full list of the allowed and prohibited purposes for which electronic health data can be re-used under the EHDS Proposal are set out in
Table 4.
It is notable that these allowed purposes may include revenue-generating commercial purposes, such as product development. It is also notable that the data user is not restricted to being in a particular sector, or to being an academic or public institution. This means that commercial organizations, such as technology companies, pharmaceutical companies, and medical device manufacturers can all take advantage of the EHDS rules on secondary use to gain access to data held by third parties. Before granting a permit, health data access bodies must assess “if the application fulfills one of the purposes listed in Article 34(1) of this regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this chapter are fulfilled by the applicant” (Art. 46(1)). If the applicant meets these requirements, the health data access body is required to issue a data permit within 2 months. Once the data permit is issued, the health data access body will request the data holder to provide the data to the health data access body, which will then make it available in a secure processing environment.
Where the applicant seeks data only from a single data holder in a single member state, the data user may submit a data access application to the data holder directly (Art. 49(1)), without going through a health data access body. A direct data access application must include the same elements required for an application to a health data access body, and the data holder must consider the same criteria that health data access bodies consider when determining whether to issue a data access permit (Arts. 49(1)–(2)). Where the criteria are met, the data holder “may issue a data permit” (Art. 49(2)) and grant access to the requested data.
Flowcharts showing the process for making data access applications and granting data permits are presented in
Figure 1.
4. Responses to the EHDS
In the EU, the EHDS has generally received positive feedback from the research community and some industry groups [
7,
8]. However, there are some aspects of the EHDS Proposal that have been called out as raising certain concerns. Some of these concerns are as follows.
1) Intellectual property/trade secrets protections
The current text of the EHDS Proposal contains only vague, high-level references to protecting IP and trade secrets for data holders. Article 33(4) states that “all measures” must be taken to protect such rights, and that public bodies should take “all specific measures” to protect IP and trade secrets. Many industry players are calling for strengthened protections in this regard [
9].
2) Fees
Health data access bodies and data holders are allowed to charge a fee to data users for making electronic health data available for secondary use (Art. 42). This fee must be “transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition” (Art. 42(4)). This means that although data holders may be able to recoup the costs of making data available to data users, they are unlikely to be able to generate profit—or in some cases recoup the full cost of investments required to collect the data—from data sharing under the EHDS framework. The EHDS data sharing scheme may also threaten the business models of existing for-profit data sharing frameworks already in operation.
3) Medical confidentiality and ethics laws
Currently in the EU, medical confidentiality and ethics laws apply to patient health data. Concerns have been raised that the EHDS may challenge the differing traditions of member states regarding medical confidentiality and ethics relating to secondary use of data. This has led to the CPME (Standing Committee of European Doctors), an association representing European doctors, calling for granting patients the right to opt-out or opt-in to the collection and use of electronic health data for secondary use [
10]. The CPME has also called for systematically involving ethics committees or review boards within the EHDS framework.
4) Privacy and data protection law
The interplay between the EU’s General Data Protection Regulation (GDPR) and the EHDS is also unclear in places [
11]. The GDPR will apply to personal data processed under the EHDS framework. However, the EHDS Proposal does not create a legal basis under the GDPR for data users to access (pseudonymized) personal data, even if they obtain a data access permit. Rather, data users are responsible for identifying such a legal basis under EU or member state law, meaning that data users must identify the legal basis that would apply under both Article 6 and 9 of the GDPR. Currently in the EU, different member states take different approaches to whether patient consent is required to use data for research (Article 9(2)(a)) or whether organizations may rely on the research exemption in Article 9(2)(j) and Article 89(1) [
12]. The EHDS Proposal fails to harmonize the rules in this regard, leaving it open for the data user to identify the legal basis appropriate to the data processing in question. Without this harmonization, data users may in fact be limited in the types of data they will be able to access lawfully for secondary use.
IV. Discussion
The European Union has served as the model for Korea’s privacy and personal information policies. The EU’s GDPR has influenced Korea’s Personal Information Protection Act (PIPA) [
13]. The first question that pops into anyone’s mind, thus, is whether Korea can implement a secondary use pathway similar to that in the EHDS Proposal. It is undeniable that putting health datasets held by private entities to secondary use has the potential to benefit society. That said, requiring privately held datasets to be made available for secondary use by third parties on a mandatory basis will likely meet significant legal challenges under Korean law.
The Korean constitution provides that the property rights of citizens must be protected and that the scope and limitations of property rights are to be set forth in a statute (Constitution, Art. 23, Para. 1). The constitution also provides that commandeering, using, or limiting a citizen’s property out of public necessity must have legal basis in a statute and be justly compensated (Constitution, Art. 23, Para. 3). The concept of trade secrets is defined broadly as information, including a production method, sale method, useful technical or business information for business activities, which is not known publicly, is managed as a secret, and has independent economic value (Unfair Competition Prevention and Trade Secret Protection Act, Art. 2, Para. 2). This means that proprietary datasets will likely constitute a trade secret, a type of property protected by the constitution [
14].
Even if proprietary datasets constitute trade secrets or otherwise protected property under the constitution, one can argue that the takings clause under the Korean constitution will permit mandatory sharing of proprietary datasets for secondary use, provided that the legislature passes a law allowing it with just compensation [
15]. Besides, unlike tangible properties that can be used by only a single party at a time, intangible properties, such as datasets, do not necessarily diminish in value when used by multiple parties. However, it is not clear whether the “public necessity” component of the takings clause will be met if secondary use includes research and development activities with a commercial aim. In recent years, Korean authorities have rarely granted compulsory licenses on the grounds of public necessity, although the relevant IP law allows this if just compensation is also granted [
16].
This does not mean that creating a “health data space” of some kind in Korea would be impossible altogether. Many publicly held health datasets are already available for secondary use, mostly for research or public health endeavors (
Table 5). Korea could conceivably create a “health data space” that includes health datasets that have been created with research grants from the government. The current government research funding regulation bestows the property rights to all byproducts of research to the research institution or the individual researcher (National Research and Development Innovation Act [NRDIA], Art. 16, Paras 1 and 2), in a manner similar to the US Bayh-Dole Act [
17]. This property rights scheme was a utilitarian contrivance, after government ownership of IP created from government-funded research had failed to see active downstream development [
18]. By the same utilitarian token, permitting wider access to datasets created by government-funded research may bring about even more downstream use of the datasets than proprietary control by a single entity. There are three hurdles that need to be overcome to implement wider access to health datasets generated by government-funded research: legal basis for mandatory sharing of health datasets, privacy of research participants, and IP rights embedded in datasets.
The NRDIA would be the natural place to provide a legal basis to require sharing of scientific data, including health data, created during government-funded research. The current NRDIA conceptualizes a “data management plan” as a part of research proposals, which should include the researcher’s plan to generate, store, maintain and share scientific data created by government-funded research [
19]. However, a data management plan is required only selectively at the discretion of the funding ministry. The first step in widening access to health data for secondary research is to make data sharing the rule in publicly funded research, rather than the exception, as is the case in some jurisdictions [
20].
For health data, the privacy of the data subjects represented in the datasets will add to the legal complexity of mandatory sharing of health datasets for secondary use by third parties. In this regard, the government must provide guidance as to how health data may be made available for secondary research without compromising the privacy of research participants. The United States’ National Institutes of Health offers a good example [
21]. The “scientific research exemptions” under the PIPA as amended in 2020 provides some insights too [
22]. The research exemptions under the PIPA allow pseudonymized personal data to be used for statistical purposes, scientific research purposes, and archiving purposes in the public interest—without the consent of the data subject (PIPA Art. 28-2). This provision is similar to GDPR Article 9(2)(j) and Article 89(1), although the issue in the EU is one of fragmentation of how this provision is interpreted by different member states [
23]. While the constitutionality of the scientific research exemptions has not yet been tested, designing a Korean “health data space” along similar lines of the scientific research exemptions will at least find precedential support in the PIPA [
24].
Safeguarding IP rights embedded in or arising from the datasets will also be a critical issue. The EHDS Proposal reads “(e)lectronic health data entailing protected IP and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be taken” (EHDS Proposal, Art. 33.4; similar provisions are found in Arts. 34.4 and 37.1). The proposed text is not clear on what “all measures necessary” would entail, and how any disputes that will surely arise between the parties about the appropriate measures to take would be resolved. It will be interesting to watch how the EU solves the puzzle [
25]. Interestingly, the European Commission’s Data Act Proposal contains more detailed provisions relating to dispute resolution in this regard, and we may see this being reflected in future iterations of the EHDS Proposal. The same issue will have to be overcome as well if Korea were to adopt the authors’ suggestion of making datasets from government-funded research available to the public for secondary use. Regardless of whether datasets are made available to the public or not, some IP rights may have to remain proprietary to the research organization or the individual researcher in order to make downstream development feasible, especially in the life sciences industry where IP rights become key assets [
26].
In conclusion, the EHDS Proposal is a reminder that facilitating secondary research by widening access to health data, whether held by the public sector or the private sector, will add value to society. It is a policy that Korea should consider in the long run. If a similar piece of legislation is not feasible in the short term in Korea, mandatory sharing of scientific data, including health data, generated by government-funded research will be a feasible and beneficial alternative.