The rule of law for medical scientists
We nowadays have a (fairly) well-functioning government. It’s sometimes forgotten that this used to be different, or that it still isn’t the case in many other countries. Lawyers learn during their training that it’s important to continue to defend the rule of law, so we never revert to dictatorship. As a medical scientist, you might think this isn’t your job, that you don’t need to know anything about it. Nothing could be further from the truth. Understanding the Trias Politica, for example, is important for knowing when to ignore the Data Protection Authority. It’s also helpful to understand that a lobbying campaign starts with the question of whether the Ministry of Health, Welfare and Sport is the right place to be. Therefore, I’ll outline some basic principles for medical scientists here.
The Data Protection Authority is sometimes wrong
A key element of our constitutional state is the separation of powers, the Trias Politica. The legislative branch establishes the rules (a Ministry drafts a law, but Parliament decides). If the rules are vague or there are exceptions, the judiciary provides further detail. In addition, we have the executive branch, which also includes enforcement authorities. They can impose fines. To prevent abuse of power, they may only implement rules and not establish or interpret them. This means that an authority like the Dutch Data Protection Authority cannot determine what the law entails (as also stated by Zwenne and Hallinan, p. 27).
The Data Protection Authority (DPA)’s position is similar to that of a police officer. While they can prioritize burglaries over public urination, for example, they cannot themselves determine that children on fat bikes will henceforth receive a fine. Similarly, the DPA may consider something to be part of its remit, but if the GDPR doesn’t stipulate that, no fine can be imposed. Even what’s stated on the DPA’s website isn’t necessarily correct. Just like the “opinions” of the EDPB, they are just that: opinions, ultimately up to a judge to determine their correctness. Similarly, it’s useful to question whether the IGJ’s code of conduct clearly stems from a law. If not, then, based on the principle of legality, no fine can be imposed for ignoring such rules. A critical attitude isn’t civil disobedience, but an important safeguard of the rule of law.
Trial Process Foundation useful for clarity
Related to this is the following point: if a problem is identified, a solution must be requested from the appropriate source. For example, the GDPR is a very unclear law. The medical-scientific sector is eagerly looking to the Ministry of Health, Welfare and Sport for clarification. But this Ministry cannot provide any explanation for an existing law, which, moreover, did not originate with it. The GDPR could be rewritten, but only the European Parliament can do that.
There’s also not always point in a governmental body paying someone to write codes of conduct. Because if they’re not actually used by judges to give substance to a vague law, then those codes simply have no legal standing. The GDPR can only be clarified by judges, but that would require submitting specific questions to the court. Generally, people are averse to litigation, but from a societal perspective, litigation serves an important function: it clarifies the law. That’s why it would be much more useful if, for example, the Royal Netherlands Academy of Arts and Sciences (KNAW) and the Dutch Trade Union Federation (FNV) established a foundation for test cases for medical scientists.
Furthermore, law isn’t a hard science. In many conflicts, both sides have a point; otherwise, litigation wouldn’t often go all the way to the highest court. It’s a high-level argumentation theory. Parties who understand this know that professors’ arguments carry considerable weight, which is why they sometimes open their wallets to appoint a special professor; it’s simply a form of lobbying.
And check whether you are adressing the right Ministry
If you want a new law, you also have to contact the correct Ministry. For example, there are complaints that scientists are not (or not always?) allowed to use the Citizen Service Number (BSN) to link files. (Pseudonymized) name and address data are regularly used, but this is worse from a privacy perspective and also leads to more errors. Therefore, there is lobbying for a change in the law at the Ministry of Health, Welfare and Sport (VWS). However, the BSN ban is in the implementing act for the GDPR. Therefore, it also makes sense to include a rule in that same act that scientists may use the BSN. After all, it doesn’t make sense to write different rules for medical scientists than for social scientists or criminologists. The Ministry of Justice is responsible for the GDPR, and therefore the Ministry of Justice is the right place to lobby for a change in the law. And if you can’t agree on the right Ministry for a draft law, remember that all laws are ultimately passed by Parliament. Lobbying the House of Representatives (which can add something to a bill that is already on the table) therefore makes more sense than lobbying the Ministry of Health, Welfare and Sport when it comes to addressing the BSN issue.
Conflict rules and logical reasoning
It’s also worthwhile to occasionally reflect on the broader legal system and its precise division of roles. For example, there are the conflict of laws rules. These days, many people use the term “lex specialis.” They call something a special law, which therefore takes precedence. That’s too simplistic. First, one must check whether there are two distinct rules pointing in different directions. Without conflict, the conflict of laws rules do not apply. Then, it’s important to establish that there is a sequence in the conflict of laws rules: (i) higher law always takes precedence over lower law, (ii) special law takes precedence over general law, and (iii) new law takes precedence over old law.
The second rule, the lex specialis rule, is therefore only applied if the first rule fails. Consequently, a special but lower-ranking law (such as the Medical Treatment Contracts Act) can never override European law. What is possible is for a national law (the Police Data Act) to apply instead of the GDPR, because the GDPR itself stipulates that it does not apply to police data. But that doesn’t make the Police Data Act a lex specialis. Also, beware of invalid reasoning. If a law stipulates that a file must be retained for two years, then there is nothing stipulated about what must happen in the third year. The law doesn’t state that the file must be destroyed after two years; that depends on whether, after those two years, there is a good reason other than the law for retaining it.
The Dutch WGBO is contract law
It’s also worthwhile to occasionally consider the broader legal system. For example, it’s often overlooked that the WGBO (Dutch Healthcare Act) is part of contract law; it’s simply included in the Civil Code, between tenancy law and employment law. This entails three things: first, it’s as soft as butter. Contract law is replete with open-ended standards such as reasonableness and fairness and good faith. What a care agreement entails in a specific case is therefore not determined purely by the letter of the WGBO, but equally by the circumstances of the case and what the parties could reasonably expect from each other. Moreover, as part of contract law, the WGBO constitutes a “right of redress.” This means it was written in case one party fails to comply with the agreement.
For example, suppose a doctor has made data available for research without asking permission. This can be brought before a judge, but the judge will simply assess: is there a breach of contract? Check. Has there been any damage? Probably not, except that it is considered annoying. And is there evidence of a causal link between the breach of contract and the damage? You will understand that the patient cannot always rely for remedies on the medical confidentiality obligation in the Medical Treatment Contracts Act (WGBO) while he can rely on the Individual Healthcare Professions Act. This is especially true because they may be able to receive €250 in damages, but the procedure (without legal aid) quickly costs €5,000. Contrary to popular belief, the WGBO is only enforced by the civil courts. After all, the governmental agencies overseeing health care must, based on the principle of speciality, limit themselves to those laws that state that they are enforced by that agency, and that is not the case with the WGBO. In short, don’t be blinded by the content of a single rule; always assess it within the larger system.
The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?
