The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The Health Data Access Body
Who can become a HDAB?
The Dutch government must announce by March 2027 who will be the Health Data Access Body, the body that will make health data available for beneficial reuse. This HDAB issues permits, and is therefore automatically a government body. After all, anyone established under public law is a government. Furthermore, anyone vested with public authority is a government, meaning that they can unilaterally determine someone’s legal status, such as determining whether someone receives a permit. Therefore, when designating the HDAB, three legal options can be chosen:
1. A completely new government body is established under the EHDS Implementation Legislation;
2. An existing government body is designated as the body that will henceforth also assume the HDAB tasks; or
3. An (existing or new) private-law organization is chosen, which, through the implementing legislation and the ZBO Framework Act, is embedded in the public system and thus becomes a government.
Legal tasks
When establishing this government body, it must be borne in mind that the HDAB must perform both legal and practical tasks under the EHDS. All legal tasks (which constitute a government entity) cannot be outsourced. This includes issuing permits, imposing fines, or imposing administrative penalties. This administrative decision-making will not be simple. Permit applications must be assessed against the GDPR and the EHDS, but also, for example, against the prohibition of discrimination and the European free movement provisions. Furthermore, compliance with other European law must be ensured, such as the Data Governance Regulation, the Data Regulation, and the Open Data Directives (implemented in the Reuse of Government Information Act), as well as the General Administrative Law Act and Intellectual Property Law. Objections and appeals can be lodged against a permit (or its refusal). If data subjects refuse to make data available, an administrative enforcement order or administrative penalty must be imposed, and these can also be challenged. Therefore, the HDAB needs a considerable number of skilled lawyers.
Performing tasks
In addition, the HDAB is assigned various practical tasks under the EHDS, which can potentially be outsourced. The fact that a government is responsible for something doesn’t mean it has to carry it out itself. For example, the government is also responsible for good schools, but these are practical tasks, not administrative decisions, and therefore can be outsourced to various foundations. Similarly, the HDAB can commission tasks to carry out its practical tasks, such as setting up a catalog, anonymizing or pseudonymizing, linking databases, maintaining a National Control Register, monitoring Secure Processing Environments, or ensuring the interoperability of all BVOs. These are all practical tasks that the HDAB can perform itself, but which can also be outsourced to contractors who do not necessarily have to be government bodies.
Who cannot become HDAB
The HDAB must not have any interests in the data or the permit application, due to the prohibition on conflicting interests. This effectively eliminates Statistics Netherlands (CBS) as a possible option, given the commercial activities of microdata services. The HDAB also cannot be the Dutch Data Protection Authority, as these two organizations have conflicting tasks (keeping everything confidential versus sharing more data). Similarly, the Market Authority is mentioned separately in the EHDS, which seems to imply that the Netherlands Authority for Consumers and Markets (ACM) cannot become the HDAB either. Rumor has it that the Ministry of Health, Welfare and Sport (VWS) will opt to establish a single, entirely new body. It is important, however, that strict adherence to the EHDS requirement that there must be no conflicting interests within the HDAB is maintained, both at the organizational level and with regard to the people working there. Therefore, it is highly undesirable for an HDAB director to also be a member of, for example, the Supervisory Board of data holders or data users.
HDAB versus Data Protection Authority
Note that the HDAB also has responsibilities towards the natural persons to whom the data pertains (patients, or indeed all citizens). This concerns the way in which the HDAB itself handles personal data. The HDAB must comply with various GDPR requirements regarding transparency. In addition, the HDAB supervises data holders and data users; it assesses whether a permit application complies with the GDPR and whether work within the BVOs is being carried out in accordance with the GDPR. However, if it appears that someone else is violating the GDPR, for example, because the National Register of Authorities has not been respected, the HDAB will provide that information to the Data Protection Authority, which will take action. Regarding the latter, the HDAB must cooperate with the Data Protection Authority. Regarding the former, the HDAB, like other government bodies, is supervised by the Data Protection Authority.
Big enough
Finally, a single HDAB or multiple HDABs can be chosen, with one designated as the coordinating HDAB. Given that a significant number of well-trained lawyers are needed for the HDAB, and given our small size, it seems illogical to establish multiple HDABs. At the same time, care must be taken to ensure that the HDAB that is established is not too small. There is debate about when the EHDS applies. Some argue that this is only the case if researchers choose to use the HDAB route. If researchers are indeed free to choose whether or not to apply for a permit, then the HDAB does not need to be so large. If a permit is almost always required (unless one can invoke one of the exceptions in Article 1), then the HDAB must be large enough. After all, if scientists apply for more permits than the HDAB can process, scientific research in the Netherlands could stagnate due to capacity shortages at the HDAB. Of course that is not the intention.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?