The Dutch Bodily Material Act must be rewritten

Posted on 26 augustus 202521 november 2025 by admin

The draft Bodily Material Act (WZL) must be rewritten

The WZL versus the EHDS

The European Health Data Space Regulation concerns data, not bodily material. The draft Bodily Material Act (WZL) concerns material, not data. Therefore, based on the names of the two laws, one might assume there is no overlap. Therefore, there would be no reason to discuss the WZL on this website. I will discuss it anyway, because there is more overlap than one might think. When you extract data from material, you are doing something with both data and material. Moreover, the Guidelines for Regulations (rules on how to write laws) stipulate that new laws must always be carefully considered to determine their true necessity. Moreover, they must be harmonized with existing regulations as much as possible. Moreover, many (incorrectly) believe that the WZL does indeed concern data from material, while the EHDS explicitly does. For these three reasons, I will discuss the draft WZL here. Spoiler alert: it’s rubbish.

Why the WZL?

First, a little background on the WZL. Scientists are usually concerned with data from the material, not the material itself (unless, for example, they need material for a surgery class). They find this so logical that the two get confused. For lawyers, bodily material is completely different from data from the material. Previously, these were clearly legally separated. The WGBO (Dutch Medical Treatment Contracts Act) contains a statutory provision on the reuse of material (7:467 BW) and a statutory provision on the reuse of patient data (7:458). Because people often want to extract data from material, the law states: “Research with anonymous substances and parts separated from the body is understood to mean research in which it is guaranteed that the bodily material to be used in the research and the data to be obtained from it cannot be traced back to the person.”

So, as soon as you extract patient data from the material, you no longer fall under the article about the material, but under the article about data. This prevented duplication, and that was perfectly arranged. The problem is that over time, the legal article about material has been interpreted differently. Some believed that if traceable data were extracted, consent was always required (perhaps based on invalid a contrario reasoning applied to Article 7:467 of the Dutch Civil Code?), while the other legal article (Article 7:458 of the Dutch Civil Code) states: consent unless unreasonable.

What is anonymous?

Moreover, bodily material was previously generally considered anonymous: you can’t tell who a drop of blood belongs to. But now that DNA can be extracted from a drop of blood, it was argued that bodily material is essentially no longer anonymous. This conflicts with European (GDPR) case law regarding when something is considered personal data. This is based on a relative concept. Whether privacy is at stake and therefore whether the GDPR applies depends on who is processing the data and what that processing entails. This (case law on the) GDPR is relevant because, when the GDPR Implementation Act was drafted (Article 24), specific reference was made to the Medical Treatment Contracts Act (WGBO): these articles were intended to provide the same framework. However, this relative approach to personal data seems to have had no effect on how bodily material is treated. This may be because the experts cited in this regard are medical scientists, not lawyers. They will have concluded that material is never technically anonymous again, but that is a different matter from the question of whether it is legally anonymous.

All those biobanks...

Because the law stipulates that one can opt out of material unless it is not anonymous, many now believe that bodily material is never anonymous and therefore (almost) always requires consent. This is often difficult for scientists to handle. In my opinion, this difficulty lies in a misreading of the legal provisions, and in this regard, a legislative amendment was therefore unnecessary. However, this doesn’t change the fact that the House of Representatives simultaneously became uneasy about the fact that a large amount of material (from millions of Dutch people) was now being stored in biobanks, with little oversight. A law was therefore necessary, and that argument hasn’t been dismissed yet: and therefore, “a” WZL (Wiseness of the Authorization of Bodily Material) is necessary. However, the confusion about material versus data from that material has only increased with this draft law on the control of bodily material.

Double rules

The WZL itself explicitly states, “This law applies to procedures involving bodily material (…).” This is problematic in itself. Firstly, because the article in the WGBO stipulated: this article applies to bodily material, unless (traceable) data is extracted from it, in which case you fall under the article on data. This “unless” provision is not in the WZL. This means that if personal data is extracted from bodily material, it will soon fall under the WZL because it involves bodily material, and it will also fall under the GDPR (and soon the EHDS) because it involves personal data (and health data). This means that under the WZL, you must check whether an objection has been filed (via a separate system), while under the EHDS, you must also check whether an objection has been filed in the National Control Register.

This is despite the fact that the intention is to reduce the administrative burden, and the Guidelines for Regulations stipulate that harmonization must be as high as possible. Why the WZL isn’t aligned with the EHDS is therefore a mystery to me. Moreover, it’s unacceptable to choose to have data extraction from material fall solely under the WZL, as that is a Dutch law that cannot override the European GDPR. It should be the other way around: it should be explicitly stated that if personal data is extracted from material, it no longer falls under the WZL but under the GDPR. This is currently lacking.

But the WZL is not about the data itself

But it’s also problematic because it escapes almost everyone’s attention that the WZL concerns actions with material (including data extraction), but not with that data itself. Even the Council of State recently wrote in an advisory opinion: “A regulation will also be introduced for the (further) processing of personal data (health-related) for this situation.” That’s not the case. But if even the Council of State is confused about this, then so must be almost the entire field. It becomes even more serious when one examines precisely when the law will apply: “This law applies to actions with bodily material that has been (…) collected (…) in connection with medicine (…) and which actions are intended for a purpose other than (…) assessing the patient’s state of health.”

Bodily material (such as drops of blood or a piece of skin) is often collected for the care of a specific patient. Afterward, it is stored, still for that specific patient, due to the obligation to keep records of what is done and why. The WZL will therefore not apply in this case, while the article from the WGBO (Dutch Medical Treatment Contracts Act) on material will be repealed. This means that as long as no scientist is interested in the material, no regulations apply. But it gets even stranger. Because if a scientist becomes interested in the material after three years, the WZL will apply, and it will then stipulate (in 2028) that information must be provided to the patient when collecting it. But that was three years earlier, in 2025. How can a law now stipulate that it will apply in 2028, which then prescribes that something must be done three years earlier? I really don’t get it.

Nobody owns it

Another problem is that the bill appears to be based on incorrect assumptions. The Consultation Version of the Second Amendment Memorandum to the Bill on Control of Body Material, dated June 10, 2024, refers four times to a report. This report contains several remarkable statements. For example, on page 55 it states: “Our law primarily considers materials separated from the body as ‘substances susceptible to human control’ (Article 3:2 of the Dutch Civil Code). Ownership can then be considered. The person from whom the body material originates becomes the owner of that material.” This is incorrect. Article 3:2 of the Dutch Civil Code states: “Things are tangible objects susceptible to human control,” to which Article 5:1 of the Dutch Civil Code adds: “Ownership is the most comprehensive right a person can have in a thing.”

This “possession” does not imply that every thing is subject to ownership. You can only own something if it is also subject to possession, because you can only become an owner through transfer of possession, taking possession, or possession plus prescription. Everything “outside of commerce,” as it has been defined for centuries, is not subject to possession and therefore also not subject to ownership. If too much skin is wrongly removed, this may be abuse, but you cannot report theft to the police. No one owns bodily material, just as no one owns health data (one cannot own “the sun is hot,” and therefore also not “the patient has a fever.”).

Provide control, but harmonize

Intuitively, we feel that patients should perhaps have some control over their bodily material, but this is separate from the concept of ownership. Similarly, under the GDPR, patients have control rights over data to protect their privacy, which are therefore entirely independent of the question of ownership. The GDPR stipulates that a balance must always be struck between the interests of privacy and the interests of data use. And this should also be the case with bodily material. Therefore, the WZL should, where possible, align as closely as possible with the GDPR and the upcoming EHDS, and the subtle balance sought in these two regulations between the interests of privacy and the interests of data freedom. However, the WZL wrongly fails to align with the EHDS at all. In that regard, the recent report from the Council of State was indeed correct. Such a lack of harmonization violates Article 2.45 of the aforementioned Guidelines for Regulations, which stipulates that this should be pursued as much as possible.

Physical integrity not at stake

The decision not to align fully with the GDPR and the EHDS also appears to be related (besides the confusion of data and material) to the confusion of body and bodily material. The moment material is taken from a patient, at that moment, bodily integrity is compromised. This is no longer the case when a sample is retrieved from an archive for research five years later. Three situations can be distinguished regarding collection: collection for care, collection for care and research, and collection solely for research. The Medical Research Involving Human Subjects Act (WMO) applies to this third issue. This Act contains strict safeguards to protect the patient’s health and bodily integrity. There was some uncertainty about the extent to which this law also applied in the second situation: when an additional tube of blood is collected. In that case, too, the patient’s body is at stake, and ethical questions arise. However, if an existing sample is retrieved for research, only privacy issues arise.

So why an ethical assessment?

Despite this, the WZL stipulates that material managers must always have regulations that have been approved by an ethics committee. But this is very odd for a situation in which there are no ethical questions at all: the situation in which material was collected solely for healthcare purposes. If one only realizes afterward that this material might also be useful for research, bodily integrity is not at stake at all. The only question then is whether the patient’s privacy is sufficiently protected, which is already addressed by the GDPR and the EHDS. Why a Medical Ethics Review Committee needs to be involved in this is incomprehensible. These review committees are extremely valuable in medical research involving human subjects. Patients who think they might die say yes to everything. And then a review committee has to look into whether the risk to the patient is not too great, or whether the chance of a beneficial effect from the research is not too small. This ethical constellation is completely irrelevant when a piece of skin taken three years earlier is used. Therefore, it is incomprehensible why the ethics review committee needs to be involved in this.

In short: back to the drawing board

All in all, the WZL is an incomprehensible law, while the Explanatory Memorandum precisely states that it aims to provide clarity. Furthermore, the WZL is not in line with the Guidelines for Regulations because it is not optimally aligned with the GDPR and the EHDS. Therefore, the draft WZL must simply be scrapped. No minor adjustments, as was previously the case. A completely new WZL needs to be written (i) that precludes the dual application of rules to the same action, (ii) that aligns as closely as possible with the GDPR and the EHDS, (iii) that regulates control through the National Control Register, (iv) that, following the GDPR, opts for a risk-benefit assessment, and (v) that omits the ethical review if privacy is at stake but physical integrity is not.

The Dutch Bodily Material Act must be rewritten

The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.

The Health Data Access Body

The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?

The EHDS and the Secure Processing Environment

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?

The Health Data Access Body

Posted on 10 augustus 202521 november 2025 by admin

The Health Data Access Body

Who can become a HDAB?

The Dutch government must announce by March 2027 who will be the Health Data Access Body, the body that will make health data available for beneficial reuse. This HDAB issues permits, and is therefore automatically a government body. After all, anyone established under public law is a government. Furthermore, anyone vested with public authority is a government, meaning that they can unilaterally determine someone’s legal status, such as determining whether someone receives a permit. Therefore, when designating the HDAB, three legal options can be chosen:

1. A completely new government body is established under the EHDS Implementation Legislation;
2. An existing government body is designated as the body that will henceforth also assume the HDAB tasks; or
3. An (existing or new) private-law organization is chosen, which, through the implementing legislation and the ZBO Framework Act, is embedded in the public system and thus becomes a government.

Legal tasks

When establishing this government body, it must be borne in mind that the HDAB must perform both legal and practical tasks under the EHDS. All legal tasks (which constitute a government entity) cannot be outsourced. This includes issuing permits, imposing fines, or imposing administrative penalties. This administrative decision-making will not be simple. Permit applications must be assessed against the GDPR and the EHDS, but also, for example, against the prohibition of discrimination and the European free movement provisions. Furthermore, compliance with other European law must be ensured, such as the Data Governance Regulation, the Data Regulation, and the Open Data Directives (implemented in the Reuse of Government Information Act), as well as the General Administrative Law Act and Intellectual Property Law. Objections and appeals can be lodged against a permit (or its refusal). If data subjects refuse to make data available, an administrative enforcement order or administrative penalty must be imposed, and these can also be challenged. Therefore, the HDAB needs a considerable number of skilled lawyers.

Performing tasks

In addition, the HDAB is assigned various practical tasks under the EHDS, which can potentially be outsourced. The fact that a government is responsible for something doesn’t mean it has to carry it out itself. For example, the government is also responsible for good schools, but these are practical tasks, not administrative decisions, and therefore can be outsourced to various foundations. Similarly, the HDAB can commission tasks to carry out its practical tasks, such as setting up a catalog, anonymizing or pseudonymizing, linking databases, maintaining a National Control Register, monitoring Secure Processing Environments, or ensuring the interoperability of all BVOs. These are all practical tasks that the HDAB can perform itself, but which can also be outsourced to contractors who do not necessarily have to be government bodies.

Who cannot become HDAB

The HDAB must not have any interests in the data or the permit application, due to the prohibition on conflicting interests. This effectively eliminates Statistics Netherlands (CBS) as a possible option, given the commercial activities of microdata services. The HDAB also cannot be the Dutch Data Protection Authority, as these two organizations have conflicting tasks (keeping everything confidential versus sharing more data). Similarly, the Market Authority is mentioned separately in the EHDS, which seems to imply that the Netherlands Authority for Consumers and Markets (ACM) cannot become the HDAB either. Rumor has it that the Ministry of Health, Welfare and Sport (VWS) will opt to establish a single, entirely new body. It is important, however, that strict adherence to the EHDS requirement that there must be no conflicting interests within the HDAB is maintained, both at the organizational level and with regard to the people working there. Therefore, it is highly undesirable for an HDAB director to also be a member of, for example, the Supervisory Board of data holders or data users.

HDAB versus Data Protection Authority

Note that the HDAB also has responsibilities towards the natural persons to whom the data pertains (patients, or indeed all citizens). This concerns the way in which the HDAB itself handles personal data. The HDAB must comply with various GDPR requirements regarding transparency. In addition, the HDAB supervises data holders and data users; it assesses whether a permit application complies with the GDPR and whether work within the BVOs is being carried out in accordance with the GDPR. However, if it appears that someone else is violating the GDPR, for example, because the National Register of Authorities has not been respected, the HDAB will provide that information to the Data Protection Authority, which will take action. Regarding the latter, the HDAB must cooperate with the Data Protection Authority. Regarding the former, the HDAB, like other government bodies, is supervised by the Data Protection Authority.

Big enough

Finally, a single HDAB or multiple HDABs can be chosen, with one designated as the coordinating HDAB. Given that a significant number of well-trained lawyers are needed for the HDAB, and given our small size, it seems illogical to establish multiple HDABs. At the same time, care must be taken to ensure that the HDAB that is established is not too small. There is debate about when the EHDS applies. Some argue that this is only the case if researchers choose to use the HDAB route. If researchers are indeed free to choose whether or not to apply for a permit, then the HDAB does not need to be so large. If a permit is almost always required (unless one can invoke one of the exceptions in Article 1), then the HDAB must be large enough. After all, if scientists apply for more permits than the HDAB can process, scientific research in the Netherlands could stagnate due to capacity shortages at the HDAB. Of course that is not the intention.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

Posted on 10 augustus 202521 november 2025 by admin

The EHDS and the secure processing environment

Technical Requirements of the European Commission

Under the EHDS, work must be carried out in a Secure Processing Environment (SPE). Scientists will not receive data, but will have access to it in a SPE that meets the strict technical and security standards established under the EHDS. The exact nature of these requirements is not yet known. They will be established by the European Commission by March 2027 (see timeline). The European Commission will also assist Member States in promoting the security and interoperability of the various SPEs. Such security requirements cannot be prescribed in the EHDS itself. Risks and security evolve faster than new European legislation.

HDAB and Trusted Data Holders monitor

Please note: there are parties who claim that there will only be one single BVO, managed by the HDAB. This would then become a supercomputer containing all Dutch healthcare data. This is not the case. The EHDS clearly speaks of multiple SPEs. Every Trusted Data Holder (TDH) must also have an SPE, and it is likely that all the academic hospitals, among others, could become such. The HDAB and the TDHs must always monitor what exactly happens in their SPE, so that scientists are only granted access in line with the exact conditions of their permit.

Therefore, those who hold an SPE must be able to enforce compliance with both the GDPR and the EHDS. Scientists may not simply grant access to another scientist who is not also listed on the permit. And only non-personal data (i.e., anonymous or aggregated data) may be downloaded from such a SPE. They may, of course, be transferred from one SPE to another, for which interoperability must be achieved. The log data of processing operations within the SPE must be retained for at least one year to verify compliance with the permit conditions. In this way, the SPE is an essential safeguard for protecting the rights and freedoms of patients with regard to the processing of their health data for secondary use.

The SPE should always be mandatory

There is criticism (in The Netherlands) of the EHDS, which aims to make more health data available for beneficial reuse. It is important to keep in mind that the idea of this law is to make more data available, precisely by making it more secure; in the certified SPEs. It is important to note here that there are people who think that you will soon be able to freely choose whether to apply for a data permit, and that you will thereby ensure that you fall under the EHDS. It follows that you would also be able to choose whether or not you are obliged to work in a SPE. That you can choose whether you are obliged to do something seems an untenable position to me. But if it turns out that I am wrong, and people can indeed freely choose whether to apply for a permit, then the implementing legislation should include that working in a SPE (as described by the European Commission) will always be mandatory from 2029, even if one does not follow the route via the HDAB.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

When will the EHDS come into effect?

Posted on 10 augustus 202521 november 2025 by admin

When does the EHDS come into effect with regard to secondary use?

Primary use in 2027, secondary use in 2029

The EHDS requires considerable preparation. A Health Data Access Body must be established, various software and hardware components must be built or connected, and supplementary legislation must be drafted. Therefore, the EHDS will enter into force in several phases. The provisions regarding primary use will already take effect on March 26, 2027. Chapter IV, on the reuse of health data, will not apply until March 26, 2029. These are the broad outlines, but some parts of Chapter IV will also enter into force on March 26, 2027, while others will come into effect later.

A number of steps still need to be taken, by March 2027. The Member States must inform the European Commission who will be its Health Data Access Body. It must also inform the European Commission who will be the the digital gateway that links the Dutch Health Data Catalogue to the other European catalogues (the Netherlands has already decided that this will simply be the HDAB itself). The European Commission, in turn, must:

1. Establish models for requesting access to health data (a permit or a statistical request);
2. Establish the requirements that Secure Processing Environments must meet;
3. Establish further requirements for the HealthData@EU system;
4. Establish which metadata dataset holders must provide for the health data catalogue;
5. Establish quality and usage labels for datasets.

Subsequently, the bulk of Chapter IV will enter into force on March 26, 2029, meaning that users of health data can then apply for permits or submit statistical queries, while data holders are required to provide data. The Health Data Access Body (plus the national contact point) must then be fully operational. Furthermore, the European Commission’s 2027 determinations will then come into effect (see above).

However, the EHDS does not yet apply to the beneficial reuse of all types of EHDS data. Only on March 26, 2031, will the EHDS also apply to these more sensitive data:

1. Data on factors that influence health, including socio-economic, environmental, and behavioral determinants of health;

2. human genetic, epigenomic, and genomic data;

3. other human molecular data, such as proteomic, transcriptomic, metabolomic, lipidomic, and other “-omic” data;

4. data from clinical trials, clinical studies, clinical trials, and performance studies;

5. data from research cohorts, questionnaires, and health-related surveys, once the related results have been published.

Later again (26 March 2035), Article 75 paragraph 5 will also come into force, which provides that third countries or international organisations can join as participants in the European Health Data Space.

The initial obligations must therefore be fulfilled by the first quarter of 2027. The legislative process to make this possible will therefore begin in Q2 2025. It is therefore important that every stakeholder in the EHDS immediately considers their priorities regarding the correct interpretation and, above all, the optimal implementation legislation. It would be beneficial to use this law to resolve as many problems as possible simultaneously and constructively, for the benefit of public health.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

The EHDS leads to greater health (data) safety

Posted on 10 augustus 202521 november 2025 by admin

The EHDS actually leads to more health (data) safety

The introduction of the EHDS is causing public unrest. Will our health data still be safe? The regulation will indeed make more data available for beneficial reuse, such as scientific research. But the idea behind the regulation is to make more data available precisely by improving its security. To this end, the permit is being introduced and an HDAB must be established as a health data police. Moreover, the EHDS includes a list of prohibited uses, which could have far-reaching consequences for the tobacco industry, among others.

Permit required

First of all, the EHDS stipulates that working with health data requires a permit. There’s debate about whether one can choose whether to apply for one, as the Ministry of Health, Welfare and Sport (VWS) states. I find this a strange position: you can’t choose whether to apply for a tree-felling permit, a building permit, or a catering permit. The whole point of the permit is to allow the government to monitor the process, ensuring compliance with all (safety) regulations. As I read the regulation, a permit will almost always be required. The EHDS then stipulates that health data may only be used in accordance with the conditions stipulated in the permit. These conditions must include, among other things, the exact names of the researchers authorized to access the data. If a person isn’t listed in the permit, they can’t access the data. Moreover, it’s strictly forbidden to determine who the (anonymous or pseudonymous) data relates to.

HDAB supervises

The permit is being requested from the Health Data Access Body. In the Netherlands, they are currently busy designing all sorts of ICT tools for this HDAB. But anyone who carefully studies the EHDS will see that the newly established government agency will primarily act as the health data police. Failure to comply with the permit conditions or other legislation can result in the HDAB imposing substantial fines (up to €20 million or 4% of annual turnover). Moreover, interested parties can submit enforcement requests to the HDAB, forcing the government to take action if health data is handled too carelessly. You might think the Dutch Data Protection Authority already had this capability, but the EHDS goes much further. It contains a particularly interesting list: prohibited uses.

The following is prohibited under the EHDS:

taking decisions which adversely affect a natural person or a group of natural persons on the basis of their electronic health data; in order to be qualified as ‘decisions’ for the purposes of this point, they must produce legal, social or economic effects or significantly affect those natural persons in a similar manner;
taking decisions with regard to a natural person or a group of natural persons regarding job vacancies, offering less favourable terms for the supply of goods or services, including refusing to grant such persons or groups an insurance or credit agreement, changing their contributions and insurance premiums or loan terms, or taking other decisions with regard to a natural person or a group of natural persons which result in them being discriminated against on the basis of the health data obtained;
Carrying out advertising or marketing activities;
Developing products or services that may be harmful to individuals, public health, or society in general, such as illegal drugs, alcoholic beverages, tobacco and nicotine products, weapons, or products or services designed or modified in such a way that they lead to addiction, are contrary to public order, or pose a risk to human health;
Carrying out activities that violate ethical provisions laid down in national law.

Let what’s written here sink in: you may not use health data to develop addictive products. As mentioned, there’s some confusion about when the EHDS applies. The Ministry of Health, Welfare and Sport’s interpretation is that you can choose whether to apply for a permit and therefore whether you fall under the EHDS. This also allows the tobacco industry to choose whether to adhere to the prohibited list. That seems like an untenable position to me. The EHDS states: users of health data may only access and process health data for secondary use in accordance with a data permit. It seems to me that a permit is always required in that case (unless the EHDS does not apply under Article 1, which contains some exceptions). If my interpretation is correct, the effect of the list of prohibited uses will be significant! Because then it will be prohibited from now on to use health data to develop any addictive product whatsoever. Kudos to the authors of this regulation.

So the EHDS is great!

The introduction of the EHDS is causing social unrest. There are fears, for example, that secondary use could lead to someone losing insurance or a job. This shows that people haven’t read the EHDS, because this is explicitly stated in the list of prohibited uses. Because the EHDS is very beneficial to medical scientific research, it can be useful to emphasize that the EHDS explicitly prohibits all sorts of things. Another advantage of the list of prohibited uses is that the newly established HDAB is designated as the authority that must enforce it, and where enforcement requests can therefore also be submitted. But above all, we must realize that the EU seems to have, in a roundabout way, given us a legal tool against the tobacco industry. So far, it has not succeeded in banning tobacco, but it does seem to have succeeded in prohibiting research into how to make tobacco even more addictive. Time will tell how much pleasure we will get from this prohibited list. Perhaps it can also be used to combat the addictiveness of apps? Will HDAB soon get my child off social media? I’m eagerly anticipating the fantastic benefits EHDS can bring us.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

The rule of law for medical scientists

Posted on 10 juni 202521 november 2025 by admin

The rule of law for medical scientists

We nowadays have a (fairly) well-functioning government. It’s sometimes forgotten that this used to be different, or that it still isn’t the case in many other countries. Lawyers learn during their training that it’s important to continue to defend the rule of law, so we never revert to dictatorship. As a medical scientist, you might think this isn’t your job, that you don’t need to know anything about it. Nothing could be further from the truth. Understanding the Trias Politica, for example, is important for knowing when to ignore the Data Protection Authority. It’s also helpful to understand that a lobbying campaign starts with the question of whether the Ministry of Health, Welfare and Sport is the right place to be. Therefore, I’ll outline some basic principles for medical scientists here.

The Data Protection Authority is sometimes wrong

A key element of our constitutional state is the separation of powers, the Trias Politica. The legislative branch establishes the rules (a Ministry drafts a law, but Parliament decides). If the rules are vague or there are exceptions, the judiciary provides further detail. In addition, we have the executive branch, which also includes enforcement authorities. They can impose fines. To prevent abuse of power, they may only implement rules and not establish or interpret them. This means that an authority like the Dutch Data Protection Authority cannot determine what the law entails (as also stated by Zwenne and Hallinan, p. 27).

The Data Protection Authority (DPA)’s position is similar to that of a police officer. While they can prioritize burglaries over public urination, for example, they cannot themselves determine that children on fat bikes will henceforth receive a fine. Similarly, the DPA may consider something to be part of its remit, but if the GDPR doesn’t stipulate that, no fine can be imposed. Even what’s stated on the DPA’s website isn’t necessarily correct. Just like the “opinions” of the EDPB, they are just that: opinions, ultimately up to a judge to determine their correctness. Similarly, it’s useful to question whether the IGJ’s code of conduct clearly stems from a law. If not, then, based on the principle of legality, no fine can be imposed for ignoring such rules. A critical attitude isn’t civil disobedience, but an important safeguard of the rule of law.

Trial Process Foundation useful for clarity

Related to this is the following point: if a problem is identified, a solution must be requested from the appropriate source. For example, the GDPR is a very unclear law. The medical-scientific sector is eagerly looking to the Ministry of Health, Welfare and Sport for clarification. But this Ministry cannot provide any explanation for an existing law, which, moreover, did not originate with it. The GDPR could be rewritten, but only the European Parliament can do that.

There’s also not always point in a governmental body paying someone to write codes of conduct. Because if they’re not actually used by judges to give substance to a vague law, then those codes simply have no legal standing. The GDPR can only be clarified by judges, but that would require submitting specific questions to the court. Generally, people are averse to litigation, but from a societal perspective, litigation serves an important function: it clarifies the law. That’s why it would be much more useful if, for example, the Royal Netherlands Academy of Arts and Sciences (KNAW) and the Dutch Trade Union Federation (FNV) established a foundation for test cases for medical scientists.

Furthermore, law isn’t a hard science. In many conflicts, both sides have a point; otherwise, litigation wouldn’t often go all the way to the highest court. It’s a high-level argumentation theory. Parties who understand this know that professors’ arguments carry considerable weight, which is why they sometimes open their wallets to appoint a special professor; it’s simply a form of lobbying.

And check whether you are adressing the right Ministry

If you want a new law, you also have to contact the correct Ministry. For example, there are complaints that scientists are not (or not always?) allowed to use the Citizen Service Number (BSN) to link files. (Pseudonymized) name and address data are regularly used, but this is worse from a privacy perspective and also leads to more errors. Therefore, there is lobbying for a change in the law at the Ministry of Health, Welfare and Sport (VWS). However, the BSN ban is in the implementing act for the GDPR. Therefore, it also makes sense to include a rule in that same act that scientists may use the BSN. After all, it doesn’t make sense to write different rules for medical scientists than for social scientists or criminologists. The Ministry of Justice is responsible for the GDPR, and therefore the Ministry of Justice is the right place to lobby for a change in the law. And if you can’t agree on the right Ministry for a draft law, remember that all laws are ultimately passed by Parliament. Lobbying the House of Representatives (which can add something to a bill that is already on the table) therefore makes more sense than lobbying the Ministry of Health, Welfare and Sport when it comes to addressing the BSN issue.

Conflict rules and logical reasoning

It’s also worthwhile to occasionally reflect on the broader legal system and its precise division of roles. For example, there are the conflict of laws rules. These days, many people use the term “lex specialis.” They call something a special law, which therefore takes precedence. That’s too simplistic. First, one must check whether there are two distinct rules pointing in different directions. Without conflict, the conflict of laws rules do not apply. Then, it’s important to establish that there is a sequence in the conflict of laws rules: (i) higher law always takes precedence over lower law, (ii) special law takes precedence over general law, and (iii) new law takes precedence over old law.

The second rule, the lex specialis rule, is therefore only applied if the first rule fails. Consequently, a special but lower-ranking law (such as the Medical Treatment Contracts Act) can never override European law. What is possible is for a national law (the Police Data Act) to apply instead of the GDPR, because the GDPR itself stipulates that it does not apply to police data. But that doesn’t make the Police Data Act a lex specialis. Also, beware of invalid reasoning. If a law stipulates that a file must be retained for two years, then there is nothing stipulated about what must happen in the third year. The law doesn’t state that the file must be destroyed after two years; that depends on whether, after those two years, there is a good reason other than the law for retaining it.

The Dutch WGBO is contract law

It’s also worthwhile to occasionally consider the broader legal system. For example, it’s often overlooked that the WGBO (Dutch Healthcare Act) is part of contract law; it’s simply included in the Civil Code, between tenancy law and employment law. This entails three things: first, it’s as soft as butter. Contract law is replete with open-ended standards such as reasonableness and fairness and good faith. What a care agreement entails in a specific case is therefore not determined purely by the letter of the WGBO, but equally by the circumstances of the case and what the parties could reasonably expect from each other. Moreover, as part of contract law, the WGBO constitutes a “right of redress.” This means it was written in case one party fails to comply with the agreement.

For example, suppose a doctor has made data available for research without asking permission. This can be brought before a judge, but the judge will simply assess: is there a breach of contract? Check. Has there been any damage? Probably not, except that it is considered annoying. And is there evidence of a causal link between the breach of contract and the damage? You will understand that the patient cannot always rely for remedies on the medical confidentiality obligation in the Medical Treatment Contracts Act (WGBO) while he can rely on the Individual Healthcare Professions Act. This is especially true because they may be able to receive €250 in damages, but the procedure (without legal aid) quickly costs €5,000. Contrary to popular belief, the WGBO is only enforced by the civil courts. After all, the governmental agencies overseeing health care must, based on the principle of speciality, limit themselves to those laws that state that they are enforced by that agency, and that is not the case with the WGBO. In short, don’t be blinded by the content of a single rule; always assess it within the larger system.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

EHDS Data Collectors

Posted on 4 juni 202521 november 2025 by admin

EHDS Data collectors

The EHDS creates several new roles around the reuse of health data. A well-known example is the Health Data Access Body, a new government agency where licenses are requested to work with data in a secure processing environment. Much less attention is paid to the role of the trusted data holder, and the role of data collector is completely unknown. Yet, the data collector is crucial for unlocking data in a way that is more efficient, better for science, and, above all, can contribute to greater trust in the system.

Efficiency - as with the Dutch GGD

The EHDS obligates holders of health data to make them available for beneficial reuse, such as scientific research. To make the system more efficient, the Netherlands can designate certain organizations as intermediary entities. However, note that this is a different role than a data intermediary service as described in the Data Governance Regulation. Because this doesn’t make things any clearer, it’s wise to refer to these parties as data aggregators within the EHDS context; that is precisely what these parties do. They collect data from many similar data holders. The obligation to provide data to the Health Data Access Body is then taken over from the individual data holders by the aggregator. For example, in the Netherlands, there are many Municipal Health Services (GGDs), all of which hold data useful for medical-scientific research. It would be illogical for the HDAB to have to contact all the individual GGDs for every research project requiring GGD data. The Dutch government could therefore designate the GGD GHOR (umbrella organisaton for Municipal Health Services) as a data aggregator, assuming the EHDS responsibilities of all the individual GGDs.

Scientific interest - such as with general practitioners

The second area for which a data collector can be engaged is micro-data holders. The EHDS stipulates that small data holders are not required to provide data to the HDAB: that would be too much of an administrative burden for small organizations. However, some data that are scientifically extremely important are precisely in the hands of small data holders. In the Netherlands, for example, this is the case with general practitioners. If research is to be conducted on the earlier detection of lung cancer, the hospital patient records must be linked to the records of the general practitioners regarding previously reported health complaints. This is important research, but the data in question, due to the small size of the average general practice, will fall outside the scope of the EHDS. National legislation can therefore oblige such micro-data holders to provide data to a data collector, for example, a Nivel or an IPCI, thus making this data available securely and efficiently for important research. The same applies to data from, for example, dentists, physiotherapists, or dietitians.

For trust – such as with diabetes

The third purpose of data collectors is increasing trust in the system. For example, diabetes patients might worry about their privacy if commercial companies had direct access to their data. Because of this (very understandable) concern, they might therefore oppose the availability of their data. But imagine that Dutch legislation stipulates that real-time measurements are made available to the Dutch Diabetes Association, and that association (with the help of, for example, the Dutch Healthcare Institute) manages this data. Far fewer patients would likely object. The Dutch Diabetes Association could then anonymize the data or answer statistical questions. If, with the help of such organizations, trust in the system is increased, this will lead to broader data availability for scientific research and the development of new, useful healthcare products.

In secondary legislation

In short, there are many good reasons to make extensive use of the role of data collector: the system becomes more efficient, more data becomes available (securely) for medical research, and this can also lead to greater patient confidence in the system. The implementing legislation for the EHDS could stipulate that all data collectors will be assisted by the National Health Care Institute (Zorginstituut), which was already designated to oversee quality registrations. The specific data collectors should not, of course, be designated in the law itself, because if one of them proves to be dysfunctional, removing a data collector would have to go through Parliament. That would take too long. Therefore, the Minister of Health should be able to appoint data collectors (under Parliamentary supervision). I think it would be useful if we in the Netherlands thoroughly discussed at conferences how we can optimally design the EHDS system by using the role of data collector.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

The existing free flow of health data

Posted on 2 juni 202521 november 2025 by admin

The (already existing) free flow of health data

My data in my country?

In discussions about the reuse of health data, national borders are often discussed. This secondary use requires a proper balance between privacy on the one hand and the importance of, for example, scientific research or being able to assess the effectiveness of a certain policy on the other. Privacy advocates often believe that “our” data should not be allowed to cross borders when reused, or that you should at least be able to indicate in the National Register of Authorities that this is not permitted with “your” data. Scientists, on the other hand, argue that, for example, with rare diseases, they can only do their work effectively if data from different countries can be used. Therefore, they welcome the EHDS, which stipulates, among other things, that they will be able to request data from all over Europe. What both parties overlook is that the free flow of health data within the EU has long existed.

European law on data

One of the objectives of the EHDS is to support the free movement of health data. It says “support” because this free movement already exists. Completely unnoticed is the provision in Article 1 of the GDPR: “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” The GDPR only applies to personal data (where one can reasonably identify the individuals concerned). Therefore, alongside it exists the completely unknown Regulation 2018/1807 on “the free movement of non-personal data within the European Union.” The Open Data Directive 2019/1024 further stipulates: “The conditions for the re-use of documents shall not discriminate against comparable categories of re-use, including re-use across national borders.”

Scientists can already use this

The free movement of goods and services within the EU began in 1993 with the introduction of the internal market. It soon became clear that the internal market was not possible without the free movement of data. Data protection can easily be regulated in the law of an individual member state, but free movement required harmonization (alignment) of legislation. The free movement of data was precisely a key objective of the GDPR, hence its inclusion in Article 1. This means that people can already request data directly from, for example, FinData. This request may not be treated differently from requests from Finnish researchers, as there is also a prohibition on discrimination between Europeans. Therefore, no distinction may be made between Dutch or Finnish scientists in a request. The EHDS will soon make it possible to request data from all over Europe with a single request to the Dutch HDAB. However, it would be helpful if scientists and statisticians were aware that it is already prohibited to hold data at an internal border (a border between EU countries). They can therefore immediately submit requests to work with health data throughout Europe.

Data Subject control the same for the entire EU

And patients will soon be able to object to certain reuses of data about them via a National Control Register. The Ministry of Health, Welfare and Sport (VWS) must now determine the exact structure of this register. However, European law prohibits structuring this register in such a way that Dutch scientists can work with “our” data, but not Belgian scientists. Considering that these scientists are trying to find a cure for cancer, for example, a cure that will then become internationally available, it makes perfect sense for a legislator to ensure that every scientist in the EU has access to data, not just those from our own academic hospitals. Moreover, under the GDPR, data may already flow to countries for which the EU has issued an adequacy decision. This means that Brussels believes that privacy is adequately protected in countries like Japan. Countries like Japan may eventually join the EHDS, but because they are not part of the EU, you may be asked in the National Register of Control whether you object to data about you also being sent to such non-EU countries.

So the BSN may not be withheld either

Note: this free flow of data was intended to support the free movement of goods and services within the EU. The idea behind it was: the larger the market, the more competition, which will lead to higher quality at lower borders. Brussels wants a good winegrower in Italy to be able to sell directly to people in Wassenaar. Similarly, a good radiologist should be able to directly assess MRI scans in Greece. This will make better care available in Europe at a lower price. The underlying data traffic shouldn’t stand in the way of this. In the Netherlands, some people believe that the Citizen Service Number (BSN) cannot be used across the border because the law doesn’t say otherwise. But that seems to me to be a typical situation that, if Dutch law were to actually entail this, would be invalid under Article 1 of the GDPR. Personal data may not be withheld at an internal EU border, and that also applies to the Citizen Service Number (BSN).

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

Control over health data under the EHDS

Posted on 2 juni 202521 november 2025 by admin

Control over health data under the EHDS

No one owns data

The European Health Data Space will bring major changes regarding patient control over the reuse of health data. To understand this section, we will first explain some terminology. Although health data is about a patient, it does not belong to the patient. Nor does the hospital own the data. Health data are facts, and just as one cannot own “the sun is hot,” one cannot own “the patient has a fever.” Therefore, the patient has no proprietary right to the data. They do, however, have a right to protection of data that concerns them, based on their right to privacy. Patients can exercise these rights themselves in various ways (in addition to the intervention of the Dutch Data Protection Authority). On the one hand, for example, they have the right to inspect what data someone holds about them and to have this data corrected if necessary. On the other hand, there may be a right to prior control over the potential use of patient data.

Three types of control

There are three forms of this. The first is that there is no control. This is the case, for example, with the data collected by Statistics Netherlands (CBS). Such data concerns large numbers of people and, moreover, is essential for the government to do its work. In this case, there is no control, based on the idea that every citizen wants a well-functioning government, and that is only possible through the use of data. The second option is opt-out control (no objection must have been raised) and the third option is opt-in control (prior consent must be obtained). Dutch law currently provides for an opt-in provision, unless this is unreasonable. Consent therefore means an opt-in, and this is a sub-form of control. The EHDS explicitly stipulates that the opt-in will be abolished (although the scope of this is debated and there are exceptions). Regarding reuse, the opt-out will henceforth be the form of control, unless the national government has (lawfully) determined that control cannot be exercised over specific data flows.

The National Control Register

For some sensitive data, national legislation may allow for an opt-in option. This applies, for example, to genetic data, data from wellness apps, and bodily tissue. Dutch legislation must also clarify how this control can be exercised. Discussions are currently underway in the Netherlands about a National Control Register, in which one can object to certain forms of reuse (and in which, if necessary, consent for sensitive data can be granted). This exercise of control will then apply to all subsequent data permits, until the objection is withdrawn. Therefore, the objection is not retroactive; once a permit has been issued, the data may be used until the end of the research. The exact details of this process are irrelevant for individual scientists. However, it is relevant to determine whether the register will be structured in such a way that the opt-out is frequently exercised for certain data, or not, as this could complicate data availability for a particular discipline within medical science.

The AP, the free flow of data and ethics

Finally, three comments: the EHDS is intended to strike the right balance between privacy protection and the benefits of data availability. The GDPR remains in effect, and the Dutch Data Protection Authority retains all its privacy enforcement duties. The HDAB is therefore the newly established government body tasked with serving the opposing interest: data availability. Given this division of tasks, it is logical that it is not the HDAB, but the Dutch Data Protection Authority, that will take enforcement action if the exercise of control in the National Control Register is not properly observed. Furthermore, some people believe that you should be able to indicate in the National Control Register that your data cannot cross borders, but that seems to me to be contrary to European law on the free flow of data. Finally, some parties believe that the opt-out is unethical and that consent must always be requested. To them, I would like to point out that the EHDS is a European law, enacted by the democratically elected European Parliament. The current Dutch government has also stated in its coalition agreement that an opt-out is sufficient. This suggests that the majority of society does not consider the opt-out unethical.

The Dutch Bodily Material Act must be rewritten

The Health Data Access Body

The EHDS and the Secure Processing Environment

The EHDS request and the post-COVID rule of law

Posted on 1 juni 202521 november 2025 by admin

The EHDS-request and the post-Covid rule of law

The EHDS is perceived by those who distrust the government as a manipulative tactic: the coronavirus pandemic would be used to learn everything about us citizens. The striking thing is that even these suspicious people will be enormously helped by the EHDS, even in times of a pandemic, and even if they don’t understand much about statistics. Besides a data permit, the EHDS also includes a request: a request for an answer to a statistical question. Anyone can request such a request, which is therefore excellent for our constitutional state, because it allows citizens to independently verify whether certain policy choices were a good idea.

No data to researcher, but answer to requestor

In addition to the health data permit, the EHDS also includes a request. This is translated as “vraag” (request) in the Dutch version. It might have been clearer if this had been translated as “EHDS vraag” (question). The result is simply receiving an answer. The EHDS stipulates that for a permit application that may not be granted, it must always be checked whether it can be treated as a question. You can also decide not to apply for a permit, but to submit a question instead. This option is related to privacy, which must be protected as much as possible. The idea is to—where reasonably possible—not make data available to researchers, but only to provide the answer to their question. Currently, there is no legal way to enforce such an answer to a question. Under the Open Government Act or the Reuse of Government Information Act, you can request electronic data, but not an analysis of it. Under the EHDS, however, you can request that someone perform a specific calculation for you. This makes potential knowledge much more widely available. The EHDS question should therefore be seen as a major step forward (although it will obviously not be for free).

Who will take this on? Free market against distrust

Surprisingly, there’s no consideration at all of who will carry out this process in the Netherlands. The decision on such an EHDS request is an administrative decision that the Health Data Access Body itself must make. However, generating the substantive answer (performing the analysis) is a practical task that can also be outsourced. The HDAB could, therefore, outsource this to a single government agency with experience analyzing health data, such as Statistics Netherlands (CBS) or the RIVM (National Institute for Public Health and the Environment). Alternatively, it could choose to allow some market forces to operate. Under the EHDS, the questions must be answered in a secure processing environment. All reliable data holders (which likely includes academic hospitals) also have such an SPE. Some market forces generally benefit price and quality, so it would be beneficial if the HDAB gave everyone with (access to) an SPE the opportunity to submit a bid for answering EHDS questions. Ideally, the applicant would also be given the opportunity to choose who would generate the answer to their question. That would be beneficial in countering suspicion in society. The EHDS, which is often seen as a trick of the evil government, could actually help reduce this distrust.