EHDS Jurist

Control over health data under the EHDS

No one owns data

The European Health Data Space will bring major changes regarding patient control over the reuse of health data. To understand this section, we will first explain some terminology. Although health data is about a patient, it does not belong to the patient. Nor does the hospital own the data. Health data are facts, and just as one cannot own “the sun is hot,” one cannot own “the patient has a fever.” Therefore, the patient has no proprietary right to the data. They do, however, have a right to protection of data that concerns them, based on their right to privacy. Patients can exercise these rights themselves in various ways (in addition to the intervention of the Dutch Data Protection Authority). On the one hand, for example, they have the right to inspect what data someone holds about them and to have this data corrected if necessary. On the other hand, there may be a right to prior control over the potential use of patient data.

Three types of control

Prior control comes in three forms. The first is that there is no control. This is the case, for example, with the data collected by Statistics Netherlands (CBS). Such data concerns large numbers of people and, moreover, is essential for the government to do its work. In this case, there is no control, based on the idea that every citizen wants a well-functioning government, and that is only possible through the use of data. The second option is opt-out control (no objection must have been raised) and the third option is opt-in control (prior consent must be obtained). Dutch law currently provides for an opt-in provision, unless this is unreasonable. Consent therefore means an opt-in, and this is a sub-form of control. The EHDS explicitly stipulates that the opt-in will be abolished (although the scope of this is debated and there are exceptions). Regarding reuse, the opt-out will henceforth be the form of control, unless the national government has (lawfully) determined that control cannot be exercised over specific data flows.

The National Control Register

For some sensitive data, national legislation may allow for an opt-in option. This applies, for example, to genetic data, data from wellness apps, and bodily tissue. Dutch legislation must also clarify how this control can be exercised. Discussions are currently underway in the Netherlands about a National Control Register, in which one can object to certain forms of reuse (and in which, if necessary, consent for sensitive data can be granted). This exercise of control will then apply to all subsequent data permits, until the objection is withdrawn. Therefore, the objection is not retroactive; once a permit has been issued, the data may be used until the end of the research. The exact details of this process are irrelevant for individual scientists. However, it is relevant to determine whether the register will be structured in such a way that the opt-out is frequently exercised for certain data, or not, as this could complicate data availability for a particular discipline within medical science.

The AP, the free flow of data and ethics

Finally, three comments: the EHDS is intended to strike the right balance between privacy protection and the benefits of data availability. The GDPR remains in effect, and the Dutch Data Protection Authority retains all its privacy enforcement duties. The HDAB is therefore the newly established government body tasked with serving the opposing interest: data availability. Given this division of tasks, it is logical that it is not the HDAB, but the Dutch Data Protection Authority, that will take enforcement action if the exercise of control in the National Control Register is not properly observed. Furthermore, some people believe that you should be able to indicate in the National Control Register that your data cannot cross borders, but that seems to me to be contrary to European law on the free flow of data. Finally, some parties believe that the opt-out is unethical and that consent must always be requested. To them, I would like to point out that the EHDS is a European law, enacted by the democratically elected European Parliament. The current Dutch government has also stated in its coalition agreement that an opt-out is sufficient. This suggests that the majority of society does not consider the opt-out unethical.


The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.


The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB, the body that will be the source of permits for the beneficial reuse of health data. Who can take on this role, and who cannot? And what will this HDAB be responsible for?


Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in an SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such an SPE from now on? Will it become a supercomputer containing all our health data?