EHDS Jurist

The Dutch Bodily Material Act must be rewritten

The draft Bodily Material Act (WZL) must be rewritten

The WZL versus the EHDS

The European Health Data Space Regulation concerns data, not bodily material. The draft Bodily Material Act (WZL) concerns material, not data. Based on the names of the two laws, one might therefore assume that there is no overlap, and that there would be no reason to discuss the WZL on this website. I will discuss it anyway, because there is more overlap than one might think. First, when you extract data from material, you are doing something with both data and material. Second, the Guidelines for Regulations (rules on how to write laws) stipulate that new laws must always be carefully considered to determine their true necessity, and that they must be harmonized with existing regulations as much as possible. Third, many (incorrectly) believe that the WZL does indeed concern data from material, while the EHDS explicitly does. For these three reasons, I will discuss the draft WZL here. Spoiler alert: it’s rubbish.

Why the WZL?

First, a little background on the WZL. Scientists are usually concerned with data from the material, not the material itself (unless, for example, they need material for a surgery class). They find this so logical that the two get confused. For lawyers, bodily material is completely different from data from the material. Previously, these were clearly legally separated. The WGBO (Dutch Medical Treatment Contracts Act) contains a statutory provision on the reuse of material (Article 7:467 of the Dutch Civil Code) and a statutory provision on the reuse of patient data (Article 7:458 of the Dutch Civil Code). Because people often want to extract data from material, the law states: “Research with anonymous substances and parts separated from the body is understood to mean research in which it is guaranteed that the bodily material to be used in the research and the data to be obtained from it cannot be traced back to the person.”

So, as soon as you extract patient data from the material, you no longer fall under the article about the material, but under the article about data. This prevented duplication, and that was perfectly arranged. The problem is that over time, the legal article about material has been interpreted differently. Some believed that if traceable data were extracted, consent was always required (perhaps based on invalid a contrario reasoning applied to Article 7:467 of the Dutch Civil Code?), while the other legal article (Article 7:458 of the Dutch Civil Code) states: consent unless unreasonable.

What is anonymous?

Moreover, bodily material was previously generally considered anonymous: you can’t tell who a drop of blood belongs to. But now that DNA can be extracted from a drop of blood, it was argued that bodily material is essentially no longer anonymous. This conflicts with European (GDPR) case law regarding when something is considered personal data. This is based on a relative concept. Whether privacy is at stake and therefore whether the GDPR applies depends on who is processing the data and what that processing entails. This (case law on the) GDPR is relevant because, when the GDPR Implementation Act was drafted (Article 24), specific reference was made to the Medical Treatment Contracts Act (WGBO): these articles were intended to provide the same framework. However, this relative approach to personal data seems to have had no effect on how bodily material is treated. This may be because the experts cited in this regard are medical scientists, not lawyers. They will have concluded that material is never technically anonymous again, but that is a different matter from the question of whether it is legally anonymous.

All those biobanks...

Because the law stipulates that one can opt out of material unless it is not anonymous, many now believe that bodily material is never anonymous and therefore (almost) always requires consent. This is often difficult for scientists to handle. In my opinion, this difficulty lies in a misreading of the legal provisions, and in this regard, a legislative amendment was therefore unnecessary. However, this doesn’t change the fact that the House of Representatives simultaneously became uneasy about the fact that a large amount of material (from millions of Dutch people) was now being stored in biobanks, with little oversight. A law was therefore necessary, and that argument hasn’t been dismissed yet: “a” WZL (an Act on Control of Bodily Material) is therefore necessary. However, the confusion about material versus data from that material has only increased with this draft law on the control of bodily material.

Double rules

The WZL itself explicitly states, “This law applies to procedures involving bodily material (…).” This is problematic in itself. Firstly, because the article in the WGBO stipulated: this article applies to bodily material, unless (traceable) data is extracted from it, in which case you fall under the article on data. This “unless” provision is not in the WZL. This means that if personal data is extracted from bodily material, it will soon fall under the WZL because it involves bodily material, and it will also fall under the GDPR (and soon the EHDS) because it involves personal data (and health data). This means that under the WZL, you must check whether an objection has been filed (via a separate system), while under the EHDS, you must also check whether an objection has been filed in the National Control Register.

This is despite the fact that the intention is to reduce the administrative burden, and the Guidelines for Regulations stipulate that harmonization must be as high as possible. Why the WZL isn’t aligned with the EHDS is therefore a mystery to me. Moreover, it’s unacceptable to choose to have data extraction from material fall solely under the WZL, as that is a Dutch law that cannot override the European GDPR. It should be the other way around: it should be explicitly stated that if personal data is extracted from material, it no longer falls under the WZL but under the GDPR. This is currently lacking.

But the WZL is not about the data itself

But it’s also problematic because it escapes almost everyone’s attention that the WZL concerns actions with material (including data extraction), but not with that data itself. Even the Council of State recently wrote in an advisory opinion: “A regulation will also be introduced for the (further) processing of personal data (health-related) for this situation.” That’s not the case. But if even the Council of State is confused about this, then so must be almost the entire field. It becomes even more serious when one examines precisely when the law will apply: “This law applies to actions with bodily material that has been (…) collected (…) in connection with medicine (…) and which actions are intended for a purpose other than (…) assessing the patient’s state of health.”

Bodily material (such as drops of blood or a piece of skin) is often collected for the care of a specific patient. Afterward, it is stored, still for that specific patient, due to the obligation to keep records of what is done and why. The WZL will therefore not apply in this case, while the article from the WGBO (Dutch Medical Treatment Contracts Act) on material will be repealed. This means that as long as no scientist is interested in the material, no regulations apply. But it gets even stranger. Because if a scientist becomes interested in the material after three years, the WZL will apply, and it will then stipulate (in 2028) that information must be provided to the patient when collecting it. But that was three years earlier, in 2025. How can a law now stipulate that it will apply in 2028, which then prescribes that something must be done three years earlier? I really don’t get it.

Nobody owns it

Another problem is that the bill appears to be based on incorrect assumptions. The Consultation Version of the Second Amendment Memorandum to the Bill on Control of Body Material, dated June 10, 2024, refers four times to a report. This report contains several remarkable statements. For example, on page 55 it states: “Our law primarily considers materials separated from the body as ‘substances susceptible to human control’ (Article 3:2 of the Dutch Civil Code). Ownership can then be considered. The person from whom the body material originates becomes the owner of that material.” This is incorrect. Article 3:2 of the Dutch Civil Code states: “Things are tangible objects susceptible to human control,” to which Article 5:1 of the Dutch Civil Code adds: “Ownership is the most comprehensive right a person can have in a thing.”

This “possession” does not imply that every thing is subject to ownership. You can only own something if it is also subject to possession, because you can only become an owner through transfer of possession, taking possession, or possession plus prescription. Everything “outside of commerce,” as it has been defined for centuries, is not subject to possession and therefore also not subject to ownership. If too much skin is wrongly removed, this may be abuse, but you cannot report theft to the police. No one owns bodily material, just as no one owns health data (one cannot own “the sun is hot,” and therefore also not “the patient has a fever”).

Provide control, but harmonize

Intuitively, we feel that patients should perhaps have some control over their bodily material, but this is separate from the concept of ownership. Similarly, under the GDPR, patients have control rights over data to protect their privacy, which are therefore entirely independent of the question of ownership. The GDPR stipulates that a balance must always be struck between the interests of privacy and the interests of data use. And this should also be the case with bodily material. Therefore, the WZL should, where possible, align as closely as possible with the GDPR and the upcoming EHDS, and the subtle balance sought in these two regulations between the interests of privacy and the interests of data freedom. However, the WZL wrongly fails to align with the EHDS at all. In that regard, the recent report from the Council of State was indeed correct. Such a lack of harmonization violates Article 2.45 of the aforementioned Guidelines for Regulations, which stipulates that this should be pursued as much as possible.

Physical integrity not at stake

The decision not to align fully with the GDPR and the EHDS also appears to be related (besides the confusion of data and material) to the confusion of body and bodily material. The moment material is taken from a patient, at that moment, bodily integrity is compromised. This is no longer the case when a sample is retrieved from an archive for research five years later. Three situations can be distinguished regarding collection: collection for care, collection for care and research, and collection solely for research. The Medical Research Involving Human Subjects Act (WMO) applies to this third situation. This Act contains strict safeguards to protect the patient’s health and bodily integrity. There was some uncertainty about the extent to which this law also applied in the second situation: when an additional tube of blood is collected. In that case, too, the patient’s body is at stake, and ethical questions arise. However, if an existing sample is retrieved for research, only privacy issues arise.

So why an ethical assessment?

Despite this, the WZL stipulates that material managers must always have regulations that have been approved by an ethics committee. But this is very odd for a situation in which there are no ethical questions at all: the situation in which material was collected solely for healthcare purposes. If one only realizes afterward that this material might also be useful for research, bodily integrity is not at stake at all. The only question then is whether the patient’s privacy is sufficiently protected, which is already addressed by the GDPR and the EHDS. Why a Medical Ethics Review Committee needs to be involved in this is incomprehensible. These review committees are extremely valuable in medical research involving human subjects. Patients who think they might die say yes to everything. And then a review committee has to look into whether the risk to the patient is not too great, or whether the chance of a beneficial effect from the research is not too small. This ethical constellation is completely irrelevant when a piece of skin taken three years earlier is used. Therefore, it is incomprehensible why the ethics review committee needs to be involved in this.

In short: back to the drawing board

All in all, the WZL is an incomprehensible law, while the Explanatory Memorandum precisely states that it aims to provide clarity. Furthermore, the WZL is not in line with the Guidelines for Regulations because it is not optimally aligned with the GDPR and the EHDS. Therefore, the draft WZL must simply be scrapped. No minor adjustments, as was previously the case. A completely new WZL needs to be written (i) that precludes the dual application of rules to the same action, (ii) that aligns as closely as possible with the GDPR and the EHDS, (iii) that regulates control through the National Control Register, (iv) that, following the GDPR, opts for a risk-benefit assessment, and (v) that omits the ethical review if privacy is at stake but physical integrity is not.

Lab data medical EHDS

The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.

EHDS privacy legal data

The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?

EHDS privacy legal data

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?

The rule of law for medical scientists

We nowadays have a (fairly) well-functioning government. It’s sometimes forgotten that this used to be different, or that it still isn’t the case in many other countries. Lawyers learn during their training that it’s important to continue to defend the rule of law, so we never revert to dictatorship. As a medical scientist, you might think this isn’t your job, that you don’t need to know anything about it. Nothing could be further from the truth. Understanding the Trias Politica, for example, is important for knowing when to ignore the Data Protection Authority. It’s also helpful to understand that a lobbying campaign starts with the question of whether the Ministry of Health, Welfare and Sport is the right place to be. Therefore, I’ll outline some basic principles for medical scientists here.

The Data Protection Authority is sometimes wrong

A key element of our constitutional state is the separation of powers, the Trias Politica. The legislative branch establishes the rules (a Ministry drafts a law, but Parliament decides). If the rules are vague or there are exceptions, the judiciary provides further detail. In addition, we have the executive branch, which also includes enforcement authorities. They can impose fines. To prevent abuse of power, they may only implement rules and not establish or interpret them. This means that an authority like the Dutch Data Protection Authority cannot determine what the law entails (as also stated by Zwenne and Hallinan, p. 27).

The position of the Data Protection Authority (DPA) is similar to that of a police officer. While they can prioritize burglaries over public urination, for example, they cannot themselves determine that children on fat bikes will henceforth receive a fine. Similarly, the DPA may consider something to be part of its remit, but if the GDPR doesn’t stipulate that, no fine can be imposed. Even what’s stated on the DPA’s website isn’t necessarily correct. Just like the “opinions” of the EDPB, they are just that: opinions, ultimately up to a judge to determine their correctness. Similarly, it’s useful to question whether the IGJ’s code of conduct clearly stems from a law. If not, then, based on the principle of legality, no fine can be imposed for ignoring such rules. A critical attitude isn’t civil disobedience, but an important safeguard of the rule of law.

A test-case foundation would be useful for clarity

Related to this is the following point: if a problem is identified, a solution must be requested from the appropriate source. For example, the GDPR is a very unclear law. The medical-scientific sector is eagerly looking to the Ministry of Health, Welfare and Sport for clarification. But this Ministry cannot provide any explanation for an existing law, which, moreover, did not originate with it. The GDPR could be rewritten, but only the European Parliament can do that.

There is also not always a point in a governmental body paying someone to write codes of conduct. Because if they’re not actually used by judges to give substance to a vague law, then those codes simply have no legal standing. The GDPR can only be clarified by judges, but that would require submitting specific questions to the court. Generally, people are averse to litigation, but from a societal perspective, litigation serves an important function: it clarifies the law. That’s why it would be much more useful if, for example, the Royal Netherlands Academy of Arts and Sciences (KNAW) and the Dutch Trade Union Federation (FNV) established a foundation for test cases for medical scientists.

Furthermore, law isn’t a hard science. In many conflicts, both sides have a point; otherwise, litigation wouldn’t often go all the way to the highest court. It’s a high-level argumentation theory. Parties who understand this know that professors’ arguments carry considerable weight, which is why they sometimes open their wallets to appoint a special professor; it’s simply a form of lobbying.

And check whether you are addressing the right Ministry

If you want a new law, you also have to contact the correct Ministry. For example, there are complaints that scientists are not (or not always?) allowed to use the Citizen Service Number (BSN) to link files. (Pseudonymized) name and address data are regularly used, but this is worse from a privacy perspective and also leads to more errors. Therefore, there is lobbying for a change in the law at the Ministry of Health, Welfare and Sport (VWS). However, the BSN ban is in the implementing act for the GDPR. Therefore, it also makes sense to include a rule in that same act that scientists may use the BSN. After all, it doesn’t make sense to write different rules for medical scientists than for social scientists or criminologists. The Ministry of Justice is responsible for the GDPR, and therefore the Ministry of Justice is the right place to lobby for a change in the law. And if you can’t agree on the right Ministry for a draft law, remember that all laws are ultimately passed by Parliament. Lobbying the House of Representatives (which can add something to a bill that is already on the table) therefore makes more sense than lobbying the Ministry of Health, Welfare and Sport when it comes to addressing the BSN issue.

Conflict rules and logical reasoning

It’s also worthwhile to occasionally reflect on the broader legal system and its precise division of roles. For example, there are the conflict of laws rules. These days, many people use the term “lex specialis.” They call something a special law, which therefore takes precedence. That’s too simplistic. First, one must check whether there are two distinct rules pointing in different directions. Without conflict, the conflict of laws rules do not apply. Then, it’s important to establish that there is a sequence in the conflict of laws rules: (i) higher law always takes precedence over lower law, (ii) special law takes precedence over general law, and (iii) new law takes precedence over old law.

The second rule, the lex specialis rule, is therefore only applied if the first rule fails. Consequently, a special but lower-ranking law (such as the Medical Treatment Contracts Act) can never override European law. What is possible is for a national law (the Police Data Act) to apply instead of the GDPR, because the GDPR itself stipulates that it does not apply to police data. But that doesn’t make the Police Data Act a lex specialis. Also, beware of invalid reasoning. If a law stipulates that a file must be retained for two years, then there is nothing stipulated about what must happen in the third year. The law doesn’t state that the file must be destroyed after two years; that depends on whether, after those two years, there is a good reason other than the law for retaining it.

The Dutch WGBO is contract law

It’s also worthwhile to occasionally consider the broader legal system. For example, it’s often overlooked that the WGBO (Dutch Medical Treatment Contracts Act) is part of contract law; it’s simply included in the Civil Code, between tenancy law and employment law. This entails three things: first, it’s as soft as butter. Contract law is replete with open-ended standards such as reasonableness and fairness and good faith. What a care agreement entails in a specific case is therefore not determined purely by the letter of the WGBO, but equally by the circumstances of the case and what the parties could reasonably expect from each other. Moreover, as part of contract law, the WGBO constitutes a “right of redress.” This means it was written in case one party fails to comply with the agreement.

For example, suppose a doctor has made data available for research without asking permission. This can be brought before a judge, but the judge will simply assess: is there a breach of contract? Check. Has there been any damage? Probably not, except that it is considered annoying. And is there evidence of a causal link between the breach of contract and the damage? You will understand that the patient cannot always rely for remedies on the medical confidentiality obligation in the Medical Treatment Contracts Act (WGBO) while he can rely on the Individual Healthcare Professions Act. This is especially true because they may be able to receive €250 in damages, but the procedure (without legal aid) quickly costs €5,000. Contrary to popular belief, the WGBO is only enforced by the civil courts. After all, the governmental agencies overseeing health care must, based on the principle of speciality, limit themselves to those laws that state that they are enforced by that agency, and that is not the case with the WGBO. In short, don’t be blinded by the content of a single rule; always assess it within the larger system.

The existing free flow of health data

The (already existing) free flow of health data

My data in my country?

In discussions about the reuse of health data, national borders are often discussed. This secondary use requires a proper balance between privacy on the one hand and the importance of, for example, scientific research or being able to assess the effectiveness of a certain policy on the other. Privacy advocates often believe that “our” data should not be allowed to cross borders when reused, or that you should at least be able to indicate in the National Control Register that this is not permitted with “your” data. Scientists, on the other hand, argue that, for example, with rare diseases, they can only do their work effectively if data from different countries can be used. Therefore, they welcome the EHDS, which stipulates, among other things, that they will be able to request data from all over Europe. What both parties overlook is that the free flow of health data within the EU has long existed.

European law on data

One of the objectives of the EHDS is to support the free movement of health data. It says “support” because this free movement already exists. Completely unnoticed is the provision in Article 1 of the GDPR: “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” The GDPR only applies to personal data (where one can reasonably identify the individuals concerned). Therefore, alongside it exists the completely unknown Regulation 2018/1807 on “the free movement of non-personal data within the European Union.” The Open Data Directive 2019/1024 further stipulates: “The conditions for the re-use of documents shall not discriminate against comparable categories of re-use, including re-use across national borders.”

Scientists can already use this

The free movement of goods and services within the EU began in 1993 with the introduction of the internal market. It soon became clear that the internal market was not possible without the free movement of data. Data protection can easily be regulated in the law of an individual member state, but free movement required harmonization (alignment) of legislation. The free movement of data was precisely a key objective of the GDPR, hence its inclusion in Article 1. This means that people can already request data directly from, for example, FinData. This request may not be treated differently from requests from Finnish researchers, as there is also a prohibition on discrimination between Europeans. Therefore, no distinction may be made between Dutch or Finnish scientists in a request. The EHDS will soon make it possible to request data from all over Europe with a single request to the Dutch HDAB. However, it would be helpful if scientists and statisticians were aware that it is already prohibited to hold data at an internal border (a border between EU countries). They can therefore immediately submit requests to work with health data throughout Europe.

Data Subject control the same for the entire EU

Patients will also soon be able to object to certain reuses of data about them via a National Control Register. The Ministry of Health, Welfare and Sport (VWS) must now determine the exact structure of this register. However, European law prohibits structuring this register in such a way that Dutch scientists can work with “our” data, but not Belgian scientists. Considering that these scientists are trying to find a cure for cancer, for example, a cure that will then become internationally available, it makes perfect sense for a legislator to ensure that every scientist in the EU has access to data, not just those from our own academic hospitals. Moreover, under the GDPR, data may already flow to countries for which the EU has issued an adequacy decision. This means that Brussels believes that privacy is adequately protected in countries like Japan. Countries like Japan may eventually join the EHDS, but because they are not part of the EU, you may be asked in the National Control Register whether you object to data about you also being sent to such non-EU countries.

So the BSN may not be withheld either

Note: this free flow of data was intended to support the free movement of goods and services within the EU. The idea behind it was: the larger the market, the more competition, which will lead to higher quality at lower prices. Brussels wants a good winegrower in Italy to be able to sell directly to people in Wassenaar. Similarly, a good radiologist should be able to directly assess MRI scans in Greece. This will make better care available in Europe at a lower price. The underlying data traffic shouldn’t stand in the way of this. In the Netherlands, some people believe that the Citizen Service Number (BSN) cannot be used across the border because the law doesn’t say otherwise. But that seems to me to be a typical situation that, if Dutch law were to actually entail this, would be invalid under Article 1 of the GDPR. Personal data may not be withheld at an internal EU border, and that also applies to the Citizen Service Number (BSN).

When can you ignore medical codes of conduct?

On LinkedIn, doctors and medical researchers regularly complain about unworkable rules. For example, as a radiologist, you have to ask the patient’s permission to use an MRI scan performed by someone else, and that permission is only valid for 72 hours. My response is: if it’s not in the law, then you can probably ignore it. Then I get a flood of responses. Dentists and pathologists explain to me that these are codes of conduct that the IGJ also uses and that “therefore” cannot be ignored. Here’s an explanation for them as to why and when certain (but not all) codes of conduct can indeed be ignored.

Soft law is not law

Codes of conduct are soft law, and contrary to what the name suggests, they (like ethics) are not law. They are rules based on ethics, mutually agreed-upon behavior, or contractual agreements that people adhere to, but they are not law. Soft law is used, for example, when one cannot enact or enforce laws, as in international law. It is also used when one does not want to enact formal law, because it is more flexible and one wants to wait and see how a new social phenomenon will develop (such as with franchising). Soft law is also chosen when the sector itself has considerable expertise and good intentions. In such cases, the sector is asked to draw up rules. Soft law is excellent for all of this. However, with soft law, you cannot ignore the rule (Article 5:4 of the General Administrative Law Act) that stipulates that the authority to impose a fine exists only insofar as it is granted by or pursuant to law.

There must be an open norm

But within healthcare, soft law is treated as part of the law. Sometimes this is correct, but sometimes it isn’t. Soft law can only become law if it includes an open standard. An example of such an open standard is: “The healthcare provider offers good care.” What constitutes good care? That means something different for a child psychiatrist than for a heart surgeon, and it’s different in 1995 than in 2025. Therefore, there are all sorts of codes of conduct and protocols by which (disciplinary) judges interpret the concept of good care. But, for example, the Coreon Code of Conduct requires that a medical ethics committee be consulted if there is a suspicion that research may raise privacy concerns, which is the case if personal data is used without consent. There is no open standard anywhere in the law that could lead to this, and therefore this rule is not part of the law.

There must be a judge who applies this

The second thing needed to turn soft law into law is a (disciplinary) judge who actually uses those codes of conduct to give substance to the open standard. Consider the Trias Politica: the legislature can write laws, the judiciary dictates how this should be implemented in practice. The executive branch implements, but cannot write rules. For example, the police cannot decide for themselves that children riding fat bikes will now receive fines. And the Dutch Data Protection Authority may have some opinions on how the GDPR should be interpreted, but that’s all it is. The European Court of Justice recently said precisely that about the European Data Protection Board: an “opinion” is simply an opinion. The IGJ, therefore, also only has an opinion and cannot write rules. The IGJ can indeed impose fines based on codes of conduct, but it is then up to the judiciary to verify whether the fine is justified or whether it should be overturned.

And it must comply with administrative law

And in that test, the judge examines whether there is an open standard that could be fulfilled with a code of conduct. Moreover, the judge assesses whether all administrative law principles, such as the principle of legal certainty and the principle of legality, have been met. Or how about the rule: no punishment without guilt? Wasn’t there also an emergency or an exception? A judge assesses all of that, but of course, you doctors and researchers have to submit it to that judge. He can’t take action on his own. So if you believe the IGJ or the AP is going too far, just take a stand and appeal to the administrative court. After all, the court is there to protect you and the rule of law. When assessing whether a code of conduct might be non-binding, pay close attention to whether we’re talking about the Medical Treatment Contracts Act (WGBO) or administrative law. The WGBO is part of contract law, and its content is as soft as butter: the supplementary effect of reasonableness and fairness always applies there, meaning there’s always an open standard by which soft law can become part of the law. However, in administrative law (anything that can lead to a fine), the principle of legality applies, and therefore there’s much less room for soft law.

And if not, then you may ignore it

In short: certain codes of conduct or protocols are indeed part of the law, but that doesn’t apply to all codes of conduct. When are you, as a physician or medical researcher, required to follow a code of conduct? (i) If the law contains an open standard, such as “good healthcare provider,” which is much more often the case in contract law than in administrative law; (ii) if a (disciplinary) judge has actually used those codes of conduct to give substance to the open standard; and (iii) if all of this is lawful, predictable, and the violation of the rule was also culpable, meaning there was no emergency situation or anything like that. Is all of that not the case? Then ignore the code of conduct if it makes you a lesser healthcare provider. Because that’s ultimately what it’s all about: trying to be a good healthcare provider.

The law is not the same as ethics

Is ethics superior? Or is the law?

To properly understand our legal system and what the EHDS will bring us, it’s important to make a clear distinction between law and ethics. Morality is the question of whether we believe something is right, and the basis for that is ethics (although they are also referred to collectively as ethics). It is therefore a reasoned value judgment. Law, on the other hand, is the set of rules that determine what we may or may not do. Some believe that ethics is superior to law, more important, and more valuable. Others believe that ethics is simply an opinion, while law has been established by the majority of society through the democratic process and is therefore more valuable than ethics. The question of who is right is irrelevant, as long as the difference between the two, and how they relate to each other, is properly understood.

Law is rules plus application

These rules of law are established by the legislature and then applied by courts in a specific case: for example, in the question of whether someone must pay damages. Law is therefore the totality of rules as applied by courts in specific cases. The system is structured in such a way that the highest court is always right; what the highest court declares to be law is, by definition, law. This ensures consistency in the application of law, allowing society to adjust its behavior accordingly. If the law is very clear, the court adds little, but rules are often somewhat vague; judges then elaborate on them. Law is therefore a sum of applied rules.

Ethics complements and forms new law

Ethics can be used by judges to flesh out open-ended norms, as is the case with the terms “good care” or “reasonableness and fairness.” Such vague terms are explained using interpretative methods such as dogmatics (what professors think), legislative history (what has been discussed in parliament), a purely linguistic application, or simply ethics. But when there is no open-ended norm, when it is crystal clear what a rule entails in a specific case, then ethics cannot really play a role; for example, with a statutory term of three years. Ethics is therefore used to give substance to open-ended norms. Moreover, ethics is an important guideline in determining what future law should look like. It then serves as an argument for legislative amendments. In this way, in a democratic society, law and ethics end up without significant differences between them, but that is not necessarily the case. Law is sometimes called “solidified ethics” in healthcare. But that’s only the case if ethics influenced the creation or interpretation of law. The rules on how to establish a private limited company are not solidified ethics, and the law of Nazi Germany was law, but not ethical.

A description of the law is not unethical

In discussions about the law surrounding medical research, which often has ethical implications, ethics and law are often confused. This complicates the discussions, which is why it’s important to clearly distinguish between them. One might feel that you should have a property right to data about yourself, for example, but as long as there’s no legal provision or case law (court rulings) that creates such a right, you don’t have one. One might argue on ethical grounds that an opt-in for secondary use of data would be preferable, but once the EHDS comes into effect, this European law will stipulate that an opt-out is sufficient. Lawyers who explain the law are sometimes accused of being unethical. But they don’t make any pronouncements on ethics; they merely explain how certain rules (probably or certainly) should be interpreted.

This is what the European Parliament thought

Ethics is thus used to define open standards. It also serves as a basis for drafting new laws. This also applies to legislators in Brussels. All Europeans have been patients at some point. They voted collectively on who should sit in the European Parliament. It was recently decided there that an opt-out is sufficient. Apparently, the majority considered this ethical.

European law

The EHDS is European law. But what is that exactly? Does it have direct effect? What is the difference between a directive and a regulation? Does European law always override national law? Can the EU even write rules on public health? What does the EHDS implementing legislation entail? And can privacy be protected beyond what Europe prescribes?

In the past, treaties were concluded between states. Initially, these were contracts between those in power, with obligations imposed solely on those powers themselves. Later, treaties also included the rights and obligations of citizens. Then came the European Union. This was something completely different from an international organization or a treaty. A new layer of government was created; Europe became a federation similar to the United States. The EU drafted legislation that had direct effect on national legal systems, regardless of whether a European country wanted it or not. Therefore, there is frequent debate about whether the EU even has the authority to legislate on a particular topic.

The EU initially acquired powers primarily in the economic sphere: the free movement of people, goods, services, and finance. It had no jurisdiction over (among other things) government transparency or public health. Subsequently, the view on data changed; it is now seen as an economic asset, on which the EU can therefore legislate. It was also recognized that free movement could only truly function if there was also an underlying free movement of data. In that context, the EU began working on a European data strategy, with little dispute that the EU has the authority to create the free movement of data, similar to the free movement of goods and services. The competence (the authority to write regulations) regarding public health is now being shifted from the national governments to Brussels—accelerated by the coronavirus pandemic; a European Public Health Strategy is being developed. However, it is still emphasized that the competence in this regard lies primarily with the Member States.

The unique thing about the EU is that (in the areas for which it has been granted powers) it is essentially a federation, a new layer of government. European law has direct effect, whether a country wants it to or not. The EHDS will soon become directly applicable law, which can be directly invoked in court. The EHDS is a regulation. The EU also writes directives. Directives are essentially mandates for national states to write certain laws, with some freedom in how they are implemented. However, in both cases, you cannot simply withdraw from them (although you can always leave the EU, but that would be a rather extreme approach).

Even though a Regulation (unlike a Directive) has direct effect as law, an Implementing Act usually needs to be written alongside it, such as the GDPR Implementing Act. Such laws are necessary to integrate European law into our national system; for example, an EHDS licensing system must be in line with the provisions of the General Administrative Law Act on licensing. Authorities also often need to be designated; in the case of the EHDS, this is the HDAB. In addition, the Implementing Act must regulate matters that are explicitly left open in the Regulation, or in respect of which the Member States are given a task; a task similar to a Directive. For example, Article 13(1) of the EHDS begins with the words: “Member States shall ensure that…”

When drafting such implementing legislation, it is also important to consider whether a rule is intended as minimum or maximum harmonization. Minimum harmonization sets a lower limit; all Member States must provide at least a certain level of legal protection, but more is also acceptable. Maximum harmonization requires the implementation of precisely that rule. Deviations from it are not permitted, which is often overlooked with regard to the GDPR. Therefore, when drafting implementing legislation for European law, consideration should always be given to: (1) how the whole should be integrated into national legislation, (2) which areas leave clear choices to the countries, and (3) which areas concern minimum or maximum harmonization and whether deviations are therefore permitted. Regarding health data, it is important that the GDPR states (in Article 9, paragraph 4) that Member States may draft additional rules. However, the EHDS explicitly states (recital 52) that this paragraph 4 will no longer apply to EHDS data.

Finally, there are rules regarding the hierarchy of rules if the court finds they are truly in conflict; these are the so-called conflict rules. There are three: (i) higher law always takes precedence over lower law, (ii) a specific rule takes precedence over general rules, and (iii) new rules on the same subject take precedence over older rules. These three are applied in this order. This means, among other things, that the WGBO (Dutch law) can never override European law, because that is higher law. National law, such as the WGBO, can only override European rules if those European rules explicitly state that this is permitted. We must therefore carefully study the text of the EHDS to assess whether our Dutch law conflicts with it, and if so, whether it is permitted. If it is not permitted, the Dutch rule automatically no longer applies.

Contracts in medical research

The forest of contracts in medical research

On this page I attempt to explain to medical scientists what all the different contracts are that they might encounter. Imagine the following case: A scientist from the academic center LUMC conducts research funded by X, in a project together with another academic center UMCG, with data (or also cooperation) from village hospital Ter Gooi. Dutch law is described here.

1) The employment contract

First and foremost, there’s obviously an agreement between the scientist and the LUMC. This will usually be an employment contract. It could also be a self-employed person arrangement, but beware: if the scientist works almost exclusively and structurally for the LUMC, the court might still consider this an employment relationship, even if the parties call it something else. The tax authorities determine the exact difference, but the (very) short summary is: the more independent the scientist, the greater the chance that the self-employed relationship will not be considered employment.

Regarding the tangle of contracts, it is important to note the following: many contracts in this project will be in the name of the legal entity LUMC. In agreements with external parties, this entity can grant rights to its own scientists, but not obligations (Plien and Bianca cannot contract together that Annie has to do something). So if, for example, the funder X wants everything to remain confidential, then the agreement between X and LUMC will have to include that LUMC in turn includes in the agreement with the scientist that the latter must keep something confidential. The obligation that X wants will go through LUMC. The same applies to agreements about, for example, copyrights, which automatically arise with the author (scientist), but which may have to end up elsewhere. Perhaps, for example, X wants open source teaching materials to be written, which LUMC will then have to arrange with the scientist.

2) The relationship with financier X: subsidy or commerce?

If the research is funded by X, then this relationship must be legally constituted in some way. The question that must be asked is whether the funding is a grant or a commercial assignment. Note: the parties cannot decide this themselves.

A subsidy is money from a government (such as ZonMw), provided for certain activities, other than as payment for goods or services supplied to that government. The crux of the matter is therefore who you deliver something to. When funding oncological research, you are accountable to ZonMw, but you are not delivering a product to that government, but to society. What is delivered is solely the proof that the activity has taken place. That is therefore a subsidy. However, if the point is that the private financier X obtains patent rights with which its investment can be recouped, then you deliver the result to the financier itself and it is therefore not a subsidy.

With a real assignment, you enter into an agreement under the Civil Code (so all provisions regarding breach of contract apply). With a subsidy, the government (unilaterally) makes a subsidy decision in accordance with the General Administrative Law Act and the subsidy conditions. However, that decision doesn’t force the recipient to actually carry out the activity: you can simply repay the amount. Because the government often wants certainty that the activity will actually be carried out, a subsidy implementation agreement is then concluded, which is therefore not the same as a contract for services.

3) The consortium agreement

If the UMCG and LUMC have jointly secured funding, the financier doesn’t want the parties to pocket it and refer to the other for the results. They also don’t want disputes to lead to no results, to the results being kept confidential, or to legal violations during project implementation. Therefore, financiers often require a consortium agreement.

From a legal point of view, however, this is something that is difficult to define. After all, the contractual collaboration could be the implementation of a subsidy or a commercial assignment. It could be decided that the subsidy implementation agreement also serves as a consortium agreement (and in that case X is also a party), or it could be separate.

The agreement is usually intended to be nothing more than a contractual collaboration for this specific project. However, care must be taken to avoid unintended consequences under corporate law; it’s important to ensure the collaboration doesn’t accidentally qualify as a general partnership or partnership. Note that this can even happen if there’s no written agreement at all, only a de facto collaboration. It can therefore be helpful to explicitly state that this is not the intention.

When only two parties are involved in the collaboration, it’s often called a collaboration agreement. When more parties are involved, an agreement is often drawn up called a consortium agreement. Legally speaking, this makes no difference; both are simply covered by contract law. The difference is that a consortium agreement always contains provisions regarding who can make which decisions; although there is no legal entity (such as a private limited company), bodies are established between which decision-making authority is divided. These are usually the consortium leader, the work package leaders, and the entire group.

Note that contract law is actually quite soft. The content of the agreement (under Dutch law) is richly supplemented by considerations of reasonableness and fairness, unforeseen circumstances, what the parties could reasonably expect from each other, and how the collaboration has evolved over time. We’ve adopted the practice of writing lengthy contracts from the Americans, where none of these requirements apply, but in the Netherlands, it’s not really necessary.

4) Clinical Trial Agreement

When, instead of research with data, or in addition to research with data, research is also conducted with or on human subjects, the laws concerning medical research involving human subjects apply. In that case, too, an agreement must be concluded: the clinical trial agreement, or CTA. This could, of course, simply be the consortium agreement, although there are two differences.

Firstly, in addition to the UMCG and LUMC (which are designing the research), Ter Gooi is now also a party to the agreement, because that’s where the research is (also) conducted. Previously, they only provided data, but that will change. The second difference is that the WMO (Medical Research Involving Human Subjects Act) now applies, meaning that various tasks and responsibilities under that law must be contractually established. For example, the WMO stipulates that research results must be made public, so it must be determined who will actually do that (not all three, of course). This publication requirement does not currently apply to purely data research, but that will change once the European Health Data Space Regulation comes into effect.

5) The Joint-Controllers Agreement

When LUMC doesn’t simply allow others to participate in the research, but actually designs the research together with UMCG (and a joint research plan has been drawn up), these two parties jointly determine the purposes and means of processing personal data, as defined by the GDPR. Note that this only applies if personal data is actually being processed, as this is not the case if the data has already been pseudonymized by Ter Gooi Hospital (or, for example, ZorgTTP, a party other than UMCG and LUMC themselves) in such a way that they can no longer determine which natural persons are involved. Therefore, just because data concerns individuals doesn’t automatically make it personal data. The question is whether privacy is at stake because it can reasonably be determined who the data concerns; only then does the GDPR apply. If you have any doubts about this, simply call your data protection officer.

If the data is not (yet) sufficiently pseudonymized, UMCG and LUMC are required to sign a joint controller agreement. The most important aspect of this agreement is that the GDPR responsibilities are properly allocated. For example, a DPIA (Data Protection Impact Assessment) must be performed for high-risk processing, and UMCG is not supposed to assume that LUMC has performed this, or vice versa. Incidentally, patients don’t have much to do with this agreement: they can still contact either party to exercise their GDPR rights.

6) Joint-Data-Registry-Agreement

Yet another agreement governs the rights between LUMC and UMCG regarding the data, prior to the completion of the research. This can, of course, also be included in the consortium agreement or the joint controllers’ agreement. It is also sometimes concluded separately. There are no IP or property rights on raw data. If the plan is to jointly produce scientific publications after three years of data collection, it would be undesirable if UMCG publishes halfway through without LUMC having access to the data, or if LUMC denies UMCG access to the data halfway through. The law doesn’t automatically prohibit all of this (due to the lack of IP or property rights on raw data), so this must also be contractually agreed upon. A funder may also have requirements regarding the raw data, for example, that it be made FAIR immediately after publication of the results.

7) License Agreement

Where IP rights (such as copyrights or patents) do exist, agreements must also be made. These too can be included in the consortium agreement, or they can be dealt with separately. There are two types of IP rights: what is contributed to the collaboration is called Background. What arises during the collaboration is called Foreground. Existing IP rights may be necessary for the research. The party contributing these rights wants to protect these IP rights by stipulating that they may be used exclusively for this research. The other party, on the other hand, wants to be sure that the research will not be disrupted by a refusal to share the IP. The contributed Background is described in the agreement for this purpose. Subsequently, new IP is created during the research. The scientists at LUMC and UMCG simply want to be able to publish their articles (for the benefit of their careers) without encountering problems with these IP rights. They also want to be able to conduct follow-up research with the knowledge they have acquired, without the other party restricting this. If X is a commercial financier, it may want to keep the IP for itself; as a philanthropist, it may want to ensure that the IP is made available to everyone. In order to do justice to everyone’s wishes and interests, contractual agreements must be made about this.

8) The Data Transfer Agreement with Ter Gooi

Suppose the research does not involve human subjects; Ter Gooi Hospital has only been asked to contribute data. Ter Gooi has no say in the research’s design. The hospital’s Data Protection Officer will have to determine, based on the GDPR, whether this data transfer is permitted. If all requirements are met (fulfillment of the principles of Article 5, a legal basis as in Article 6, an exception to the prohibition in Article 9, the requirements of Article 24 GDPR, and the security measures in accordance with Article 89 GDPR), Ter Gooi may transfer the data for the research.

LUMC and UMCG are then automatically obligated to comply with the GDPR when using data from Ter Gooi. The law therefore does not require a data transfer agreement (DTA), but to ensure the data is used exclusively for the purpose for which it was requested, one is usually concluded anyway. At most hospitals, the requirement to use a DTA is stipulated in their internal policy.

Since Open Data Regulation 2019/1024, certain organizations are also required to enter into a Data Transfer Agreement (DTA): institutions entrusted with a public task, government-owned companies, and publicly funded research organizations. A contractual agreement must stipulate that recipients of pseudonymized data may absolutely not attempt to identify the individuals.

Note: in this case, there is no legal requirement for Ter Gooi and LUMC to enter into a data processing agreement, as LUMC does not act on behalf of Ter Gooi or vice versa. Nor is a joint controller agreement required, as LUMC and Ter Gooi are not jointly conducting the research. One of these three agreements is always entered into, never multiple.

Subsidy or assignment

It is not always immediately clear whether there is a subsidy or a commercial assignment. A subsidy is legally defined as: “the claim to financial resources, provided by an administrative body for the purpose of certain activities of the applicant, other than as payment for goods or services supplied to the administrative body.” The latter is important for the distinction between a subsidy and a commercial agreement. For example, if the police purchase bulletproof vests, then it is a commercial contract, because although the police work for the benefit of society, those vests are actually purchased for, and supplied to, the police themselves. This is different when an academic hospital receives government funding to conduct research into a rare disease. Any new treatment developed is intended for patients, not for the government. Moreover, the treatment is not delivered to the government, but only proof that the subsidized activity has actually been carried out. To determine whether we are dealing with a commercial assignment or a subsidy, we must therefore look in particular at what exactly must be delivered and for whom it is intended; is a service or product provided to the grant provider, or is only evidence of the activity provided?

No free choice

Parties may not, or cannot, decide for themselves whether something is a contract or a subsidy. If it falls under the above definition, it is a subsidy, and vice versa. If the above still doesn’t lead to a decision, the court will also consider: (i) is the payment (lower than) the cost price or is there a profit margin, and (ii) who initiated the activity. The underlying idea is that a commercial contractor wants to make a profit and generally doesn’t start work until it’s clear whether someone will pay. The distinction between subsidies and commercial contracts is important for VAT; VAT doesn’t have to be paid on subsidies, which is why opposing parties can argue that something is a subsidy when in fact it isn’t. Also note that the definition of a subsidy doesn’t specify whether there was a call for tenders. Therefore, a call for tenders (contrary to popular belief) doesn’t mean it’s not a subsidy; one could be mistaken, and moreover, under European law, subsidies are increasingly required to be put out to tender.
