EHDS Jurist

European Law

The EHDS is European law. But what is that exactly? Does it have direct effect? What is the difference between a directive and a regulation? Does European law always override national law? Can the EU even write rules on public health? What does the EHDS implementing legislation entail? And can privacy be protected beyond what Europe prescribes?

In the past, treaties were concluded between states. Initially, these were contracts between those in power, with obligations imposed solely on those powers themselves. Later, treaties also included the rights and obligations of citizens. Then came the European Union. This was something completely different from an international organization or a treaty. A new layer of government was created; Europe became a federation similar to the United States. The EU drafted legislation that had direct effect on national legal systems, regardless of whether a European country wanted it or not. Therefore, there is frequent debate about whether the EU even has the authority to legislate on a particular topic.

The EU initially acquired powers primarily in the economic sphere: the free movement of people, goods, services, and finance. It had no jurisdiction over (among other things) government transparency or public health. Subsequently, the view on data changed; it is now seen as an economic asset, on which the EU can therefore legislate. It was also recognized that free movement could only truly function if there was also an underlying free movement of data. In that context, the EU began working on a European data strategy, with little dispute that the EU has the authority to create the free movement of data, similar to the free movement of goods and services. The competence (the authority to write regulations) regarding public health is now being shifted from the national governments to Brussels—accelerated by the coronavirus pandemic; a European Public Health Strategy is being developed. However, it is still emphasized that the competence in this regard lies primarily with the Member States.

The unique thing about the EU is that (in the areas for which it has been granted powers) it is essentially a federation, a new layer of government. European law has direct effect, whether a country wants it to or not. The EHDS will soon become directly applicable law, which can be directly invoked in court. The EHDS is a regulation. The EU also writes directives. Directives are essentially mandates for Member States to write certain laws, with some freedom in how they are implemented. However, in both cases, you cannot simply withdraw from them (although you can always leave the EU, but that would be a rather extreme approach).

Even though a Regulation (unlike a Directive) has direct effect as law, an Implementing Act usually needs to be written alongside it, such as the GDPR Implementing Act. Such laws are necessary to integrate European law into our national system; for example, an EHDS licensing system must be in line with the provisions of the General Administrative Law Act on licensing. Authorities also often need to be designated; in the case of the EHDS, this is the HDAB. In addition, the Implementing Act must regulate matters that are explicitly left open in the Regulation, or in respect of which the Member States are given a task; a task similar to a Directive. For example, Article 13(1) of the EHDS begins with the words: “Member States shall ensure that…”

When drafting such implementing legislation, it is also important to consider whether a rule is intended as minimum or maximum harmonization. Minimum harmonization sets a lower limit; all Member States must provide at least a certain level of legal protection, but more is also acceptable. Maximum harmonization requires the implementation of precisely that rule. Deviations from it are not permitted, which is often overlooked with regard to the GDPR. Therefore, when drafting implementing legislation for European law, consideration should always be given to: (1) how the whole should be integrated into national legislation, (2) which areas leave explicit choices to the Member States, and (3) which areas concern minimum or maximum harmonization and whether deviations are therefore permitted. Regarding health data, it is important that the GDPR states (in Article 9, paragraph 4) that Member States may draft additional rules. However, the EHDS explicitly states (recital 52) that this paragraph 4 will no longer apply to EHDS data.

Finally, there are rules regarding the hierarchy of rules if the court finds they are truly in conflict; these are the so-called conflict rules. There are three: (i) higher law always takes precedence over lower law, (ii) a specific rule takes precedence over general rules, and (iii) new rules on the same subject take precedence over older rules. These three are applied in this order. This means, among other things, that the WGBO (Dutch law) can never override European law, because that is higher law. National law, such as the WGBO, can only override European rules if those European rules explicitly state that this is permitted. We must therefore carefully study the text of the EHDS to assess whether our Dutch law conflicts with it, and if so, whether it is permitted. If it is not permitted, the Dutch rule automatically no longer applies.

The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.

The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB: the body that issues permits for the beneficial reuse of health data. Who can take on this role, and who cannot? And what will this HDAB be responsible for?

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in an SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such an SPE from now on? Will it become a supercomputer containing all our health data?