EHDS Jurist

GDPR, Purpose Limitation, Science and Corona

Medical scientists trying to gather data for (undeniably useful) research are sometimes faced with rejection due to “purpose limitation.” For example, someone had collected data for research into unexplained excess mortality after COVID-19. When she subsequently wanted to use that same data for research on Long-Covid, it was denied. Purpose limitation! But is that correct?

The principle of purpose limitation can be found in the GDPR. It states that (1) personal data may only be collected for specified and legitimate purposes, and (2) it may not subsequently be used in a way “incompatible with those purposes.” The latter is the principle of purpose limitation, and it logically follows from the first. Prescribing that you may only collect data for specific, legitimate purposes is pointless if you can then do something completely different with it. Whether there are valid “purposes” must be assessed against the GDPR article that sets out the “grounds.” This is often taken for granted, while it simply boils down to the question: do you have a legitimate and good purpose for doing what you’re doing?

The GDPR article on lawful purposes or conditions also explains when you’re allowed to do something slightly different with that data: when there’s a compatible purpose. For example, Netflix primarily collected customers’ personal data to provide paid streaming services. However, the company is also allowed to use that data to take action against subscription abuse. These are sufficiently connected, and customers can reasonably expect such a thing to happen. That’s therefore “compatible” use of personal data. If that’s not the case, if it’s not sufficiently connected, then there are three possibilities: a law prescribes that it’s allowed anyway, you have permission, or you simply have to collect new data.

The latter is, of course, a problem for scientists. Because if data has been collected to provide care to someone with complaints, that’s quite different from using that data to investigate whether AI can help identify someone’s condition sooner. The connection becomes even more remote if you’ve collected data to track down cybercriminals, and then criminologists want to study that data to investigate why someone becomes a cybercriminal in the first place. Can such a thing be prevented? Then the use is truly no longer related to the previous purpose, nor is it use that the data subjects could reasonably expect. Asking those cybercriminals for consent is a rather hopeless mission, but so is generating new data. Therefore, a law is needed that stipulates that such a thing is permitted.

The good thing is that they’ve already addressed this in the GDPR itself. The article on purpose limitation immediately states: further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the original purposes. In simpler terms: the principle of purpose limitation simply doesn’t apply to science and statistics.

Of course, this doesn’t mean that everything is suddenly permitted under the guise of science, statistics, or archiving. Although there is a general exception to the principle of purpose limitation for scientific purposes, specific research can still be prohibited. After all, you must also meet other requirements of the GDPR, such as taking sufficient technical and organizational measures to secure everything; for example, anonymization or pseudonymization, or working in a highly secure processing environment that you can only access with a crowbar (as criminologists have devised).

If the data you’re working with is special personal data (which is what health data is), you also need an exception to the prohibition on using it. This prohibition is essentially medical confidentiality. It’s not in healthcare law, but in the GDPR. It doesn’t apply to people with a specific profession, but to everyone, with regard to certain types of data. Very useful. One such exception to medical confidentiality is: you may use health data for medical research if you’ve asked for consent, unless that’s unreasonable. When it comes to big data research, that’s unreasonable, and consent isn’t required.

All this means: if you’re conducting big data research on, for example, excess mortality and Long-Covid, if the government funds it because it’s well-designed and genuinely useful, and if the requirements are met because you’re working in a highly secure processing environment, then the principle of purpose limitation doesn’t apply. In that respect, you don’t need consent. You might still need consent to breach (universal) medical confidentiality, but that’s a different matter. And in that case, consent isn’t required if the research involves a large amount of data. Incidentally, the rules regarding consent will change under the EHDS. However, the GDPR will remain in effect, and the rule that there’s a general exception to the principle of purpose limitation for the purposes of science and statistics remains unchanged.

Lab data medical EHDS

The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.

EHDS privacy legal data

The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?

EHDS privacy legal data

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in an SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such an SPE from now on? Will it become a supercomputer containing all our health data?