EHDS Jurist

The (already existing) free flow of health data

My data in my country?

In discussions about the reuse of health data, national borders often come up. This secondary use requires a proper balance between privacy on the one hand and the importance of, for example, scientific research or being able to assess the effectiveness of a certain policy on the other. Privacy advocates often believe that “our” data should not be allowed to cross borders when reused, or that you should at least be able to indicate in the National Register of Authorities that this is not permitted with “your” data. Scientists, on the other hand, argue that, for example, with rare diseases, they can only do their work effectively if data from different countries can be used. Therefore, they welcome the EHDS, which stipulates, among other things, that they will be able to request data from all over Europe. What both parties overlook is that the free flow of health data within the EU has long existed.

European law on data

One of the objectives of the EHDS is to support the free movement of health data. It says “support” because this free movement already exists. A provision that goes completely unnoticed is Article 1 of the GDPR: “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” The GDPR only applies to personal data (where one can reasonably identify the individuals concerned). Alongside it, therefore, exists the completely unknown Regulation 2018/1807 on “the free movement of non-personal data within the European Union.” The Open Data Directive 2019/1024 further stipulates: “The conditions for the re-use of documents shall not discriminate against comparable categories of re-use, including re-use across national borders.”

Scientists can already use this

The free movement of goods and services within the EU began in 1993 with the introduction of the internal market. It soon became clear that the internal market was not possible without the free movement of data. Data protection can easily be regulated in the law of an individual member state, but free movement required harmonization (alignment) of legislation. The free movement of data was precisely a key objective of the GDPR, hence its inclusion in Article 1. This means that people can already request data directly from, for example, Findata. This request may not be treated differently from requests from Finnish researchers, as there is also a prohibition on discrimination between Europeans. Therefore, no distinction may be made between Dutch and Finnish scientists in a request. The EHDS will soon make it possible to request data from all over Europe with a single request to the Dutch HDAB. However, it would be helpful if scientists and statisticians were aware that it is already prohibited to hold back data at an internal border (a border between EU countries). They can therefore immediately submit requests to work with health data throughout Europe.

Data subject control is the same for the entire EU

And patients will soon be able to object to certain reuses of data about them via a National Control Register. The Ministry of Health, Welfare and Sport (VWS) must now determine the exact structure of this register. However, European law prohibits structuring this register in such a way that Dutch scientists can work with “our” data, but not Belgian scientists. Considering that these scientists are trying to find a cure for cancer, for example, a cure that will then become internationally available, it makes perfect sense for a legislator to ensure that every scientist in the EU has access to data, not just those from our own academic hospitals. Moreover, under the GDPR, data may already flow to countries for which the EU has issued an adequacy decision. This means that Brussels believes that privacy is adequately protected in countries like Japan. Countries like Japan may eventually join the EHDS, but because they are not part of the EU, you may be asked in the National Control Register whether you object to data about you also being sent to such non-EU countries.

So the BSN may not be withheld either

Note: this free flow of data was intended to support the free movement of goods and services within the EU. The idea behind it was: the larger the market, the more competition, which will lead to higher quality at lower prices. Brussels wants a good winegrower in Italy to be able to sell directly to people in Wassenaar. Similarly, a good radiologist should be able to directly assess MRI scans in Greece. This will make better care available in Europe at a lower price. The underlying data traffic shouldn’t stand in the way of this. In the Netherlands, some people believe that the Citizen Service Number (BSN) cannot be used across the border because the law doesn’t say otherwise. But that seems to me to be a typical situation that, if Dutch law were to actually entail this, would be invalid under Article 1 of the GDPR. Personal data may not be withheld at an internal EU border, and that also applies to the Citizen Service Number (BSN).

Lab data medical EHDS

The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.

EHDS privacy legal data

The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB, that is, who will be the source of permits for the beneficial reuse of health data. Who can take on this role, and who cannot? And what will this HDAB be responsible for?

EHDS privacy legal data

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in an SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such an SPE from now on? Will it become a supercomputer containing all our health data?