The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
When can you ignore medical codes of conduct?
On LinkedIn, doctors and medical researchers regularly complain about unworkable rules. For example, as a radiologist, you have to ask the patient’s permission to use an MRI scan performed by someone else, and that permission is only valid for 72 hours. My response is: if it’s not in the law, then you can probably ignore it. Then I get a flood of responses. Dentists and pathologists explain to me that these are codes of conduct that the IGJ also uses and that “therefore” cannot be ignored. Here’s an explanation for them as to why and when certain (but not all) codes of conduct can indeed be ignored.
Soft law is not law
Codes of conduct are soft law, and contrary to what the name suggests, they (like ethics) are not law. They are rules based on ethics, mutually agreed-upon behavior, or contractual agreements that people adhere to, but they are not law. Soft law is used, for example, when one cannot enact or enforce laws, as in international law. It is also used when one does not want to enact formal law, because it is more flexible and one wants to wait and see how a new social phenomenon will develop (such as with franchising). Soft law is also chosen when the sector itself has considerable expertise and good intentions. In such cases, the sector is asked to draw up rules. Soft law is excellent for all of this. However, with soft law, you cannot ignore the rule (Article 5:4 of the General Administrative Law Act) that stipulates that the authority to impose a fine exists only insofar as it is granted by or pursuant to law.
There must be an open norm
But within healthcare, soft law is treated as part of the law. Sometimes this is correct, but sometimes it isn’t. Soft law can only become law if it includes an open standard. An example of such an open standard is: “The healthcare provider offers good care.” What constitutes good care? That means something different for a child psychiatrist than for a heart surgeon, and it’s different in 1995 than in 2025. Therefore, there are all sorts of codes of conduct and protocols by which (disciplinary) judges interpret the concept of good care. But, for example, the Coreon Code of Conduct requires that a medical ethics committee be consulted if there is a suspicion that research may raise privacy concerns, which is the case if personal data is used without consent. There is no open standard anywhere in the law that could lead to this, and therefore this rule is not part of the law.
There must be a judge who applies this
The second thing needed to turn soft law into law is a (disciplinary) judge who actually uses those codes of conduct to give substance to the open standard. Consider the Trias Politica: the legislature can write laws, the judiciary dictates how this should be implemented in practice. The executive branch implements, but cannot write rules. For example, the police cannot decide for themselves that children riding fat bikes will now receive fines. And the Dutch Data Protection Authority may have some opinions on how the GDPR should be interpreted, but that’s all it is. The European Court of Justice recently said precisely that about the European Data Protection Board: an “opinion” is simply an opinion. The IGJ, therefore, also only has an opinion and cannot write rules. The IGJ can indeed impose fines based on codes of conduct, but it is then up to the judiciary to verify whether the fine is justified or whether it should be overturned.
And it must comply with administrative law
And in that test, the judge examines whether there is an open standard that could be fulfilled with a code of conduct. Moreover, the judge assesses whether all administrative law principles, such as the principle of legal certainty and the principle of legality, have been met. Or how about the rule: no punishment without guilt? Wasn’t there also an emergency or an exception? A judge assesses all of that, but of course, your doctors and researchers have to submit it to that judge. He can’t take action on his own. So if you believe the IGJ or the AP is going too far, just take a stand and appeal to the administrative court. After all, the court is there to protect you and the rule of law. When assessing whether a code of conduct might be non-binding, pay close attention to whether we’re talking about the Medical Treatment Contracts Act (WGBO) or administrative law. The Dutch Contracts Act (Wgbo) is part of contract law, and its content is as soft as butter: the supplementary effect of reasonableness and fairness always applies there, meaning there’s always an open standard by which soft law can become part of the law. However, in administrative law (anything that can lead to a fine), the principle of legality applies, and therefore there’s much less room for soft law.
And if not, then you may ignore it
In short: certain codes of conduct or protocols are indeed part of the law, but that doesn’t apply to all codes of conduct. When are you, as a physician or medical researcher, required to follow a code of conduct? (i) If the law contains an open standard, such as “good healthcare provider,” which is much more often the case in contract law than in administrative law; (ii) if a (disciplinary) judge has actually used those codes of conduct to give substance to the open standard; and (iii) if all of this is lawful, predictable, and the violation of the rule was also culpable, meaning there was no emergency situation or anything like that. Isn’t all of that the case? Then ignore the code of conduct if it makes you a lesser healthcare provider. Because that’s ultimately what it’s all about: trying to be a good healthcare provider.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?