Insurance Europe has responded to a consultation conducted by the European Commission on its proposal for the establishment of a European Health Data Space (EHDS). The proposal lays out a new governance framework for the primary and secondary use of health data in the EU.
Under the proposal, individuals would have the right to access a minimum set of health data and share it with third parties free of charge (a primary use of health data).
Insurance Europe welcomes the initiative, as there is a need for practical solutions that allow individuals to exercise control over their own data.
Furthermore, the proposal lays out a new mechanism for facilitating the re-use of health data in the EU (a secondary use of health data). Insurance Europe welcomes the Commission’s efforts to facilitate better exchange and access to different types of electronic health data for re-use. At present, EU member states have made significantly divergent use of the specification clauses of the General Data Protection Regulation (GDPR). The resulting fragmentation creates significant challenges when conducting cross-border services, as well as for innovation and scientific research involving health-related data.
However, the Commission’s proposal requires refinements regarding:
- Vague definitions and the unclear scope of several provisions within the Commission’s text that threaten to prevent its goals from being achieved. In particular, the definition of “primary use of electronic health data” and “data holder” should be clarified to avoid legal uncertainty. These definitions are too broad and may cover a variety of health-related services. If the text does not clearly define who falls under these definitions, it may lead to legal uncertainty as to who has the obligation to make data available for primary or secondary use, which, in turn, might undermine the rights to privacy and data protection of individuals.
- A specific prohibition in relation to premium setting in insurance, which would impede insurers from accessing re-used health data to underwrite and assess risks more accurately. In fact, greater availability of anonymized health data for insurers could lead to improved and more effective risk monitoring and assessment. This can enable insurers to offer more affordable rates or to offer insurance for risks that were previously uninsurable because of information gaps that the increased availability of data can now fill. For example, the increasing availability of data together with medical progress has made it possible, under certain conditions, to provide more affordable insurance cover to individuals with HIV.
To support the ambition of ensuring that individuals have access to and control over their own data, it is important to focus not only on making data available, but also on building an infrastructure that facilitates seamless sharing of data — based on consent — between relevant partners regardless of whether these are private or public entities.
A better digital bond between the public and private sector will not only improve the user experience of individuals. It will also ensure the availability of efficient administrative procedures for both public and private entities, which is a necessity considering the strain on resources that will impact the health sector in the coming years.
At present, EU member states have made significantly divergent use of the specification clauses of the General Data Protection Regulation (GDPR). The resulting fragmentation creates significant challenges when conducting cross-border services and for innovation and scientific research involving health-related data.
The Commission’s proposal can help to both ensure that EU citizens have increased control over their electronic health data, and promote better exchange and access to different types of electronic health data for the common good.
The proposal is a step in the right direction, but it is important to consider that different member states have different maturity levels in relation to digitalisation of healthcare. It is, therefore, crucial that the proposal does not introduce measures that undermine initiatives already introduced in member states with well-developed health digitalisation that allow individuals to share their data with entities of their own choice.
What is GDPR, the EU’s new data protection law?
What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence.
The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
We created this website to serve as a resource for SME owners and managers to address specific challenges they may face. While it is not a substitute for legal advice, it may help you to understand where to focus your GDPR compliance efforts. We also offer tips on privacy tools and how to mitigate risks. As the GDPR continues to be interpreted, we’ll keep you up to date on evolving best practices.
If you’ve found this page — “what is the GDPR?” — chances are you’re looking for a crash course. Maybe you haven’t even found the document itself yet (tip: here’s the full regulation). Maybe you don’t have time to read the whole thing. This page is for you. In this article, we try to demystify the GDPR and, we hope, make it less overwhelming for SMEs concerned about GDPR compliance.