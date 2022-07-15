U.S. markets close in 2 hours 54 minutes

  • S&P 500

    3,851.70
    +61.32 (+1.62%)
     

  • Dow 30

    31,199.76
    +569.59 (+1.86%)
     

  • Nasdaq

    11,406.72
    +155.54 (+1.38%)
     

  • Russell 2000

    1,740.74
    +33.24 (+1.95%)
     

  • Crude Oil

    98.18
    +2.40 (+2.51%)
     

  • Gold

    1,703.00
    -2.80 (-0.16%)
     

  • Silver

    18.58
    +0.36 (+1.98%)
     

  • EUR/USD

    1.0091
    +0.0070 (+0.70%)
     

  • 10-Yr Bond

    2.9280
    -0.0320 (-1.08%)
     

  • GBP/USD

    1.1860
    +0.0036 (+0.30%)
     

  • USD/JPY

    138.5270
    -0.4430 (-0.32%)
     

  • BTC-USD

    20,741.75
    +525.78 (+2.60%)
     

  • CMC Crypto 200

    451.07
    +2.06 (+0.46%)
     

  • FTSE 100

    7,159.01
    +119.20 (+1.69%)
     

  • Nikkei 225

    26,788.47
    +145.08 (+0.54%)
     

Europe's health data reuse plan needs some surgery, say privacy supervisors

Natasha Lomas
·12 min read

A proposal put forward by European Union lawmakers in May, to establish a legal framework to make it easier to share electronic health records and other medical data -- across borders and care institutions and with researchers and developers of innovative health products -- should be revised to ensure citizens' health data is stored locally, inside the European Economic Area (EEA), to avoid the risk of unlawful access, a joint opinion by two key EU data protection supervisory bodies has recommended.

That looks like wise council -- given ongoing legal uncertainty clouding personal data exports to third countries, following major privacy rulings by the bloc's top court since 2015.

"[Due] to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, [we] call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA," the two supervisors write in a summary of their joint opinion on the Commission's European Health Data Space (EHDS) proposal.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), two EU bodies which advise on the interpretation and application of laws, adopted their 32-page joint opinion on the EHDS yesterday.

In it they make a series of other suggestions for tightening the draft regulation and clarifying the interplay with existing data protection laws, warning that the Commission's first pass falls short on that front in a number of areas.

There is already extensive regulation of health data across Europe, both nationally and at Union level (where processing this type of sensitive data with user consent requires an explicit ask, per purpose). Simplifying the process of sharing this sensitive, 'special category' data is thus a key driver for the EHDS -- with lawmakers talking up the potential for the continent if fragmentation can be banished and citizens' health data more easily pooled, processed and reused for purposes such as research into diseases and drug discovery, or for innovative health tech (like AI diagnosis).

Homegrown European health tech startups, like telehealth platform Kry, have also weighed in with some supportive words for the EU's plan.

But the introduction of a new legal framework that's geared towards data sharing and reuse could have negative impacts on individual rights like privacy and data access if the legislation is not rigorously drawn.

The EDPB and EDPS opinion highlights a number of areas where the two bodies believe the EHDS risks creating legal inconsistencies; generating confusion for data subjects; and even undermining existing regulations -- such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive -- warning, for example, that it's not clear how individual rights, like the GDPR's right to rectification of personal, would be impacted by the framework (since the EHDS envisages not one data controller but multiple sources and recipients of personal data, at a national, EU and potentially even international level).

They are also unhappy about the proposal suggesting restricting data subjects' right to information over so-called "secondary" uses of their health data -- which the draft legislation envisages health data access bodies regulating via a data permit system.

"The EDPB and the EDPS underline that the right to information and the right to object are inextricably linked. By restricting the right to information under the GDPR, the EDPB and the EDPS are of the view that the Proposal may not achieve the objectives laid down in Article 1(2)(a) of the Proposal. In fact, the envisaged approach appears to undermine the rights of natural persons to privacy and to the protection of personal data, especially taking into account the very broad definition of secondary use and the minimum categories of electronic data for secondary use introduced by the Proposal, which is not only limited to scientific research but also includes other purposes, such as innovation," they warn in the opinion.

"Given the wide scope of the rights and obligations set out in the Proposal with regard to the access, use and sharing of special categories of personal data as is the case for health data, general references to the GDPR and the EUDPR [data protection regulation] may not suffice. In this regard, the EDPB and the EDPS consider that there may be a risk of misinterpreting key provisions related to data protection which, in turn, may lead to a lowering of the level of protection currently granted to data subjects under the existing EU data protection legal framework (GDPR, EUDPR and ePrivacy Directive). Therefore, the EDPB and the EDPS consider further specifications necessary," they add.

In an accompanying statement, EDPB chair, Andrea Jelinek, also warns: “The EU Health Data Space will involve the processing of large quantities of data which are of a highly sensitive nature. Therefore, it is of the utmost importance that the rights of the EEA's individuals are by no means undermined by this Proposal. The description of the rights in the Proposal is not consistent with the GDPR and there is a substantial risk of legal uncertainty for individuals who may not be able to distinguish between the two types of rights. We strongly urge the Commission to clarify the interplay of the different rights between the Proposal and the GDPR.”

Europe’s top court strikes down flagship EU-US data transfer mechanism

Risks of 'Quantified self' data

The two data supervisors are also recommending that the proposed for a European Heath Data Space is revised to shrink the types of information in scope -- to only include bona fide health data -- advocating for the removal of a reference that would also draw in data from wellness and other consumer health/fitness apps (such as behavioral/lifestyle data) too, where it has been uploaded to a person's electronic health record (EHR).

The pair argue that including such data would pose a major privacy risk for individuals, since such high dimension lifestyle/behavioral data could be used to make sensitive inferences about the data subjects linked to their health.

They also raise a further concern -- warning that consumer-grade tech does not generate the same quality of data as professional health services and medical devices. Ergo, bundling it with robust health data could lead to other problematic and potentially discriminatory linkages being made.

"The EDPB and the EDPS are aware that the COVID-19 pandemic has greatly accelerated the use of medical devices, wellness applications or wearables amongst the general population. However, this kind of technology generates an enormous amount of data, often special categories of personal data, and can be highly invasive. More than tracking humans’ actions and decisions, it is now possible to track humans’ bodies, minds and emotions at a level that even humans themselves might not be able to do. These data can then be used to predict people’s actions and manipulate their behaviour, even at a group level," they write in the opinion.

"Mandatory availability of electronic heath data generated by medical devices, wellness applications or other digital health applications for secondary use must be assessed against the rapid technological developments in mobile and wearable technology and the increasing popularity of 'quantified self' apps and devices, that allow people to register all kinds of aspects about their personality, mind, body, behavioural patterns and whereabouts," they also recommend. "Clearly these types of data processing deserve significant attention, since it is not easy to recognize as the processing of health data by the concerned data subjects. However, at the same time this brings real privacy risks, especially in the case where such data are processed for additional purposes and/or combined with other data or transferred to third parties.

"These types of data processing may create specific risks, including the risk of unequal or unfair treatment based on data about a person's assumed or actual health status derived, for example through profiling, of very intimate details concerning his/her private life, irrespective of whether these conclusions concerning his/her health status are accurate or not. In fact, those risks may also be linked to the reliability and accuracy of data generated by medical devices, wellness applications or other digital health applications. Against this background, the EDPB and the EDPS acknowledge that Article 33(3) attempts at delimiting which data generated by medical devices, wellness applications or other digital health applications shall be made available for secondary uses. However, the EDPB and the EDPS underline that it is still unclear either what kind of data fall under this category or who would assess its validity and quality once inserted by individuals in their own EHR pursuant to Articles 3(6)."

If EU lawmakers are set on maintaining such data in scope of the sharing framework, the pair recommend the proposal is amended to ensure individuals remain free to decide "if and which of their personal data generated by wellness application and other digital applications... shall be shared with other recipients and further processed for secondary uses".

Any further processing must also clearly comply with data protection legislation, they stress, and there must also be "suitable mechanisms" put in place to ensure that data subjects' choices are respected. (Which could be a warning against any moves to replicate adtech style 'consent' systems, which certainly get people's data moving but have been found to breach the GDPR... )

“Health data generated by wellness applications and other digital health applications are not of the same quality as those generated by medical devices. Moreover, these applications generate an enormous amount of data, can be highly invasive and may reveal particularly sensitive information, such as religious orientation. Wellness applications and other digital health applications should therefore be excluded from being made available for secondary use,” said EDPS supervisor Wojciech Wiewiórowski in another supporting statement.

The two data supervisors go on to warn that the "success" of the EHDS will depend on what they summarize as "a robust legal basis for processing in line with EU data protection law, the establishment of a strong data governance mechanism and effective safeguards for the rights and interests of natural persons that are fully compliant with the GDPR" -- which they emphasize must be accompanied by "sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights".

"In this regard, the EDPB and the EDPS consider that the EHDS should serve as an example of transparency, effective accountability and proper balance between the interests of the individual data subjects and the shared interest of society as a whole," they add.

The Commission was contacted for a response to the recommendations. At the time of writing it had not sent a reply.

Data strategy

The process of EU lawmaking typically loops in the European Parliament and Council, as co-legislators, who vote on and can amend Commission proposals -- so there is an established path for addressing the two data supervisors' concerns if there is consensus that the framework needs to be bolstered to protect fundamental rights.

The EHDS fits into an overarching strategy by the bloc's lawmakers, set out by the Commission back in 2020, to boost data reuse for economic and societal gain.

Since then, the EU's executive has been busy slotting in key regulatory planks, such as the Data Governance Act (introduced at the end of 2021, it was adopted by the co-legislators this year and entered into force on June 23); and the Data Act (proposed February 2022).

Internal market commissioner, Thierry Breton, has suggested the data strategy will help Europe tip the scales away from US-dominated Big Tech -- by putting enabling rules and infrastructure in place that will make the region “the most data-empowered continent in the world”, as he has put it.

However critics who blame the EU's relative lack of homegrown tech giants on its penchant for high dimension regulation are unlikely to be won round to a 'medicine' of (yet) more rules delivering a winning innovation formula.

Time will tell which side is right -- but the Commission is pressing on in the meanwhile.

The EHDS is the first of what it hopes will be a series of bespoke common "data spaces" to boost industrial data sharing and reuse and to encourage citizens to donate personal data for "altruistic" causes (like heath research or fighting climate change).

Its plan to spin up these spaces involves coming with dedicated rules and requirements for specific sectoral or topic-based information-sharing hubs -- like the EHDS -- in order to create conditions for "secure and privacy-preserving access and interoperability" via dedicated trusted infrastructure and processes -- and thereby grease the pipes of data sharing for research and innovation. And for economic gain -- with huge store being placed by lawmakers on improving access to data as a strategy to charge up development of Europe's AI ecosystem.

Other data spaces the Commission has mooted include one for the region's manufacturing industry, another for mobility and one for the EU's green deal, to support the bloc's decarbonization and emissions reduction goals.

The rapid adoption of the Data Governance Act suggests there's broad backing among EU lawmakers for the data reuse strategy. Although certain sectoral/thematic data spaces rules -- such as health -- may generate more debate/dispute as commercial imperatives intersect with individual rights.

Health is certainly one of the most sensitive areas to encourage data sharing so it may seem an odd choice for the Commission to prioritize for the first common data space. However the COVID-19 pandemic has concentrated lawmakers' minds on having smoother mechanisms for getting health data moving to be ready for the next emergency.

Since each data space will be accompanied by its own set of bespoke rules it will inevitably amp up compliance complexity for those wanting to tap in but the idea is the benefits will outweigh the administrative burden.

But, as the EDPB and EDPS are warning, the EU increasing the sprawl of digital regulation raises the risk of inconsistencies being introduced into its legal framework which could harm individual rights in areas like data protection as more rules overlap and/or get meshed together.

It could also create fresh legal uncertainties for business if regulatory requirements fail to line up.

Security and privacy researcher, Lukasz Olejnik, who has worked on health tech policy in Europe, agrees this is a growing risk. "In the previous, and the next five years, policies towards technologies are constantly popping up. Their confluence and fusion may create additional risks: Of compliance, even lesser protections," he tells TechCrunch.

"I don’t deny that digitisation of health data may help lower costs, perhaps even contribute in improving healthcare or even saving lives. But it also carries risks. Of misuse, of leaks, of theft. Such centralised 'spaces' could become a tempting point for cyberattacks," he adds.

Europe’s data strategy aims to tip the scales away from big tech

Recommended Stories

  • Amazon has handed Ring video footage to police without user consent

    Amazon has provided Ring doorbell footage to law enforcement 11 times this year without the user’s permission, a revelation that’s bound to raise more privacy and civil liberty concerns about its video-sharing agreements with police departments across the country.

  • Nation’s supply chain hurt by railroad workers being ‘ground to dust,’ AFL-CIO head says

    Railroad workers have been without a contract for three years, and many are leaving the industry due to what the unions said were cost cutting measures by freight rail carriers.

  • Secret Service Deleted Jan. 6 Text Messages, Watchdog Says

    The DHS inspector general says messages were erased after he requested them, an accusation the Secret Service denies.

  • Secret Service members erased Jan. 5-6 text messages, watchdog says

    The texts were erased after the DHS inspector general requested electronic communications records from the Secret Service as part of its examination of Jan. 6 events.

  • FDA warns synthetic vaping companies, but sidesteps total crackdown

    The Food and Drug Administration (FDA) on Wednesday sidestepped a major crackdown on companies that make popular synthetic nicotine products, drawing ire from Democrats and anti-tobacco advocates. Synthetic nicotine is made in a lab and enabled companies to skirt FDA regulation since the agency previously did not have the ability to regulate it like it…

  • Lawmakers, Biden, sports leagues press for new action on drone threats

    Lawmakers and U.S. sports leagues on Thursday backed a bid by the White House for expanded powers from Congress to detect and disable threatening drones. Congress in 2018 expanded authority of the Justice Department and the Department of Homeland Security to disable or destroy threatening drones, which are formally known as unmanned aircraft systems (UAS).

  • Amazon’s Proposed EU Antitrust Settlement Won’t Make Tech Regulatory Concerns Go Away

    The tech giant pledges to refrain from using nonpublic data derived from independent seller activity.

  • Booz Allen Hamilton launches $100M corporate venture arm focused on early-stage startups

    Booz Allen Hamilton, the Virginia-based, defense-focused IT consulting firm, today announced the launch of a corporate venture capital arm, Booz Allen Ventures, that will initially put $100 million toward "strategic" defensive and offensive technologies. The move signals Booz Allen's desire to shape startups in areas it considers aligned with its core business, mainly AI and machine learning, defense, and cybersecurity. Brian MacCarthy, Booz Allen's VP of ventures, said that the new fund will invest primarily in early-stage (seed, Series A, and Series B) companies and build on Booz Allen's existing Tech Scouting program, which connects with entrepreneurs to vet emerging security technologies.

  • Jan. 6: Secret Service deleted texts requested by investigators, watchdog report says

    A new watchdog report claims that the Secret Service deleted text messages from Jan. 5 and Jan 6, 2021, that were requested by officials investigating the Jan. 6 Capitol riot.

  • Circle’s Detailed Reserve Report Shows Only Cash, Short-Term Treasurys Back USDC Stablecoin

    The asset breakdown comes at a time when crypto firms and their finances are under increased scrutiny in the on-going crypto credit crisis.

  • Investors Saved Almost $7 Billion in Falling Fund Fees: Are You Overpaying?

    Asset manager competition and fee-based models keep slashing investor fees, according to independent research firm Morningstar. The group's annual fund fee report, which evaluates trends in the cost of U.S. open-end mutual funds and exchange-traded funds, found that the asset-weighted average expense ratio … Continue reading → The post Investors Saved Almost $7 Billion in Falling Fund Fees: Are You Overpaying? appeared first on SmartAsset Blog.

  • Analyst slams Netflix-Microsoft ad agreement, says deal conceals 'hidden agenda'

    Netflix shares are still a sell, warns Goldman Sachs in a bearish note to clients. Here's why.

  • Warner Bros Discovery extends contracts of CFO, key executive

    Chief Financial Officer Gunnar Wiedenfels will stay with the company until July 2026, whereas Chief Revenue and Strategy Officer Bruce Campbell's contract was extended to July 2025. Campbell, along with Jean-Briac Perrette, president of Warner Bros Discovery Global Streaming and Interactive Entertainment, played pivotal roles in launching Hulu, the streaming service now majority owned by Disney. Discovery in April had announced a host of appointments to Warner Bros Discovery's executive team, including those of Campbell and Wiedenfels.

  • MATIC crypto skyrockets as Polygon joins Disney accelerator

    Polygon was selected as one of the 2022 participants for Disney’s accelerator program on Wednesday, triggering the project’s cryptocurrency MATIC to rise by more than 15%. See related article: Aespa, NCT’s SM Entertainment builds metaverse studio Kwangya Fast facts The Walt Disney Company did not announce any of its own crypto projects, but the 2022 […]

  • Analysis-Bank of Canada uses 'shock and awe' to bolster inflation-fighting credibility

    The Bank of Canada unveiled a 'shock-and-awe' full-percentage-point interest rate hike on Wednesday, a surprise move that marked a change in messaging for a central bank desperate to show it can tame the worst inflation since 1983, analysts said. Two previous 50-basis-point rate hikes in April and June were clearly signaled by Governor Tiff Macklem.

  • Apple’s AirPods Are Everywhere. So Why Is This Stock in the Dumps?

    Varta makes cutting-edge lithium micro-batteries. But the company is also weighed down with slow-growing businesses, supply shortages, and rising competition. Lifting the share price is a major challenge.

  • How a New Supreme Court Decision Could Help You Save For Retirement

    Most people follow a pretty standard glide path when it comes to retirement investing: focus on stocks when you're young and shift to bonds as you get older. But a new study from David Blanchett (Prudential Financial) and Michael Finke … Continue reading → The post Want to Enjoy Retirement More? Shift Your Assets to Annuities appeared first on SmartAsset Blog.

  • Bankers Tout ESG Bond Bonanza Amid Credit Market Mayhem

    (Bloomberg) -- ESG financiers are in fighting spirits as the $4 trillion market for socially responsible credit stays open while the broader primary market shutters on spiking recession risk.Most Read from BloombergIvana Trump, First Wife of Former President, Dies At 73Chinese Homebuyers Across 22 Cities Refuse to Pay MortgagesWall Street Texting Habit Sticks Banks With Rare $1 Billion BillChina Growth Slows Sharply, Putting GDP Target Out of ReachAlthough volumes have dipped, sales of new green

  • Mosaic Stock Strength Rating Climbs Amid Soaring Profits

    On Thursday, Mosaic reached an important technical milestone, seeing its Relative Strength (RS) Rating jump into the 80-plus percentile. Mosaic stock, like most stocks, has taken a hit in the 2022 bear market. The RS Rating hike puts Mosaic stock in that elite group.

  • Celsius' Mining Unit Files for Bankruptcy

    Celsius Network's mining unit, which said in March it planned to go public, filed for chapter 11 bankruptcy protection along with its parent company. CoinDesk Managing Editor for Companies Aoyon Ashraf discusses the developing story and potential impact on the mining industry at large.