Zina Chatzidimitriadou and Francesca Blythe explain how a revolutionary EU regulation, expected to come into force in 2025, will allow life sciences companies to request health data for secondary re-use, but will also expose them to more data requests.
Companies operating in the health research space – potentially even those which are located outside of the EU – need to familiarize themselves with the draft European Health Data Space (EHDS) Regulation (the Regulation) and would also be well advised to participate in ongoing dialog with the legislators about it.
The Regulation, which is likely to come into force in 2025, is intended to provide individuals with increased control and access to their personal health data and to enable cross-border access to such data by healthcare professionals and healthcare systems. Crucially, it aims to promote and facilitate the responsible sharing of health data for secondary research purposes, which is the main point of interest for life science companies.
In this context, the Regulation requires companies processing electronic health data (data holders) to make certain data available to other companies (including potential competitors) on request. As presently drafted, this captures a very broad set of data, potentially including raw data, medical images, registry data, and analyzed data, which embed proprietary know-how.
Under the Regulation, data users can apply for and obtain a permit from a national health data access body to access electronic health data, including both personal and non-personal data. Applications will need to meet certain requirements, including fulfilling one of the prescribed purposes for using the data; for example, the R&D of products or the validation of algorithms. An application fee will also need to be paid.
The Regulation proposes that data holders be given only two months to comply with a request to disclose electronic health data before facing a fine. In practice, this may pose timing challenges to identify the necessary data within the scope of the request and convert all such data – which can include large-size medical images – into the desired technical format, which has yet to be officially determined. Data holders will then be required to upload the data onto an interoperable decentralized platform (the so-called HealthData@EU). The result is likely to be that unprepared companies risk being caught short and could potentially face penalties.
Data holders will also need to consider how, in practice, they will be able to avoid disclosing data, which is either commercially confidential or subject to intellectual property restrictions. They should also consider how they will meet their transparency requirements under the GDPR, which are requirements to inform individuals about the disclosure of their personal data.
To avoid these problems and to ensure clarity on the way in which the EHDS will operate in practice under the finalized legislation, life sciences companies might consider commenting on key points while the European Council and Parliament amend the draft. They should also start thinking now about the impact of the Regulation on their operations and the steps they will need to take to deal with its requirements should the proposal be finalized.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.