In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data. The report discusses three general types of health data uses:

  • primary use for health care services;
  • secondary use for public health purposes; and
  • secondary use for scientific research purposes.

For each of these general purposes, the report assesses real-world use cases. For example, for health care services, the report considers e-health applications, among others. For public health purposes, the report considers pharmacovigilance and product approvals. The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.

Among other things, the Commission’s report also discusses a number of horizontal data use issues, such as data subject rights and national data governance models.

At a high level, these sections of the report demonstrate that, first, there is a substantial degree of regulatory divergence across Europe with respect to the processing of health data, and second, there is a great deal of legal uncertainty in this area. This is apparent from the views expressed by stakeholders in this area, the overwhelming majority of whom consistently ask for more guidance (and even legislation) to clarify the legal landscape around this topic. Overall, it is quite clear that regulatory complexity and a lack of legal certainty significantly hamper the use health data for valuable public health and scientific research initiatives in Europe.

The final section of the Commission’s report considers possible actions to resolve the identified concerns. One element of a potential solution could be the adoption of health data codes of conduct under the framework of the EU’s General Data Protection Regulation (“GDPR”). The report indicates that while such a code is unable to solve all identified problems, it can be “a strong tool to support trusted health data use and re-use, and contribute to understanding and proper application of the GDPR in the health sector.”

The report points out that such GDPR codes are not swiftly approved and adopted, but that fact has not discouraged the pharmaceutical sector from continuing to forge ahead in this area. For some time, Covington has been assisting the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) in developing an EU GDPR Code of Conduct that would help address some of the concerns raised in the Commission’s report, at least in the area of clinical trials and pharmacovigilance, with the possibility of later expanding the code into other areas, such as real-world data (“RWD”). We hope to report more on the progress of this important initiative in the months ahead.