The lead committees of the European Parliament, LIBE and ENVI, are to give their final nod to the regulation on the creation of a “European Health Data Space” (EHDS) tomorrow. According to this regulation, information on all medical treatment, including vaccination status, medication and pregnancies, laboratory and discharge reports, is to be stored digitally for all patients – including privately insured patients who are currently not covered by the electronic patient file in Germany. These files will be accessible to a large number of organisations throughout Europe. As shadow rapporteur and co-negotiator of the regulation for the Committee on Home Affairs (LIBE), Pirate Party MEP Dr. Patrick Breyer warns of a loss of control by patients over sensitive health data and a loss of medical confidentiality.
“Information about our physical and mental health is extremely sensitive. If we cannot rely on this information being treated confidentially by our doctors, we may no longer seek treatment and may even increase the risk of suicide. The EU is allowing the most sensitive patient files to be accumulated, networked and passed on without ensuring that patients have control and self-determination over their data. ‘Anything goes, nothing has to’ is not an approach that patients can trust. Without trust, a European Health Data Space cannot work. According to surveys, more than 80% of EU citizens want to decide for themselves about the sharing of their patient records. The majority of them want to be asked for consent. The EU deal is far from this. It betrays the interests and will of patients in order to sell their data to Big Tech and pharmaceutical giants. We Pirates strongly reject the disenfranchisement of patients that this regulation entails.
A Europe-wide obligation to use electronic patient records was prevented, among other things, thanks to my initiative. According to Article 8h and Recital 13a of the Regulation, the German and Austrian right to object to the establishment of an electronic patient file has been preserved. In the event of an objection, the mandatory information will only be stored by the treating doctor. I myself will object to this electronic patient file so as not to lose control over my health data. However, we know that very few patients who object to external access to their data actually go through the complicated objection procedure.
Anyone who does not object to the electronic patient file or its analysis as a whole will probably also inevitably allow cross-border access to it by foreign practitioners, researchers, and governments. The right to object specifically to cross-border data access planned by the German government is not provided for in the regulation in a legally secure manner. This is contrary to the interests and wishes of patients, only a minority of whom, according to opinion polls, want cross-border access to their patient records across Europe. Moreover, it does not come close to doing justice to the sensitivity of health data, which ranges from addictions, mental disorders, and abortions to sexually transmitted diseases and reproductive disorders.
Furthermore, the regulation is designed to maximise the exploitation of our personal health data and does not serve the interests of patients. Contrary to the European Parliament’s original position, for example, sensitive health data does not have to be stored in Europe, meaning that non-European storage in US cloud services, for example, is also permitted. The EU Parliament has also abandoned its call for independent certification of the security of European health data systems.
The EU regulation does not require Germany to protect health data any better than the German government has decided. In future, doctors treating patients throughout Europe will be able to view their entire patient file without their consent – unless they explicitly object. In future, health ministries and health authorities, universities, technology companies, and the pharmaceutical industry will also have access to anonymised and personally identifiable (only pseudonymised) patient files throughout Europe without the patient’s consent – unless the patient expressly objects. In Germany, there is no right to object to the disclosure of medical register data records and billing data records. Patients are only asked for their consent before their genetic data is accessed, but not for information on psychological and addiction therapies, abortions, sexual, and reproductive disorders. For us Pirates, patient control over their data and the protection of medical confidentiality take centre stage, so that access to treatment records by third parties is only acceptable after obtaining patient consent.”
Anja Hirschel, medical computer scientist and top candidate of the Pirate Party for the 2024 European elections, adds: “Centralised data storage awakens desires in a wide variety of directions. However, this does not only entail hacker attacks, but also so-called ‘secondary use’. This refers to access that is to be granted in full for research purposes. The patient data is then to be passed on to third parties. From a data protection perspective, even the centralised collection of data is problematic, and at least an opt-in procedure (active consent) is the right way to go. This would allow each individual a certain degree of decision-making autonomy over their personal data. However, if not even an opt-out procedure (active objection) is established, this ultimately means the abolition of the confidentiality of all medical information. And this despite the fact that doctors in Germany are rightly subject to professional confidentiality in accordance with Section 203 of the German Criminal Code (StGB), as are, among others, lawyers. This protection of our most private information and the right to confidential care and counselling are now at stake.”
The German government supports the EU plans. In contrast, the European Consumer Organisation BEUC and the data protection network EDRi have criticised them.