Conference on the European Health Data Space (EHDS) - Report
On 24 and 25 March, an online conference "European Health Data Space – Secondary Processing of Personal Data and the Rights of Individuals" was held, organised by the Personal Data Protection in cooperation with the Faculty of Law and Administration at the University of Warsaw, the Institute of Law Studies of the Polish Academy of Sciences, and the Faculty of Medical University of Warsaw. Its participants – lawyers, sociologists, medics and specialists in other fields – discussed the opportunities offered by the EHDS regulation for better protection of the health of future generations, but also the doubts that such large data systems raise in societies.
Day One: The Decade Project and Its Philosophy
On the first day of the event, introductory words, emphasising the ground-breaking nature of the EHDS in the perspective of a common European circulation of data on health and biomedical data, were delivered by Mirosław Wróblewski, President of the Personal Data Protection Office, Prof. Anna Zbiegień-Turzańska, Vice-Dean of the Faculty of Law and Administration at the University of Warsaw, Prof. Celina Nowak, Director of the Institute of Environmental Engineering of the Polish Academy of Sciences.
On 24 March, the conference, held in English, was divided into four discussion panels, preceded by an introductory lecture. Their topics mainly concerned the main theme of the first day – data altruism and the importance of this approach to data processing in the context of EHDS.
In her keynote speech, Prof. Barbara Prainsack from the University of Vienna emphasised that the latest European research and surveys indicate that European citizens are neither great supporters of sharing data about their health nor opponents of this procedure. It all depends on what information they receive about the method and purposes of data processing. It is therefore more a matter of awareness and dialogue aimed at making EU citizens generally interested in the subject of personal data, as well as in other types of data. It can also be noticed, according to the expert, that those to whom medical data relate trust doctors much more and would be most willing to entrust their data to them, and not, for example, to private companies or organisations.
As Prof. Prainsack pointed out, citizens do not distinguish between personal and non-personal data and do not understand the purposes for which the data is processed (which has a major impact on understanding the functioning of such large systems as EHDS). It should also be noted that there is a tendency to treat data resources as if they were a currency or a material good, while data should be perceived in a broad perspective of social life and it must be remembered that they come from each of us, from our everyday life and from the fields of activity we deal with.
Later in the meeting, the speaker elaborated on the three pillars on which the EHDS is to be based in the sphere of data altruism. These are the three main objectives for which the European Health Data Space was established: to support human development (medical data is to improve the quality of life in many aspects), to exclude bias in the general interpretation of data and information (data is to be interpreted only as facts in research and statistics) and to increase trust in institutions and science (awareness that everyone acts for the benefit of the public).
Prof. Praisnack also discussed the PLUTO tool – it is an additional system that is to help assess the value of the public and social mission that the EHDS is to fulfil. It is about independently verifying how effective data altruism is for all social groups to the same extent.
Panel I speakers discussed the issues of privacy, autonomy, data altruism and trust, which are the basis of the European Health Data Space. The exchange of remarks on the tension that arises between the altruism of data postulated by the EHDS and the assumed default consent to their processing and the autonomy of data was the main point of summary of this part of the debate. During the discussion, the question was also clearly highlighted: is full control over consent in the sense required by the GDPR more effective than the protective factors included in the EHDS?
In the next panel, the following issues were specified as essential issues: understanding the concept of consent to data processing in the context of the EHDS, or rather the opt-out mechanism, the differences between primary and secondary data processing (primary/secondary use), the risk of security in the planned EHDS systems. As one of the basic conclusions of this part of the event, it was indicated that the final success of the EHDS will be able to be determined not on the basis of the ability to absorb huge data resources that will be processed in a common space, but on the basis of the security standards that the EHDS will stand out with, expanding the space of trust for data sharing.
The point of interest of the panelists of Panel III were issues related to the functioning of the EHDS in the legal structure, including in relation to the AI Act, the Digital Services Act, the Biotech Act and other regulations of the European Union. As it was pointed out, overlapping definitions from some EU regulations may cause challenges in the future, for example, in the field of using artificial intelligence technologies in the creation of data sets.
On the last day of the panel, the discussion focused on the issues of health data access authorities, secure data processing environments, interoperability and data quality as key pillars of implementation. During the debate, the topic of helpful medical databases already existing in Europe also appeared, as well as the value and usefulness of the analysed data in the EHDS structure.
One of the conclusions from that day of the meeting was also posed: how to redistribute the profits from data processing for the common good of all communities?
Day two: EHDS – rights and obligations
On 25 March, the second day of the conference, this time held in Polish, during his introductory speech, the President of the Personal Data Protection Office, Mirosław Wróblewski, noted that the regulatory changes necessary for the full implementation of the EHDS are still ahead of us and in this perspective there are still many discussions ahead, but inter alia The Ministry of Health is already building space for cooperation between the institutions involved in the implementation of the EHDS, which allows us to predict success in this matter.
The first part of the debate raised the issue of cooperation between institutions in the implementation of the EHDS. Katarzyna Bis-Płaza, Director of the Department of Projects and Strategy at the Ministry of Digital Affairs, pointed out that currently, as part of the cooperation between the ministries of health and digitization, the modernisation of registers collecting biomedical and health data is being carried out, and the popularisation of the strategy of keeping Electronic Medical Records in healthcare entities and its connection with cross-border infrastructure may prove to be crucial. In the expert's opinion, the introduction of the EHDS has also been included in the State Digitisation Strategy, in which the digital transformation of the medical sphere remains one of the main tasks to be performed. The draft Strategy envisages actions aimed at increasing the resources of reliable data: inter alia implementation of operational activities in connection with the entry into force of the EHDS and the Data Governance Act, promotion of the idea of medical data donation among patients, regulation of the rules of access to data and setting a standard for anonymisation and pseudonymisation of medical data.
In turn, Łukasz Sosnowski, Director of the eHealth Department at the Ministry of Health, pointed out that three authorities should be urgently appointed to fulfil the three basic tasks resulting from the EHDS: the eHealth Authority, the Data Market Supervisory Authority and the Data Access Authority. According to Łukasz Sosnowski, the basic implementing acts introduced by the European Commission will also be important for the introduction of the EHDS.
Łukasz Jankowski, President of the Supreme Medical Council, presented the medical point of view at the EHDS and explained that recently there has been an awareness in society that medical data no longer concern only doctors and their patients, but are also processed by systems. These systems must necessarily give rise to some concern; There is also a fear of data being used by artificial intelligence systems. As the President of the SMC also emphasised, a huge problem is also the lack of distinguishing between primary and secondary use of data. Therefore, it is important to educate and raise awareness of the society, which was also emphasised by Milena Szuchnik-Kamińska, a representative of the Patients' Rights Ombudsman’s Office.
Monika Krasińska, Director of the Law and New Technologies Department of the Personal Data Protection Office, also took part in the discussion and drew attention to the need for effective cooperation between the authorities competent for the application of the EHDS. According to the expert, everything starts with the patient's trust in the doctor, and in the context of the EHDS, it is extremely important to build the patient's trust in both the organisations processing data and the authorities that are in synergy and protect personal data. The idea is that data protection authorities speak with one voice.
In Monika Krasińska's opinion, the EHDS is also a space that reminds of GDPR standards. The solutions contained in the EHDS exist with regard to the right to respect for personal data, known from the General Regulation – this applies directly to the issue of lodging complaints, for example. The EHDS philosophy is also based on the principle of data minimization, which directly corresponds to the GDPR. The expert also pointed to the problem of the functioning of medical registers in Poland that are not authorised by law, which will require legislative corrections to ensure data security.
During the discussion, the question was also raised about how to deal with the tension that results from the fact that in the EHDS the same medical information is to serve both the individual and the system.
The next panel primarily addressed issues related to data cybersecurity in the EHDS, especially the use of artificial intelligence systems. Cybersecurity regulations are generally included in the EHDS and in fact the EHDS is subject to many other EU regulations focusing on cybersecurity (NIS2, Cyber Resilience Act). However, it is impossible to ensure cybersecurity in Polish conditions without funds allocated for the training and education of medical staff.
It was also noted that insufficient data quality and lack of interoperability of data systems, as well as low data diversity, are often a problem. Thus, a kind of paradox occurring in medicine is the full readiness and advancement of AI technology with a simultaneous deficit of well-selected data. Regulatory complexity, the lack of unified standards for anonymisation and pseudonymisation of data, and the lack of a legal basis in the GDPR for using medical data to train AI systems are also a problem (fortunately, the EHDS is helping to change this).
Panel VI discussed, inter alia, the legal liability regime resulting from the EHDS. It also highlighted once again the ongoing and difficult to resolve issues relating to the interest of the individual, including the right to privacy, and the public interest, which includes the fundamental importance of health datasets. These issues are a field of controversy in the EHDS.
Ph D Arwid Mednis from the University of Warsaw, a member of the Social Team of Experts at the President of the Personal Data Protection Office, explained that the challenge for the implementation of the EHDS is transparency and precision of language. The researcher also emphasised the issue of control over the new European system: according to him, the rights provided for under the GDPR are not limited in any way by the EHDS. The right of access to data, the right to rectification or the right to restrict access – all of these should be treated as control over the EHDS.
Prof. Grzegorz Sibiga from the Polish Academy of Sciences also referred to the concept of control over the functioning of the EHDS. In his opinion, the European Union in this regulation focuses on administrative obligations and distinguishes between control bodies at national and international level. According to Prof. Sibiga, the right to complain also proves the broad control aspect taken into account by the EHDS.
Later in the debate, the issue of the quality of the data that will be sent to the EHDS was also returned. As it was pointed out, if it is possible to systematically verify this aspect of health data, then the EHDS will be able to fundamentally change the image of medicine in the future, and thus the lives of all citizens.
During the last panel of the conference, topics such as the regulation of biomedical research in Poland, the technical enforceability of the right to refuse (exclude) the processing of health data in the perspective of their secondary use, the unification of authorisations to access medical data, and the special importance of data from transplantation procedures for future generations were discussed.
The participants of the event agreed that it was no coincidence that a year ago, the President of the Personal Data Office, together with the Faculty of Law and Administration at the University of Warsaw, the Institute of Law Studies of the Polish Academy of Sciences chose the date of the conference on the European Health Data Space at the end of March (it was the time when the EHDS partially entered into force in 2025). The next editions of the conference, organized on 24 March in the following years, will allow all interested parties to check at what stage of the European Health Data Space we are at as a society.