Secondary use of health data: a few hints on the EU legal landscape and how to anticipate this use in R&D contracts?

Monday 10 February 2025

Cécile Theard-Jallu,

De Gaulle Fleurance, Paris

ctheardjallu@dgfla.com

Introduction

In our increasingly digitised and interconnected economy, the reuse of health data represents a major opportunity for research, development, innovation (R&D&I) and improving healthcare delivery. Over the past few years, it has become one of the key topics at the forefront of concerns and expectations among stakeholders in the healthcare ecosystem due to its now undeniable impact.

In practice, for example, electronic medical record data can be analysed to identify or even anticipate epidemic trends, enabling faster and more effective public health responses. Patient data can also fuel medical research to discover new treatments and better understand disease progression. Connected health devices and applications generate continuous data that allow for the monitoring of chronic illnesses and the personalisation of treatment protocols. Furthermore, artificial intelligence and machine learning can leverage large datasets to enhance diagnostic accuracy, predict treatment outcomes, improve logistical flow management and optimise resource allocation in healthcare systems. By integrating and analysing diverse sources of health data, healthcare providers can improve prevention, reduce the risk of medical errors, and ultimately achieve better patient outcomes.

According to the European Commission, the reuse of health data is expected to generate €5.5bn in savings within the European Union over ten years, thanks to improved access to and exchange of data within healthcare. Additionally, €5.4bn in savings are anticipated in research, innovation and policy development. The digital health market itself is expected to experience an additional growth of 20–30 per cent driven by the data economy.[1]

With the upcoming establishment of the European Health Data Space (EHDS), supported by the collaborative European program known as TEHDaS (Towards the European Health Data Space)[2], and the European Regulation on the EHDS, whose text was approved by the European Parliament on 3 May 2024[3] and is expected to be published by the end of 2024 or early 2025,[4] the EU aims to promote the secure use of health data across borders. This initiative is based on the understanding that data is essential for more effectively preventing and treating diseases through both primary and secondary uses. The primary goals are to:

  • empower citizens to take control of their health data and facilitate data exchange for healthcare services across the EU (primary use of data);
  • promote a genuine single market for electronic health record systems;
  • establish a coherent, reliable, and efficient system for the reuse of health data for research, innovation, policy-making, and regulatory purposes (secondary use of data).

By doing so, the EHDS should enable the EU to leverage the potential offered by the interoperable exchange, secure use and reuse of health data – benefitting patients, researchers, innovators and regulators[5]. More specifically, R&D&I actors are expected to gain clarity and harmonisation of practices across Member States through the EHDS.

Given that they generate, process, enhance, store, transfer, share and utilise large volumes of data, the various professional actors in the healthcare market (research centres, healthcare facilities, industrial players developing products, service providers, platform and software publishers, database producers, etc) are particularly concerned with the strategic opportunities presented by this data. For these actors, the secondary use of health data is a key issue.

However, it also presents numerous legal challenges, such as the necessary protection of patients’ personal data and the respect for intangible assets, among other technical, operational, ethical, or administrative obstacles. To address these challenges, the EU has established a new and highly ambitious legal framework to govern data-related issues, including their reuse.

The goal of this framework is to strike a balance between the benefits of data sharing and the need to comply with existing laws and regulations, particularly the General Data Protection Regulation (GDPR)[6] and intellectual property laws, in line with the challenges raised.

Based on the rules outlined in this new framework, consisting of key texts such as the Data Governance Act (DGA), the Data Act (DA) and the EHDS Regulation, research and innovation actors must develop good contractual practices to anticipate, secure, organise and accelerate the secondary use of data collaboratively.

An ambitious European regulatory framework for the secondary use of healthcare data

The Data Governance Act

The DGA,[7] in force since 24 September 2023, is an essential element of EU strategy. Its primary objective is to establish and connect European data spaces by encouraging the pooling and sharing of data, improving its interoperability and sharing services, and building on existing standards at European, international or national level. The aim is to create a more efficient data economy, where data can circulate freely while being secure.

The DGA is based on the notion of ‘FAIR Data’ (findable, accessible, interoperable and reusable data), a principle promoted by the European Commission in a report and action plan published in 2018.[8] 

The DGA applies to a wide range of entities, including public sector bodies and organisations that voluntarily share data for public interest purposes. It addresses several key issues, such as fair access, user rights and data protection.

Aiming to foster an economy based on both personal and non-personal data, with flows intended to be cross-sectoral, the DGA regulates the reuse of protected data held by the public sector, stimulates data sharing, regulates new data intermediaries and encourages data sharing for altruistic purposes.

It will be interesting to follow the implementation of the DGA in collaboration contracts between public and private players, or among private players themselves – for example, consortium contracts for the creation of databases or research platforms, prototype development contracts, and clinical research contracts or service provision contracts intended to lead to subsequent innovative projects with compatible aims.

Data Act regulation

The DA,[9] in force since 11 January 2024, complements the DGA by further encouraging data sharing between sectors. It introduces comprehensive measures to enhance interoperability and establish strong safeguards against illegal data transfers. In particular, the text focuses on facilitating the sharing of B2B (business-to-business) and B2C (business-to-consumer) data from connected products and related services.

Under this regulation, connected products and their related services will have to be designed and manufactured in such a way as to enable users (whether businesses or consumers) to access, use and share the data generated easily and securely.

Like the DGA, the DA is a cross-sectoral piece of legislation. It does not modify existing data access obligations, but any future legislation will have to be aligned with its principles.

One of its primary aims is to increase legal certainty for businesses and consumers who produce data, particularly in the context of the Internet of Things, by establishing clear rules on the authorised use of data and the associated conditions, while supporting efforts to ensure that data holders continue to invest in the production of high-quality data. In this spirit, the obligation to share data is considered by the DA to prevail over the sui generis right of the database producer, although data access and preparation services may still be remunerated.

The DA also provides for the development of interoperability standards to ensure that the data concerned can be reused in different sectors and applications.

To guard against illegal data transfers, the DA requires rigorous safeguards and compliance measures, which include ensuring that all data-sharing activities comply with existing legal frameworks, such as the GDPR.

Furthermore, the DA intends to mitigate the abuse of contractual imbalances that hinder the fair sharing of data. This means protecting companies from unfair contractual clauses imposed by a party with a considerably stronger market position. The DA therefore strongly supports SMEs in the sharing and use of data.

The DA enables public sector bodies to access and use data held by the private sector for specific public interest purposes.

Finally, among other rules, the DA establishes a new framework enabling customers to effectively and more easily switch from one edge or cloud data processing service provider to another, in order to unlock the EU cloud computing market.

These rules, or their direct or indirect impact, will need to be taken into account in B2B R&D contracts that provide for or allow the reuse of data, particularly with regard to storage.

The European Health Data Space (EHDS) Regulation

The EHDS Regulation is an important initiative aimed at using health data to improve healthcare delivery, research and policy-making within the EU. It is part of the European data strategy, which aims to create a single market to ensure Europe’s competitiveness on the international stage.

The EHDS operates under the guidelines of the GDPR and the EU Data Protection Regulation. Its main objectives are to:

  • help individuals manage their health data more effectively and make informed decisions about their health;
  • facilitate the use of health data for scientific research, innovation and the development of new healthcare solutions;
  • enable the EU to fully exploit the potential offered by the safe and secure exchange, use and reuse of health data within the EU.

The EHDS regulation distinguishes between primary and secondary use of electronic data:

  • primary use refers to the use of health data to provide health services, such as diagnosis, treatment and care; and
  • secondary use involves the use of health data for research, innovation and policy-making. This includes data that is initially collected for primary use, but is subsequently reallocated to secondary purposes.

The regulation lists a range of permitted uses, including supporting public authorities in the performance of their tasks, education, scientific research, the development of innovative solutions for public interests and the training of algorithms with medical applications. The regulation also identifies certain prohibited purposes, such as supporting decisions taken against individuals and having legal effects, including insurance premiums, commercial advertising and the sale of data to third parties.

With a view to contractualising the secondary use of data, it is worth noting that electronic data relating to the health of EU citizens can only be made available for research and innovation subject to strict privacy and security guarantees. Thus, the use of such health data may only concern anonymous or pseudonymous data with additional guarantees and subject to identifying and fulfilling a valid legal basis for processing.

Data access will be carried out under the strict supervision of an authority, to be set up by each Member State for access to health data in a secure processing environment. Such a health data access body (HDAB) is a prerequisite for the secondary use of health data within the EHDS framework. At the time of writing, this HDAB has not yet been identified in France, but the Health Data Hub (HDH) is being considered for this role.

In practice, organisations will be able to ask an HDAB for access to electronic health data held by a third party for one of the authorised secondary purposes. At the HDAB’s request, the company holding the health data will then have to provide it to the HDAB to satisfy the access request. The HDAB will be responsible for ensuring that the data is adequate, relevant and limited to what is necessary for the purpose of processing indicated in the data access request. By default, data will be provided in anonymous form. However, if the applicant can demonstrate that the purpose of the processing cannot be achieved with anonymous data, the HDAB may grant access to the data in a pseudonymised format.

Parties to collaboration contracts providing for the secondary use of data who intend to obtain that data through the EHDS will need to take into account the impact of this procedure through an HDAB when designing and negotiating the terms of their contracts, and in particular the conditions governing the nature of the data and the conditions of access to it.

Secondary use of data to be anticipated, secured, organised and accelerated in R&D contracts between healthcare players

The European regulatory framework, a few of whose new rules have been recalled above, will have a direct or at least indirect impact on B2B contracts concerning the secondary use of health data, or providing for such use after the contract. These rules should therefore be taken into account when drafting and negotiating contracts.

Prior to drafting contracts on a case-by-case, project-by-project basis, stakeholders will need to design their databases or platforms, if applicable jointly, in such a way as to enable more efficient subsequent reuse of the data. 

Best practices for the governance of data spaces and platforms

The variety of players, their numbers and their levels of maturity mean that a major coordination effort is required to homogenise best practices around data sharing in the field. It is necessary to agree on common rules and make clear decisions in the event of a lack of consensus.

The following measures, drawn up as part of the roadmap of the European Space Agency’s and European Centre for Space Studies’ working group on the future European Space Data Space,[10] could contribute to some of these best practices:[11]

  • clearly define the perimeter of the data space or platform to be shared;
  • define the legal status of the authority or governing body of the data space/platform and its possible antennae, subsidiaries and/or advisory bodies;
  • define the conditions for participation in the data space/platform;
  • define a governance framework for the data space/platform;
  • define roles and responsibilities within the data space/platform;
  • define contractual flows within the data space/platform;
  • establish trust among participants (property rights, compliance, transparency, security, value);
  • encourage and incentivise collaboration;
  • address power asymmetries between participants;
  • address sectoral coordination needs;
  • take into account sectoral regulatory specificities;
  • strike a balance between belonging and autonomy/freedom of trade and movement;
  • strike a balance between innovation and regulation/using regulation to foster innovation;
  • balance public and private interests;
  • address dual-use issues; and
  • reconcile societal values and financial viability.

Combined with these principles, various contractual schemes may be necessary to structure data sharing (eg, organisational, functional, operational, technical, liaison and commercial agreements).[12]

Impact on the drafting of secondary data use clauses in B2B contracts related to healthcare R&D

Without prejudice to the recommendations already made, health data reuse clauses in R&D-related contracts will have to comply with both EU and national regulations, including the new principles of the European data market framework (DGA, DA and the EHDS Regulation). More generally, they will also need to comply with all European and national texts dealing with data whether personal or non-personal, in particular:

  • the GDPR;
  • the Free Flow of Data Act;
  • rules on cybersecurity and their specificities applicable to the healthcare sector, including the NIS 2 Directive on the cybersecurity of information systems;
  • the Cyber Resilience Act on the cybersecurity of connected products;
  • the European Regulation on AI;
  • specific rules on the hosting of health data; and
  • other national rules in the domain of intellectual property, contracts, competition or insurance.

To take the single example of personal data protection, contractors will need to ensure that their data processing activities comply with the GDPR and national personal data protection laws.

This involves checking that the individuals whose data is intended to be reused have validly consented to this reuse, or else carrying out a purpose compatibility test on a case-by-case basis to verify that the secondary use of the data aligns with the purpose of the initial processing.

To this end, it is essential to clearly define the roles of data controllers, joint controllers and processors at the level of primary use, anticipating the purposes of any secondary use(s), whether carried out collectively or separately by all or some of the players. The principles of the GDPR will have to be respected, in particular informing individuals and enabling them to exercise their rights, as well as adequate documentation of the new use by both parties. The parties (data controllers and processors) will have to formalise their agreement accordingly. If consent has not been obtained upstream (because the individual has refused, or because the project promoters did not anticipate the secondary use of the data), the data controller’s authorisation of the secondary use by the other party or parties will have to be obtained and recorded in writing in the contract.

In this respect, and if the context lends itself to it, it is strongly recommended to follow the French Data Protection Authority (CNIL)’s guidelines of January 2022 on the transformation of subcontractors into data processors.[13]

In addition, the CNIL’s recommendations of 8 April 2024 on personal data in the development of AI[14] underline the importance of verifying the lawfulness of the data processing, and more specifically of the source of the data, before any secondary use. Thus, the data controller must ensure that the data was published lawfully (if it is public data) and that its content complies with the GDPR and other relevant laws or regulations. The contractual guarantees to be obtained by the recipient reusing the data will include: mention of the source, the context of collection and its legal basis; a description of the database; assurance that the data is not linked to criminal offences or public sanctions; verification of the data’s lawfulness and usability, particularly if it contains sensitive personal data; the impact assessment; and the guarantees provided to individuals.

In summary, the body of the contract should:

  1. clearly define the primary and secondary purposes of data processing and obtain explicit consent if necessary from the (initial) controller;
  2. clearly define the roles of data controllers, any joint data controllers and data processors;
  3. ensure that secondary use processing has an appropriate legal basis, such as legitimate interest or consent (verifying and applying both Article 6 and Article 9 of the GDPR);
  4. carry out privacy impact assessments to evaluate and mitigate the risks associated with data processing;
  5. implement data anonymisation or pseudonymisation techniques to protect the privacy of individuals; and
  6. maintain transparency with data subjects about how their data will be used and reused, and ensure accountability through robust data governance practices.

A set of questions will have to be asked systematically to frame and anticipate as effectively as possible the secondary use of data by stakeholders, including:

  • When does the GDPR apply to data sharing and reuse projects?
  • What about national legislation? Who are the parties involved in these projects? What is the distribution of roles? For what purpose?
  • Who is responsible for ensuring GDPR compliance? At what level?
  • What guarantees must be put in place to ensure GDPR compliance?
  • How are contractual rights and obligations translated, and what are the ex ante and ex post control procedures (adding contractual specifications)?
  • Under what business model?
  • How can one continue to protect and add value to investments, including intellectual property?
  • What role, if any, should cross-border certification play?
  • How can one ensure flexibility and comprehensive coverage while structuring contracts (contractual engineering)?

The reuse of healthcare data in B2B R&D contracts offers considerable potential for innovation and improved healthcare outcomes. However, contractors need to be attentive to applicable legal and regulatory considerations, which requires a thorough understanding of the legal environment, and the implementation of robust data governance practices across the entire project value chain, including the constitution of data spaces or platforms.

In other words, project sponsors will have to follow a key principle acting like a red thread: anticipating the possible secondary use of health data as soon as projects for their primary use are launched, both with a view to greater and earlier transparency towards the people whose health data is processed, and to saving time and increasing the value of the investment.


[1] ‘Factsheet on European Health Data Space’ (European Commission, 22 May 2024), available at https://ec.europa.eu/commission/presscorner/detail/fr/fs_24_1347, accessed 14 January 2025.

[2] ‘Second joint action Towards the European Health Data Space – TEHDAS2’ (Sitra), available at www.sitra.fi/en/projects/tehdas2-joint-action/#what-is-it-about, accessed 14 January 2025.

[3] Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0197.

[4] Artur Olesch, The European Health Data Space (EHDS): Insider update on next steps (ICT&health, 30 September 2024), available at https://ictandhealth.com/news/the-european-health-data-space-ehds-insider-update-on-next-steps, accessed 14 January 2025.

[5] ‘European Health Data Space’ (European Commission), available at https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_fr, accessed 14 January 2025.

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[7] Regulation (EU) 2022/868 of 30 May 2022.

[8] Turning FAIR data into reality (European Commission, 2018), available at https://op.europa.eu/en/publication-detail/-/publication/7769a148-f1f6-11e8-9982-01aa75ed71a1/language-en, accessed 14 January 2025.

[9] Regulation (EU) 2023/2854 of 13 December 2023.

[10] De Gaulle Fleurance (Cécile Théard-Jallu) cowrote the legal part of this roadmap with the German firm Heuking (Thomas Jansen).

[11] ‘Space Data Space: Towards More Secure, Timely, Relevant, and Accessible Space Data as a Response to the Escalation in Crisis Situations’ (European Space Agency and European Space Policy Institute (ESPI) workshop, 22–23 November 2023), available at www.satcen.europa.eu/Pages/satcen-hosted-the-esa-espi-space-data-space-workshop, accessed 14 January 2025.

[12] Ibid.

[13] ‘Sous-traitants: la réutilisation de données confiées par un responsable de traitement’ (CNIL, January 2022), available at www.cnil.fr/fr/sous-traitants-la-reutilisation-de-donnees-confiees-par-un-responsable-de-traitement, accessed 14 January 2025.

[14] ‘IA : la CNIL publie ses premières recommandations sur le développement des systèmes d’intelligence artificielle’ (CNIL, 8 April 2024), available at www.cnil.fr/fr/ia-la-cnil-publie-ses-premieres-recommandations-sur-le-developpement-des-systemes-dintelligence, accessed 14 January 2025.