With a second wave of Covid-19 upon us, the practical challenges and urgent need of unlocking the power of data for health are ever more evident. Cambre was proud to join the 16th World Congress on Public Health to discuss the impact of GDPR on eHealth. Here is what senior consultant Andrea Tognoni presented, unpacking the perspective of developers in a thought-provoking session organised by the European Public Health Association.
Covid-19 is exposing the vulnerability of healthcare systems and the complexity of public health decisions. It is also unleashing public debate about tracing apps, privacy and health data. Everyone had a glimpse of the practical challenges that eHealth faces worldwide. Against this backdrop, GDPR ensures high privacy standards in handling the data needed to fight the virus. But it also creates barriers, notably to re-use of data for research, swift response and aggregation of datasets across the EU. From the perspective of eHealth developers, these issues pre-date Covid-19 and sit at the heart of their role in delivering the potential of digital health. The interplay of GDPR and health reveals fundamental regulatory tensions between privacy and public health needs, which translate into challenges for eHealth developers. It is easy to say that “GDPR or privacy should not get in the way if a life must be saved” – but the reality is not that simple.
High privacy standards support trust in eHealth, thus favour the development and uptake of apps. Public health results from the better use of data are also key to create citizens’ awareness that their personal health data holds great potential for patients and healthcare professionals. But for start-ups that often do not have legal teams and need to apply standards since the very first iteration of the apps, this is a barrier to access the eHealth market, which becomes the exclusive realm of big, specialised players. So as eHealth developers comply with GDPR and many other requirements on cybersecurity and data localisation, including for the suppliers they use (e.g. cloud services), they may shift focus and leave their creative potential for health untapped.
GDPR is creating market and legal fragmentation, as it allows Member States to have specific conditions on health data. Conversely, developers would need to focus on the largest possible markets and datasets. This fragmentation limits incentives and investment in the sector, because different systems at national or regional level make scaling-up difficult. Smaller geographic or medical realities are therefore in danger of being left behind.
Developers are between a privacy rock and a hard healthcare and public health place. It is hard for private entities to strike a balance between digital rules and public health goals, especially if they don’t know what data they are ultimately using. Competition and innovation are also particularly hard in this space: software and services cannot be conditioned on long-term or exclusive contracts as governments need flexibility; open source protocols are normally required, and code should be available for auditing; monetisation of health data is usually discouraged. All this clearly reduces investments and ability to plan, so with a GDPR definition of health data that is blurry and hard to apply, many developers tend to solve the problem by staying away, typically by not linking to healthcare or public institutions’ databases – which in turn would really be the whole point and potential of eHealth.
Developers need to move in a highly complex landscape. They are engineers seeking the most technically-savvy solutions, who must take into account the needs of healthcare and public health practitioners who will give life to their tools, as well as those patients who are also citizens and users, whose life and privacy should be protected. Moreover, end users are not customers, which are typically hospitals, insurances, pharma companies or a mix of public authorities delivering services. To each of them, start-ups need to demonstrate quality, security, compliance and trust.
All is not lost. Some EU solutions may be in sight. The EU proposed a toolbox and gateway on Covid-19 to make tracing apps interoperable and exchange of information with the ECDC. Action on this issue heralds wider hope. The European Health Data Space may address existing barriers, as it should strengthen cross-border access to eHealth and harmonise standards, notably with a Code of Conduct on processing data, as well as foster interoperability with substantial infrastructure and investment, notably via the EU Electronic Health Records (EHRs) and an EHRs Exchange Format. This might configure GDPR not as a framework or limit, but as a tool, as the cornerstone of an eHealth environment where developers can experiment and thrive.
EU action based on the internal market competence can help European public health. Other strong EU competences can also help, such as competition measures that stop players from accumulating too much power on personal data, thus favouring people’s trust, or industrial policies to ensure network security, resilience and innovation. This holistic EU approach is key, as it can contribute to informing people on the potential of health data and its responsible use – we can look at the European Patient’s Forum’s “Data Saves Lives” initiative for a great example.
If Covid-19 has taught us anything, it is that the stakes are high.
- We risk mirroring the current fragmentation of health data with countless eHealth apps that curb the potential of data aggregation and running AI through databases.
- With 80% of health data still unstructured and untapped, when not deleted, we risk having an industry that does not become competitive and falls behind approaches with lowers privacy standards.
- We risk losing the Covid-19 moment. We are all now used to teleworking, and with the massive investment and perception shift that the pandemic has brought, we might lose the opportunity to make a transition to digital health.
The eHealth transition should be inclusive, fostering privacy and access for all, as well as interoperability and data use for research purposes. These are debates are not only technical, but also political and academic – and they need to happen as soon as possible. Rules can only be made with proper input and communication – and new rules are opportunities to empower, not block. The health, data and privacy worlds need to talk more: developers need to work with everyone, from public health academics and healthcare professionals to privacy lawyers and policy-makers – and these in turn need to consider all “mindsets”.
The prize of harnessing the EU digital single market for health is huge. GDPR changed privacy rules worldwide. A successful EU approach to eHealth can be a golden standard, ensuring the highest privacy and security, gaining trust, and delivering revolutionary health outcomes for all, making our healthcare systems more sustainable and resilient.