- 1338 views
Abstract: Free access to a copy of personal data included in a medical record is guaranteed under EU law. The legal basis, scope and reach of this right were addressed for the first time by the European Court of Justice in F.T. v D.W. The case triggers a number of considerations on the protection offered to individuals, and most notably patients, as well as on the coherence of the relevant legal framework and future perspectives for the digitalization of healthcare services. This Insight analyses the judgment focusing on the multifaced nature of (electronic) medical records in light of the GDPR, Directive 2011/24 on patient’s rights in cross-border healthcare and Regulation on the European Health Data Space.
Keywords: Regulation 2016/679 – Directive 2011/24 – Patients – Access to Medical Records – Right to Obtain a Copy Free of Charge – European Health Data Space.
I. Introduction
The facts of the case are plain and straightforward. F.T. provided dental care to DW. In order to evaluate possible errors in the treatment, the latter requested a copy of his medical records free of charge. Based on the relevant provisions of German law, F.T. refused to comply unless the patient accepted to cover the pertinent costs. This generated a lawsuit that ultimately reached the Bundesgerichtsof. The Amstgerich upheld DW’s action and the Landgericht dismissed the appeal brought by F.T. In particular, the German Regional Court considered that the underlying claim under medical liability law did not nullify the right of the claimant to receive from the controller a copy of the personal data undergoing processing pursuant to art. 15(3) of the GDPR. This provision should be read in conjunction with art. 12(5), which, on its part, allows for charges to be applied, but only when the requests are “manifestly unfounded or excessive”, most notably by reason of their “repetitive character”. As anticipated this decision was challenged before the Bundesgerichtsof.
Having doubts on the interpretation of these and other provisions of the GDPR, the German Federal Court decided to stay the proceedings and to refer three questions to the European Court of Justice (ECJ), namely: 1) does art. 15(3), read together with art. 12(5) GDPR, actually apply to this case notwithstanding the apparently ultroneous use of the corresponding right (i.e. to bring a claim for medical malpractice)? 2) can the domestic piece of legislation – predating the entry into force of the GDPR – be justified by reason of the fact that it is intended to protect the economic interests of the controller (i.e. the dentist) in accordance with art. 23(1)(i) GDPR? 3) does the right to obtain a copy of personal data within the meaning of art. 15(3) GDPR imply that the controller must provide the data subject (i.e. the patient) with a full copy of the documents included in the medical record containing their personal data, or uniquely with a copy of those data as such?[1]
These questions trigger multiple reflections, especially since on March 15, 2024 the Council of the European Union and the European Parliament reached a provisional agreement with respect to the European Health Data Space (EHDS Regulation).[2] As is well known, the Regulation proposed by the Commission in May 2020 aims, inter alia, at improving “access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data)”.[3] In this sense, the case under review is rather singular in that – to the best of the author’s knowledge – it constitutes the first and only instance in which the Luxembourg judges were asked to interpret the GDPR in relation to (electronical) medical records.
F.T. v D.W. is a good case study to test the current and future regime applicable to (electronic) medical records, both in merely internal and in cross-border situations. Indeed, when reading the Advocate’s General Opinion and the Judgement one cannot refrain from wondering how the ECJ would have solved the case had the patient been seeking treatment in Germany from another EU country and the situation were covered by Directive 2011/24 on patient’s rights in cross-border healthcare. On the other hand, it cannot be ignored that the EHDS Regulation recognizes natural persons specific prerogatives in relation to their personal electronic health data, including the right to access them through dedicated online services and the right to download an electronic copy free of charge.[4]
The present Insight assesses the Court’s decision taking into account the rules laid down in these legal instruments: the GDPR, Directive 2011/24 and the EHDS Regulation. This triple normative dimension will be considered when appraising the answers to the three questions put forward by the German Federal Court. Thus, the Insight will begin by ascertaining on what grounds the ECJ reached the conclusion that the reason for asking access to one’s personal data included in a medical record is irrelevant for the purposes of usefully invoking art. 15(3), regardless of the objective pursued by the GDPR, whether in a cross-border situation Directive 2011/24 would have applied and whether the situation in F.T. v D.W. could in the future be caught by the EHDS Regulation (section II). Subsequently, the attention will turn towards how the EU legislator has tried to accommodate personal data protection with the rights of others, if similar balancing operations are also present in Directive 2011/24, and what are the additional, if any, guarantees offered by the EHDS Regulation (section III). Lastly, this Insight will dwell on the extension of the rights recognized in these three acts (section IV). Some final remarks will consider the prospects opened up by the EHDS Regulation in terms of accessibility and control over health data (section V).
II. Defining the scope of the right to obtain a free copy of the personal data contained in medical records
As anticipated, in this section we shall: firstly, ascertain how the ECJ managed to bring the case at stake within the reach of the GDPR; secondly, verify whether the presence of a cross-border element would have triggered the application of Directive 2011/24; thirdly, assess the potential relevance of the EHDS Regulation in situations akin to the one under review.
ii.1. Under the GDPR
With its first question, the referring judge wonders whether the GDPR is applicable since the final goal of D.W. is to use the content of the medical record to press charges against F.T. for medical malpractice. In this respect, it is useful to recall that the declared aim of the GDPR is to establish “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data”.[5] The objective of the Regulation is therefore, in essence, to enable unrestricted flow of personal data without impinging on the protection of personal data.
In relation to healthcare, recital 63 GDPR states that individuals should have access to medical records “containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided”.[6] This right is designed to allow the data subjects “to be aware of, and verify, the lawfulness of the processing”. For present purposes, the communication duties imposed on the controller essentially concern the reasons for processing personal data, the period of processing (where possible), the recipients of the data and the logic applicable to any automatic processing. Interestingly enough, the recital also insists on the circumstance that the “controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”. As will be seen shortly hereafter (section II.3.), this is a central aspect of the EHDS Regulation, which expressly requires Member States to establish electronic health data services at the national, regional or local level to enable natural persons to access their electronic health data free of charge.[7]
Despite the reasons behind D.W.’s request, according to Advocate General Emiliou and the First Chamber of the Court a textual, contextual and systemic reading of the GDPR suggests that the situation is caught by arts 12 and 15 thereof. Under these provisions, access is discretionary, unconditional and free of charge,[8] and recital 63 “cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner that is clearly contrary to their wording”.[9]
This is consistent with settled case law on the legal status of the preamble of EU acts, and on the reach of the right of access to processed data under the GDPR, which is understood as instrumental to allow the data subject “to carry out the necessary checks”.[10] Two additional factors indicated by the Advocate General support this reading: on the one side, art. 8(2) of the Charter of Fundamental Rights of the European Union construes the right of access as a self-standing right[11] and, on the other side, the 2022 Guidelines of the European Data Protection Board (EDPB) clarify that the controller should make the data available regardless of whether it could be used by the data subject in court.[12]
ii.2. Under Directive 2011/24 on the application of patients’ rights in cross-border healthcare
Directive 2011/24 aims at establishing “rules for facilitating access to safe and high-quality cross-border healthcare” in the Union and to ensure patient mobility by promoting cooperation between Member States.[13] In order to ensure continuity of care, individuals must have access to their medical records regardless of where they are in the European Union and whether they relied on the public healthcare system or on private providers. Diagnosis, examination results, assessments by treating physicians, treatments and interventions represent pivotal information in terms of efficiency and quality of care.
The Directive applies “to the provision of healthcare to patients, regardless of how it is organised, delivered and financed” and it covers “health professionals” within the meaning of Directive 2005/36/EC (i.e. doctors of medicine, nurses responsible for general care, dental practitioners, midwives and pharmacists). This means that in the presence of a cross-border situation F.T. v D.W. could have been decided (also) under the Directive. In this regard, it is worthwhile noting that in accordance with arts 4(2)(f) and 5(d) of the Directive, the Member State of treatment and the Member State of affiliation must ensure that “patients who seek to receive or do receive cross-border healthcare have remote access to or have at least a copy of their medical records, in conformity with, and subject to, national measures implementing Union provisions on the protection of personal data”.
The detailed regulatory regime resulting from the GDPR is fully applicable to situations of cross-border healthcare (see section IV.2.),[14] but the Directive effectively creates, at least in cross-border situations, a duty to generate and update a medical record of the patient, as well as an obligation to make available to the interested person a copy of that medical record (including more than just personal data), but not necessarily free of charge.
ii.3. Under the new European Health Data Space Regulation
The EHDS represents a crucial component of the European Health Union[15] and according to the compromise text adopted by the EU Council and the European Parliament last Spring individuals should be able to access their health data immediately after the personal electronic health data has been registered in the pertinent health record system in an electronic format recognized and accepted throughout the Union. Unlike the GDPR, where the controller has up to a month to respond to a request by the interested person,[16] the EHDS Regulation grants patients, or their representatives, the right to directly access a minimum set of data, regardless of where it is processed, the type of healthcare provider, the sources of data or the country of affiliation.[17]
The Regulation stops short of affirming an outright obligation to go digital,[18] but health data are increasingly contained in electronic health records, shared and processed through electronic health records systems, which implies that the rules affirmed therein will ultimately be applicable to internal and cross-border situations alike.[19] Based on these premises – and assuming that the data requested by D.W. was included in an electronic medical record[20] – it can be said that the situation in question would (also) have been caught by the EHDS Regulation.
That being the case, it is important to underline that the Regulation specifically entitles the legal representatives of patients “to download an electronic copy, free of charge via dedicated electronic health data access services set up under the EHDS Regulation”.[21] Moreover, as will be seen below (section IV.3), the minimum content of the health record is spelled out in art. 5 and goes beyond the notion of personal data pursuant to the GDPR.[22]In other words, had the EHDS Regulation already been applicable, D.W. or his lawyer would have been able to personally selected the documents useful to support his claim of medical malpractice and to obtain a copy without having to pay any cost related to compensation for the work of the professional.
III. When access to health data intersects other rights: the normative balancing of potentially conflicting interests
The right to data protection is not an absolute right. It must be weighed against other public interests and private freedoms, but also against ethical values.[23] This section will examine: firstly, how the GDPR balances potentially conflicting rights; secondly, to what extent the Directive on patients’ rights in cross-border situations takes the interests of others into consideration; thirdly, the rules laid down in the EHDS Regulation.
iii.1. Under the GDPR
The second question put forward by the Bundesgerichtsof concerned, in essence, the compatibility of domestic legislation with art. 23(1)(i) GDPR, which allows EU and national law to derogate from the general rule to safeguard freedoms of others, such as the right to conduct a business enshrined in art. 16 of the Charter and recalled in recital 4 GDPR. Pursuant to paragraph 630f of the German civil code, to obtain a copy of their personal data patients must reimburse the interested professional for the cost incurred.
Art. 12(5) GDPR contemplates specific exceptions to the duty to provide a copy of the personal data free of charge. This is the case, in particular, when “requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character”. Moreover, to be sure, art. 15(3) enables the data controller to “charge a reasonable fee based on administrative costs” for any further copy requested by the data subject.
Although the Advocate General and the ECJ agreed that the GDPR applied regardless of the fact that the domestic legislation in question pre-dated its entry into force, the Opinion and the Judgement differ in their assessment concerning the conformity of the national measure with EU law. The Advocate General opines that the national measure can be allowed under art. 23(1) GDPR and believes it is necessary and proportionate, but leaves the final determination to the national judge.
The possibility to impose a fee is based on a legislative measure, in compliance with art. 52 of the Charter. The goal pursued by the German legislator is to safeguard, inter alia, the freedom to conduct a business protected under art. 16 of the Charter, and is incapable – assuming the amount of the costs would in any case not be significant[24] – of impinging on the essence of D.W.’s right to obtain a copy of his personal data included in the medical record.[25] Of course, the real impact of the pecuniary burden depends both on the context and the format of the medical record. As convincingly argued by AG Emiliou, self-employed, operating alone or in multi-doctor cabinets, and employed, working in a public hospital or large private clinic, cannot be fully equated: in some cases, the individual professional will have to intervene; in others, there will be dedicated staff to carry out the necessary administrative tasks.[26] That being said, dentistry is an efficiency-driven and highly digitalized sector and it can be assumed that in most instances there will be an electronic medical record (i.e. documents are generated digitally), which avoids to print, select and/or scan the pertinent documentation.
Perhaps more importantly, in reaching the conclusion that German law struck the correct balance between the rights of the data subject and the freedom of others and did therefore comply with the GDPR, the Advocate General felt the need to underscore that, in accordance with art. 6 TFEU, the protection of public health falls within the category of supporting competences and that, based on the case law of the ECJ, “it is for the Member States to determine the level of protection which they wish to afford to public health and the way in which that level is to be achieved”.[27] It is the discretion they enjoy in this area that ultimately justifies recourse to art. 23(1) GDPR.
By contrast, the Court found that the EU legislator struck the balance between personal data protection and the freedoms of others, and clearly prescribed that the first access must be free of charge. If – as it appears – the national measure merely defends the economic interests of the controller (i.e. the dentist), a determination which is left to the referring judge, it cannot justify a derogation from the general rule under art. 23(1) GDPR.[28]
In the First Chamber’s view, moreover, arts 12(5) and 15(3) GDPR realize a complete harmonization, which effectively means that Member States are pre-empted from regulating the matter. These provisions are endowed with direct effect and should therefore be applied by the referring judge instead of the conflicting national measure.[29] This can be said to be the unspoken, but most significant, consequence of the ECJ’s answer to the second preliminary question.
iii.2. Under Directive 2011/24 on the Application of Patients’ Rights in Cross-border Healthcare
While recognizing patients a right to obtain a copy of the medical record in cross-border situations, the Directive does not specify whether access to the relevant information must be free of charge or whether the professional can ask for a (reasonable) fee. Hence, whilst access to the copy of the personal data included therein must be provided for free in accordance with arts 12(5) and 15(3) GDPR, the right to receive a copy of the medical record (which includes more than the patient’s personal data[30]) in situations falling within the scope of application of Directive 2011/24 can be conditioned to the payment of a fee.
There is no equivalent of art. 23(1) GDPR in Directive 2011/24 and the interests of others are not expressly considered. Art. 8 of the Charter on the right to the protection of personal data is the only fundamental right mentioned in the Directive; no reference can in fact be found to art. 16 of the Charter, nor to art. 35 of the Charter, on the right to healthcare, or to art. 1 of the Charter, concerning human dignity. This is most probably because the Directive is about eliminating restrictions to cross-border healthcare services in terms of authorization schemes and reimbursement procedures, and not about patient’s rights, treatment conditions or abortion and assisted reproduction. These are issues that, pursuant to art. 168(7) TFUE, fall under the responsibility of the Member States.
On the other hand, as recalled by AG Emiliou in his Opinion, the protection of public health falls within the supporting competences of the Union and no obligation to grant the right free of charge should be imposed under EU law given the margin of discretion afforded to national legislators. The costs covered by a professional for the necessary underlying operations, moreover, would in any case be limited and not capable of impinging on the essence of the right itself. In this respect, what appears to be relevant is not so much the context (public hospital/private clinic) but the format. And although medical records referred to in arts 4 and 5 of the Directive may be written or electronic, the trend indicates that in the short/medium term the latter kind will prevail in daily practice.[31]
iii.3. Under the new European Health Data Space Regulation
The EHDS Regulation, on its part, focuses on the data that must be provided to individuals to ensure quality, efficiency, and continuity of care. The digitalization of health brings about important cost-savings and avoids time-consuming operations like those related to preparing a copy of the medical record. Thus, there is no reason to compensate professionals for their administrative services.
The interests of the individuals concerned, however, are taken into consideration. The Regulation, most notably, recognizes that “it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first”.[32] Therefore, in line with art. 23 GDPR, Member States are allowed to delay the right to (immediately) access personal electronic health data until a health professional can adequately illustrate and explain to the patient the clinical picture.[33]
IV. The reach of the right to obtain a faithful reproduction of personal data vis-à-vis the right to obtain a copy of an (electronic) medical record
The function of the right to obtain a copy of the personal data undergoing processing within the meaning of art. 15(3) GDPR was clarified by the ECJ in F.F.[34] On that occasion – concerning the trustworthiness of creditors – the Court affirmed that the right to obtain faithful and intelligible reproduction of personal data undergoing processing “entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her” by the GDPR.[35] Waiting for the entry into force of the EHDS Regulation, F.T. v D.W. offers a good opportunity to test the latitudes of the right to obtain a copy of one’s medical record. In order to have a better understanding of how that prerogative varies depending on the factual context, this section will assess: firstly, the GDPR-tailored answer provided by the ECJ to the referring judge; secondly, the regime applicable to cross-border situations under Directive 2011/24; thirdly, the added value of the EHDS Regulation.
iv.1. Under the GDPR
The third question concerns the material reach of the right to obtain a copy of the personal data which is being processed pursuant to art. 15(3) GDPR. On this point, AG Emiliou and the Court share the view that the relevant determination depends on the single case. Their reasoning largely relies on the formulation of recital 63. According to the First Chamber, whilst the term “copy” pursuant to art. 15(3) GDPR refers to the personal data contained in a document, as opposed to the document as such, the reproduction of extracts from documents or even of entire documents may be the only way to ensure the effectiveness of the provision, particularly where the “contextualisation of the data” processed is necessary in order to ensure the data are accurate, exhaustive and intelligible.[36]
As noted by the Advocate General, however, there can be “a variety of documents” which do not qualify as personal data of the patient, like, for instance, scientific articles concerning pathologies or medical treatments; documents which can turn out useful in malpractice claims.[37] In this regard, it is interesting to note that by granting patients the right to obtain a copy of the medical record (as such), the domestic provisions applicable in the F.T. v D.W. case offered a higher standard of protection than that affirmed in the GDPR.[38] After all, the latter is not intended to create rights for patients and is therefore not tailored to the needs of the healthcare sector. The control of individuals over their health data for treatment purposes through the use of electronic clinical records, instead, lies at the heart of the EHDS Regulation and will be examined below, just after verifying the notion of medical record pursuant to Directive 2011/24.
iv.2. Under Directive 2011/24 on the application of patients’ rights in cross-border healthcare
Turning the attention towards the material scope of the right to receive a copy of a medical record under the Directive, art. 3(m) states that the latter includes “all the documents containing data, assessments and information of any kind on a patient’s situation and clinical development throughout the care process”. When confronted with the answer of the ECJ to the third question in F.T. v D.W., the different material scope of the Directive and the GDPR – the former covers medical records; the latter concerns personal data – would not necessarily impact significantly on the reach of the right to receive a copy pursuant to the two instruments. Indeed, the documentation to be provided under the two regimes might not in concreto be that different from the perspective of the patient.
Yet, it is true that, despite the vague terminology, art. 3(m) identifies a number of essential elements that should be acquired in order to ensure the quality of the diagnosis and the consequent treatment. In truth, even before the advent of the Directive, trying to promote the digitalization of healthcare in the Member States, the Commission tackled the issue. In its recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems it defines “electronic health record” as “a comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form, and providing for ready availability of these data for medical treatment and other closely related purposes”,[39] and specifies that “patient’s summary, emergency data set, medication record’ mean subsets of electronic health records that contain information for a particular application and particular purpose of use, such as an unscheduled care event or ePrescription”.[40]
The recommendation was more concerned with the exchange of the data than with the data itself, but testifies to the progressive realization that the standardization of the content of health records is a precondition to fully exploit the many benefits, individual and collective, that come with the digitalization of health. To be sure, the matter was resumed some years later, when the Commission adopted Recommendation 2019/243 on a European Electronic Health Record exchange format, inviting Member States to ensure that the following health information domains elements are present: a) patient summary; b) ePrescription/eDispensation; c) laboratory results; d) medical imaging and reports; (e) hospital discharge reports. Further developments in this area are left to the work of the e-Health Network, in collaboration with the Commission pursuant to art. 14 of the Directive. Most notably, among the task assigned to the e-Health Network there is the elaboration of guidelines on the specific domains and relevant specifications,[41] and there are ad hoc guidelines on each of these domains.[42]As is well known, the contribution of this network connecting the competent national authorities has been significant and the experience developed therein effectively represented a pilot-project for the EHDS Regulation, which expands the set of domains included in the medical record and turns the ongoing cooperation form voluntary to compulsory.
iv.3. Under the new European Health Data Space Regulation
While Directive 2011/24 makes reference to printed or electronic “medical records”, to be understood as the sum of documents, assessments and more generally information related to the patient’s situation and clinical development, the EHDS Regulation uses the term electronic health record (EHR) to identify, comprehensively, “data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare[43], and the electronic health record system to identify “any system where the appliance or software allows to store, intermediate, export, import, convert, edit or view” the relevant data that “is intended by the manufacturer to be used by healthcare providers in providing patient care or by patient to access to their health data”.[44] One of the most prominent features of the EHDS Regulation is indeed the harmonization of the EHR systems marketed in the Single Market of the Union, with a mandatory scheme of self-conformity assessment for the manufacturers proving “compliance with the requirements on interoperability, security and logging for communication of personal electronic health data”.[45]
The content of electronic health records is detailed in the EHDS Regulation and comprises a list of items that enable better prevention and care. According to the compromise text, the scope of personal electronic health data is vast, being able to comprise data related to both the physical or mental health of an individual, “including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behavior, environmental, physical influences, medical care, social or educational factors”.[46]
More precisely, building on the work of the e-Health Network, where health data is processed in electronic format the following priority categories must be included in the relevant (electronic) health record: a) patient summaries; b) electronic prescriptions; c) electronic dispensations; d) medical imaging studies and related imaging reports; e) medical test results, including laboratory and other diagnostic results and related reports; f) discharge reports.[47] The essential features of these categories of personal electronic health data can be found in Annex I. Accordingly, for instance, the patient summary will comprise, inter alia, personal details, contact information, information on insurance, allergies, medical alerts, vaccination/prophylaxis information, as well as medical devices and implants and plan of care.[48] All information – it goes without saying – that would be extremely useful in law suits for malpractice like that brought by D.W. against F.W.[49]
As previously mentioned, there is no straightforward obligation to generate electronic health records in the EHDS Regulation, but the migration to digital (also) in the healthcare sector is already a reality and Member States will be called upon to ensure that that healthcare providers effectively register the relevant health data in the electronic health record system.[50]
In a cross-border situation, D.W.’s request would have been facilitated by the interoperability of health records created within the European Health Data Space via the use of European electronic health record exchange format, with the relevant technical requirements for these priority categories spelled out in implementing acts adopted by the Commission.[51] With respect to Directive 2011/24, this marks a decisive step forward in the field of patient mobility, also considering that the EHDS Regulation is in principle directly applicable.
All in all, the control over one’s health record purported by the EHDS Regulation greatly contributes to legal certainty, accurate diagnosis and effective treatment but also promotes patient empowerment and in cases like F.T. v D.W. can even contribute – at least to a certain extent – to the sound and expedite administration of justice.
V. Waiting for sunrise… the (true) added value of the European Health Data Space Regulation
F.T. v D.W. raises a number of interesting points: not only is it the first instance where the ECJ deals with medical records in the context of the GDPR; it also exemplifies very well the intriguing complexity of the concurring applicable legal regimes.
Firstly, the case confirms the extensive, and at the same time restrictive, interpretation of the GDPR by the Court. Although it is difficult to deny that the medical record requested by D.W. comprises his personal data, it is still true that access was requested to bring a claim for malpractice. The applicability of the GDPR in this particular situation is largely dependent on recital 63, the sole provision mentioning the healthcare sector. The same Recital, moreover, contributed to determine the reach of the right of access of D.W., with the result that the protection offered by the GDPR closely resembles that ensured under Directive 2011/24. On the other hand, the decision to prioritize the right of the data subject pursuant to arts 12 and 15 GDPR over the interests of others (namely the dentist) seems to betray a rather bias approach, especially considering that – as recalled by the Advocate General in his Opinion – the creation, updating and use of medical records for treatment purposes falls within the responsibilities of the Member States.
Secondly, and more importantly, the case demonstrates the added value of the EHDS Regulation, both in terms of efficiency and effectiveness. On the one side, it will offer the interested person immediate, direct access to a (harmonized) pre-determined minimum set of data. On the other side, it will enable the interested person to delegate a representative to exercise the pertinent rights.
Once the Regulation enters into force, Member States will be pre-empted from regulating aspects falling within its scope of application but will continue to govern the creation and content of written health records, save for those aspects covered by the GDPR and by Directive 2011/24 in cross-border situations. As a matter of fact, it should not be forgotten that under the EHDS Regulation Member States retain their competences regarding the choice of the format and that the right to obtain a paper copy of the electronic health data remains as one of the guarantees enshrined in the GDPR.[52]
That being said, national healthcare systems unwilling or uncapable of going digital will not be sufficiently resilient and just like the zombies of the movies recalled in the title of this contribution will ultimately succumb. To be sure, the digitalization of healthcare has become mainstream in the Union,[53] it is one of the ten objectives pursued by the EU4Health Programme[54] and is capable of bringing enormous economic benefits over the next decade.[55] Because of the different level of digitalization of healthcare services in the Member States, it will take some time to truly appreciate the added value of systematic, reliable, portable and secure electronic health data.[56] Above and beyond the specificities of F.T. v. D.W., ambition, confidence, responsibility and vigilance are key factors in making this transition possible, to the benefit of all European
--------------------
European Papers, Vol. 9, 2024, No 2, European Forum, Insight of 30 July 2024, pp. 463-477
ISSN 2499-8249 - doi: 10.15166/2499-8249/767
* Professor of European Union Law, University of Bologna, giacomo.difederico@unibo.it.
[1] Case C-307/22 FT (Copies du dossier médical) ECLI:EU:C:2023:811 para. 70.
[2] The final compromise text was approved by the European Parliament on 24 April 2024 and at the time of writing represents the latest available “consolidated” version. The recitals and articles quoted in this Insight refer to the text included in document P9_TC1-COD(2022)0140 of the European Parliament but from now onwards, for the sake of brevity, reference will be made to the EHDS Regulation. For a synthesis of the main amendments to the Commission’s proposal, see www.consilium.europa.eu.
[3] Recital 1 EHDS Regulation cit.
[4] Arts 8a(1) and 8g(1) EHDS regulation cit.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, art. 1 (emphasis added).
[6] This is one of the few specific references to the healthcare sector contained in the GDPR.
[7] Art. 8g(1) EHDS Regulation.
[8] The EDPB Guidelines on the Right of Access and Letter in Cookie Consent of 2022, state that “[t]he controller must ensure that the first copy is free of charge, even where it considers the cost of reproduction to be high (example: the cost of providing a copy of the recording of a telephone conversation)” (pt. 22).
[9] FT (Copies du dossier médical) cit. para. 44.
[10] Joined cases C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081 para. 44. On the need to ensure full transparency in the interest of the individuals, see G Zanfir-Fortuna, ‘Article 15. Right of Access by the Data Subject’, in C Kuner, L Bygrave and C Docksey (eds), The EU General Data Protection Regulation (GDPR). A Commentary (Oxford University Press 2020) 452; and L Naudts, P Dewitte and J Ausloos, ‘Meaningful Transparency through Data Rights: A Multidimensional Analysis’ in E Kosta, R Leenes and I Kamara, Research Handbook on Eu Data Protection Law (Edward Elgar 2022) 546 ff.
[11] Case C-307/22 FT (Copies du dossier médical) ECLI:EU:C:2023:315, opinion of AG Emiliou, para. 27. According to the Advocate General this is because the provision severs the right to access data from the right to have that data rectified.
[12] FT (Copies du dossier médical), opinion of AG Emiliou, cit. para. 28.
[13] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, recital 10 and art. 1(1).
[14] Recital 25 of the latter expressly recalls Directive 95/46/EC – the GDPR’s predecessor.
[15] Communication COM(2024) 206 final from the Commission of 22 May 2024 on the European Health Union: acting together for people's health.
[16] Art. 12(3) Regulation 2016/679 cit.
[17] It is important to underline that the notion of healthcare provider corresponds to that offered under art. 3(g) of Directive 2011/24 (cf. art. 2(1)b EHDS Regulation).
[18] Recital 9a EHDS Regulation clarifies that the Regulation “does not affect Member States competences concerning the initial registration of personal electronic health data, such as making the registration of genetic data subject to the natural person’s consent or other safeguards. Member States may require that data is made available in an electronic format prior to the application to this regulation. This should not affect the obligation to make personal electronic health data, registered after the application of this Regulation, available in an electronic format”. This obligation is not spelled out in the text of the regulation, and even the duty for healthcare providers to register the relevant personal health data established in art. 7 of the EHDS applies (only) “where electronic health data is processed for the provision of healthcare”.
[19] Nonetheless, the EHDS Regulation acknowledges that “[T]he right of access to health data is still commonly implemented in many places through the provision of the requested health data in paper format or as scanned documents, which is time-consuming for the controller, such as a hospital or other healthcare provider providing access” (recital 8).
[20] Given the level of digitalization of the dentistry sector and considering that dentists are among the (limited number of) categories of professionals in Germany that can actually create, access and update an electronic medical record it is possible to assume that – absent any indication to this effect in the file – the copy requested by D.W. was indeed that of his electronic medical record.
[21] Art. 8a(2) EHDS Regulation.
[22] But not necessarily to that established under national law.
[23] The paramount role of ethics in the regulation of healthcare falls well beyond the remit of this Insight. Nonetheless, it is worthwhile noting that the entry “ethnic” totalizes 26 hits in the EHDS Regulation and that the e-Health Network (set up under art. 14 of Directive 2011/24 on the application of patients’ rights in cross-border healthcare) has recently adopted European ethical principles for digital health (26 January 2022). With regard to the EHDS, see also C Staunton, M Shabani, D Mascalzoni, S Mežinska and S Slokenberga, ‘Ethical and social reflections on the proposed European Health Data Space’ (2024) European Journal of Human Genetics 498.
[24] FT (Copies du dossier médical), opinion of AG Emiliou, cit. para. 38.
[25] In support of his argument, which ultimately tilts the balance in favor of the possibility to (usefully) invoke art. 23(1) GDPR, AG Emiliou insists on the relative nature right to the protection of personal data (Recital No 4 GDPR) and on the specific needs of micro, small and medium-sized enterprises (recital 13).
[26] FT (Copies du dossier médical), opinion of AG Emiliou, cit. paras 58 and 64.
[27] Ibid. para 68.
[28] This view is reflected in the EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR where to illustrate a restriction to protect the rights and freedoms of others, the Board offered as an example that of “an administrative inquiry and/or disciplinary proceedings or investigation on allegations of harassment in the workplace” (pt. 34). The Guidelines, however, are not mentioned in the judgement.
[29] This is notoriously the substitution-effect generated by the combination of primacy and direct effect. On the pervasive effect of this doctrine on domestic law, see D Gallo, The Direct Effect of European Union Law (Oxford University Press, forthcoming).
[30] The content of the medical record will be examined in section IV.2.
[31] This trend is also evoked in recital 20 of the EHDS Regulation. See also European Commission, Recovery and Resilience Scoreboard. Thematic analysis. Digital public services ec.europa.eu.
[32] Recital No 9 EHDS Regulation.
[33] Ibid. Art. 8a.
[34] Case C-487/21 Österreichische Datenschutzbehörde ECLI:EU:C:2022:1000.
[35] Österreichische Datenschutzbehörde cit. para 45.
[36] FT (Copies du dossier médical) cit. para 74-79.
[37] FT (Copies du dossier médical), Opinion of AG Emiliou, cit. para 80.
[38] Ibid. para 81.
[39] Commission Recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems, pt. 3(c).
[40] Ibid. pt. 3(e).
[41] Commission Implementing Decision 2019/1765 of 22 October 2019 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU, art. 4. See also Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record exchange format, pt. 12.
[42] For direct access to these documents the reader is referred to the website of the e-Health Network: health.ec.europa.eu.
[43] Art. 2(m) EHDS Regulation.
[44] Ibid. art. 2(n).
[45] Recital 27 EHDS Regulation. According to art. 13(a) the harmonizazion concerns two components: on the one side, the “European interoperability component for EHR systems” and, on the other side, the “European logging component for EHR systems”. These two components, defined by means of implementing acts, “should be based on the use of the European electronic health record exchange format” and “should be designed to be reusable and to integrate seamlessly with other components within a larger software system”.
[46] Recital 5 EHDS Regulation.
[47] Ibid. art. 5(1).
[48] Moreover, the system is designed to be flexible, and the Commission is empowered to adopt delegated acts adding, modifying or removing the main characteristics of the priority categories of personal electronic health data provided the amendments are relevant for primary use and they reflect the state of the art in terms of technical standards shared by the majority of Member States (art. 5(2)).
[49] This detailed description of the various components of the electronic health record does not prevent Member States from contemplating additional categories of personal electronic health data for primary use (art. 5(1)).
[50] Art. 7 EHDS Regulation cit.
[51] More precisely, this means establishing harmonized datasets and coding systems, technical interoperability specifications for the exchange of electronic health data, including its content representation, standards and profiles (art. 6).
[52] Recital 8 EHDS Regulation cit. Member States are also free to foresee opt out mechanisms for the primary use of electronic health data (Point II of the compromise text).
[53] See further European Commission, Recovery and Resilience Scoreboard. Thematic analysis. Digital public services ec.europa.eu.
[54] Regulation 2021/522 of 24 March 2021 establishing a Programme for the Union’s action in the field of health (‘EU4Health Programme’) for the period 2021-2027.
[55] Proposal for a Regulation on the European Health Data Space COM(2022) 197 final, Impact assessment.
[56] In this respect, it should also be noted that the entry into force of the EHDS Regulation does not coincide with its application. In truth, whilst the provisions on primary use shall take effect after two years, those on secondary use of health data will only start to be applicable after four years (art. 72).