Dr2 Consultants’ monthly newsletter on EU Data Policy developments will keep you updated on all political and policy developments at EU level related to the data economy, from cybersecurity to smart energy to e-mobility.
In this third issue, you will receive a deep dive into the most important elements of the new European Health Data Space on the one hand, and UK’s Data Bill Reform on the other. This newsletter will also provide an update on the “dark patterns” in social media platform interfaces, as well as the latest developments of the Conference on the Future of Europe (CoFoE) and digital transformation, and Dr2 Consultants’ Breakfast Webinar on the impact of the Data Act on European competition and sustainability goals.
Deep dive: European Health Data Space (EHDS)
On 3 May, the European Commission released its legislative proposal on the Regulation on European Health Data Space (EHDS). This initiative aims to create a system for health data exchange and access governed by common rules, procedures, and technical standards to ensure that health data can be accessed within and between the Member States, fully in line with the General Data Protection Regulation (GDPR) and Member State competences. As highlighted by the COVID-19 pandemic, governments are set to collect higher shares of health data in the future. The European Commission claims its use can add up to €11 billion over the next 10 years – with half coming from improved data exchanges in health care itself, and the other half from the use of health data in research and policy. To that end, the EU has set a fund of 810 million to build the necessary infrastructure.
Link with EU digital legislation
The EHDS is the EU’s first sector-specific regulation under its 2020 Data Strategy. It supplements the Data Governance Act and the Data Act which cannot address the specificities of sensitive data, such as health or genetic data. It provides more specific rules for ‘data altruism’ in the health sector and introduces limits to international transfers of non-personal health data.
More concretely, EHDS will improve:
Healthcare and timely access to data (primary use of data)
All Member States will be required to participate in the digital infrastructure MyHealth@EU to ensure that EU citizens can share their health data with health professionals in other EU Countries and therefore contribute to better cross-border healthcare. As of today, only 10 Member States have implemented the platform.
Research (secondary use of data)
This new legal framework and infrastructure will allow researchers, innovators, decision-makers, and regulators to re-use health data for cross-border research, policy making, educational activities, and personalised medicine.
Requirements and obligations specific to electronic health record (EHR) systems will ensure that EHR systems placed on the market and used are interoperable, secure and respect the rights of individuals over their health data.
Brussels Tech lobby DIGITALEUROPE saluted this initiative as an ambitious framework for health data, while adding that more harmonisation in the Single Market for digital health and data was needed. They also called on the Commission to clarify the scope and interactions of EHDS with other pieces of legislations such as GDPR, Data Act, Medical Device Regulation and AI Act. This reaction comes on the back of the release of their report on 7 April identifying two main roadblocks to developing and scaling life-saving health technologies in Europe: the lack of a framework for health data flows, and a fragmented market for digital health. The European Confederation of Pharmaceutical Entrepreneurs (EUCOPE) emphasised the need to set European Health Union that aims to reinforce the EU’s preparedness and response during health crises. On top of that, they also recommended the promotion of data interoperability.
The proposal will now be sent to the Parliament and Council for examination. The Commission is optimistic that the first results will start to show in 2025, especially for the exchange of data in health care itself, the MyHealth@EU program.
Dr2 Consultants’ Breakfast Webinar Series on the EU Data Act
WEBINAR 2/3: The impact of the Data Act on the EU’s smart mobility goals
UK’s Data Bill Reform
During the Queen’s Speech on 10 May, the British government announced the reform of the country’s data protection regime. According to the executive, this Data Reform Bill is expected to create “a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection”. In its legislative agenda for the next 12 months, London said it wanted to “take advantage of the benefits of Brexit to create a world class data rights regime” by updating its local privacy rules to “fuel responsible innovation and drive scientific process.” The bill will make up part of a wider package of data protection reforms.
As it stands, the UK’s data protection rulebook is still modelled on the EU’s General Data Protection Regulation (GDPR). With this reform, the UK government remains cautious that any changes to its data protection regime would not imperil its data flows agreement with the EU, as it requires the UK to maintain an equivalent level of privacy protection compared with the Continent. Brussels is concerned of the UK’s stated desire to establish new data flows with countries including the U.S., Australia, South Korea, Singapore or India, which could lead to the transfer of EU individuals’ data to third countries with inadequate privacy standards.
Data flow deal with India
In parallel, Britain’s trade negotiators are under pressure to strike a trade deal with India this year. Prime Minister Boris Johnson has given the UK team until October to seal a post-Brexit deal on the liberalisation of data with New Delhi.
Nevertheless, experts claim that landing a deal will be a big challenge given that both sides are currently at opposite ends on their data policies. India is in the midst of setting up a new Data Protection Bill to manage the way commercial and personal data is handled. This draft law would require data to stay on Indian soil, as regulators believe the move is necessary to generate local jobs, and protect national security and the privacy of its citizens.
On its part, London is pushing hard to allow for the free flow of data between the two countries. More than 67% of UK services exports are digitally delivered. Britain currently imports more services from India than it exports.
According to a report from the UK-India Business Council (UKIBC) and think tank “The Dialogue”, if approved by the Parliament, the Indian draft law would restrict “the transfer and processing of critical personal data abroad, but also mandate commercial and nonpersonal anonymized datasets to be shared with the Indian government”. In other words, British companies selling goods or services online in India would have to set up data servers there to exclusively store payment data from national citizens. As a result, this setup could cost significant resources to UK businesses. It would limit the data they could transfer, and the value derived from analysing it with tools like machine learning, putting to the test the digital supply chains between London and New Delhi.
The EDPB and “dark patterns” in social media platform interfaces
On 2 May, the European Data Protection Board (EDPB) closed the feedback period on the “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them”. These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. These patterns aim to influence users’ behavior and hinder their ability to effectively protect their personal data and make conscious choices. They can be divided into these categories:
- Overloading: confronting users with a large number of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
- Skipping: designing interfaces or user experiences in a way that users forget or do not think about all or some of the data protection aspects.
- Stirring: affecting the choice users would make by appealing to their emotions or using visual.
- Hindering: obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
- Left in the dark: designing interfaces in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
These dark patterns are practices that are not only relevant for personal data protection, but sit at the intersection between several fields of law, in particular consumer law, digital market and data protection law. The Digital Markets Act (DMA) and Digital Services Act (DSA) contain specific provisions prohibiting these types of practices. They are also addressed in other instruments regulating the digital sphere which are currently under discussion, such as the European Data Act.
Conference on the Future of Europe (CoFoE) and the digital transformation
On Europe day, the Conference of the Future of Europe’s Executive Board gave the final report on the outcome of the Conference to the Presidents of the European Parliament, Commission and Council in Strasbourg. As a reminder, the CoFoE is a one-year bottom-up exercise for Europeans to have their say on what they expect from the European Union. European citizens of different geographic origin, gender, age, socioeconomic background and/or level of education were encouraged to take part in the Conference, with young Europeans playing a central role. Strong of 49 proposals, this final document includes concrete objectives and more than 320 measures for the EU institutions to follow up on under nine topics, including digital transformation.
In the digital chapter, authors brought to the fore the importance of “long-term consequences of the seizure of personal information and the illegitimate use of that data in the future” especially following the Russian invasion of Ukraine. To tackle this issue, they suggested avoiding “data concentration and dependence on third countries in relation to infrastructure and services” and building “a data infrastructure based on European values.”
EU Data Act and its impact on EU competition and sustainability goals
On 5 May, Dr2 Consultants hosted a Breakfast Webinar to discuss the impact of the Data Act on European competition and sustainability goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Paolo Falcioni, Director-General of APPLiA, representing the home appliance sector in Europe, and Mr. Radu Surdeanu, Senior Director Government Affairs at Siemens Energy, a large energy company offering products and services along the entire value chain, were invited to shed light on the Data Act from an association and business perspective.
Both speakers agreed with the key ambition of the Data Act, its potential to increase Europe’s competitiveness and contribute to the EU’s sustainability goals, but they underlined there is still a long way to go for this proposal. The rules for the industry need to be more clearly defined, trade secrets should be protected, innovation should be stimulated, and the text should be strengthened in a participatory manner with all stakeholders.
Register for the upcoming two sessions in this series of webinars here.
Learn more about our EU Data Policy services
Dr2 Consultants offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU data-related legislation on your organization. Visit this webpage to learn more about our EU Data Policy services.
For more information on Dr2 Consultants’ full range of services, don’t hesitate to contact us.