Paradigm shift in data protection: opt-out yes or no?
The healthcare system is facing a fundamental change with the planned digitization projects. Politicians are preparing legal rules that turn traditional patient confidentiality and medical confidentiality upside down: Pseudonymised patient data should always be available for research purposes, unless those affected expressly object by opting out. Neither consent nor an opt-out was and will be required for anonymous data.
If the opt-out rule for highly sensitive health data prevails, other areas such as mobility will follow. The European Parliament intends to present a voting proposal for the European Health Data Space (EHDS) this week. Federal Minister of Health Karl Lauterbach has presented plans for an opt-out for the electronic patient file (EHR). Among critical data protection experts and civil rights organizations, the opinion tends to be in favor of an opt-out. There is no clear line in this regard.
Opt-out only with rights of objection
Thilo Weichert from the data protection expertise network believes it is possible that the risks of an opt-out can be managed legally, but in particular with technical and organizational precautions. The transparency requirements for those affected would have to be improved, combined with the possibility of being able to object to specific data uses. The data should “of course” be processed in a secure environment.
Central to the secondary use of the data from the ePA is “that an independent authority decides on this and that it is guaranteed that only public interests in the common good are pursued and that strict earmarking is observed”. Therefore, the data protection supervisory authorities urgently need to be included in the discussion. It is precisely here, however, that Lauterbach wants to reduce the federal data protection officer’s right to a say to purely advisory work. So far, he has had to reach an agreement with the Federal Data Protection Commissioner.
Bijan Moini from the Society for Freedom Rights GFF also considers an opt-out to be justifiable if there are sufficient security precautions. It is important, however, that “a comprehensive right of objection is guaranteed,” he explains to heise online. People who do not object to the use of their health data should also be able to be sure that their data is really needed for a specific research project and that “everything currently possible is being done to protect this most sensitive of all personal data from misuse and theft”.
Deciding to opt out can overwhelm patients
The European civil rights organization EDRI, on the other hand, does not consider an “opt-out” rule, as proposed in the draft report by the rapporteurs in the European Parliament, to be an appropriate solution, since it “displaces the burden of knowledge, understanding and decision-making in an unreasonable way on patients ” burden. EDRI therefore demands that the disclosure of health data to persons other than the care providers involved in the treatment of the patient must remain voluntary. In addition, an obligation to register such highly sensitive data in electronic health records should be rejected.
That is also what Patrick Breyer, MEP for the Pirate Party, thinks. The shadow rapporteur in the European Parliament on the EHDS project says: “For many patients who are not privileged, who have little time, limited language skills or education, who are older, in practice it is too high a hurdle to actively deal with a specific Authority to interfere – just think of your own parents, your neighbors.” He advocated ensuring that everyone is asked their decision before disclosing their very sensitive medical data for various purposes, which is also in line with the Helsinki Declaration. In doing so, he relies on the classic instrument of voluntary and informed consent.
Consent – neither voluntary nor informed
The problem with informed and voluntary consent, explains Stefan Brink – director of the scientific institute for the digitization of the working world – to heise online is that it is reaching its limits in the health sector. In emergencies, the patient can hardly consent voluntarily. In addition, informed consent can hardly be given, since the research approaches are often difficult to convey to the patient and at the same time are subject to constant adjustments. If, for example, blood and tissue samples are examined for certain genetic characteristics in cancer research, it could be that in the course of research a few years later, further genetic characteristics become of research interest, but the person concerned could not consent to their examination due to a lack of prior knowledge.
“Broad Consent” undermines data protection
The “broad consent” approved by the data protection conference is intended to absorb these changing research purposes. However, this ultimately undermines self-determination more and more, says Brink. At the same time, consent is a complex instrument for research institutions. Therefore, instead of sticking to the gutted consent, the legislature must strike a fair balance between the different user interests.
This is possible because the GDPR contains a strong research privilege. Accordingly, the researchers would have to ensure “suitable guarantees” for those affected. A simple pseudonymization is sufficient, in which the personal reference to the patient is not lost. In addition, it is enough that the patient is fully informed about the use of his data.
Brink emphasizes that the GDPR under Article 89 (2) in the case of secondary use abolishes the rights of those affected to information, solution and objection, which the Bavarian data protection officer Thomas Petri also points out. At the same time, the informational self-determination of patients in medical treatment or primary use remains unaffected.