Ersi Michailidou is a lawyer based in Greece; she has 20 years experience in Data Privacy for Clinical Trials. Ersi is in charge of several clients of PharMarketing GDPR Life Sciences Data Protection, Data Privacy across the globe. She is one of the most knowledgeable person on Privacy and Medical Research. Ersi is preparing a PhD on GDPR and Clinical Research.

Ersi spoke at the Annual Conference of ACDM: Association for Clinical Data Management in March 2024 in Copenhagen on “Data Altruism and Data Sharing under the new EU Regulatory Landscape of the Data Governance Act and the European Health Data Space”.

“ Data Altruism and Data Sharing under the new EU Regulatory Landscape of the Data Governance Act and the European Health Data Space”

The ‘post-pandemic’ era in the EU is marked by legislative initiatives, such as the Data Governance Act ('DGA') and the European Health Data Space ('EHDS'), that create a new regulatory landscape for the sharing of health data for purposes of general interest, including research, innovation and public policy.

About the Data Governance Act ('DGA'):

The DGA, which entered into force as an EU-Regulation on September 2023 (Regulation 868/2022), focuses on three key pillars:

• (1) to provide rules on the use and re-use of data held by public sector bodies,
• (2) to regulate data intermediation services and,
• (3) to establish a data altruism mechanism through EU recognized data altruism organizations.

Data altruism under the DGA is defined as the voluntary sharing of personal data by data subjects based on consent and of non-personal data based on permissions of ‘data holders’, without seeking reward and for objectives of general interests, as provided for in national law (such as healthcare, climate change and scientific research purposes).

Under the data altruism mechanism, this sharing of data is handled through data altruism organizations (D.A.O.s), defined as entities of non-profit seeking to support purposes of general interest by making data available based on data altruism at large scale.

Data users, i.e. natural persons or legal entities who wish to process data for a general interest purpose, may address a respective request to a D.AO. Based on this request, the D.A.O will either seek consent, through an EU template consent form, from data subjects for personal data to be altruistically shared, or a permission from data holders for the sharing of non-personal data. Data will then be provided to data users by the D.A.O under the terms of the granted consent/permission, in a secured processing environment.

About the European Health Data Space ('EHDS'):

The EU’s proposal for a European Health Data Space ('EHDS'), which is the first sectoral law on the EU’s Data Strategy for the creation of a single market for data, sets out a regime for the primary and secondary use of health data through a secure EU data space.

The rules on the primary use of a person’s electronic health data aim at the provision of direct individual health services throughout the EU and the empowerment of EU citizens’ rights over their health data, especially of their right to data portability. The secondary use of health data under the EHDS, allows electronic personal and non-personal health data (all deemed as electronic personal data), to be further processed for a specific set of “secondary use” purposes, such as research and innovation activities, policy-making, personalized medicine, regulatory activities etc.

Sharing of electronic health data would take place between data holders and data users, through designated national authorities at member state level, called the Data Access Bodies. The latter are responsible for granting access to electronic health data to data users upon a data access application filed by a data user.

Most entities in the pharmaceutical, healthcare, and MedTech sectors, including hospitals and public health bodies, as well as companies undertaking research in relation to these sectors fall under the definition of ‘data holders’, whereas there is a broad definition of data users, covering any legal or natural person having lawful access to personal and non-personal electronic health data for secondary use.

Under the EHDS, Data Holders would be required to allow access to certain categories of data, ranging from data from health registries and clinical trials; however, access may only be granted where the intended purpose for processing satisfies Article 34(1) of the Proposal, which includes, amongst others:

• (a) activities for reasons of public interest, development and innovation activities in the area of public and occupational health,
• (b) scientific research related to health or care sectors,
• (c) ensuring high levels of quality and safety of health care, medicinal products, or devices,
• (d) training, testing, and evaluating of algorithms, including in medical devices, AI systems, and digital health applications contributing to the public health or social security, as well as
• (e) providing personalised healthcare consisting in assessing, maintaining, or restoring the state of health of individuals.

All data holders need to communicate to the HDAB a general description of the data set they hold, so that each HDAB can make available a public national dataset catalogue. Any data user can address a data access application for one of the permitted purposes to the HDAB. The HDAB reviews the application and issues a permit for access to the requested data set within 2 months. In this case, the data holder needs to make the requested EHD available to the HDAB within 2 months, for the latter to provide the data to the data user within a secure processing environment.

Interplay between the DGA, the EHDS and Clinical Research:

Undoubtedly, the new regime of the DGA and the EHDS may multiply interact with the complex universe of clinical research, since hospitals and sponsors definitely fall under the definition of “data holders”, whereas patients, which are data subjects offering their personal data in the context of a research protocol, may also wish to engage in data altruism activities.

Starting with the DGA, it is essential to understand that it is not a mandatory framework, as data altruism depends on the voluntary sharing of data. In this sense, the DGA cannot enforce of fine sponsors or sites to grant a permit for the sharing of non-personal data for purposes of public interest. As public interest purposes will be defined at national level of member states and that the DGA doesn’t actually shed light on how compliance of data users with the purpose of the permit will be ensured, the burden of evaluating the intended purpose towards possible risks in sharing the data actually lies upon the data holder. For example, although the DGA speaks of data holders sharing non-personal data, if a sponsor is requested to share clinical trial data for a rare disease, there is definitely a re-identification risk for the sponsor to consider. However, if an enrolled study subject provides a data altruism consent for the sharing of data collected in the context of a clinical trial protocol, the Sponsor, as Controller of the data, is indirectly engaged in an obligation to make personal health data available to this study subject, most probably through enabling the exercise of GDPR rights, such as the right to data portability or the right of access.

When the EHDS becomes applicable, all data holders, including sponsors and sites based in the EU and processing e-health data of EU-citizens (as well as of third country citizens residing in the EU) will have the legal obligation to provide a general description of the data set they hold to the HDAB. Subsequently, they will be mandated to make electronic data available in two months from receiving the request from the HDAB, even if the data is protected by IP rights and trade secrets, when a respective permission is granted by the HDABs. The EHDS (art. 33) speaks of obtaining all necessary measures to protect IP and trade secrets, but it remains to be seen how protection of these rights will actually be safeguarded.

It goes without saying, that these new provisions run in parallel with existing obligations of the clinical trials regime, such as the EU Clinical Trial Regulation ('CTR'), Godd Clinical Practices ('GCP') rules and, of course the GDPR, which includes the obligation to rely on a valid legal basis for each processing activity.

Consent is one of the legal bases used for clinical research, however -and due to its strict conditions- it is not considered as a privileged legal basis for clinical studies. So, the legal basis actually depends on the approach of each country where the clinical trial is run. It should be noted, that the European Data Protection Board ('EDPB') disfavors consent as a legal basis, in cases where the GDPR requirement for the latter to be the expression of a person’s free will cannot be ensured. In other words, an enrolling patient may be considered under circumstances as being unable to express a conscious choice to participate in a clinical study, given his poor health condition and a possible difficulty to understand how data will be processed in the complex regime of a clinical trial; this information asymmetry would create a situation of dependency between the patient and the doctor/healthcare institution, which would put the legal validity of a provided consent at stake.

Now a lot of ink has been spilled over the nature of the new data altruism consent, especially when it comes to health research projects. The DGA speaks of a GDPR consent, as the legal basis for data altruism activities; however, given the GDPR requirement to provide consent for specific purposes, an issue for discussion is whether the data altruism consent will be deemed as a broad research consent, considering that the Preamble of GDPR acknowledges broad research consent, however a relevant provision in not included in its main body of rules. Also, it will be interesting to see how data altruism consent will interact with the clinical research environment and, especially, the consequences of consent withdrawal, given that consent will be gathered by D.A.O.s as controllers, not the sponsors through the Informed Consent Form ('ICF').

Finally, it should be mentioned that the EHDS disfavors consent as a legal basis (art.33.5) and provides the necessary EU framework for the secondary use of data under the legal bases of substantial public interest, healthcare provision and management, public health and scientific research. However, the Final Text of the EHDS Proposal, accepting the EU Parliament’s Report, includes an ‘opt out’ clause from the secondary use health data in favor of patients, which definitely resembles consent withdrawal, although consent is not actually an acceptable legal basis for secondary use under the EHDS.

In any case, the inclusion of an opt-out clause, demonstrates that the EU has come across a big dilemma, as the EHDS obligatory sharing of e-health data for secondary use may result in a strong imbalance with the right to privacy and self-determination. So, there is a danger that the EU’s vision of a data driven economy may backfire, if EU citizens have the feeling that their health data are not adequately safeguarded and they are actually being materialized, instead of used for a novel cause.

To conclude with, there is no doubt that the new regulatory landscape of the DGA and the EHDS raises challenges and uncertainties, as to how it will be implemented in the field of clinical research. Some authors speak of a possible exemption of clinical trials from the scope of data altruism, as sharing of data could potentially jeopardize the quality of the final data analysis of a clinical trial’s data set. Also, there is an obvious fear of an industry spending so much money and effort in collecting and evaluating health data, when having to share this data for free with third parties, who are allowed to use them for commercial purposes, if this is justified under a ‘public interest’ shield.

To resolve such concerns, the EU must work in two ways:

1. Firstly, as regards health research organizations, providing incentives for engaging in data altruism activities, such as free access to data analysis tools, as well as building up on measures to substantially protect IP rights and trade secrets.
2. Secondly, as regards data subjects and especially patients involved in clinical trials, transparency and digital literacy, would result in diminishing the digital gap and in gaining their trust in data altruism.

Gaining the bet of people’s trust, will eventually provide benefits to organizations involved in clinical research: if more members of society participate in data altruism, we will be having access to better balanced, high-quality and non-biased data, which will contribute to the reduction of time and costs for health research.

You can contact Ersi Michailidou at a.c.michailidou@pharmarketing.net