In 2021, the European Commission published its Assessment of the EU Member States’ rules on health data in the light of General Data Protection Regulation. The Commission concluded that the GDPR has been interpreted in many ways in the EU as regards health research, and national implementation legislation has resulted in a fragmented legal landscape. Several lawful bases are used as a legitimation for the secondary use of health data. I address the Dutch legislation on the re-use, or secondary use of health data for scientific research where explicit consent is the general rule. However, both the GDPR, the Dutch GDPR Implementation Act and sectoral health legislation leave room for alternatives. I conclude that a further review of these alternatives is required to enhance scientific health research with the secondary use of health data, and I sketch a few avenues for further exploration.
More than three years have passed by since the advent of the General Data Protection Regulation (GDPR).1 Unfortunately, one of the primary objectives of the GDPR, i.e., to provide a set of harmonised data protection laws across all member states,2 has not yielded full effects as regards the secondary use of health data for scientific health research. A truly coherent European approach has not been achieved yet, since member states have adopted various implementation laws whilst the interpretation of the GDPR framework substantially differs as well.3 As a result, a fragmented legal landscape has arisen. The GDPR provides for six lawful bases for the processing of personal data, as well as a number of exemptions for the processing of health data for scientific research purposes. The different approaches by member states obstruct transnational, multi-centre research, for instance because research consortia have to use several lawful bases or different consent mechanisms. This has a material impact on scientific research and public health.4
This article elaborates on the following themes. I start with a delineation of this article (Section 1.1) after which I explain its structure and purpose (Section 1.2). I continue with the EU data protection framework, in particular the lawful basis of the data subject’s explicit consent, and alternatives to consent for health research (Section 2). Then, I outline the legal framework in the Netherlands, with a focus once again on the lawful basis of consent and alternatives to consent for health research (Section 3). A few examples exemplify the quest for the (most) appropriate lawful basis and the hurdles to overcome with the lawful basis of consent in health research (Section 4). Subsequently, I sketch a few avenues for further exploration (Section 5). This article ends with some concluding remarks (Section 6).
1.1 Delineation of This Article
Pursuant to the GDPR, personal health data encompass all data about the health status of an individual.5 Health data are used for diagnosis and care, and these data are also used for other purposes than the original purpose, for instance the secondary use for health research. When health data are used for secondary health research, no (additional) intervention is asked from the (former) patient. In other words, the health data already exist and have been acquired for diagnosis and care. This secondary use must be distinguished from the use of health data for clinical trials, inter alia, when an (additional) intervention from the patient is required. This article focuses on the secondary use of health data for research purposes. This use may encompass big data research and research with the techniques of artificial intelligence.6
A second delineation concerns the focus on the Dutch implementation legislation. Whilst discussing other lawful bases for the secondary use, I focus on the Dutch situation. Implementation legislation in other EU member states will slightly be touched upon as well, to illustrate other legislative options. Furthermore, I will confine myself to the secondary use of health data for scientific research, both by public and private organisations. Thus, for now, the (further) use of health data for public health or international health emergencies, for instance, will not be discussed.7
On a semantic level, I generally refer to the identified or identifiable natural person as the data subject.8 When elaborating on sectoral health legislation, I also refer to the individual as the patient. Additionally, words importing the masculine shall include the feminine and words importing the singular shall include the plural or vice versa.
1.2 Aim and Research Questions
The aim of this article is to shed light on the Dutch implementation of the GDPR as regards data processing for secondary health research. I exemplify some hurdles which impede secondary health research. I elaborate on the following main question: in which way is the data processing for secondary health research solidified in the Dutch GDPR Implementation Act, as well as in sectoral health law and the Code of Conduct for health research?9 And, which lacunas can be observed?
I address the following two sub-questions. First, in which way is the lawful basis of consent reflected in the GDPR and Dutch legislation, in particular the Dutch GDPR implementation act,10 sectoral health legislation and the Code of Conduct for health research? Secondly, in which way do the GDPR and Dutch legislation provide for alternatives to fill the lacunas?
2 EU Legal Framework
The right to the protection of personal data is a fundamental, but not an absolute right.11 It must always be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.12 The GDPR provides for rules that aim to give data subjects control over their own personal data.13 To this end, the GDPR stipulates that personal data may be processed on the basis of consent by the data subject or another legitimate basis.14
As health data are, by their nature, particularly sensitive, the GDPR contains strict rules for the processing of such data.15 At the same time, the GDPR recognises the importance of scientific research and the use of health data to this end.16 Under the conditions set-out in the regulation, member states are allowed to implement a regime for the use of health data for scientific research.17 Moreover, the regulation acknowledges that the explicit consent by data subjects may not always be the most appropriate lawful basis for processing their health data for such scientific research.18 The lawful basis of public interest19 and legitimate interest,20 all in combination with Article 89 GDPR, are other lawful bases for processing health data. Furthermore, the GDPR incorporates a number of principles which foster scientific research as referred to above.21 For instance, Article 5 (1)(b), second sentence of the GDPR leaves room for “further processing (…) for research purposes (…) in accordance with Article 89 (1), which is not considered incompatible with the initial purposes.” In the next paragraphs, I consider the lawful basis of consent in health research without an (additional) intervention, thus answering sub-question 1. Furthermore, I elaborate on alternatives to the lawful basis of consent, thus answering sub-question 2. Both the GDPR (primary law), as well as Opinions and Recommendations by the European Data Protection Board (EDBP) and the European Data Protection Supervisor (EDPS) will be included in the analysis.
2.1 GDPR Consent
Consent, as defined in Article 4 (11) GDPR, means
(…) [A]ny freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.22
Article 9 (1) GDPR prohibits the processing of special categories of personal data, including health data. Subsequently, Article 9 (2) GDPR lists exceptions to this prohibition, one of which is the data-subjects’ explicit consent. The concept of this explicit consent emphasises the data subject’s autonomy and informational self-determination with regard to the (re-)use of his data whilst he is also entitled to share in scientific advancement and its benefits.23 Then, the GDPR neither defines the scope of consent to certain areas of scientific research, nor does it define the scope of scientific research itself.24
The EDPB Guidelines on consent under Regulation 2016/ 679 state that
(…) [G]enerally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment (…).25
This leaves the door ajar for a somewhat broader interpretation of the concept of consent. Recital 33, for instance, recognises that it is often not possible to fully identify the purpose of the processing for scientific research purposes at the time of data collection and, therefore, allows data subjects to consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.26 Nevertheless, the EDPB adds that that “applying the flexible approach of recital 33 will be subject to a stricter interpretation and requires a high degree of scrutiny.”27 In case of health research, the element “informed” may not be completely achieved at the time when the research is initiated. In this respect, the patient’s consent is reflected in the trust and the reasonable expectations based on his relationship with the controller, i.e., the health research institute.28
Thus, the Guidelines set extra conditions to safeguard that the notion of scientific research may not be stretched too far. The Guidelines require that a research project be established pursuant to relevant sector-related methodological and ethical standards. For instance, the concept of broad consent is included in the World Medical Association’s Declaration of Taipei,29 the Organisation for Economic Cooperation and Development’s Guidelines on Human Biobanks and Genetic Research Databases,30 and the Council of Europe’s Recommendation of the Committee of Ministers to member States on research on biological materials of human origin.31
Recital 33 GDPR allows for some flexibility to the degree of specificity of consent within the framework of scientific research.32 In a research project, it occurs that the purpose(s) cannot completely be specified yet at the time of data collection, but only in a high-level way. However, the EDPB reiterates that the phrase ‘broad consent’ has neither been included in the recitals nor in the GDPR itself. So, although consent for scientific research can be provided on a more general level, the scope of consent may not be stretched too far either.
The lawful basis of consent poses other dilemmas in scientific health research as well. Explicit consent requires an action from the data subject. Health research often consists of longitudinal research over a prolonged period of time. When the health data were collected from the data subject, the researchers may not have been aware of findings that became known at a later stage and which may give rise to new research. From an ethical perspective, asking repetitive consent may pose an additional burden on the data subject. And, the data set will hardly ever be complete as a result of which a research bias may exist. Additionally, the use of data for another research purpose is considered incompatible with the original data processing and consent asked from the patient at an earlier stage. Furthermore, EU member states give different interpretations to the concept of consent.33 Finally, the concept of explicit consent as one of the exceptions to the processing of special categories of personal data has not been defined separately in the GDPR. In view of this, I will explore to what extent other lawful bases, notably the lawful bases of public and legitimate interest may be alternatives for explicit consent in health research.34
2.2 Alternatives to Consent for Secondary Health Research in the GDPR
The GDPR encourages scientific research, including health research. Be that as it may, the processing must be fair, lawful and transparent and the data subject’s rights must be observed.35 Some exceptions apply to the information requirement, the right to erasure and the right to object. In recital 54, the GDPR refers to the processing of special categories of personal data for reasons of public interest in the areas of public health, without consent from the data subject.
The first alternative to consent is enunciated in Article 6 (1)(e) together with Article 9 (2)(i) GDPR. However, the exception must be based on national or EU law, where the legislation must include the protection of rights and freedoms of the data subject. One example to this end is the implementation into national law of the WHO regulations on infectious, transmittable diseases, such as the COVID-19 virus.36 Another example are public based registries, such as tumour or cardiovascular registries or registries with regard to chronical illnesses. Recital 157 of the GDPR refers to these registries, but the acknowledgment of the public interest as the lawful basis with (additional) national legislation is still subject to discussion. These registries are an important source of data for scientific research. I turn to the Dutch situation in Section 3.2 below.
The second alternative to consent concerns Article 6 (1)(e) together with Article 9 (2)(j) and Article 89 (1) GDPR which provides for the research exception.37 In this regard, the controller must implement the necessary safeguards and conditions which have also been laid down in Article 5 GDPR to protect the rights and freedoms of the data subject. Article 89 (2) GDPR and Recital 156 GDPR allow member states to adopt a longer list of derogations. Similar to the principle of the processing of health data in the public interest, this exception must also be based on national law. Additionally, Article 9 (2)(j) together with Article 89 (1) and (2) GDPR require a proportionality test, i.e., the balancing between the processing of personal data in the interest of health research and the minimum use of personal data with the required safeguards and conditions accounted for. Again, the controller must adopt the necessary safeguards, i.e., data minimisation, technical and organisational measures, privacy by design and default, and guidelines as regards pseudonymisation and further processing.38 Furthermore, the ethical standards must be recognised parallel to the lawful parameters.
Although the GDPR does not provide for a definition of scientific research, Recital 159 refers to the objective of achieving a European research area, as laid down in Article 179 of the Treaty on the Functioning of the European Union (TFEU).39 Therefore, personal data may be processed for research purposes, including technological developments. Furthermore, the GDPR recognises the importance of the compilation of data in registries for research purposes and the difficulty which could arise from the fact that a subsequent purpose of data processing for research does not exist yet at the beginning of the data collection.40
The third alternative to the lawful basis of consent is the legitimate interest in Article 6 (1)(f) GDPR, together with Article 9 (2)(j) and Article 89 (1) GDPR.41 This lawful basis provides for three conditions that must be met, i.e., the processing must be necessary (the necessity-test), it must serve a well-defined purpose (the purpose-test), and it serves a right that goes beyond the individual rights and freedoms (the balancing test).42
3 Legal Framework in The Netherlands: Consent and Other Lawful Bases
The Dutch legal framework includes a wide array of legislation in addition to the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).43 First, the Dutch Constitution, in particular Article 10 (right to privacy) and Article 11 (right to integrity) protects the individual’s privacy which is inherent in his informational and physical self-determination.44 Then, the processing of personal data concerning health is governed by the Medical Treatment Contracts Act (Wet Geneeskundige Behandelingsovereenkomst).45 The Authority over Bodily Material Act (Wet Zeggenschap Lichaamsmateriaal, Wzl) is a draft act on the collection and usage of human tissue and other bodily materials. This act has been under construction by the Dutch Parliament since 2004 but it has not been implemented yet.46 Then, in January 2022, a new Code of Conduct for Health Research (Gedragscode Gezondheidsonderzoek) was published.47 It has replaced the previous Code of Conduct for Health Research (2004) and the Code of Conduct for Responsible Use of Human Tissue (2011).48 The codes are self-regulatory codes of conduct.
The next two paragraphs elaborate on the provisions as regards the secondary use of health data for research in Dutch law.49 The focus is on the Medical Treatment Contracts Act, the GDPR Implementation Act and the Code of Conduct for health research. Reference is also made to the draft Authority over Bodily Material Act, although this act has not been adopted yet by the Dutch Parliament. Similar to the elaborations on the EU legal framework, I start with the lawful basis of consent in Dutch law, followed by alternatives to consent in secondary health research.
3.1 Consent in Dutch Law
The Dutch Medical Treatment Contracts Act provides for the general rule of consent for the (further) use of health data for research purposes (Article 7:457), followed by the exception (Article 7:458).50 The exception is subject to the following conditions pursuant to Article 7:458 para. 1: a) asking consent is reasonably not possible and, in the execution of the research, there are safeguards such that the data subject’s privacy is not disproportionately harmed; or b) considering the nature and objective of the research, asking consent cannot be asked in reasonableness and the physician has ensured that the data be issued in such a way that the retracement of the data to individual, natural persons is reasonably prevented. Furthermore, Article 7:453 para. 2 dictates that the data only be issued pursuant to these exceptions, provided that the research is carried out in the public interest, the research cannot be carried out without these data and in so far as the patient involved has not explicitly objected to the submission of these data. Then, Article 7:453 para. 3 provides that a notification be included in the medical record as regards the submission of data to this end.
The draft Authority over Bodily Material Act includes similar provisions in Article 14 (consent) together with Article 17 (exception to the general rule of consent).51 However, Article 6 on the use of sensitive human tissue is subject to consent only.52 Article 1 (definitions) of the draft provides for a definition of consent which has the same components as the GDPR consent in Article 4 (11) GDPR. The Dutch GDPR Implementation Act imposes four cumulative obligations on the controller when the exception to the general rule of consent is invoked.53 These conditions are as follows. First, the processing must be necessary with a view to, inter alia, scientific research pursuant to Article 89 (1) GDPR. Secondly, the investigation must be for purposes in the public interest. Thirdly, asking explicit consent proves to be impossible or requires a disproportionate effort on the part of the controller. Fourthly, in its execution, there are safeguards such that the data subject’s privacy is not disproportionately harmed.
The Code of Conduct for health research also provides for the general rule of explicit consent as regards the secondary use of health data for research, pursuant to Article 6 (1)(a) together with Article 9 (2)(a) GDPR and Article 14 of the draft Authority over Bodily Material Act.54 In summary, explicit consent is the general rule for the secondary use of health data. However, both the Dutch Medical Treatment Contracts Act, the Dutch GDPR Implementation Act, the draft Authority over Bodily Material Act and the Code of Conduct for health research provide for an exception to this general rule. The next paragraph focuses on alternatives for explicit consent in Dutch law.
3.2 Alternatives to Consent for Secondary Health Research in Dutch Law
The exception to explicit consent in the Dutch legislation as referred to above in Section 3.1, leaves room for the data processing in the public interest by a research institute.55 The four cumulative conditions must be met and the institute must guarantee that the relevant technical and organisational measures have been implemented. Furthermore, the data subject must individually be informed about the main facts of the research, its purpose and the further use of his data. Additionally, the data subject has the right to object and he must be able to easily exercise this right. This system is also referred to as ‘opt-out-plus’.56
In other words, if explicit consent as referred to in Article 6 (1)(a) together with 9 (2)(a) GDPR is not feasible, then recourse can be taken to the exception in Article 7:458 Dutch Medical Treatment Contracts Act, Article 24 together with Article 28 Dutch GDPR Implementation Act, Article 17 draft Authority over Bodily Material Act and Section 5 Code of Conduct for health research.57 In these instances, the further processing must be in the public interest. The lawful basis of the legitimate interest is not used in the Netherlands as opposed to its application in some other member states.58 In my view, the focus on the lawful basis of consent with room for few alternatives obstruct scientific health research. Other lawful bases merit further exploration to enhance the secondary use of health data for further research. The next paragraph continues with a few examples where the search — and struggle — for the (most) appropriate lawful basis come to light and which call for a solution.59
4 In Search for the (Most) Appropriate Lawful Basis for Secondary Health Research: A Few Examples
The first example concerns the data processing by population-based registries and further research carried out with these data.60 I consider that the further use of data collected by these registries could either fall within the lawful basis of the public interest,61 the legitimate interest,62 or within the exception of 7:458 Dutch Medical Treatment Contracts Act. Furthermore, new legislation is designed for population-based registries in the Netherlands at present.63 However, this new legislation finds its lawful basis in Articles 6 (1)(c) together with Article 9 (2)(i) GDPR, i.e., the processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.64 The further processing for scientific research has not been included. National health registries, for instance the Netherlands Cancer Registry (Nederlandse Kanker Registratie, NKR), provide statistics on different diseases in the Netherlands, such as cancer. The Netherlands Cancer Registry is an important source of data for the Netherlands Comprehensive Cancer Organisation (Integraal Kankercentrum Nederland, IKNL) which carries out scientific research with these data.65
Additionally, the legislative proposal does not include all registries (yet) whereas the recent pandemic has given rise to the necessity for new registries, with similar questions about the lawful processing of health data. I mention the initiative by Health-RI for a national COVID-19 citizen control registry.66 On one hand, this initiative focuses on the expression by citizens via a web-based register to consent and/ or object to the use of their healthcare data and samples for COVID-19 studies. On the other hand, the web service enables researchers and caregivers to verify whether the participants in their research have consented or objected to the use of their data. In my view, a further clarification about the lawful basis proves useful for the public communication to inform citizens about the use of health data for research purposes. As of now, both the opportunity to consent or to object are mentioned in the National COVID-19 citizen control registry as part of the Data Support Programme. In other EU member states, such as Sweden, Denmark and Finland, health data are processed for all patients according to their National Policy on Data Registries and Epidemiologic Research.67 An exception is made for those patients who explicitly deny access, i.e., opt out for this further use. A shared feature of legislation in these Nordic countries is that informed patient consent is not required for the collection of large-scale data in national registries such as the National Cancer Registries.
The second example concerns those situations in which the (former) patient is unable to give his explicit consent. In the Dutch Code of Conduct for health research reference is made, inter alia, to (former) patients who have died, or (former) patients whose current address is not known in the national key register of persons (Basisregistratie Personen), as a result of which the risk for a data breach arises. Additionally, asking (repetitive) consent could pose an unethical burden on the data subject, for instance when he finds himself in a vulnerable position or when he would like to continue with his life and leave the period of his illness behind.68 In these instances, the risk of incomplete data sets and, therefore, a bias in the data, may occur.
The third example concerns the complexity as regards the concept of consent itself. The GDPR includes extra requirements for consent.69 As a result, it is difficult to determine further conditions for explicit consent. And, the data subject himself may be confused about the different types of consent that he gives in various situations. For instance, the informed consent by a patient in a clinical trial is somewhat different from the explicit consent in the GDPR.70 Additionally, the EU member states have approached the concept differently. In the Netherlands, the former Dutch Data Protection Act (Wet bescherming persoonsgegevens) provided that the data subject could express his explicit consent in words spoken or written, or acts performed by him.71 The EDPB refers to “an unambiguous indication of wishes” by means of a statement or by a clear affirmative action.72 In my view, consent could lose its value in practice with the different interpretations of consent.73 The lawful basis of consent serves the data subject’s interests, but the concept deserves clarification as a lawful basis for health research.74
In Europe, other methods for data processing of health data for research are sought which equally serve the individual’s and the societal interest.75 The GDPR provides for alternatives to explicit consent, i.e., the lawful bases of the public interest or the legitimate interest in combination with Article 9 (2)(i) or (j) GDPR. However, the comparison in Europe referred to above shows a varied approach in this respect. For instance, Germany allows for the further use of health data in case of ‘an overriding legitimate interest’, and other member states allow for the data processing in the public interest. In my view, the advantage of the lawful basis of the public interest is the disadvantage at the same time. When does the processing take place ‘in the public interest’? As regards the lawful basis of the legitimate interest, both the advantage and disadvantage is vested in defining the principle as well.
In summary, all lawful bases encompass both advantages and disadvantages. However, the largest hurtle to overcome, in my view, are the varied approaches across Europe with the application of various lawful bases. This results in a delay of international multi-centre research. Secondly, the lawful basis of explicit consent may not be feasible in certain researches, such as longitudinal research where multiple sub-researches are carried out which were not known from the outset. Thirdly, the lawful basis of explicit consent may impose a disproportionate burden on the individual whereas the data controller is actually accountable and responsible for the data processing, regardless of the individual’s rights as a data subject, and regardless of whichever lawful basis is invoked. The next paragraph continues with some avenues for further exploration.
5 Avenues for Further Exploration
The current legal framework, both in Europe and the Netherlands, neither solves pending, practical questions nor provides for a comprehensive structure as regards the secondary use of data for health research. I sketch some avenues for further exploration upon answering the following questions:
(1) Does the existing European or Dutch (health) legislation require further harmonisation or, perhaps, additional sectoral health legislation for secondary research?
(2) If such harmonisation is desirable, what would be the optimum regulatory approach by the EU or the Dutch legislator? Is primary law required or does soft law, such as recommendations and guidelines, together with Codes of Conduct, suffice?
I will shortly elaborate on these avenues. First, though the GDPR aimed at further harmonising the free flow of data on one hand, and the data protection on the other, a coherent approach across Europe cannot be observed. In my view, the GDPR provides for a general framework as the regulation states itself, and it includes the necessary provisions for enhancing health research within the EU borders and beyond. I do not deem a revised GDPR necessary as such, but I welcome a further clarification on certain concepts by the EDPB and/ or EDPS. For instance, a further opinion on Article 89 GDPR is currently prepared by the EDPB. In particular, an opinion from the EDPB is awaited on appropriate safeguards for scientific research under Article 89 (1), following a previous study which was carried out in 2019.76
Additionally, I welcome the adoption of specific EU legislation which promote the transfer of data across borders, thereby supporting both delivery of care as well as research and innovation. In this respect, the European Commission and the European Data Protection Supervisor (EDPS) advocate the creation of a European Health Data Space.77 I also refer to the proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act),78 as well as the Data Act.79
As regards Dutch law, a further harmonisation can be realised on the interpretation of the relevant provisions of the Dutch Medical Treatment Contracts Act, in particular Article 7:457 together with Article 7:458. At present, the patient either gives his consent for the use of his health data for further research, or he is individually informed about this further use and he may object to this.80 In this respect, I welcome a more flexible approach to the scope of consent in the first place. For instance, a patient gives his broad(er) consent to the use of his health data for further research, when he has his first appointment at the health institute. He is properly and individually informed and he has the right to withdraw his consent.81 Secondly, when asking consent is not feasible as explained in para. 3.2 above, then recourse can be taken to the exception in Article 7:458.
Another solution, in the long run, includes the introduction of sectoral health legislation for the purpose of scientific research.82 Several explorations have already been carried out in this respect, which vary from an extension of the Dutch Medical Research Involving Human Subjects Act (Wet medisch-wetenschappelijk onderzoek met mensen) to integral sectoral health legislation.83 Apart from the question whether integral sectoral health legislation is feasible considering the large scope, it will definitely be a lengthy process whilst a speedy solution is necessary at the same time. Besides, the scope for change also depends on the trust expressed by the population in legislative initiatives and the institutions which process the health data.84
With regard to the second question, i.e., regarding the optimum regulatory approach, I view that codes of conducts could be helpful in a further harmonisation.85 International and European initiatives have been launched with a Code of Conduct in health research, developed by BBMRI-ERIC, the Code of Conduct for Healthcare Professionals and Scientific Organisations, developed by the Alliance for Biomedical Research in Europe, and the Framework for Responsible Sharing of Genomic and Health-Related Data, developed by the Global Alliance for Genomics and Health.86 The EDPB issued Guidelines on Codes of Conduct and Monitoring Bodies in 2019.87 However, the EDBP introduced the obligation of a monitoring body pursuant to Article 41 (1) and (4) GDPR, whereas Article 41 (1) GDPR refers to the possibility (“… may be carried out by a body …”) rather than an obligation.88 Because of this additional requirement and the fact that not all member states would want to rely on self-regulatory codes of conduct, it is unlikely that this instrument will be implemented in Europe in the short run. In the Netherlands, the new Code of Conduct for health Research provides for an extensive framework so as to equally protect the individual and enhance health science. At present, an implementation and communication plan is drafted for further dissemination.
In summary, the European and Dutch legal frameworks echo the need for further guidelines and an insight into the general framework that the GDPR provides. The Dutch sectoral legislation has resulted in a legislative patchwork throughout the years, with ‘old’ and ‘new’ legal answers to the secondary use of data in health research. I recommend a further harmonisation on the interpretation of the Dutch Medical Treatment Contracts Act whilst a further elaboration continues on sectoral health legislation. On a European level, the initiative for a European Health Data Space and specific legislation on data exchange can enhance both innovation and research across Europe and beyond. I recommend that the EDPB and EDPS continue to provide answers to legal, practical dilemmas with guidelines and opinions.
6 Concluding Remarks
Several lawful bases can be sought for the further processing of health data for scientific research. Still, the member states are at the heart of the national implementation as a result of which a fragmented approach has arisen as regards this data processing which does not favour pan-European and international data sharing. The lawful basis of explicit consent serves the individual’s expression at best, whereas the lawful bases of the public and legitimate interest aim to serve the public and societal interest of data sharing as well. All lawful bases seek to protect the individual’s data and to guarantee that the individual may exercise his rights as a data subject. The GDPR is a framework regulation and does not show a regulatory preference between explicit consent and the other lawful bases.
In this article, I have considered in the first place that the lawful basis of explicit consent is one of the lawful bases for the secondary data processing of health data for research. Another lawful basis currently used in the Netherlands, is the ‘opt-out-plus’ system as incorporated into the Dutch Code of Conduct and Dutch sectoral legislation, provided that the four cumulative conditions as laid down in the Dutch GDPR Implementation Act and the sectoral legislation are met. Furthermore, the lawful bases of the public and legitimate interest are applied in some countries in Europe as well, and deserve further attention in the Netherlands.
To this end, I welcome a further harmonisation on the interpretation of the Dutch Medical Treatment Contracts Act, and I encourage sectoral health legislation in the long run. As regards the Code of Conduct for health research, I conclude that this framework provides for relevant, practical solutions. However, if a monitoring body need be implemented, then I advise to have a close look at existing monitoring bodies for health research within the health institutions rather than introducing yet another monitoring body.
The author wishes to express her gratitude to prof. dr. mr. Gerrit-Jan Zwenne and prof. dr. ir. Marjanka Schmidt for their valuable comments.
Conflict of interest
The author declares that there is no conflict of interest.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). To be referred to hereafter as GDPR.
European Commission, Assessment of the EU Member States’ rules on health data in the light of General Data Protection Regulation (Brussels: European Commission, 2021), available online at https://ec.europa.eu/health/sites/default/files/ehealth/docs/ms_rules_health-data_en.pdf (accessed 10 January 2022); European Data Protection Supervisor, Preliminary Opinion 8/2020 on the European Health Data Space, https://edps.europa.eu/sites/default/files/publication/20-11-17_preliminary_opinion_european_health_data_space_en.pdf (accessed 4 February 2022).
Recital 3, 5, 7, 8 and 9 GDPR.
For an overview of the different approaches as regards health data systems and governance in Europe, see L. Abboud, S. Cosgrove, I. Kesisoglou, R. Richards and F. Soares, Summary of Milestone 5.1 & 5.2 Annex A | Case studies: different governance and health data systems in Europe (Helsinki: TEHDAS, 2021), available online at https://tehdas.eu/app/uploads/2021/09/tehdas-annex-a-case-studies-different-governance-and-health-data-systems-in-europe-2021-09-28.pdf (accessed 29 April 2022).
Consortium Partners Towards European Health Data Space, Deliverable 5.1, Report on secondary use of health data through European case studies. Barriers on cross-border sharing of health data for secondary use and options to overcome these (Brussels: European Commission, 28 February 2022), available online at https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5dad1464c&appId=PPGMS.
Article 4 (15) GDPR: definition of ‘data concerning health’.
M. Mostert, A.L. Bredenoord, B. van der Sloot, and J.J.M. van Delden, ‘From Privacy to Data Protection in the EU: Implications for Big Data Health Research’, European Journal of Health Law 25 (2018) 43–55; M. Bourassa Forcier, H. Gallois, S. Mullan and Y. Joly, ‘Integrating artificial intelligence into health care through data access: can the GDPR act as a beacon for policymakers?’ Journal of Law and the Biosciences (2019) 317–335; L. Moerel and C. Prins, ‘Privacy voor de homo digitalis: proeve van een nieuw toetsingskader voor Gegevensbescherming in het licht van big data en Internet of Things’, Handelingen Nederlandse Juristen Vereniging 146 (2016) 9–124.
See, inter alia, the statement by the Science Academies of the Group of Seven (G7) nations, Data for international health emergencies: governance, operations and skills (London: Royal Society, 2021), available online at https://royalsociety.org/-/media/about-us/international/g-science-statements/G7-data-for-international-health-emergencies-31-03-2021.pdf (accessed 12 January 2022); World Health Organisation, Regional office for Europe, The protection of personal data in health information systems — principles and processes for public health (Copenhagen: WHO, 2020); R. Becker, A. Thorogood, J. Ordish and M.J.S. Beauvais, ‘COVID-19 Research: Navigating the European General Data Protection Regulation’, Journal of Medical Internet Research 22 (2020) e19799; B.M. Knoppers, M.J.S. Beauvais, Y. Joly, M.H. Zawati, S. Rousseau, M. Chassé and V. Mooser, ‘Modeling consent in the time of COVID-19’, Journal of Law and the Biosciences 7 (2020) lsaa020.
Article 4 (1) GDPR; M. Finck and F. Pallas, ‘They who must not be identified — distinguishing personal from non-personal data under the GDPR’, International Data Privacy Law 10 (2020) 11–36.
See https://www.coreon.org/gedragscode-gezondheidsonderzoek/ (accessed 4 February 2022); L. Ramerman, E.B. van Veen and T. Schermer, Inventarisatie herziening gedragscode gezondheidsonderzoek (Utrecht: Nivel, 2019).
V.E. Dörenberg and A.C. Hendriks (eds), Grondrechten in de gezondheidszorg. Liber Amicorum voor prof. mr. J.K.M. Gevers. (Houten: Bohn Stafleu van Loghum, 2010); M.C. Ploem, ‘Towards an Appropriate Privacy Regime for Medical Data Research’, European Journal of Health Law 13 (2006) 41–64.
Recital 4 GDPR. See European Data Protection Supervisor, ‘EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data’, 19 December 2019; G. Pavlakos, ‘Between Reason and Strategy: Some Reflections on the Normativity of Proportionality’, in: G. Huscroft, B.W. Miller and G. Webber (eds.), Proportionality and the Rule of Law: Rights, Justification, Reasoning (New York, NY: Cambridge University Press, 2014) 90–122.
Recital 7 GDPR.
Recital 40; Article 6 (1) GDPR.
Recital 51; Article 6 (1) together with Article 9 (1) and 9(2) GDPR. In this respect, I follow the interpretation that Article 9 (2) is complementary to Article 6 GDPR. E.S. Dove, ‘The EU General Data Protection Regulation: Implications for international scientific research in the digital era’, Journal of Law, Medicine and Ethics 46 (2019) 1013–1030.
See Recital 159 GDPR which clarifies that the research objectives pursued by the Regulation should take into account the Union’s objective under Article 179 (1) TFEU of achieving a European Research Area.
Recitals 52, 156 and 159; Articles 9 (2)(j) and 89 GDPR.
Recitals 33 and 156; Article 89 GDPR; Article 6 (1)(a) together with Article 9 (2)i or (j) GDPR. See Dove, supra note 15, who argues that other equally valid and lawful bases exist which may be more appropriate indeed. I follow this line of argument.
Article 6 (1)(e) together with Article 9 (2)(i) or (j) GDPR.
Article 6 (1)(f) together with Article 9 (2)(j) GDPR.
G. Schneider and G. Comandè, ‘Differential Data Protection Regimes in Data-driven Research: Why the GDPR is More Research-friendly Than You Think’, German Law Journal (4) (2022) 1–55.
See also the Opinion of Advocate General Szpunar of 21 March 2019 in Case C-673/17, Planet 49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e.V. (Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany)), in particular paras 68–70, CURIA — DOCUMENTS (EUROPA.EU) (ACCESSED 12 January 2022).
F. Thouvenin, ‘Informational Self-Determination: A Convincing Rationale for Data Protection Law?’ JIPITEC 12 (2021), available online at https://www.jipitec.eu/issues/jipitec-12-4-2021/5409; T. Hooghiemstra, ‘Informational Self-Determination, Digital Health and New Features of Data Protection’, European Data Protection Law Review 5 (2019) 160–174; A. Rouvroy and Y. Poullet, ‘The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy’, in: S. Gutwirth & Y. Poulet et al (eds), Reinventing Data Protection? (Dordrecht: Springer, 2009) pp. 45–76.
Recitals 33, 50, 51, 52, 156 and 159 GDPR; Articles 9(2)(j) and 89 GDPR.
European Data Protection Board (EDPB), ‘Guidelines 05/2020 on consent under Regulation 2016/679’, version 1.1, adopted on 4 May 2020, para. 3, p. 5.
E. Gefenas, J. Lekstutiene, V. Lukaseviciene, M. Hartlev, M. Mourby and K. Ó Cathaoir, ‘Controversies between regulations of research ethics and protection of personal data: informed consent at a cross-road’, Medicine, Health Care and Philosophy 25 (2022) 23–30.
Guidelines on consent, supra note 25, para. 157, 31.
Recital 50 GDPR; Articles 9(2)(j) and 89 GDPR. N.C. Halmsted Kongsholm and K. Kappel, ‘Is consent based on trust morally inferior to consent based on information?’ Bioethics 6 (2017) 432\–442; S. Kalkman, J. van Delden, A. Banerjee, B. Tyl, M. Mostert and G. van Thiel, ‘Patients’ and public views and attitude towards the sharing of health data for research: a narrative review of the empirical evidence’, Journal of Medical Ethics 48 (2022) 3–13; S. Holm, T. Birk Kristiansen and T. Ploug, ‘Control, trust and the sharing of health information: the limits of trust’, Journal of Medical Ethics 47 (2021) e35.
Article 12, WMA Declaration of Taipei on ethical considerations regarding health databases and biobanks, adopted by the 53 WMA General Assembly, Washington, DC, USA, October 2002 and revised by the 67 WMA General Assembly, Taipei, Taiwan, October 2016.
Article 4.6 OECD Guidelines on Human Biobanks and Genetic Research Databases, 2009.
Article 11 Recommendation CM/Rec (2016)6 of the Committee of Ministers to member States on research on biological materials of human origin (Adopted by the Committee of Ministers on 11 May 2016 at the 1256th meeting of the Ministers’ Deputies).
EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research. Adopted on 2 February 2021, para. 25, 7. The forthcoming Guidelines by the GDPR on the processing of personal data for scientific research purposes will elaborate on this matter. R. Becker, D. Chokoshvili, G. Comandé, E.S. Dove, A. Hall, C. Mitchell, F. Molnár-Gábor, P. Nicolàs, S. Tervo and Adrian Thorogood, ‘Secondary use of Personal Health Data: when is it “Further Processing” under the GDPR, and what are the Implications for Data Controllers?’ European Journal of Health Law (2022) in press, DOI: 10.1163/15718093-bja10094.
Article 4 (11) GDPR.
Articles 6 (1)(e) and 6 (1)(f) GDPR.
The organisation that processes the personal data is vested with the requirements of fairness, lawfulness and transparency. In my view, the GDPR provides for a general framework that has to be shaped by the respective data controllers or processors. See also P.J. van de Waerdt, ‘Information asymmetries: recognizing the limits of the GDPR on the data-driven market’, Computer Law & Security Review 38 (2020) 105436.
For Dutch legislation in this respect, see: Public health act (Wet publieke gezondheid), available online at https://wetten.overheid.nl/BWBR0024705/2022-03-01 (accessed 22 March 2022), concept Act Quality registrations healthcare (Wet kwaliteitsregistraties zorg), available online at https://www.internetconsultatie.nl/wetkwaliteitsregistratieszorg (accessed 22 March 2022). See also G. Richter, C. Borzikowsky, W. Lesch, S.C. Semler, E.M. Bunnik, A. Buyx and M. Krawczak, ‘Secondary research use of personal medical data: attitudes from patient and population surveys in The Netherlands and Germany’, European Journal of Human Genetics 29 (2021) 495–502, DOI:10.1038/S41431-020-00735-3.
M. Beauvais, ‘The public interest and the GDPR’, brief on the online platform of the Global Alliance for Genomics and Health (GA4GH) (accessed 29 January 2022). D. Townend, ‘Conclusion: harmonization in genomic and health data sharing for research: an impossible dream?’ Human Genetics 137(8) (2018) 657–664.
C.F. Mondschein and C. Monda, ‘The EU’s General Data Protection Regulation (GDPR) in a Research Context’, in: P. Kubben, M. Dumontier and A. Dekker (eds), Fundamentals of Clinical Data Science (Cham: Springer, 2019) pp. 55–71, p. 67.
Consolidated version of the Treaty on the Functioning of the European Union, 26 October 2012, OJ L. 326/47–326/390; 26 October 2012.
Recitals 33, 157 and 159 GDPR.
Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (Article 70.1.b)), Adopted on 23 January 2019, available online at https://edpb.europa.eu/sites/default/files/files/file1/edpb_opinionctrq_a_final_en.pdf (accessed 21 July 2022). See in particular paras 25–32 and 34. European Data Protection Supervisor (EDPS), A Preliminary Opinion on data protection and scientific research (6 January 2022), available online at https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf (accessed 21 July 2021). See in particular para. 7.4, on p. 26.
I. Kamara and P. de Hert, ‘Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach’, Brussels Privacy Hub Working Paper 4 (12) (August 2018). For an overview of relevant case law on the legitimate interest, see G. Zanfir-Fortuna and T. Troester-Falk (The Future of Privacy Forum and Nymity), Processing Personal Data on the Basis of Legitimate Interests under the GDPR: Practical Cases, available online at https://www.ejtn.eu/PageFiles/17861/Deciphering_Legitimate_Interests_Under_the_GDPR%20(1).pdf (accessed 21 July 2022); E.B. van Veen, ‘Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate’, European Journal of Cancer 104 (2018) 70–80. Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, available online at https://ec.europa.eu/justice/Article-29/press-material/public-consultation/notion-legitimate-interests/files/20141126_overview_relating_to_consultation_on_opinion_legitimate_interest_.pdf (accessed 21 July 2022); M. Donnelly & M. McDonagh ‘Health Research, Consent and the GDPR Exemption’, European Journal of Health Law 26(2) (2019) 97–119, Section 3.1.
For an analysis of the relationship between European (data protection) law and Dutch health law, see A.C. Hendriks, ‘Europeesrechtelijke dimensies van het gezondheidsrecht: de vooruitziende blik van Leenen (Henk Leenenlezing 2020)’, Tijdschrift voor Gezondheidsrecht 45 (2021) 131–140.
See www.eerstekamer.nl/behandeling/20211015/verslag_inzake_regels_voor/document3/f=/vln5g2qe69zw.pdf; C.M. Ploem, Wetsvoorstel ‘zeggenschap lichaamsmateriaal’: nog veel om over na te denken …’, Tijdschrift Zorg & Recht in Praktijk 2 (2017) 21–26.
M.C. Ploem, T. Rigter and J.K.M. Gevers, ‘Medisch data-onderzoek in het AVG-tijdperk: een zoektocht naar de juiste regels’, Tijdschrift voor Gezondheidsrecht 44 (2020) 162–181.
Dutch Medical Treatment Contracts Act, available online at https://wetten.overheid.nl/BWBR0005290/2019-11-15/#Boek7_Titeldeel7_Afdeling5.
Article 6 draft Authority over Bodily Material Act, available online at https://zoek.officielebekendmakingen.nl/dossier/kst-35844-2.html; see also para. 5.13 Explanatory Memorandum, available online at https://zoek.officielebekendmakingen.nl/kst-35844-3.html, 27.
Article 24 Dutch GDPR Implementation Act.
Chapter 5 of the Code of Conduct for Health Research.
Articles 24 and 28 Dutch GDPR Implementation Act; Article 7:458 Dutch Medical Treatment Contracts Act. Also, Assessment of the EU Member States’ rules on health data in the light of GDPR, supra note 2, at 67.
S. Rebers, T. van der Valk, G.A. Meijer, F.E. van Leeuwen en M.K. Schmidt, ‘Zeggenschap over nader gebruik van lichaamsmateriaal: patiënt is het best gediend met ‘geen bezwaar’-procedure’, Nederlands Tijdschrift voor Geneeskunde 156 (2012) a4485; S. Rebers, E. Vermeulen, A.P. Brandenburg, T.J. Stoof, B. Zupan-Kajcovski, W.J.W. Bos, M.J. Jonker, C.J. Bax, W.J. van Driel, V.J. Verwaal, M.W. van den Brekel, J.C. Grutters, R.A. Tupker, L. Plusjé, R. de Bree, J.H. Schagen van Leeuwen, E.G.J. Vermeulen, R.A. de Leeuw, R.M. Brohet, N.K. Aaronson, F.E. Van Leeuwen and M.K. Schmidt, ‘A Randomised Controlled Trial of Consent Procedures for the Use of Residual Tissues for Medical Research: Preferences of and Implications for Patients, Research and Clinical Practice’, PLoS ONE 11(3) (2016) e0152509; E. Vermeulen, M.K. Schmidt, M.C. Cornel, B.M. Knoppers, F.E. van Leeuwen and N.K. Aaronson, ‘Connective tissue: Cancer patients’ attitudes towards medical research using excised (tumour) tissue’, BioSocieties 6 (2011) 466–486; E. Vermeulen, M.K. Schmidt, N.K. Aaronson, M. Kuenen, M.-J. Baas-Vrancken Peeters, H. van der Poel, S. Horenblas, H. Boot, V.J. Verwaal, A. Cats and F.E. van Leeuwen, ‘A trial of consent procedures for future research with clinically derived biological samples’, British Journal of Cancer 101 (2009) 1505–1512.
See https://www.coreon.org/wp-content/uploads/2022/01/Gedragscode-Gezondheidsonderzoek-2022.pdf (accessed 23 March 20220.
Assessment of the EU Member States’ rules on health data in the light of GDPR, supra note 2.
I follow the conclusions reached in the following report: J. Gerritsen and P. Verhoef, Datasolidariteit voor gezondheid — Verbeterpunten met oog voor ieders belang, (Den Haag, Rathenau Instituut, 2020).
Advies Commisie Governance en Kwaliteitsregistraties (Advice by the Committee Governance and Quality Registrations), Kamerstukken (Parliamentary papers) II, 2018–2019, 31476, nr. 28 (Annex), available online at https://zoek.officielebekendmakingen.nl/kst-31476-28.html (accessed 26 April 2022).
Article 6 (1)(e) and 9 (2)(j) together with Article 89 (1) GDPR; Article 24 and 30 Dutch GDPR Implementation Act. ECIS, European Cancer Information System, available online at https://ecis.jrc.ec.europa.eu/info/cancer_registries.html (accessed 24 March 2022). As regards the lawful basis, the Register of the Data Protection officer refers to scientific or statistical research purposes in para. 2, available online at https://ec.europa.eu/dpo-register/detail/DPR-EC-00417.
Article 6 (1)(f) together with Article 89 (1) GDPR. J.A.L. Krabben, Onderzoek Landelijke Zorgregistraties, Rapport 3 (Research on National Care registries, report 3), College Bescherming Persoonsgegevens (predecessor of the Dutch Supervisory Authority) (The Hague: College Bescherming Persoonsgegevens, 2005), p. 28; G.J. Zwenne, A.-W. Duthler, M. Groothuis, H. Kielman, W. Koelewijn and L. Mommers, Eerste fase evaluatie Wet bescherming persoonsgegevens. Literatuuronderzoek en knelpuntenanalyse (First evaluation phase Dutch data protection act. Literature research and constraint analysis), Dutch Ministry of Justice, 2007.
Dutch Quality registrations in Care act (Wet Kwaliteitsregistraties Zorg, available online at https://www.internetconsultatie.nl/wetkwaliteitsregistratieszorg (accessed 24 March 2022). This act finds its origin, inter alia, in the final report by Hugo Keuzenkamp, ‘Een programma voor regie op kwaliteitsregistraties en verbetering van datagovernance’ (A program aimed at the control of quality registrations and improvement of data governance), 2020.
See also Recitals 52, 53 and 54 GDPR.
See https://www.health-ri.nl/national-covid-19-citizen-control-registry (accessed 24 March 2022).
Swedish act on health data registers, available online at https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-1998543-om-halsodataregister_sfs-1998-543 (accessed 4 April 2022). K. Laugesen, J.F. Ludvigsson, M. Schmidt, M. Gissler, U.A. Valdimarsdottir, A. Lunde and H. Toft Sørensen, ‘Nordic Health Registry-Based Research: A Review of Health Care Systems and Key Registries’, Clinical Epidemiology 13 (2021) 533–554.
Dutch Code of Conduct for health research, 68–71.
Recitals 32 (conditions for consent), 42 (burden of proof and requirements for consent) and 43 (freely given consent); Article 4 (11) and 7 GDPR. D. Hallinan, ‘Broad consent under the GDPR: an optimistic perspective on a bright future’, Life Sciences, Society and Policy 16 (2020) 1. O. O’Neill, ‘Some limits of informed consent’, Journal of Medical Ethics 29 (2003) 4–7. T. Ploug and S. Holm, ‘Meta consent — A flexible solution to the problem of secondary use of health data’, Bioethics 30 (2016) 721–732.
Regulation (EU) No 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC of 16 April 2014 (hereinafter: CTR). See in particular Article 2 (2)(21) as regards the definition of informed consent.
Parliamentary Papers II, 1997–1998, 25 892, no. 3, in particular pp. 21 and 67: “(…) [D]e betrokkene dient in woord, schrift of gedrag uitdrukking te hebben gegeven aan zijn wil toestemming te verlenen aan de hem betreffende gegevensverwerking” (The data subject must have given an express statement of his consent in words spoken, written or acts performed by him as regards the data processing concerning him).
European Data Protection Board, ‘Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.1’, adopted on 4 May 2020, para. 3.4., p. 18. See also ‘Article 29 Working Party Opinion 15/2011 on the definition of consent (WP 187)’.
B. Schermer, B. Custers and S. van der Hof, ‘The crisis to consent: how stronger lawful protection may lead to weaker consent in data protection’, Ethics and Information Technology 16 (2014) 171–182, on p. 171:
In our opinion, the overemphasis on autonomous authorization in data protection is the result of a positive and laudable, but ultimately flawed idea about human behavior in the context of privacy and data protection. The current and future legislation is based on the idea that all data subjects are rational actors that will read all privacy statements and carefully weigh and balance the consequences of consent (…).
E.S. Dove and J. Chen, ‘Should consent for data processing be privileged in health research? A comparative lawful analysis’, International Data Privacy Law 10 (2020) 117–131, on p. 117:
(…) [W]e argue that there is merit in distinguishing research ethics consent from data processing consent, to avoid what we call ‘consent misconception’, and come to advocate a middle-ground approach in data protection law, i.e., one that does not mandate consent as the lawful basis for processing personal data in health research projects — but does encourage it. This approach, we argue, achieves the best balance for protecting data subject/ research participant rights and interests and promoting socially valuable health research.
As has also been recommended by the Council of Europe, Recommendation CM/Rec (2019)2 of the Committee of Ministers to Member States on the protection of health-related data (Adopted by the Committee of Ministers on 27 March 2019 at the 1342nd meeting of the Ministers’ Deputies).
Study on the appropriate safeguards under Article 89 (1) GDPR for the processing of personal data for scientific research, Final Report, EDPS/2019/02–08, available online at https://edpb.europa.eu/system/files/2022-1/lawfulstudy_on_the_appropriate_safeguards_89.1.pdf (accessed 7 February 2022); Opinion 3/2019, supra note 42; European Data Protection Supervisor, Preliminary Opinion 8/2020 on the European Health Data Space, 17 November 2020, available online at https://edps.europa.eu/sites/edp/files/publication/20-11-17_preliminary_opinion_european_health_data_space_en.pdf (accessed 26 April 2022).
‘Legislative train schedule: promoting our European way of life after 2022–01’, available online at https://www.europarl.europa.eu/legislative-train/theme-promoting-our-european-way-of-life/file-european-health-data-space (accessed 5 April 2022. Digital Health Europe, ‘Recommendations on the European Health Data Space’, 2021, https://digitalhealtheurope.eu/wp-content/uploads/DHE_recommendations_on_EHDS_July_2021.pdf (accessed 5 April 2022).
COM/2020/767 final of 25 November 2020, available online at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767 (accessed 5 April 2022).
COM(2022) 68 final, Proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) of 23 February 2022, available online at https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data (accessed 26 April 2022).
See, for instance, the information leaflet for patients of Antoni van Leeuwenhoek hospital, available online at https://www.avl.nl/media/3645/gebruik-van-uw-gegevens-en-materiaal-voor-wetenschappelijk-onderzo.pdf; and Radboud University Medical Center, available online at https://www.radboudumc.nl/patientenzorg/uw-afspraak/patient-in-een-umc/gebruik-van-uw-medische-gegevens-en-lichaamsmateriaal. The Amsterdam University Medical Center provides the patients with information about the use of their health data for further research, see https://www.amsterdamumc.nl/nl/rechten-plichten/locatie-amc/dossier-inzien.htm, at para. ‘beroepsgeheim & privacy, final sentence. The Groningen University Medical Center also informs the patients about the use of their health data for further research: see https://www.umcg.nl/medisch-wetenschappelijk-onderzoek, at para. ‘Gebruik van lichaamsmateriaal en/of medische gegevens voor toekomstig wetenschappelijk onderzoek’. Websites retrieved 22 July 2022.
A study was carried out in 2019 as regards the choice for a system either based on consent or on opt-out: R. Stüssgen, R. Coppen, E.-B. van Veen, T. Urbanus and R.A. Verheij, Zorggegevens voor onderzoek: bezwaar of toestemming? De wet en de praktijk (Utrecht: Nivel, 2019). See also R. Coppen, P.P. Groenewegen, J.M.W. Hazes, J.D. de Jong, J. Kievit, J.N.D. de Neeling, S.A. Reijneveld, R.A. Verheij and E. Vroom, ‘Hergebruik van medische gegevens voor onderzoek: Wat vindt de Nederlander van het toestemmingsvereiste?’ Nederlands Tijdschrift voor Geneeskunde 160 (2016) a9868. Also, the Netherlands Patients Federation carried out a research as well: ‘Delen van data in de zorg’, februari 2021, available online at https://www.datavoorgezondheid.nl/binaries/datavoorgezondheid/documenten/publicaties/2021/03/31/rapport-delen-van-data-voor-de-gezondheidszorg---onderzoek-patientenfederatie-nederland/210325+Definitieve+rapportage+Delen+van+Data.pdf (accessed 22 July 2022).
J.G. Maessen, R.P. Peeters, E.F. Smit, C.B. Hoyng and M. Bennema, Adviesrapport Knelpunten oplossen bij opstarten van wetenschappelijk onderzoek door medisch specialisten (Utrecht: Federatie Medisch Specialisten, 2019); Health-RI, Afsprakenstelsel Health-RI, Ambitie, Uitgangsprincipes, Obstakels, Oplossingsrichtingen, Governance (Utrecht: Health-RI, 2021); M. Boeckhout, M. Beusink, L. Bouter, I. Kist, S. Rebers, E.-B. van Veen and M. Schmidt, Niet-WMO-plichtig onderzoek en ethische toetsing. Verkenning in opdracht van het Ministerie van VWS (Amsterdam: NKI and MLC Foudantion, 2020).
Position adopted by the Dutch Federation of University Medical Centres (NFU, Nederlandse Federatie van Universiteiten) Federation of Medical Specialists (FMS, Federatie Medische Specialisten), Committee on Regulations of Health Research (COREON, Commissie Regelgeving in Onderzoek) and Health-RI, Inbreng op wetsvoorstel ‘Wet zeggenschap lichaamsmateriaal (October 2021).
Kalkman et al., supra note 29. M. Boyd, M. Zimeta, J. Tennison and M. Alassow Secondary use of health data in Europe (London: Open Data Institute, 2021).
Kamerstukken (Parliamentary Papers) II, 1989–1900, 21 561, no. 3, 16–17. The initiative for a Code of Conduct for health research was applauded in the Explanatory Memorandum. See also pp. 40–41 on which Article 1653m (old) of the Dutch Medical Treatment Contracts Act is exemplified.
B.M. Knoppers, J.R. Harris, I. Budin-Ljøsne and E.S. Dove, ‘A human rights approach for an international code of conduct for genomic and clinical data sharing’, Human Genetics 133 (2014) 895–903.
EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, adopted on 4 June 2019.
See Guidelines 1/2019, supra note 86, para. 27, p. 12:
(…) [A] draft code which involves processing activities of private, non-public authorities or bodies must also identify a monitoring body and contain mechanisms which enable that body to carry out its functions as per Article 41 of the GDPR (…).