Digital Omnibus and health data: impacts on the reuse of medical data
The Digital Omnibus project aims to harmonize the GDPR and the AI Act to simplify the reuse of health data and promote medical innovation in Europe. By clarifying the identifiability of pseudonymized data, this reform could transform research practices while requiring strengthened governance.
In autumn 2024, the European Commission initiated, A legislative project of magnitude known as Digital Omnibus. Presented as a project to simplify and harmonize the European digital regulatory framework, this text aims to adjust several structuring texts, including the GDPR, the AI Act, the Data Act and the ePrivacy Directive.
Although this project is still only at the stage of proposals and inter-institutional discussions, it is already giving rise to a lot of questions, especially in the health sector. The question of the reuse of health data, at the heart of many research, innovation and artificial intelligence projects, seems to be one of the most sensitive points of the Digital Omnibus.
At this stage, no changes have been definitively adopted. However, the proposed guidelines deserve a thorough analysis in order to anticipate their potential impacts on Governance health data and on the obligations of the actors concerned.
The Digital Omnibus: a project to rationalize European digital law
The Digital Omnibus is part of the European Commission's stated desire to reduce complexity normative of digital law.
The objective is twofold:
- On the one hand, facilitate the compliance of organizations by harmonizing certain obligations common to several texts
- On the other hand, support innovation, particularly in the fields of artificial intelligence and data exploitation, while maintaining a level of protection considered sufficient for fundamental rights
In this context, the RGPD is not called into question in principle, but some key concepts could be specified or redefined. These adjustments, if confirmed, would have a direct impact on the regime applicable to health data, which currently constitute a particularly protected category of data.
It is essential to remember that the Digital Omnibus is not an adopted reform. The text is still the subject of debate, legal analysis and possible amendments. The positions of the Member States, the European Parliament and the data protection authorities will play a decisive role in its final version.
{{newsletter}}
The reuse of health data: a strategic and sensitive issue
Health data is busy A central square in European public policies. They are essential for medical research, for the improvement of care pathways, To surveillance sanitary and to the development of artificial intelligence solutions in health.
The RGPD strictly regulates their processing, In principle forbidden except for specific exceptions, such as explicit consent of the person concerned, The public interest in terms of health or scientific research with strengthened guarantees.
The reuse of health data, i.e. their use for purposes other than those originally intended, is already possible in a demanding legal framework. It requires rigorous analysis. purposes, legal bases and protective measures put in place. The Digital Omnibus could change this balance.
Planned evolutions and impacts on artificial intelligence in health
Among the approaches mentioned in the Digital Omnibus project is a clarification of the concept of personal data and, by extension, health data. The identifiability of people could be assessed in a more contextual way, depending on the means sensibly available to the data controller.
In the field of health, this approach could facilitate the reuse of pseudonymized data sets, in particular for the purposes of researching Or oftraining artificial intelligence models. However, it also raises questions about the risk of re-identification and on protection effective of the persons concerned.
Another evolution discussed concerns the legal bases that can be used for certain treatments, with a possible increased emphasis on legitimate interest, including in contexts involving sensitive data. If confirmed, this focus would significantly change current consent and transparency practices, in particular for secondary uses of health data.
Finally, the Digital Omnibus is part of a larger regulatory environment, marked by The gradual entry into force of the AI Act and by the development of the European Health Data Space. The relationship between these texts will be decisive in defining a coherent and secure framework for the reuse of medical data.
A legislative project with still uncertain outlines
A fundamental point should be emphasized. The Digital Omnibus is a project. At this stage, no modification of the RGPD is legally applicable. The proposals may change, be amended, or be abandoned.
Data protection authorities, health actors, researchers and civil society organizations are actively participating in the debate. The next few months will be decisive to determine whether current guidelines will be maintained and to what extent existing safeguards will be reinforced or adapted.
For organizations dealing with health data, it is not a question of immediately changing their practices, but of remaining attentive to changes and preparing adaptation scenarios.
Best practices for health and compliance actors
For actors dealing with health data, some good practices remain essential:
- Maintain accurate mapping the processing of health data and their purposes, by clearly identifying secondary uses and reuse projects
- Strengthen impact assessments relating to data protection, they must remain at the heart of the procedures, by integrating the risks associated with new technologies, inferences and re-identification
- Ensuring transparency towards patients and those affected, as this remains a key factor of trust
- Informing in a clear and accessible way the persons concerned, even when consent is not the legal basis used
- Documenting legal and technical choices in order to demonstrate continued compliance regardless of the future evolution of the regulatory framework
- Set up one governance robust data, combining lawyers, DPOs, technical teams and business departments, making it possible to anticipate regulatory changes and to secure innovation projects
At Adequacy, we are following the discussions closely around the Digital Omnibus and we support DPOs and compliance managers in the analysis and adaptation of their compliance practices by anticipating regulatory changes, in particular on sensitive treatments such as health data, in order to transform legal uncertainty into a lever for governance mastered.
Digital Omnibus FAQ
Is the Digital Omnibus already changing the GDPR?
No The GDPR remains fully applicable in its current version. The Digital Omnibus is a project under discussion.
Could health data be less protected?
Some proposals call for a redefinition of the scope of sensitive data or the legal bases for processing. However, no final decision has been taken and the current guarantees remain fully applicable.
Do impact assessments need to be updated?
Not immediately. On the other hand, it is relevant to identify the AIPD existing ones on the reuse of health data and to assess their robustness in the face of future changes.
Will the reuse of health data be facilitated?
The project aims to clarify and potentially simplify certain legal frameworks, in particular for research and artificial intelligence. This could facilitate certain uses, in particular the facilitation of the reuse of pseudonymized data, subject to appropriate guarantees.
Do healthcare institutions need to anticipate immediate changes?
No On the other hand, it is recommended to follow regulatory news, to raise awareness among teams and to document existing practices in order to be ready to adapt when the time comes.
{{newsletter}}
