Europe must guard against knee-jerk reaction on health data, post-ECJ ruling

By European Alliance for Personalised Medicine Executive Director Denis Horgan

The ongoing debate on Big Data and data protection will surely take another turn after the European Court of Justice (ECJ) struck down the Commission’s ‘Safe Harbour’ agreement on data exchanges with the US. 

In its ruling, the ECJ blasted the US government for “compromising the essence of the fundamental right to respect for private life”.

The EU’s Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

But the court decided that Safe Harbour, which has been in operation for almost 15 years, is illegal due to inadequate protection given to data once transferred to the United States. Safe Harbour was found by the court to undermine the ability of national data protection authorities to determine whether data transfers to the US had privacy safeguards up to EU legal standards.

The agreement allows the transfer of consumers' personal data from Europe to the US under adequate privacy standards, with more than 4,400 companies using Safe Harbour to operate in Member States.

The case was referred to the ECJ by an Irish court in respect of 27-year-old Max Schrems, who has been a Facebook user since 2008. The social media giant has its European headquarters in Ireland. Data provided by Austrian law graduate Schrems - and everyone else on in the EU who uses the site - is transferred from Facebook’s Irish subsidiary to servers located in the US.

Schrems lodged a complaint with the Irish Data Protection Commissioner, according to the ECJ: “Taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country”.

The Irish commissioner told Schrems his department had no legal means to investigate under Safe Harbour provisions, eventually leading to the casing landing in front of the ECJ.

The latter’s report states that: “The advocate general of the European Court of Justice has recommended ending a practice that allows US companies to fast-track the transfer of EU citizens’ data abroad, over concerns that it is being accessed by US intelligence services in contradiction of European law and citizens’ fundamental rights.”

The court’s advocate general Yves Bot also criticised the European Commission for ignoring its own concerns and not ending the practice earlier.

The above will set alarm bells ringing among the health community who are campaigning for the sensible use of ‘Big Data’ for research and urging the Commission, member states and the European Parliament to ensure that robust safeguards are in place to protect the privacy of patients, while crucially allowing the necessary flow of data for health research purposes.

This was already a complex area, even prior to this week’s data-exchange ruling, and the Brussels-based European Alliance for Personalised Medicine (EAPM) is hopeful that the trilogue between the three EU institutions is not provoked into a knee-jerk reaction as the talks on the upcoming Data Protection Regulation continue.

The Alliance’s multistakeholder membership, which includes patients, scientists, clinicians, researchers, academics and industry representatives, firmly believes that Europe needs a responsive system of regulation that offers high levels of protection for individuals and high-quality data access for researchers and healthcare providers.

Back in the under-fire US, President Obama’s precision medicines initiative will follow health outcomes over many years, identifying biomarkers predictive of the development of many diseases and bringing new opportunities for prevention and therapy. Meanwhile, Europe’s potential access to huge health information can already match that of the US. If it can be shared responsibly down the line, the sky will be the limit for new treatments for Europe’s 500 million potential patients across 28 Member States.

Data protection is a fundamental and clearly growing issue. EAPM believes that the next steps in improving European healthcare are critically dependent on the use of data; which requires an eco-system in which it can be accessed in a secure and efficient way for appropriate purposes.

We are clearly not there yet, as the ECJ ruling illustrates, but if Europe can begin with a robust but not over-protective system that both safeguards privacy yet allows for vital health data to be shared responsibly, this will be an excellent start. This clearly must begin soon, not because of panic, but because Big Data will not go away.

Share this article: