One of the goals of the European Commission has been to build a robust health union, including by addressing eHealth regulations. eHealth regulation feeds into eHealth policies, which can be defined as “a set of statements, directives, regulations, laws, and judicial interpretations that direct and manage the life cycle of eHealth” (Scott 2002); among other things, the Commission considers them to be a part of ‘healthcare services’ in the digital single market (COM(2018) 233).
One of the challenges the Commission faces when regulating eHealth is the division of competences: while the EU can complement national public health policies according to art. 168 of the Treaty on the Functioning of the EU (TFEU), most of the powers remain firmly in the hands of member states. The EU can act to fight the major health scourges; it can promote research into the causes of diseases, their transmission and their prevention, as well as health information and education; and it can monitor, provide early warning of, and combat serious cross-border threats to health. Beyond this, the EU has only certain limited explicit competences, inter alia to regulate standards of quality and safety for medicinal products and devices for medical use (art. 168(4)(c) of the TFEU).
This means that frameworks that (indirectly) impact eHealth regulation will often be adopted on the basis of other competences, e.g. data protection, approximation of laws, or the non-discrimination clause. The differing legal bases and the resulting fragmentation of frameworks are among the most important barriers to comprehensive eHealth regulation at the EU level (Aluttis and others 2014).
Examples of eHealth regulation
For example, art. 114 of the TFEU is underpinned by the regulation of the single market in the pursuit of better competition, and allows for the approximation of national laws, including eHealth regulations, as an alternative to art. 168 (Greer and Jarman 2021, European health union 2020). Based on art. 114, several frameworks have already been adopted, such as the Medical Devices Regulation, the Regulation on Health Technology Assessment, and the proposed Data Governance Act. The regulation of the digital single market also functions as a base upon which European data spaces are built, which in turn contributes to data altruism and improved health data sharing across the union. High-quality data, especially in connection with big data, are the essential force behind not only technological design but also decision-making in eHealth; here, the role of the European health data space is especially important (Kisseleva and de Hert 2021). Data spaces are fed by different types of data, such as health and epidemiological data, lab data, and all data types that can be used in AI development (EP-STOA 2021).
Similarly, the General Data Protection Regulation (GDPR), which was adopted on the basis of the data protection clause in art. 16(1) of the TFEU, imposes obligations on developers and providers of eHealth technologies, such as data protection by design and by default in its art. 25. While it is primarily a data protection instrument, eHealth providers will need to abide by it insofar as they qualify as controllers or processors.
On top of this, the EU has often used “softer” approaches such as support activities, coordination, and informal collaboration. For example, the interoperability of electronic health records (EHR) is a voluntary scheme based on the Recommendation on a European Electronic Health Record exchange format. Member states that sign up allow their citizens to receive health services and pharmaceutical products in other member states more easily.
What does it mean for TeNDER?
Project partners have adopted a three-step methodology to address the regulation of eHealth technologies, its gaps and inconsistencies, and to provide good practices on lawful and ethical implementation. The initial framework report (D1.1, submitted 2020) identified applicable laws and ethical principles, and analysed the initial concerns about the nexus between the technology and the applicable frameworks. Building upon its findings, the three follow-up impact assessments (D1.4, submitted 2021, and D1.5, due April 2023) take into consideration privacy, data protection, ethical-societal aspects, and the regulation of medical devices. The final legal report (D1.6, due April 2023) will provide a final evaluation, from a legal and ethical perspective, of the technologies developed during the project.
In projects like TeNDER, a variety of legal frameworks apply, intersect and overlap. Concerning the development, we have focussed on the requirements found in the GDPR, such as the legal basis for processing health data, privacy by design, and pseudonymisation measures, and addressed the potential applicability of the Medical Devices Regulation. Once the product is marketed to potential adopters, it could become a part of a “bigger story”: a part of a care home setup or of a charity organisation supporting assisted living. This means that the product will interact with internal organisational policies, as well as with any additional frameworks that apply at the European or national level. For example, the pilots in the project are based on small patient groups, where a data protection impact assessment (DPIA) is not always necessary under art. 35 of the GDPR, while in a larger organisational context it may well be obligatory. Keeping in mind the future obligations of adopters, we nevertheless provide guidance on carrying out DPIAs in a post-project setting, which can build upon the impact assessments carried out during the project itself.
While the fragmentation of EU eHealth frameworks can be a barrier to bringing new technologies into the market, we hope that our work will bring more clarity to the field by resolving as many legal gaps as possible before the end of the project.