Greetings from Brussels!
I feel compelled to comment upon an interesting exchange of late with a start-up entrepreneur based out of Italy, whose company helps app developers store health data according to EU privacy and security laws. There is a level of concern amongst the innovation start-up community that while we move towards a revised GDPR, national Member State IT security laws in parallel are continuing to impose complex obstacles for our innovators regarding data protection and security provisions when providing EU-wide services.
In short, at the technical level, the view from innovators is that national legislation, such as the new German Federal Cybersecurity law, will potentially have a far higher impact on business in terms of requirements than the GDPR. The new German IT security law will push firms and federal agencies to certify against cyber-security standards and obtain BSI (Federal Office for Information Security) clearance, affecting more than 2,000 essential service providers across the spectrum of transportation, health, water, utilities, telecoms, financial services and insurance firms.
France, in a similar vein, created a law that took effect in 2009 specifically for entities that process and store patient data. In essence, entities that are neither licensed healthcare establishments nor HCPs (Health Care Professionals) must obtain an authorization from the French Ministry of Health in order to lawfully store patient health data originating from such establishments or HCPs. The authorization requires implementation of rigorous measures to ensure security and confidentiality of patient health data at all phases of the data lifecycle; these requirements are generally seen as some of the most robust in all of Europe. However, a bill now pending in French Parliament would simplify the requirements to obtain authorization and notably align the security requirements with globally recognized standards (to be defined). Among the provisions of this particular bill, it has been proposed that a technical compliance assessment would be conducted by an accredited certification body. This assessment would encompass the applicant’s procedures, organization, material and human resources. The security standard to be adopted would facilitate the security aspects of the accreditation. Nonetheless, data protection laws would still apply in addition to the accreditation. Furthermore, it is possible that either ASIP Santé or the CNIL would not be implicated in the accreditation.
The convergence of data privacy and security (by design) seems to be an area that is getting increasing attention. France, for one, appears to be trying to strike a balance of sorts. Generally speaking, and considering the GDPR in the broader context of health care, is there a danger that, in the drive to protect consumers from commercial exploitation of their data, we will also cut patients off from the significant potential benefits of health data science innovations? These benefits are much needed to address failing healthcare systems across Europe.
Currently, what I am hearing about is the challenge faced by nimble small- and medium-sized enterprises in Europe—operating in healthcare—to comply with diverse Member State requirements.
As I wrote in earlier notes, the European Commission has clearly stated the competitive need for a European Digital Single Market; the knock-on effects into areas of legislation that are not of EU-exclusive competence but of shared competence with Member States will surely bring about additional complex discussions in the coming years. What remains to be seen is whether there is a collective political will in Europe to continue to pursue a common approach (as with the GDPR) in other parallel legislative areas that benefits digital innovation and entrepreneurship for the betterment of society and the economy.
What is evident is that it can’t come soon enough for the digital innovators. More to follow.