File(s) under permanent embargo
National electronic health record systems and consent to processing of health data in the European Union and Australia
Chapter posted on 01.01.2020, 00:00, authored by Danuta Mendelson
This study focuses on the single most important regulatory aspect of data processing, namely consent to data processing. It compares approaches to consent under the General Data Protection Regulation (EU 2016/679) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (and on the free movement of such data) (GDPR) in the context of European Union (EU) national electronic health record (NEHR) schemes (also referred to as “national digital health networks”) with the approach of the Australian national health record scheme called My Health Record (MHR). The GDPR, subject to derogation in limited circumstances, is binding on all 27 EU member countries. Under Articles 168 (2) and (7) of the Treaty on the Functioning of the European Union (2007), while the EU has a duty to “encourage cooperation between the Member States…to improve the complementarity of their health services in cross-border areas,” the European Union Member States retain the power to manage their own health services. However, in doing so, subject to narrow derogations, the management of their NEHR systems must conform to the GDPR. The GDPR governs the processing of data in any form including data contained in national electronic health systems (European Commission Recommendation on a European Electronic Health Record exchange format (C(2019)800) of 6 February 2019. Available at: https://ec.europa.eu/digital-single-market/en/news/recommendation-european-electronic-health-record-exchange-format. Accessed 13 May 2019). Given that, unlike the Australian MHR scheme, national electronic medical/health records systems of EU Member States are at different stages of development, and that derogations enable a measure of variance in compliance, individual European systems will not be discussed.
Australia is a non-EU jurisdiction, and does not have the European Commission’s certificate of adequate level of data protection (GDPR Article 45 empowers the European Commission to determine whether a country outside the EU offers an adequate level of data protection, whether by reason of its domestic legislation or of the international commitments it has entered into. For further discussion, see below). One of the reasons for the absence of certification might be the effectively non-consensual nature of the My Health Record system that administers, collects, stores, and provides access to health and clinical data of Australians.