Supreme Court urges privacy by design

Since 2013, the Association of Practising GPs has been waging a fundamental legal battle against the private successor to the Electronic Patient Record: the National Switch Point (LSP). Late last week, the Supreme Court decided that, for now, the LSP does not violate current privacy law. However, the Supreme Court's ruling includes the instruction that the LSP will soon have to start complying with the legal requirement of 'privacy by design'. This sets an important precedent and raises the bar for the future.

Private go-ahead SPD: Landelijk Schakelpunt

In April 2011, the Electronic Patient Record (EPD) was unanimously rejected by the Senate, mainly due to privacy concerns. However, various market players (including health insurers) subsequently pushed ahead with virtually the same EHR in private form as the National Switch Point (LSP) for large-scale, centralised exchange of medical data. The LSP has since been 'rolled out' nationally: many GPs are now connected to the LSP (under pressure from health insurers). Also, millions of Dutch citizens have now given 'consent' to exchange their medical data via the LSP. However, the problem with this 'consent' is that it is so broad and general that it is almost impossible to consider it legitimate. This was therefore one of the principled objections to which the Association of Practising GPs' (VP Huisartsen) lawsuit against the LSP related. Other objections to the LSP relate, among other things, to the fact that the architecture of the LSP is inherently unsafe and privacy-invading: via the LSP, every connected medical record can be viewed by thousands of healthcare providers. This violates the patient's right to privacy and the medical confidentiality of treating physicians. Moreover, this does not involve privacy by design, for example through end-to-end encryption. In essence, this makes the LSP as leaky as a basket, ideal for function creep (goal shifting) and possible misuse by malicious parties.

Campaign SpecificAuthorisation.co.uk

Privacy First has raised numerous alarms about this towards politicians and media in recent years. Even at the UN level, Privacy First has actively pushed the Dutch LSP raised. Moreover, on the initiative of Privacy First and the Civil Rights Protection Platform, a large-scale internet campaign has been running since April 2014 launched to preserve and promote the right to medical privacy: www.SpecifiekeToestemming.nl. This campaign has since been supported by numerous civil society organisations, healthcare providers and academics. The core of the campaign is that specific consent should (again) become the guiding principle in the sharing of medical data. Specific consent allows patients to determine prior to sharing their medical data whether, and if so which, data may be shared with which healthcare providers for which purposes. This limits risks and allows patients to retain control over the sharing of their medical data. This is in contrast to the generic consent that applies with the LSP. With generic consent, it is not foreseeable by whom someone's medical data can be viewed, used, exchanged, etc. Generic consent is thus by definition contrary to two classic principles in privacy law: the principle of purpose limitation and the right to free, prior and fully informed consent when processing personal data.

Privacy by design

Partly due to pressure from our SpecificAuthorisation.com campaign, the bill was Client rights in electronic health care data processing (bill 33509) were tightened by the House of Representatives in 2014 and two crucial motions were passed by the Senate in 2016: the Bredenoord motion (D66) et al on the further elaboration of data protection-by-design as the starting point for the electronic processing of medical data and the Teunissen motion (PvdD) et al on keeping medical records accessible decentrally (instead of centrally). Under this new law, specific ("specified") consent becomes mandatory; this should now be implemented in all existing and future medical data exchange systems, including the current LSP. Moreover, under the new European privacy law privacy by design a hard legal duty: privacy and data protection should be built into all relevant hardware and software right from the very first design. In this regard, several market developments are already underway in recent years that indicate that specific consent is becoming the norm in new systems and that privacy by design become the new standard. A good example of this in the medical context is Whitebox Systems which already received a National Privacy Innovation Award in 2015 won.

Lawsuit VP GPs

Since March 2013, VP Huisartsen had been pursuing a large-scale civil lawsuit against the private operator of the LSP: the Association of Healthcare Communication Providers (VZVZ). After disappointing rulings by the Utrecht District Court and the Arnhem Court of Appeal, VP Huisartsen filed an appeal in cassation with the Supreme Court at the end of 2016. In cassation, this case (via Pro Bono Connect, on the advice of Privacy First) support by law firm Houthoff Buruma. At the Supreme Court, Privacy First subsequently filed a amicus curiae-letter (PDF) in support of the views of VP GPs, in line with our joint campaign SpecificAuthorisation.co.uk. In the advice ("Opinion") of the Advocate General to the Supreme Court was then given in detail to these amicus curiae-letter referenced. On 1 December this year, the Supreme Court finally ruling done. In this ruling, the Supreme Court unfortunately largely concurs with the earlier argument of the Arnhem Court of Appeal. In doing so, however, Privacy First cannot escape the impression that (even for the Supreme Court) the LSP is apparently "too big to fail": this flawed system is now so large that one might not dare declare it unlawful. Nevertheless, there is also an important bright spot, and that is in the Supreme Court's final consideration:

"[The court of appeal has] recognised that the healthcare infrastructure can also be set up in a way in which a greater distinction can be made between (types of) data and (categories of) healthcare providers, and in which in particular data sharing on the basis of consent can be limited in advance to urgent cases if so desired. In its opinion, this arrangement is more and better in line with the principles underlying the Privacy Directive and the Wbp, but could not yet be required of VZVZ at the time of the delivery of the judgment under appeal. According to the Court of Appeal, VZVZ may be expected, as soon as this is technically possible and feasible for it, to adapt the system by offering more freedom of choice in it.

These considerations are not incomprehensible. It is also worth noting that in view of VZVZ's (...) ambitions with the system and the changes in the regulations (...), in which 'privacy by design' and 'privacy by default' are explicitly taken as a starting point (art. 25 paragraphs 1 and 2 General Data Protection Regulation), once again what the court expects from VZVZ is reasonable." (5.4.4)

Like the Arnhem Court of Appeal, the Supreme Court is thereby clearly steering towards implementation of specific consent and privacy by design in the LSP. The Supreme Court thus creates a positive precedent that also sets the tone for the future in a broader sense (for other systems). Privacy First will continue to actively monitor developments in this regard and, if necessary, take the matter to court again.

Read HERE the entire judgment of the Supreme Court and HERE The earlier conclusion of the Advocate General.
The amicus curiae letter from Privacy First and the Civil Rights Protection Platform can be found HERE in pdf.

Comment VP GPs: http://www.vphuisartsen.nl/nieuws/cassatieberoep-vphuisartsen-verloren-toch-winst/

Comment SpecificAuthorisation.co.uk: http://specifieketoestemming.nl/werk-aan-de-winkel-na-teleurstellend-vonnis-over-lsp/ .