RD Privacy

GDPR Enforcement in Health Sector: Trends, Challenges & What's Next

The health sector in the European Economic Area (EEA) and the UK is one of the most highly regulated sectors in terms of data protection, given the sensitive nature of the personal data it handles. Since the introduction of the General Data Protection Regulation (GDPR) in 2018, data protection authorities (DPAs) have been actively enforcing compliance, focusing on issues like data security, cross-border data transfers, and patient consent. With the advent of the EU-US Data Privacy Framework (DPF) in 2023, cross-border data transfers have gained some clarity, but Standard Contractual Clauses (SCCs) remain a critical tool for companies not adhering to the DPF.

This article examines how DPAs are enforcing GDPR in the health sector, the current challenges, and what organizations can expect going forward.

Enforcement in the EEA/UK: A Country-Specific Overview

France: CNIL's Emphasis on Security and Consent

The French data protection authority, CNIL, remains at the forefront of enforcing GDPR compliance in the health sector, where the processing of large volumes of sensitive data demands strict adherence to data protection rules. Recognizing the risks associated with health data, CNIL has focused on ensuring robust security practices and obtaining explicit consent, particularly in research settings.

On January 24, 2024, the CNIL fined a pharmaceutical wholesale company for inadequate data security measures, highlighting the importance of encryption and secure data handling to prevent unauthorized access. This action is part of CNIL’s broader strategy to reinforce GDPR standards in the health sector.

A month later, on February 29, 2024, the CNIL fined a scientific research company for unlawful data processing and insufficient cooperation during an investigation. This case underscored the need for transparency and strict adherence to GDPR, especially when handling research data.

On August 28, 2024, the CNIL issued a significant fine of €800,000 to a company specializing in statistical studies of health data. The company managed a data warehouse containing pseudonymized health data used for research purposes. The CNIL determined that the data could be re-identified and thus required specific authorization under French data protection law. The absence of this authorization led to the fine, emphasizing the necessity of regulatory compliance when handling sensitive health information.

These enforcement actions by the CNIL demonstrate the critical need for health organizations to adopt rigorous data protection practices to ensure compliance with GDPR.

Spain: AEPD’s Focus on Data Security

The AEPD has actively enforced GDPR compliance in the health sector, focusing on data security and data sharing.

On March 3, 2022, a healthcare data processor was fined €60,000 for failing to establish a proper data processing agreement with a subcontractor, leading to a breach that affected 136,000 individuals, including health data. In July 2022, another entity received a €132,000 fine for insufficient data protection measures that allowed unauthorized access to sensitive medical data. In June 2023, a fine of €80,000 (later reduced to €48,000) was imposed after a data breach exposed sensitive health information, with delayed notifications and inadequate security measures. These cases underline the AEPD's emphasis on securing sensitive health data and ensuring robust contractual compliance.

The UK: ICO’s Ongoing Enforcement Post-Brexit

Following Brexit, the UK's Information Commissioner's Office (ICO) continues to enforce data protection standards under the UK GDPR, maintaining a strong focus on the health sector due to the sensitivity of patient data. A recent high-profile enforcement action involved a provisional decision to fine a software provider £6.09 million after a ransomware attack in August 2022. This breach caused significant disruptions to NHS services, impairing access to crucial patient records and impacting healthcare delivery. The ICO’s investigation revealed that the software provider had failed to implement essential security measures, such as multi-factor authentication, which allowed unauthorized access through a customer account. The incident exposed the personal data of around 82,946 individuals, including sensitive health information.

The ICO underscored the responsibility of data processors to secure personal data, even when acting on behalf of organizations like the NHS. This case serves as a critical reminder for organizations to adopt robust cybersecurity practices, particularly when managing sensitive health information. While the decision remains provisional, it illustrates the high standards expected in data protection within the healthcare sector.

In another notable case from April 2024, the ICO reprimanded a healthcare trust for failing to address Data Subject Access Requests (DSARs) within the required timeframes. This action highlights the obligation of healthcare providers to respect patients' rights to access their personal data, underscoring the need for efficient internal processes and staff training to ensure timely compliance. These cases collectively demonstrate the ICO’s active role in upholding stringent data protection practices within the UK healthcare landscape.

Key Challenges in GDPR Enforcement

1. Cybersecurity and Data Breaches:

Healthcare is increasingly targeted by cyberattacks, including ransomware. DPAs have imposed fines on organizations that fail to implement adequate cybersecurity measures to protect patient data. Moving forward, DPAs are expected to further tighten requirements around cybersecurity in healthcare.

2. Automated Decision-Making and AI in Healthcare:

As AI technologies gain prominence in healthcare—especially in diagnostics and personalized medicine—GDPR enforcement is extending into automated decision-making. DPAs are ensuring that organizations comply with the transparency and data protection principles when using AI, requiring that patients are informed when their data is used by AI systems.

3. Cross-Border Data Transfers and Global Collaboration:

With healthcare organizations increasingly collaborating across borders for clinical trials and research, compliance with GDPR’s data transfer requirements remains a challenge. The DPF provides a pathway for compliant transfers to the US, but SCCs are still critical for organizations working with partners not adhering to the DPF. Further guidance from the European Data Protection Board (EDPB) is anticipated to help clarify the use of both frameworks.

Conclusion

The enforcement of GDPR in the health sector across the EEA and the UK underscores the high regulatory standards expected for handling sensitive health data. Authorities like the CNIL, AEPD, and Germany’s decentralized DPAs have focused on ensuring robust data security, lawful processing, and compliance with cross-border data transfer requirements. Recent enforcement actions demonstrate that health organizations must adopt comprehensive security measures, ensure transparency in data handling, and maintain compliance with evolving regulatory frameworks. Moving forward, these standards will continue to shape the landscape of data protection in healthcare, emphasizing the critical role of patient data privacy and security.

For organizations in the health sector, staying ahead of GDPR requirements is essential to safeguarding patient trust and maintaining compliance. As regulations continue to evolve, adopting best practices in data protection will be key to navigating future challenges.

Need guidance on data protection in healthcare? Let's connect!

Regards,

Diana