3 July, 2024

Europe is currently spearheading its approach to the future of health-care data. It has two main aims: promoting the digitalization of health records and stimulating research. The former will be achieved by facilitating patient access to their records, while the latter allows access to health data in an anonymized or pseudonymized format, including other ‘secondary’ uses within the public interest. This entails a myriad of benefits, including foreign consultation where the patient so chooses.

Our previous article provided the baseline of the elements concerning the European Health Data Space (EHDS), such as its main purposes, the origin of the proposal, the elements of the framework and its main challenges. The regulatory procedure to implement the EHDS is at an advanced stage. Therefore, now is the time to analyze the EHDS’s developments and the progress made by both the European Institutions and Member States alike.

The Legislative Pathway

The relevance of this framework cannot go unnoticed, and this is one of the main reasons for the time elapsed between the European Union (EU) Commission’s proposal for this regulation (May 2022) and the recent political agreement between the European Parliament and the Council on that proposal in Spring 2024.

Despite the divergences and fragmented approach within Member States regarding the proposed framework towards digital health data in the EU, significant progress has been achieved during the last months. Crucially, the Council and European Parliament reached a provisional agreement on the EHDS’s final text on 15th March 2024, serving as a warm welcome to the life sciences (and related) industries. This means the EHDS is within the final stages of its adoption, whereby the most pertinent points have been agreed upon.

Interoperability is Key

Even when the adoption of the regulation has been finalized, the framework’s intended nature is reliant on Member States’ active participation in order to succeed. Admittedly, the latter does not currently impose a material obligation to set up systems or align existing ones for the cross-border sharing of electronic health records (EHRs). That said, certain jurisdictions have already taken the initiative in this regard, outside of the negotiations at EU level. This could be due to multiple factors, for example market awareness of the benefits this would have on national healthcare delivery, research and innovation, or the anticipation that the EHDS would be approved at EU level, leading to a pro-active approach.

For instance, 13 Member States have initiated the development of more centralized national systems to facilitate data access. However, there is currently no coordination at the EU level, resulting in fragmented systems with varying tasks despite shared similarities. Some Member States have established Health Data Access Bodies like Findata, French Data Hub, German Forschungsdatenzentren, among others.

In its attempt to propel digital health and streamline these efforts across all Member States, the EHDS remains an ambitious proposal. That said, the EHDS has ample potential, should it be implemented appropriately across the board.

In any event, standardized interoperability is crucial, and the approved text contains several considerations to achieve this:

  • It lays down two mandatory software components for the handling of EHRs when they are used for a primary purpose. One is identified as the ‘European interoperability component for EHR systems’ and the other is the ‘European logging component for EHR systems’;
  • It establishes a cross-border infrastructure, thereby enabling the use of electronic health data for both primary and secondary purposes; and
  • It establishes coordination and governance at the national and European level to accomplish its goals.

Main Elements in the EHDS

It is important to highlight that the EHDS will be complementary to the GDPR. Therefore, all roles and players within the latter shall play an important role in this new landscape. That said, the EHDS will bring about new parameters to the equation, alongside the need for their efficient interplay:

  • Health Data Holder: Art. 2.2(y) of the proposal. This mainly refers to any natural or legal person, public authority, entity, agency, or other body, including Union institutions, in the healthcare or care sectors, as well as entities in close relation to them. This includes those performing research in relation to the healthcare or care sectors, among others, that either:
    • Are under the legal obligation to process personal electronic health data, or
    • Have the ability to handle non-personal electronic health data through control of the technical design of a product and related services.

Notably, this extensive concept is directly linked to Art. 33 of the text, which foresees the obligation of these bodies to make electronic data available for secondary use in the terms of such clause.

  • Health Data User: Art. 2.2(z) of the proposal. It involves any natural or legal person, including EU institutions, which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorized participant in HealthData@EU. While this permit is directly linked to the lawful purposes listed in Art. 34, the industry to which these users belong is not relevant for such a grant. This means that, in contrast to the previous concept, data users need not be part of the healthcare or a related industry.
  • Health Data Access Body (HDAB): Arts. 36-39 of the proposal. This refers to the bodies responsible for granting access to electronic health data for secondary purposes. Member States have the obligation to designate one (or more if they opt for a regional approach, although a federal coordinator and a point of contact shall be appointed in this case) and provide them with the necessary resources for their functioning. Regarding their interplay with national Ethics Committees, the proposal limits this interaction to two situations: it highlights the obligation of HDABs to cooperate with them and to involve them in the evaluation of requests related to pseudonymized health data when mandatory under national legislation.
  • HealthData@EU: 52 of the proposal. This concerns the cross-border infrastructure for secondary use of electronic health data that will connect the national point of contact and provide a centralized platform aiming to provide a secure processing environment. It will be operated by the EU Commission, and it will allow the national contact point, authorized participants (e.g., third countries or international organizations complying with the necessary actions required for Member States to build their capacity to interact in the EHDS) and EU bodies participating in research or health policy (e.g., the European Medicines Agency, among others) to connect and participate in the HealthData@EU. For this, they shall acquire the required technical capability.

Evolution at national level

As anticipated at the beginning of this article, during the previous years some countries have developed their infrastructure and workings in relation to the EHDS. This level of preparation requires various actions. This includes infrastructure for handling the health data, legal provisions, initiatives for data governance, assignation of resources, creation of a Health Data Authority and capacity building for the connection with HealthData@EU (for both primary and secondary use). For the purposes of this article, we will focus on the steps carried out regarding the creation of a Health Authority or point of contact and the status of the infrastructure to be able to interact with the central platform for data sharing for secondary use.

Recently, in January, Belgium inaugurated its national Health Data Agency (HDA), created under the Act of 14 March 2023. It aims to establish a secure and privacy-respecting digital health landscape, including methods and policies for data exchange.

Some relevant points regarding the HDA:

  • The HDA will facilitate access to health care data (primary purpose) for research, policy making, and innovation (secondary processing).
  • It will collaborate with the Belgian health care ecosystem to foster cross-region data sharing.
  • It will manage a data catalog providing interested parties (e.g., pharmaceutical companies, researchers, health care professionals) with the details needed to access such data, such as the custodian, type of data and description, among others.
  • Additionally, its operational framework is designed to ensure interoperability with the future EHDS and, according to the HDA’s 2023 report, it will perform the role of health data access body.

Finland was one of the pioneers in Europe, with specific legislation regarding the secondary use of health data adopted in May 2019: the Act on the Secondary Use of Health and Social Data, which concerns the processing of personal data for secondary use. The Act regulates a national process for access requests (e.g., secure environments for the handling of data, supplying the minimum amount of data necessary in each case, removal of identifiers from the data) and the tasks of the Finnish Social and Health Data Permit Authority (‘Findata’).

Additionally, Findata is leading the creation of common forms for requests concerning secondary use of health data for the EHDS. These forms will provide the HDABs with the necessary information to assess whether permission to use the data can be granted, following the requirements of the upcoming EHDS and the GDPR. The development of these forms is based on Findata’s internal application forms and its experience during its five years of operation.

The Luxembourg National Data Service (LNDS) was established in 2022 as a national organization providing trusted data services, including for health data, to public and governmental institutes. Through this, Luxembourg has proven to be quite advanced in terms of alignment with the EHDS. Additionally, the LNDS has been tasked with the national implementation of the EU Data Governance Act and will collaborate with the Ministry of Health on designing the health data access body for Luxembourg. It is also actively contributing to the Data Spaces Support Centre, which coordinates the development of the nine planned European data spaces and works towards common standards and interoperability between them.

Germany has passed several laws to support the digitalisation and use of health data. These include the Digital Act (DigiG), the Hospital Transparency Act, and the Act to Improve the Use of Health Data (‘GDNG’), which aims to develop a decentralised health data infrastructure. The latter has already been approved and will come into force on January 1st 2025. It foresees the creation of a Health Data Lab (‘Forschungsdatenzentrum Gesundheit’), which will be a central data repository and coordination point to enable access to research data from various sources, while also providing data via a secure processing environment. In particular, this Act aims to prepare Germany for the European Health Data Space.

France has set up several platforms for access to health information. The most notable is the Health Data Hub. This was created in 2019 and has both centralized and structured the process for researchers and public bodies to obtain access to data from the French health system, the National System for Health Data (‘SNDS’). The Health Data Hub is currently piloting the HealthData@EU secondary use infrastructure for the implementation of the EHDS.

In order to further harmonize health data governance at the local level, a Strategic Committee for Health Data was established in 2023 which provides health institutions a health data standardizing access requests and evaluation in line with national governance rules (EIT Health France, 2024).

The Shared Services of the Ministry of Health (‘SPMS’) has the status of National eHealth Agency in Portugal and manages information systems that support the daily activity of health professionals in the Portuguese National Health System.

Within the SPMS, a coordination group for “Secondary use of health data” requests has been established to manage requests for health data for secondary use purposes. This group reviews requests to be submitted to the Data Protection Officer, ensuring a single point of entry and a seamless methodology for researchers from request to data sharing. It manages and oversees the entire process, from request to data sharing. Finally, there is an EU-funded action aiming at the technical implementation of the Health Data Access Body in Portugal (HealthData@PT).

Member States’ willingness to anticipate the EHDS’s implementation is well received. Overall, there is broad acceptance of the EHDS’s benefits for patients and stakeholders alike. These range from ease of access on the one hand, to trust, transparency and compliance on the other. Notwithstanding the above, there are still ongoing discussions regarding the interplay between the GDPR and other health-related legislation.

Author: Victoria Derumier

DPO & Belgian Entity Director

Author: Michelle Ayora

Data Protection Lawyer