The European Health Data Space — From approval to national implementation

5 Sep 2024

New European rules promise to unlock the value of health data for research and innovation, as long as implementation and interpretation challenges can be overcome. 

By Julian Sellner, Adrian Thorogood, and Fruzsina Molnar-Gabor 

The Regulation on the European Health Data Space (EHDS), approved by the European Parliament in April 2024, promises to empower patients to access and control their electronic health data, enable healthcare providers to access patient data with consent throughout the European Union (EU) for better healthcare (primary use), and also require the sharing of anonymised or pseudonymised health data for better research, innovation, and policy-making (secondary use) (link). For secondary use, the EHDS will provide secure digital infrastructure for data sharing, a governance framework and rules, and common standards and practices, contributing to the realisation of open science in the health sector (link). Genetic and genomics data fall under the concept of health data and will also be made more readily available. The success of the EHDS now relies crucially on Member State action and implementation. 

Data access opportunities and data sharing obligations

The EHDS Regulation essentially gives researchers and other health data users a right to access electronic health data for a permitted research, innovation, or public policy purpose, if certain conditions are met (Art 45, 46). This includes access to aggregate statistics, anonymised data, or pseudonymised data (where justified as necessary). Approved health data users must only use data for the approved purpose, ensure confidentiality and privacy, and generally make their results or outputs publicly available within 18 months (Art 4(a)(3)).

Countries must designate Health Data Access Bodies (HDABs) to review data access applications, issue data permits, publish information about approved uses, and oversee compliance (Art 36). In Germany, the competent HDAB will be established at the Federal Institute for Drugs and Medical Devices (BfArM). These bodies also act as intermediaries who obtain data from data holders, prepare and anonymise or pseudonymise data, and provide users with data access in secure processing environments (Art 37). Download or export of personal data is not permitted. 

Most health data holders (e.g. research institutions) across the EU are required to make a wide range of electronic health data available in a timely manner for secondary use (Arts 33, 41). Health data holders must also provide descriptions of their data holdings for publication in a dataset catalogue.  Research data can be exceptionally withheld until completion of a clinical trial or publication of a research study (Rec 39). A single data holder can also be designated to handle access directly. This may be a promising, streamlined option for national genomics initiatives. 

The EHDS provides legal certainty by clarifying General Data Protection Regulation (GDPR) controller and processor roles, in addition to the lawful grounds for processing health data by data holders, HDABs, and data users (Art 51, Rec 37). Member States may still, however, introduce stricter measures and safeguards on the processing of human genetic and various types of -omics data, due to their “‘sensitivity and value’’ (Art 33). Concerns also remain that mandatory sharing will affect IP rights and commercially sensitive information (link).

Cross-border access

Cross-border access is to be facilitated by the HealthData@EU digital infrastructure, consisting of national contact points responsible for providing cross-border access  and a central platform to be set up by the Commission (Art 52(1), Art 2(2)(x)). Existing European research infrastructures are meant to connect to HealthData@EU (Art 52(4)). Health data from multiple countries can be requested through a single HDAB, though each HDAB remains responsible for approving data under its remit. The EHDS Regulation encourages mutual recognition between HDABs (Art 46(3)), though this ambition is likely to be complicated by national interpretive differences (link).

Third country transfers of health data within the EHDS 

The EHDS Regulation foresees participation of third countries or international organisations (Art 52(5)). In order to participate, the third country must provide access to Union data users on equivalent terms and conditions (reciprocity principle), and comply with the rules of the EHDS Regulation as well as Chapter V of the GDPR. Member States may introduce further conditions, including limitations on international data access and data transfers (Art 63). Non-personal health data is not covered by the GDPR but is deemed as highly sensitive and thus may be subject to specific protective measures (Art 61(1)).

Implementation challenges for Member States

Member States must, among other tasks, designate an HDAB and a national contact point and provide sufficient material and human resources and expertise to set up secure processing environments, identity management systems, and administrative procedures for data access applications. Member States shall also provide an accessible and easily understandable mechanism for individuals to exercise their right to opt out of most types of secondary use. Exceptions are only made for certain important public interest uses under strict safeguards (Art 35(f)), raising concerns for researchers about biased and patchy datasets (link).

We commend the core principle of the EHDS that electronic health data, regardless of type or source, is a common resource that must be put to use for societal benefit, with due attention to data protection. The proof of this principle, however, depends on implementation of the national ecosystems and cross-border connections. Given the formidable scope of these tasks, time is of the essence, as the EHDS rules on the secondary use of health data will apply four years after the Regulation comes into force, around 2028 (with extensions for clinical trial and human genetic data until 2030). The prospects for direct international participation and data access are unfortunately even more distant, and given the strict standard and procedure for reciprocity, might remain out of reach for an unforeseeable period. 

Further Reading

Council of the European Union, Proposal for a Regulation on the European Health Data Space – Analysis of the final compromise text with a view to agreement (18 March 2024) 

European Commission. Q&A on the European Health Data Space. 24 April 2024 https://ec.europa.eu/commission/presscorner/detail/en/qanda_24_2251.

European Data Protection Board, “EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space | European Data Protection Board.” https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-032022-proposal_en.

Kristof Van Quathem, European Health Data Space: Revolutionizing Health Care, Scientific Research in the EU. (23 May 2024) IAPP https://iapp.org/news/a/european-health-data-space-revolutionizing-health-care-scientific-research-in-the-eu.

Staunton, Ciara, Mahsa Shabani, Deborah Mascalzoni, Signe Mežinska, and Santa Slokenberga. “Ethical and Social Reflections on the Proposed European Health Data Space.” European Journal of Human Genetics, February 14, 2024, 1–8. https://doi.org/10.1038/s41431-024-01543-9.

Shabani, Mahsa. “Will the European Health Data Space Change Data Sharing Rules?” Science 375, no. 6587 (March 25, 2022): 1357–59. https://doi.org/10.1126/science.abn4874.

Elizabeth Redrup Hill, PHG Foundation: European Health Data Space (October 2023) https://www.phgfoundation.org/wp-content/uploads/2023/10/The-European-Health-Data-Space-briefing.pdf

Elizabeth Redrup Hill, PHG Foundation: The European Health Data Space has arrived (June 2024) https://www.phgfoundation.org/blog/the-european-health-data-space-regulation-has-arrived/ 

Julian Sellner is a research assistant at the Chair of Prof. Dr. Molnár-Gábor and a trainee lawyer at the regional court Heidelberg.

Adrian Thorogood is Legal Advisor and Data Governance Manager for the Terry Fox Research Institute in Canada and co-editor of the Forum. 

Fruzsina Molnar-Gabor is Professor of International Health and Medical Law as well as Data Protection Law at Heidelberg University and co-editor of the Forum.