The European Health Data Space (EHDS) aims to create a common framework for accessing, sharing, and reusing health data across the European Union.
The EHDS was adopted on 11 February 2025 and entered into force on 26 March 2025. General provisions will take effect from 26 March 2027, with key rules on primary and secondary use of health data following on 26 March 2029 and 2031 respectively. Various technical and organisational measures will be phased in progressively by 26 March 2035.
One of the EU's most ambitious digital projects, the EHDS promises to improve healthcare systems, strengthen pandemic preparedness and prevention, and drive innovation in fields such as medical research and artificial intelligence.
The EHDS concerns a particularly sensitive category of personal data: health data. Under the General Data Protection Regulation (GDPR), health data is subject to the highest standards of protection. This raises a fundamental question: can the EHDS truly unlock the value of health data while upholding the strong privacy rights enshrined in the GDPR?
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), in their joint Opinion on the proposal (2022), argued that while the EHDS holds great promise, it would risk diluting rather than reinforcing individual rights unless carefully aligned with the GDPR. This was partly addressed in the final text of the EHDS, with Recital 52 anchoring EHDS secondary use in existing GDPR legal bases.
Digitalising healthcare in the EU
One of the most positive aspects of the EHDS is its commitment to digitalising healthcare systems. For the first time, individuals in the EU will have seamless access to their medical records in electronic format. Once the appropriate infrastructure is in place and relevant provisions apply, a patient treated in Berlin could, for example, instantly share their health history with a doctor in Madrid, avoiding delays and unnecessary duplication of tests. Such access is consistent with GDPR principles, particularly the right of data subjects to obtain copies of their personal data. It also reflects broader EU goals of mobility and integration within the single market.
Secondary use: where innovation meets risk
Secondary use refers to processing health data for purposes beyond the direct care for which it was originally collected, for example for research, policymaking, innovation, or training algorithms. There is no doubt that the secondary use of health data can bring immense benefits. It can accelerate the development of new medicines, improve disease surveillance, and strengthen health systems. During the COVID-19 pandemic, for instance, timely access to health data proved vital for monitoring the spread of the virus and testing vaccines.
The joint Opinion mentioned above raised concerns about the level of control individuals would have over the secondary use of their health data under the EHDS. Under the GDPR, there are strong safeguards around the use of special category data, including for further processing. The EHDS, however, introduces complementary, broad categories of permissible reuse in Article 53. The EHDS also defines secondary use purposes very broadly – ranging from development and innovation activities for products or services, to training of AI systems. According to the EDPB and EDPS, such open-ended definitions could create uncertainty and risk eroding GDPR protections.
There are, however, various safeguards around secondary use of health data which have been included in the EHDS to protect individuals, as well as provisions dealing with the interaction of the EHDS secondary use provisions with Articles 6 (lawful processing) and 9 (special category data) of the GDPR:
- Recital 52 EHDS says a GDPR Article 6 lawful basis (6(1)(a-c, e or f)) in conjunction with an Article 9(2) exemption from the prohibition on processing special category data is needed for processing secondary use personal electronic health data. It notes that the EHDS provides for a lawful basis including the safeguards required under GDPR Article 9(2)(g-j). It goes on to say that health data applicants should demonstrate an Article 6 GDPR lawful basis when making a request to access electronic health data and fulfil the conditions of Chapter IV GDPR. Member States are no longer allowed to maintain or introduce additional Article 9(4) GDPR conditions but under Article 51(4) EHDS, they are permitted to introduce stricter measures for certain types of secondary use data including wellness data.
- Article 54 EHDS lists purposes for which secondary processing is prohibited. This includes taking decisions (i.e. decisions which have a legal, social, economic or similarly significant effect) which have a negative impact on an individual based on their health data.
- Data access permits issued by the relevant health data access body will stipulate what can be done with secondary use data, effectively limiting the purposes and scope of secondary use on a case-by-case basis.
- Article 71 requires Member States to give individuals a reversible right to opt out of secondary data use except under certain Member State-specified circumstances with a strong public interest, or certain other stipulated circumstances.
- Further protections for individuals are included in Article 66 (and Recitals 53 and 72). Article 66 requires that the GDPR principles of data minimisation and purpose limitation be observed. It says secondary use data should be anonymised or, if that is not possible given the secondary use purpose, pseudonymised before being made available by a health data access body. The data needed to reverse the pseudonymisation should only be held by the health data access body or a trusted third party in accordance with national law.
- There are various requirements to store and process health data in secure environments. Article 73, for example, requires health data access bodies to provide access to data pursuant to a data permit using a secure processing environment, and Article 87 sets out further security requirements.
- Health data access bodies, trusted health data holders and health data access services are required to store and process personal electronic health data in the EU when performing pseudonymisation, anonymisation and any other personal data processing operations referred to in Articles 67 to 72, through secure processing environments. The data may, by way of exception, be stored in a third country which benefits from an EU adequacy decision under the GDPR.
While the extent of these protections may depend partly on how Member States implement the EHDS, there is a clear attempt to ensure that individuals are not disadvantaged by the secondary use provisions and that their fundamental rights are preserved.
Wellness data at a crossroads
Data from wellness and lifestyle apps is also included within the EHDS. These applications – from fitness trackers to sleep monitors – generate vast volumes of information. While not always classified as medical devices, they can reveal highly sensitive insights into diet, exercise, mental health, and even religious practices.
The EHDS treats these apps as potential data sources. However, unlike certified medical devices, wellness apps are not subject to the same strict quality or safety standards. Their data may be incomplete, biased, or collected without genuine informed consent. Worse still, they could enable intrusive profiling of individuals’ daily lives.
The joint Opinion therefore recommended either excluding wellness data from secondary use or requiring prior, GDPR-compliant consent before such data can be reused. Wellness data remains within scope for secondary use in the final legislation. While Article 48 now prohibits the sharing of all or part of the health data from wellness applications without consent in relation to Electronic Health Record systems (primary use), it does not introduce a consent requirement for secondary use. Secondary use of wellness data is, however, subject to the safeguards outlined above, including the ability for Member States to introduce stricter requirements under Article 51(4) EHDS.
Legal uncertainty: layering EHDS on top of GDPR
The GDPR already represents a complex, multi-layered framework. National laws across Member States add further layers of regulation, particularly in the health sector. By introducing EHDS-specific rights and obligations, the EU risks creating overlaps and inconsistencies. This is notwithstanding the fact that the EHDS does specify where it complements the GDPR and where it is without prejudice to it.
For example, the EHDS refers to rights of access and portability, but in ways that do not always mirror the wording of the GDPR. This could confuse patients, who may not know whether they are exercising a GDPR right or an EHDS right – and consequently whether the scope and remedies are the same.
The regulators in their joint Opinion stressed the importance of absolute legal clarity, raising concerns about the introduction of parallel rights that conflict with GDPR provisions or create uncertainties. They emphasised the importance of being clear about how EHDS rules fit within the GDPR architecture, and ensuring consistency across Member States. It may take some time before the full picture emerges as to whether or not this has been achieved.
Trust as the cornerstone
At the heart of the debate lies a simple truth: digital health initiatives succeed or fail based on public trust. If patients believe their data may be reused without their knowledge or consent, they may resist sharing it in the first place.
The EHDS has the potential to transform healthcare and research across the continent. It could create a truly integrated digital health ecosystem, delivering better outcomes for patients and society.
But innovation cannot come at the cost of rights. The GDPR is not a hurdle to overcome – it is the foundation on which trust is built.