In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

1: Health data users

    Under the EHDS, data holders will be required to make their electronic health data available to public health data access bodies (HDABs), who, in turn, will make it available on a secure processing environment to health data users who obtained a permit.

    The term “health data user” covers any natural or legal person, including Union bodies, that have been granted a permit to access health data for secondary use (that is, for uses other than the use for which the data was originally collected). 

    2: Allowed and prohibited uses

    The EHDS sets out a list of purposes for which secondary use of health data is allowed.  The list of purposes is quite broad and both policy and research-oriented.  It includes, among other things, scientific research related to health, including development and innovation activities for products and services and training, testing and evaluating algorithms, AI systems and digital health applications.  According to the recitals, “scientific research” must be interpreted in a broad manner:

    “including for example technological development and demonstration, fundamental research, applied research and privately funded research. Examples are innovation activities including training of artificial intelligence algorithms that could be used in healthcare or care of natural persons, as well as the evaluation and further development of existing algorithms and product for such purposes. The EHDS should also contribute to fundamental research; while the benefits to end-users and patients may be less direct in fundamental research, such research is crucial for societal benefits in the longer term.”

    The EHDS also prohibits certain secondary uses, such as using data for marketing purposes or to take decisions detrimental to a person or group of persons.  In addition, when receiving access to health data, health data users are prohibited from attempting to re-identify individuals or from giving access to third parties not mentioned in the data permit.

    3: Permit

    Health data users who want to access health data have to submit a data access application to the HDAB and obtain a permit.  The EHDS sets out in detail what information the application must contain, for example, the list of persons who will have access to the data, the purposes for which the data will be used and the expected benefit, when relevant why pseudonymized data is required (instead of anonymous data), the legal basis under Art. 6 GDPR for accessing the data, and the period for which access is required.

    If a health data user seeks access to health data of several data holders in different Member States, it can file one access requests with its HDAB, which will then coordinate with the others.  Each relevant HDAB, however, decides independently on whether to grant a permit to access the data within its remit.

    The HDAB must decide on whether to grant the permit within three months, though this may be extended by another three months, if necessary.  The health data users should then receive access to the data within two months after receiving the permit, although that time period can also be extended if necessary.  Health data users may be granted access to the requested data in the HDAB’s secure processing environment for a period up to ten years, which can be prolonged if justified.

    4: Publications

    Once a health data user obtained its permit and access to the requested data, it has to publish a report with the (anonymous) results of its research within 18 months after the completion of the processing in the secure processing environment.   Health data users must indicate in the report that the data was obtained through the EHDS. 

    In addition to the above, the HDAB must make publicly available in an easily searchable manner:

    • all health data access applications received from health data users;
    • all health data permits granted to health data users; and
    • the results communicated by health data users.

    The protections in EHDS for IP-rights and trade secrets do not extend to the research being performed on the basis of EHDS data.  This means that research strategies pursued by health data users will be made public through the HDAB.

    5: Data users in third countries

    Under the EHDS, health data users from third countries can also make an application to access data from an HDAB.  However, this only applies if their country of establishment (i) participates itself in the EHDS, following a Commission decision establishing that the third country concerned provides an equivalent data access system and protections, or (ii) allows EU applicants to have access to their data on similar terms as in the EHDS and also subject to a Commission decision establishing this.

    6: Data controllers

    When health data users receive access in the HDAB’s secure processing environment to pseudonymized health data, subject to the GDPR, they qualify as data controller for that use (and the HDAB qualifies as a processor). 

    In this case, the health data user must also establish a GDPR legal basis for its processing.  According to the recitals to the EHDS the appropriate legal basis will most likely be the user’s legitimate interest or a public interest (most likely for data users that are public bodies).  For the processing of sensitive personal data (such as health data), Art. 9 GDPR also requires data controllers to demonstrate they can rely on a derogation, often with associated safeguards.  The recitals to the EHDS state that the EHDS  itself provides the safeguards referred to in Art. 9 GDPR.  While it is not entirely clear, this suggests that each time an Art. 9(2) GDPR derogation refers to Union law to activate the derogation (for example for scientific research in Art. 9(2)(j) GDPR), the EHDS would serve as that Union law.

    Email this postTweet this postLike this postShare this post on LinkedIn
    Photo of Kristof Van Quathem Kristof Van Quathem

    Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

    Kristof has been specializing in this area for over twenty…

    Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

    Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

    Kristof is admitted to practice in Belgium.