On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here).  In early April 2024, we wrote several blog posts on EHDS based on a provisional compromise text.  We have now updated those to reflect the final version and included references to the correct provisions.

1. Basic structure has not changed

The basic idea behind the EHDS has not changed.  Holders of electronic health data will be required to make their data available to health data access bodies (HDAB), who, in turn, will make it available in a secure platform to data users who obtained a permit.  The data users can only download anonymous data from the platform.  According to the recitals, the anonymization should occur as early as possible in the chain so, in most cases, probably by the data holder (Recital 72 EHDS).  In our experience, “anonymization” of health data is a tricky topic, with different regulators and companies taking different approaches; to address this, the recitals to the EHDS provide that the Commission should set out a “unified procedure” for anonymization and pseudonymization (Recital 65 EHDS).

In exceptional cases, the data user may seek access to pseudonymized data, instead of anonymous data.  The data user must identify an appropriate legal basis for its intended use, such as legitimate interest (Art. 6(1)(f) GDPR).  A recital in the agreed text now indicates explicitly that the EHDS itself provides the safeguards required under Art. 9 GDPR for the processing of special category personal data, such as health data (Recital 52 EHDS).

The data covered by the EHDS has not substantially changed vis-à-vis the Commission proposal.  It still covers, for example, electronic health data from electronic health records, clinical trial data (the recitals, but not the legal text, limit this to data relating to trials that have ended, and there is also no explicit exclusion of trials closed prior to the entry into force of the EHDS – Recital 56 EHDS), data from wellness apps, genetic data, personal health data generated by medical devices and other health data from medical devices, data from registries, and data from research cohorts (but only after the first publication of the results).  Member States may add data categories at national level, and they may adopt national-level access limitations for certain sensitive data types, such as genetic data and biobanks.

2. Introduction of an opt-out

One of the most controversial topics of the EHDS was the introduction of a (reversible) right to opt-out for EU citizens.  The original Commission proposal did not contain such a right under the assumption (correct in our opinion) that the EHDS contained sufficient safeguards itself.  However, the European Parliament and some Member States disagreed and insisted on inserting a right to opt-out (Art. 71 EHDS). 

Member States will have to provide for an accessible and easily understandable opt-out mechanism.  After individuals opt out (“and where personal electronic health data relating to them can be identified in a dataset”), the data of those individuals must not be shared with data users, even in anonymous form.  Member States can adopt derogations from the opt-out rule (i.e., allow for the use of data despite an opt-out), but only in favor of certain secondary use by public bodies and under strict conditions.

Finally, the EHDS provides that data holders will not be required to collect and store personal data merely to comply with the opt-out rule.  In other words, pharmaceutical companies do not have to change their practices of only collecting pseudonymized clinical trial data, merely to meet the reversible opt-out choices of trial participants.

We expect that the opt-out rule will raise many questions in practice.  For example, the text is silent on the level of granularity required for the opt-out.  It is also unclear how the opt-out will be managed and by whom.  Member States can rely on the HDAB to do this, but they do not have to, which could lead to a divergence in approaches.  It is also unclear how the opt-out will work for data sets collected prior to the entry into force of the EHDS and where there is no easy link with the individuals (e.g., pseudonymized data).  Similarly, the reversibility of the opt-out choice will be difficult to implement for certain data sets even after the entry into force of the EHDS (e.g., for clinical trial data where only the hospital can make the link with the patient).

3. Improved language on IP protection

The original Commission proposal was quite cavalier in respect of IP rights.  The adopted text expands on this aspect of the EHDS through a more detailed regime on identifying IP-protected data and trade secrets, measures that the HDAB needs to take to protect the relevant data, and a possibility to refuse access in case of serious risks to IP-rights or trade secrets (Art. 52 EHDS).  The IP regime also includes a dedicated complaint procedure.  Still, the IP protections under the EHDS are quite weak and weaker than under the Data Act, despite the potentially higher value of the data concerned.

4. Limited data localization

While the European Parliament proposed sweeping data localization requirements for all electronic health data, the final text appears much more moderate.  In a nutshell, Member States can (but do not have to) require that personal electronic health data used for healthcare purposes (primary use) be stored in the EU (Art. 86 EHDS).

Similarly, in relation to secondary use, HDAB will have to store the data they process for purposes of the EHDS (i.e., the collection of data for sharing with data users, anonymization efforts and the delivery of the secure platform) in the Union or in a third country that provides adequate protection in accordance with the GDPR – thus including entities certified to the EU-US Framework (Art. 87 EHDS).  Certain Member States, such as France, have already indicated a desire to limit this to the EU and to exclude third countries that provide adequate protection.

Finally, in accordance with Art. 9(4) GDPR, Member States maintain the right to restrict or condition international transfers of personal electronic health data, for example to data users or processors outside the EU, above and beyond the conditions imposed by the GDPR itself.

5. Restrictions on international transfers of non-personal data

EHDS may restrict international transfers of non-personal data in two ways.

First, non-personal health data held by HDAB (but not trusted health data holders, apparently)  and made available for secondary use are considered “highly sensitive” (in accordance with the Data Governance Act), provided there is a risk of re-identification “through means going beyond those reasonably likely to be used” (otherwise it would be personal data to begin with).  For this non-personal data, the European Commission can set out protective measures in secondary legislation (Art. 88 EHDS).

Second, in relation to secondary use, HDAB and data users must prevent international transfers of non-personal data where such a transfer would create a conflict with Union or Member State law (Art. 89 EHDS).  Similar to the GDPR, transfers of non-personal data pursuant to a foreign court order or administrative decision are also restricted, unless the legal regime of the third country in question meets certain standards.  Subject to some exceptions, the data holder must be informed about the data request prior to the transfer.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.