In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted.  This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.

1: Governance

    The EHDS establishes a new independent advisory and regulatory body, the European Health Data Space Board (EHDS Board) to facilitate the exchange of information and cooperation among Member States and with the European Commission.  The Board has a wide remit, albeit a consultative one.  In respect of secondary use of health data, for example, it will assist Member States in coordinating the practices of their Health Data Access Bodies (HDABs), exchange best practices that help the Commission in preparing its secondary legislation, and share information on identified risks and incidents in relation to the secondary use of health data.

    The EHDS Board will be composed of two representatives per Member State, one nominated for primary use (health care) and the other for secondary use (scientific research).  It will be co-chaired by one representative of the EU Commission and one representative of the Member States.  The Board can also draw on external experts.

    In addition to the EHDS Board, the EHDS creates a “stakeholder forum” through which relevant stakeholders can advise the EHDS Board by providing practical views on their respective sectors.  The stakeholders forum will be composed of, but not limited to, representatives of the pharmaceutical industry, health professionals, consumers, patients, and scientific researchers.  Commercial and non-commercial interests will need to be equally represented.  The members will be appointed by the EU Commission following an open call for interest. 

    2: Enforcement

    The EHDS contains a dedicated enforcement section in relation to the secondary use of health data.  Enforcement is primarily attributed to each Member State’s HDAB, which have to monitor compliance by data holders and data users and may request information from them as needed to verify such compliance.  In addition, individuals have a right to lodge a complaint (individually or collectively) with the HDAB. 

    In particular, the HDAB has the power to:

    • revoke a health data user’s permit and exclude a data user from EHDS for up to five years;
    • fine a data holder who refuses to share data, with periodic penalty payments (the amount of which will be established under national law) and, in case of repeated breaches, exclude the data holder from access to EHDS data as a data user, while being required to share as a data holder;
    • inform other HDABs of such measures – the Commission will set up an IT tool for this purpose; and
    • inform the Data Protection Authorities of any possible breach of the GDPR.

    In addition, the HDAB can impose an administrative fine on data users and to a lesser extent on data holders.  The fining language in the EHDS is quite similar to that of the GDPR and so are the potential fines.  Minor infringements by data users can be subject to fine of up to €10 million or, in case of an undertaking, 2% of the total worldwide annual turnover of the preceding financial year.  Some violations, however, can be subject to a fine of up to €20 million or, in case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year.  Violations subject to these increased fines include:

    • a data user using data for prohibited purposes;
    • a data user extracting personal data (instead of anonymous data) from the HDAB’s secure processing environment – presumably by circumventing protections put in place by the HDAB;
    • a data user trying to re-identify individuals; and
    • a data user or data holder not complying with an HDAB’s enforcement measures.

    As an exception to the above, Data Protection Authorities are responsible for enforcing the EHDS opt-out of individuals, in accordance with the enforcement provisions of the GDPR.

    Finally, individuals have the right to receive compensation for material or non-material damage suffered as a result of an infringement of the EHDS by a digital health authority, a health data access body, a health data holder, or a health data user, in accordance with national and Union law.  They also have the right to mandate a non-profit organization, with statutory objectives that are in the public interest, constituted in accordance with Member State law and active in the field of data protection, to lodge a complaint on their behalf.  These organizations would be the same as those that may represent individuals under the GDPR.  According to the recitals, the concept of damage should be interpreted broadly in light of the case law of the Court of Justice of the EU (see our blog here for more on the emerging EU case-law on non-material damages).

    3: Timelines

    The EHDS is massive endeavor that will require some time to put in place, both for regulated companies and for government bodies.   In this series of blog posts we focused on the secondary use of health data, but the EHDS also contains important chapters of electronic health records and cross border health care, which will also require much effort and funding from Member States.  As a result, the timelines for implementation of the EHDS are quite long.

    In relation to secondary use specifically, the EHDS obligations will start applying four years after its entry into force (i.e., around 2028), except that for some data categories, such as clinical trial data and human genetic data, for which the grace implementation period extends to six years instead (i.e., around 2030).  The European Commission’s ability to recognize third countries, such as the UK and Switzerland, to participate in EHDS is even deferred for ten years – though this does not automatically exclude data users from third countries from participating in the EU EHDS (see our blog post on data users here).

    Photo of Kristof Van Quathem Kristof Van Quathem

    Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

    Kristof has been specializing in this area for over twenty…

    Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

    Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

    Kristof is admitted to practice in Belgium.