Secondary Use of Health Data: What the European Health Data Space Changes

PostedMarch 21, 2025

ByIuliia Gorshkova

The secondary use of health data represents one of the most significant shifts in the European research and innovation landscape, moving from fragmented national initiatives to a harmonized, cross-border framework. For decades, the reuse of electronic health records, genomic data, and patient registries for research, policy-making, and product development has been constrained by a patchwork of national laws, varying interpretations of consent, and technical barriers preventing data interoperability. The proposed European Health Data Space (EHDS) aims to resolve these structural inefficiencies, creating a dual-purpose infrastructure that supports both primary care delivery and secondary use for research and innovation. This transformation is not merely technical; it redefines the legal basis for data access, establishes new roles for data intermediaries, and introduces a regulatory environment where compliance is intrinsically linked to data architecture.

Understanding the impact of the EHDS requires a precise analysis of how it interacts with existing legislation, most notably the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), and the upcoming AI Act. While GDPR provides the fundamental rights framework for processing personal data, the EHDS operationalizes these rights for the specific context of health data reuse, creating “health data access bodies” (HDABs) that act as trusted third parties. For professionals in biotech, robotics, and health AI, the EHDS signifies a transition from ad-hoc data sharing agreements to a standardized, albeit complex, regulatory pathway that promises legal certainty in exchange for rigorous governance.

The Legal Architecture of Secondary Use

To grasp the operational changes brought by the EHDS, one must first distinguish between the legal grounds for processing under GDPR and the procedural access mechanisms established by the EHDS Regulation. The GDPR does not prohibit secondary use; it merely requires a valid legal basis. Historically, research organizations have relied heavily on Article 6(1)(a) (consent) or Article 6(1)(e) (public interest/task). However, the reliance on consent has proven burdensome for large-scale research, often necessitating dynamic consent models or complex waivers.

The EHDS introduces a new paradigm by explicitly recognizing specific legal grounds for secondary use that are distinct from primary care processing. It builds upon the GDPR’s “scientific research” exemption found in Article 89, but adds a layer of administrative authorization. Under the EHDS, access to health data for secondary use is generally granted through a health data access body (HDAB). This body acts as a gatekeeper, verifying that the intended use complies with the regulation and that appropriate safeguards are in place.

Interplay with GDPR Articles 89 and 9

A critical technicality for legal practitioners is the relationship between the EHDS and Article 9 of the GDPR, which governs the processing of special category data (including health data). Article 9(2)(j) allows processing for scientific research purposes when authorized by Union or Member State law. The EHDS Regulation serves as that specific authorization law at the EU level.

However, the EHDS does not override the requirement for a lawful basis under Article 6. Consequently, even when an HDAB grants access, the research institution must still satisfy the conditions of GDPR. The EHDS simplifies this by providing a standardized “research permit” that can serve as evidence of compliance, but the underlying legal justification remains rooted in the GDPR framework. This creates a “dual-gate” system: the HDAB gate (procedural and technical) and the GDPR gate (legal and ethical).

The Role of the Data Governance Act (DGA)

The EHDS does not exist in a vacuum. It is closely linked to the Data Governance Act (DGA), which establishes the general framework for data sharing mechanisms, such as data intermediaries and data altruism. The DGA focuses on creating trust and facilitating data sharing across sectors. The EHDS is the sector-specific implementation of these principles for health data.

Specifically, the EHDS creates the concept of personal health data spaces. These are digital environments where individuals can store, access, and share their health data. While the primary focus is on the individual’s control over their data for primary use (e.g., sharing with a doctor in another Member State), the infrastructure supports secondary use by ensuring data is collected and stored in interoperable formats. For biotech companies, this means that data generated in clinical settings or by wearables (if integrated into the EHDS ecosystem) will eventually become more accessible through the secondary use pathways, provided the data is structured according to the EHDS specifications.

Health Data Access Bodies (HDABs): The New Gatekeepers

Perhaps the most significant institutional innovation of the EHDS is the establishment of Health Data Access Bodies in each Member State. These bodies are designated national authorities responsible for processing applications for secondary use. They are the central pivot around which the secondary use ecosystem revolves.

The HDAB is not merely a regulator; it is an active facilitator. Its tasks include verifying the legality of the request, ensuring the applicant has the technical capacity to process the data securely, and coordinating with other HDABs for cross-border requests. For a biotech firm seeking access to oncology data from multiple countries, the HDAB in the firm’s home country will act as the single point of contact, communicating with the HDABs in the data-holding countries. This “single information point” mechanism is designed to reduce the administrative burden that currently plagues cross-border research.

Verification and Compliance Checks

When an applicant submits a request to an HDAB, the body performs a rigorous verification process. This includes:

Legitimacy of Purpose: Ensuring the request falls under permitted secondary uses (research, innovation, policy-making, training of AI algorithms).
Data Minimization: Verifying that the request is limited to the minimum necessary data required to achieve the objective.
Technical Security: Assessing the applicant’s ability to process data in a secure environment (e.g., via secure processing environments or “data clean rooms”).

It is important to note that the HDAB does not typically transfer the raw data to the applicant. Instead, the applicant is usually granted access to process the data within a secure processing environment (SPE) controlled by the HDAB or a trusted third party. The results of the analysis (e.g., statistical outputs, trained AI models) are then exported after a validation check to ensure they do not contain re-identifiable information.

Access Rules and Permitted Uses

The EHDS Regulation defines a specific list of purposes for which secondary use is permitted. This “whitelist” approach provides legal certainty, contrasting with the more ambiguous “research purposes” definition in GDPR case law. For professionals in biotech and AI, understanding these categories is essential for project planning.

Research, Innovation, and Policy-Making

The primary beneficiaries of the EHDS secondary use framework are entities engaged in:

Scientific Research: This includes life sciences research, epidemiological studies, and clinical trial planning.
Innovation: Specifically, the development and testing of products and services. This is crucial for the AI and MedTech sectors, as it explicitly covers the training and validation of algorithms.
Statistics and Policy-Making: Public bodies can access data to inform health policy and measure the performance of health systems.

Crucially, the regulation allows for the use of data to train, validate, and test AI systems. This is a major development. Previously, the legality of using patient data to train algorithms was a gray area, often debated under the “compatibility” test of GDPR Article 5(1)(b). The EHDS explicitly validates this use case, provided the AI system is intended to improve diagnosis, treatment, or health outcomes.

Commercial vs. Non-Commercial Use

The EHDS distinguishes between non-commercial and commercial research, but it does not prohibit the latter. Commercial entities, such as pharmaceutical companies or AI startups, are eligible to apply for data access. However, the regulation imposes stricter scrutiny on commercial requests to ensure that the public interest in data reuse is balanced against private profit motives.

In practice, this means that commercial applicants may be required to demonstrate how their project contributes to the public good (e.g., developing a new therapy for a rare disease) and may face different fee structures. Member States are allowed to charge fees for data access to cover the administrative costs of the HDABs, and these fees may vary depending on the applicant’s status (SME, large enterprise, non-profit).

Safeguards and Privacy-Enhancing Technologies (PETs)

The EHDS is built on the premise that data security and privacy are prerequisites for trust. The regulation mandates the use of specific safeguards that go beyond standard GDPR compliance. For data scientists and IT architects, these requirements dictate the technical stack used for data processing.

The Secure Processing Environment (SPE)

The concept of the Secure Processing Environment is central to the EHDS. It is a technical infrastructure where data is processed and where the results of the processing are scrutinized before release. The EHDS mandates that:

Raw data should not leave the SPE.
Access to the SPE must be strictly controlled (e.g., multi-factor authentication, IP whitelisting).
The environment must support Privacy-Enhancing Technologies (PETs).

PETs are not just recommended; they are a core requirement. This includes techniques such as:

Encryption: Data must be encrypted at rest and in transit. Homomorphic encryption, which allows computation on encrypted data without decrypting it, is highlighted as a best practice.
Trusted Execution Environments (TEEs): Hardware-based security that isolates data processing from the rest of the system.
Differential Privacy: Adding statistical noise to datasets to prevent re-identification of individuals in the output.

Re-identification Prohibition

A strict prohibition applies to any attempt to re-identify individuals from the data provided. The regulation explicitly states that any attempt to re-identify individuals constitutes a breach of the regulation and will be subject to significant penalties. This aligns with the GDPR’s view that re-identification is generally prohibited unless the controller has a legal basis to do so (which is rare in secondary use contexts).

Furthermore, the results exported from the SPE are subject to an ex-ante check by the HDAB (or an automated tool approved by the HDAB) to ensure that the output does not contain personal data or that the risk of re-identification is negligible. This “output control” mechanism shifts the burden of privacy protection from the data subject to the data user and the regulator.

Cross-Border Access and the EHDS Portal

One of the most ambitious aspects of the EHDS is the creation of a cross-border infrastructure. Currently, a researcher in Italy wishing to access data from Germany must navigate two different legal systems, two different languages, and two different technical standards. The EHDS aims to solve this through a federated system.

The Single Point of Contact

The EHDS establishes a network of HDABs that communicate via a standardized digital infrastructure. A researcher submits a single application through a central portal (or the national HDAB portal, which connects to the European network). The HDAB in the researcher’s country of establishment validates the application and forwards the relevant parts to the HDABs in the data-holding countries.

This mechanism is similar to the “one-stop-shop” mechanism in GDPR enforcement, but adapted for data access. It significantly reduces the time to access data, which is a critical factor in fast-moving fields like AI development and pandemic response.

Interoperability and Common Standards

For data to be accessible across borders, it must be interoperable. The EHDS relies heavily on the European Health Data Space Code of Practice, which defines common data formats, terminologies (such as SNOMED CT, LOINC), and metadata standards.

For healthcare providers and software vendors, this implies a compliance burden: systems must be updated to export data in EHDS-compliant formats. However, for the secondary use ecosystem, this standardization is a prerequisite. It ensures that a dataset from Spain can be merged with a dataset from Finland without extensive manual cleaning, enabling larger, more powerful studies.

Interaction with the AI Act

The convergence of the EHDS and the EU AI Act creates a specific regulatory environment for AI in healthcare. The AI Act classifies AI systems intended to be used as safety components in the regulation of health and safety (e.g., in medical devices) as High-Risk AI Systems.

Training such systems requires vast amounts of high-quality data. The EHDS provides the legal and technical pathway to acquire this data. However, the AI Act imposes strict requirements on data quality, bias mitigation, and robustness. Therefore, using EHDS data is not a “free pass” to train any model; the resulting AI system must still comply with the AI Act’s requirements.

Data Quality and Bias

When accessing data through the EHDS for AI training, developers must be aware of the “Garbage In, Garbage Out” principle, which is now legally codified in the AI Act. If the data accessed via EHDS is biased (e.g., underrepresenting certain demographics), the resulting AI system may be non-compliant.

The EHDS framework allows researchers to query the metadata of datasets before accessing them to assess their suitability. This includes information on the provenance of the data, the population it represents, and the collection methods. This transparency is intended to help developers fulfill their obligations under the AI Act regarding data quality.

National Implementations and Divergences

While the EHDS is a Regulation (meaning it applies directly in all Member States without needing transposition into national law), it leaves room for national implementations regarding certain procedural details and the designation of HDABs. Furthermore, existing national health data access initiatives are not immediately abolished; they will coexist with the EHDS during a transition period.

Comparative Examples: France, Germany, and the Netherlands

Several European countries have already established advanced frameworks for health data reuse, which serve as precursors to the EHDS.

France (Health Data Hub): France established the Health Data Hub to create a trusted platform for health data access. The French model is heavily influenced by the concept of a “data intermediary,” which aligns well with the EHDS. The Health Data Hub already utilizes secure processing environments and focuses on facilitating access for AI development.
Germany: Germany has a more fragmented approach due to its federal structure. The Digital Healthcare Act (DVG) has pushed for data availability, but strict interpretations of data protection by German authorities often create hurdles. The EHDS is expected to harmonize these strict interpretations by providing a clear EU-wide standard, potentially easing access to German hospital data for cross-border research.
The Netherlands (Health-RI): The Netherlands has focused on creating a “data infrastructure” rather than a single platform. Health-RI connects various regional data hubs. The EHDS will likely integrate with these existing infrastructures, acting as a federated layer on top of the national initiatives.

For international companies, the key takeaway is that while the EHDS standardizes the application process, the underlying data governance culture (e.g., the strictness of ethical reviews) may still vary slightly between countries. However, the “consistency mechanism” within the EHDS allows the European Commission to oversee national HDABs to ensure uniform application of the rules.

Practical Implications for Biotech and AI Practitioners

For professionals working in biotech and AI, the EHDS requires a shift in operational strategy. The era of informal data sharing agreements or “data scraping” from public sources is ending. Future data access will be formalized, audited, and technically constrained.

Preparing for Data Access Applications

Entities wishing to utilize health data for secondary use should prepare by:

Defining Precise Use Cases: Vague research proposals will likely be rejected. Applications must specify the exact variables needed, the analytical methods to be used, and the intended output.
Assessing Technical Infrastructure: Organizations must demonstrate they can interact with Secure Processing Environments. This may require investing in cloud infrastructure or partnering with specialized data processors.
Understanding Fee Structures: Budgeting for data access will become a standard line item. While non-commercial research may be subsidized, commercial access will incur costs that reflect the administrative and technical resources required to facilitate the access.

The Role of Data Altruism

The EHDS also promotes “data altruism,” where individuals voluntarily donate their data for the public good. The regulation establishes a national register of data altruism organizations. For researchers, accessing data from altruism registers can be a faster route than accessing routine administrative data, as the consent basis is often clearer. However, this data may suffer from selection bias (only certain types of individuals donate), which must be accounted for in research design.

Risks and Challenges

Despite the promise of the EHDS, significant challenges remain. The implementation timeline is aggressive, and the technical infrastructure required is complex.

Legal Risks: There is a risk of “regulatory overlap.” If an HDAB grants access to data, but the processing subsequently leads to a data breach, the research institution remains liable under GDPR. The HDAB acts as a facilitator, not a data controller in the traditional sense (though the EHDS assigns specific responsibilities to HDABs regarding data security). Legal teams must carefully delineate responsibilities in contracts with HDABs.

Technical Risks: The requirement for PETs and SPEs creates a high barrier to entry for smaller companies. If the cost of accessing data (including the cost of using the secure environments) is too high, the EHDS could inadvertently stifle innovation by favoring large incumbents. The regulation attempts to mitigate this with fee reductions for SMEs, but the technical complexity remains a hurdle.

Trust Risks

Previous Nagoya Protocol in Practice: Access and Benefit-Sharing for EU Biotech

Next Explaining Classroom AI to Parents—Minus the Jargon

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation