The “dream” of a European Health Data Space comes true

Back in March 2024, a provisional agreement was reached between the EU member states, the EU Parliament and the EU Commission on the regulation to establish the European Health Data Space (EHDS), which has now been approved by the European Council on January 21, 2025.

The EHDS is thus a done deal - it only needs to be formally signed by the Council and the EU Parliament and will then enter into force 20 days after publication in the Official Journal of the EU.

The EHDS has two main objectives:

On the one hand, individuals should gain quick and easy access to and control over their personal health data - regardless of which EU country they are in (primary use). On the other hand, the potential of data for research and innovation should be utilized through anonymized reuse (secondary use). To achieve this, the EHDS is intended to link national healthcare systems more closely together and requires the harmonization of various European electronic health record systems (so-called EHR systems).

EU citizens can actively object to the use of health data for specific purposes (so-called opt-out procedure), as was the case in January 2025 with the automatically introduced electronic health record in Germany under the Digital Act (DigiG).

The EHDS is expected to have far-reaching consequences for manufacturers, particularly of medical devices and the pharmaceutical industry:

On one side, the EHDS gives medical devices and pharmaceutical manufacturers access to extensive health data, which is also required for the development and improvement of their products. In return, however, they must ensure that their products not only comply with the already strict requirements of medical device and data protection law and, if applicable, the AI Regulation, but also that their products are compatible with the new data standards and regulations of the EHDS in order to ensure the secure exchange of data.

In addition, Art. 51 EHDS requires MedTech and pharmaceutical companies as well as clinics and health insurance companies (as so-called “health data holders”) to make the data specified therein available for secondary use. The list of data categories includes personal electronic health data generated by medical devices, data from clinical trials, clinical studies and performance studies and health-related data from research cohorts, questionnaires and surveys, after the first publication of the corresponding results.

It is also anticipated that electronic health data containing protected intellectual property and trade secrets of private companies must also be made available in principle - the MedTech company, for example, should in this case “identify which parts of the datasets are concerned and justify the need for the specific protection of the data” (Art. 52 para. 2 EHDS). The health data access body then decides which measures are necessary to protect intellectual property rights and trade secrets. Access to data can be subject to legal, organizational and technical measures - possible approaches include contractual agreements between data holders and users to protect intellectual property or trade secrets. The European Commission intends to develop and recommend non-binding contract templates for such agreements.

Electronic health data may be requested from health data access bodies by companies and start-ups in the healthcare sector (so-called health data users) for the purpose of scientific research in the field of healthcare, provided they are necessary for the development and innovation of new products and services (Art. 53 EHDS).

The data may only be processed by the health data users in accordance with the previously granted data permit (Art. 54, 68 EHDS) and the GDPR. However, the inherent tension between the protection of intellectual property and trade secrets on the one hand and the right to access data on the other is evident. The German Medical Technology Association had also explicitly pointed this out in its statement (only available in German) of July 21, 2022.

The EHDS will largely become applicable two years after its expected entry into force in the near future. However, some provisions will apply later: for example, the rules on secondary use will only impose obligations on health data holders after four years.

Our conclusion:

The EHDS will be a balancing act between potential and challenge!

Whether it will, as intended, be “a key element in the creation of a strong and resilient European Health Union” (Recital 1 of the EHDS) or lead to competitive disadvantages in the medium term remains to be seen.

It is important—just as with other European regulations and directives—to ensure proper preparation and comprehensive protective measures. Key considerations include the identification of sensitive data, organizational measures such as usage restrictions regarding commercial use or data usage contracts, and technical measures such as encryption and pseudonymization.