Deep dive on the new European Health Data Space: A new balance of interest and rights

March 9, 2025

by: María González Gordon, CMS Spain Managing Partner & co-Head of CMS Global Digital Business practice


At the heart of the digital regulatory tsunami, the European Commission placed the European data strategy and Artificial Intelligence standards as the center and backbone of its “A Europe fit for a Digital Age” plan.


Aware of the competitiveness problems of the old continent vis-à-vis its neighbors to the east and west, its main asset is, once again, the commitment to generate legal frameworks that may lead global companieswithglobalproductstoadoptEuropean legal standards (thus applying the so-called Brussels effect), aware that it would not make economic sense for a multinational to discard, because of the necessary regulatory adaptation, a market of 500 million potential users. It is true that the current geopolitical context, with the change of administration in the US and its firm commitment to deregulation in these matters, the emergence of new players such as Deepseek, and the risk of fragmentation in Europe, all call into question the strategy adopted just a few years ago. It seems urgent to revisit this issue on an ongoing basis.


In her speech on 27th November 2024 on the new College of Commissioners and its programme, President of the European Commission, Ursula von der Leyen, at the European Parliament Plenary, declared: “For us to be competitive, Europe must be home to the next wave of frontier technologies. And I can think of no better person to lead on this as Executive Vice-President than Henna Virkkunen. You know her well. She will leave no stone unturned to ensure Europe can use digital technologies to boost its prosperity, to unleash innovation and to help keep people safer. And she is the right person to ensure that Europe’s tech sovereignty is built right here in Europe.”


European data spaces


The European Data Strategy, consisting of a set of standards and the establishment of European Data Spaces, was shaped with the objective of “ensuring that Europe’s tech sovereignty is built right here in Europe”.


The existing regulatory framework to date consists of Regulations and Directives (which entails different forms of harmonization within the 27 Member States) on the reuse of public sector data (Open Data Directive), the governance of public data subject to third party rights (Data Governance Act/Regulation), the regulation of access to machine-generated data (Data Act/Regulation), orthefreeflowofnonpersonaldatathroughout the European Union (Free Flow Regulation1), among other issues.


One of the most ambitious keys to this Strategy, in my opinion, is the creation of European Data Spaces. The aim of these spaces is to make more data (especially data held by private entities) available for access and reuse, creating a reliable and secure environment for the benefit of both European companies and citizens.


With this objective in mind, a list of 14 strategic areas in which pooling and access to large volumes of quality data and its exchange in a secure and regulated environment was established as early as 2020. These included areas such as health, agriculture, manufacturing, energy, mobility, finance, public administration, skills and even the creation of a European open science cloud. They have been joined by projects in other areas such as media, the green pact, language, research and innovation, tourism and cultural heritage.

With the mission of building a single data market, these common spaces will be characterized by

  • being open to the participation of public and private organizations as well as individuals;
  • being built on a secure infrastructure that ensures compliance with privacy rules;
  • being governed by fair, transparent, proportionate and non-discriminatory access rules; and
  • in any case, respecting EU rules and values, in particular, personal data, consumers and competition.


The European Health Data Space Regulation (EHDS)


The idea behind the concept of Digital Humanism, where technology should be designed and used in ways that enhance human values and respect human dignity, is clearly expressed and materialized in the creation of this Health Data Space,wherevastamountsofdataarepooled,and then accessed, shared and processed. Technology is used to bridge gaps and reduce disparities. It is used for the benefit of future products and solutions and the establishment of resources that would improve health data exchange across EU member states. In short, EHDS is a clear example on how technology can be used for enhancing medical research, public health, and personalized healthcare.


TheHealthDataSpaceisthefirstofallEuropean Data Spaces to be regulated. The reason why was clearly explained by the Commission on its Communication to the European Parliament and the Council back in 2022 under the title of “A European Health Data Space: harnessing the power of health data for people, patients and innovation” when it declared that “health data reuse is estimated to be worth around EUR 25-30 billion annually. That figure is expected to reach around EUR 50 billion within 10 years. However, the complexity and divergence of rules, structures and processes within and across Member States makes it difficult to easily access and share health data. This creates barriers to healthcare delivery and innovation, leaving patients unable to benefit from its potential. (…) In essence, today’s EU health sector is rich in data, but poor in making it work for people and science”.2


This new Regulation puts significant emphasis on data protection, security, transparency and accountability, which are all key elements of Digital Humanism. The approach taken by the legislator not only supports the availability of high-quality healthcare services for all EU citizens, regardless of their location but also fosters trust and empowers individuals to have control over their own health data. The EHDS creates a legal framework that harnesses the use of data to contribute to a common good: our health.

The text of this Regulation, which has not been without much debate, was finally approved by the European Parliament and the Council on January 21, 2025, with Denmark and Finland voting against it.

The objective of this Regulation is to establish a governance framework to facilitate access to electronic health data for the purpose of primary and secondary use of health and genetic data processed in electronic format (whether personal or non-personal data).

In particular, this European data space will improve a natural person’s access to and control over their personal electronic health data in the context of healthcare, as well as to better achieve other improvements involving the use of electronic health data in the healthcare and care sectors that would benefit society. These sectors include research, innovation, policy- making, preparedness and response to health threats, including preventing and addressing future pandemics, patient safety, personalised medicine, official statistics or regulatory activities. In addition, this Regulation’s goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework, in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.

  1. On the primary use of health data

    For these purposes, primary use is considered to be “the processing of electronic health data for the provision of healthcare to assess, preserve or restore the state of health of the natural person to whom such data refers, including the prescription, dispensing and provision of medicines and medical devices, as well as for social, administrative or patient reimbursement services”. Priority data include patients’ summarized medical records, electronic prescriptions, electronic dispensations, diagnostic imaging studies and their reports, diagnostic test results and hospital discharge reports.


    The Regulation provides that individuals (and their representatives) can access and download their electronic health data, free of charge and in an easily readable, consolidated and accessible format. It also includes rules for:

    • rectifying the data
    • requesting data portability
    • limiting access by healthcare professionals to all or part of the personal electronic health data, and
    • obtaining information on who has accessed the data. In addition, it establishes the ability for each Member State to provide that individuals have a right to opt-out of access to their personal electronic health data recorded in an EHR system.


    The creation of a central interoperability platform for digital health “MyHealth@UE” is also envisaged to provide services to support and facilitate the exchange of personal electronic health data between the national contact points for digital health in the member states.

    2. On the secondary use of health data

    On the other hand, the secondary use foreseen in the proposed Regulation concerns the processing of electronic health data for the purposes expressly set out in Article 53, which include, among others, scientific research related to the health or care sector that contributes, for example, to the evaluation of health technologies or that seeks high levels of quality and safety of medicines or medical devices. These include development and innovation activities for products or services (which would include the development of new medicines and competing medical devices), as well as the training, testing and evaluation of algorithms and medical devices, Artificial Intelligence systems and digital health applications. These factors are the most interesting for this analysis from the point of view of intellectual and industrial property and business secrecy.


    These secondary use rules do not apply to two categories of data holders: natural persons and microenterprises, unless otherwise provided by national law.


    The remaining health data holders are obliged to make available to third parties for secondary use a large catalog of data, among which are included personal electronic health data automatically generated by medical devices, data from clinical trials, clinical studies, clinical investigations and performance studies, other health data from medical devices, data from research groups, questionnaires and health-related surveys, after the first publication of the corresponding results.


    One of the most controversial issues during the negotiation of this Regulation has been the treatment given to questions of intellectual and industrial property and trade secrets. In the final approved text, and despite the contrary position of the innovative pharmaceutical industry and the associations representing the interests of the private sector in industrial property matters, an obligation to share electronic health data protected by:

    • intellectual property rights,
    • industrial property rights,
    • trade secrets,
    • regulations on the protection or exclusivity of data, typical of the regulations on medicinal products for human and veterinary use

    is still included.

    The Regulation goes even further: the purpose of secondary use is to allow competitors to use the data they obtain from the original data holders to create and develop products competing with those of the original data holders.


    Although the most positive and greater significant achievement of this new Regulation is the common good and the creation of a more personalized and accessible health system for all citizens, which is undoubtedly one of the most defensible and honest objectives, it is also true that this system breaks the balance that existed to date. This protected industrial and intellectual property rights that safeguarded creation, innovation and the investment behind both. Thus, the existing balance is modified.


    In this sense, there has been criticism of this kind of compulsory license imposed on those who have made the investment, research and creative effort to share the results of their efforts with their competitors so that the latter can create competing products. This is contrary to and significantly undermines the raison d’être and the system of exclusive rights inherent to industrial and intellectual property and trade secrets. However, it is already difficult to understand how these licenses (many of them exclusive licenses) will continue to exist in practice, given the existence of compulsory access mechanisms (compulsory license) such as the one regulated by the EHDS.


    The impact analysis carried out prior to the drafting of this regulation, the conclusions of which are reflected in Recitals 53 and 60 of the Regulation, concluded the following regarding the balance of interests between the right to health and industrial and intellectual property rights:

    • Recital (53) states that: “Electronic health data used for secondary use can bring societal benefits. The use of real-life data and real-life proxy data, including patient- reported outcomes, should be encouraged for regulatory and evidence-based policy- making purposes, as well as for research, health technology assessment and clinical purposes. Real-life data and real-life evidence data have the potential to complement currently available health data. To achieve that objective, it is important that the data sets made available for secondary use in accordance with this Regulation are as complete as possible. This Regulation provides for the necessary safeguards to mitigate certain risks inherent in achieving those benefits.”
    • On the other hand, Recital (60) concludes: “Electronic health data protected by intellectual property rights or trade secrets, including data on clinical trials, research and studies, can be very useful for secondary use and can foster innovation in the Union for the benefit of patients in the Union. In order to encourage continued Union leadership in this area, it is important to encourage the sharing of clinical trial and clinical research data through the EEDS for secondary use. Data on clinical trials and clinical investigations should be made available as far as possible, while taking all necessary measures to protect intellectual property rights and trade secrets.”


    With the intention of ensuring that this obligation to share data is effectively fulfilled, the Regulation establishes, on the one hand, sanctions for those who fail to comply with the obligation to make them available (up to 10 million Euros or 2% of the annual worldwide turnover) and, on the other hand, it creates health data access bodies. Thus, the holders of health data will have to inform them of the health data generated, with a warning as to which part of this information or content is protected by intellectual and industrial property rights, secrets or exclusivity, thus justifying the need to establish specific protection measures to respect these rights. However, it will be up to the aforementioned access bodies to decide which specific measures to adopt and implement to safeguard such exclusivity.


    The final version of the Regulation, although it deals with this balance sheet significantly better than previous versions, only contains in its article 53.3 the following indications regarding such safeguard measures: “shall take all appropriate and proportionate specific measures, including measures of a legal, organizational and technical nature that they consider necessary to protect intellectual property rights, industrial property rights, trade secrets or exclusive data rights”.


    At this point, the following reflections are in order:

    1. On the adequacy of the measures with regard to the rights at stake


    One of the most obvious criticisms that can be made of the wording of this proposal (and which has beencarriedoverfromthefirstavailableversionof this text drafted by the European Commission in 2022), is that the measures envisaged are clearly aimed at protecting trade or business secrets.


    In the version finally approved, clearly erroneous references to confidentiality measures being sufficient for the protection of intellectual or industrial property rights have been eliminated, but no indications have been included to enable the data access bodies (whose knowledge of these areas of law might be limited so that they will depend on the Ministries of Health, not Innovation) to understand and implement what measures can be adopted to safeguard and protect such rights. In fact, the regulation establishes that it will be up to these data access bodies alone to determine the necessity and appropriateness of such measures.


    The fact is that this compulsory license clashes head-on with these exclusive rights. Where previously the owner of the data protected by the exclusive right could, in the exercise of his ius excludendi alios, prevent third parties from accessing the protected information without his consent, he is now limited in his actions, with the imposition of a third party’s consent over his own. This system is reminiscent of Standard Essential Patents licenses.


    2. On the deviation of this process from the already foreseen process adopted in the Data Act.


    When drafting this regulation, the European regulator decided to depart from the regime and procedure it had already approved and implemented for machine-generated data under the Data Act. Thus, the data holder in the EHDS

    • does not decide on the necessity and adequacy of the measures to safeguard exclusive rights in this set of compulsory licenses;
    • it is a third party that, without providing a mechanism to hear the interests of the holder as the most affected party, determines at its sole discretion when granting access, involving a serious risk of infringing intellectual property rights, industrial secrets or exclusivity of the data; and
    • no mechanism is included to allow for an exception to access and reuse of the data when, in the opinion of the data holder, it could have a serious impact on the market.

    3. The balance between the protection of personal data and the purpose and mission of the EHDS.


    The standard establishes the obligation for the data access body to provide access to data in an anonymized format, particularly taking into account the sensitivity of the data we are talking about. But the Regulation already foresees that if, in order to achieve the specific purpose for which the data is requested, it is not possible to work with anonymized data, then such access will be provided in a pseudo-anonymized format. Although it is foreseen that the information and ways to reverse the pseudonymisation may only be available to the data access body and not to the data user, the fact is that many of the pseudonymisation measures are not sufficiently adequate to prevent third parties from being able to achieve such reversal.


    In fact, the Regulation already foresees that if the user of the data gains significant insight regarding the health of a natural person whose data are included in the data set to which he had access, he will have to inform the data access body about them.


    4. The right to opt-out for a secondary use of electronic personal data


    The legislator has also foreseen the possibility for individuals to opt-out, at any time and without justification, to exclude the processing of their personal electronic health data for secondary uses. This opt-out system has been significantly criticized by Member States, in particular Finland and Denmark, which argued that such a mechanism would be very difficult and costly to implement and enforce.


    Conclusion


    The European Commission, aware of the growth potential of the health data economy has put in place a new Regulation establishing the legal framework to create a European Health Data Space. This is the first European Data Space to be regulated. The intended goals clearly show the appropriateness and the need for such a regulation: better diagnosis and treatment that improve patient safety, continuity of care and improved healthcare efficiency. According to the Fact Sheet prepared by the European Commission on the European Health Data Space, savings in the EU have been calculated as over 5.5 billion Euros just from better access and exchange of health data in healthcare, an expected additional growth of 20- 30% in the digital health market and, particularly relevant, a significant saving of 5.4 Billion Euros in research, innovation and policy making.3


    This will definitively empower individuals and cause significant change, as it creates a better and more efficient digital access to their personal electronic health data. Mechanisms have been established to support free movement by ensuring that health data will follow the people. Additionally, a secure environment is created, that respects the privacy and personal data regulations, as well as European values and ethics.


    This regulation aligns with the principles of Digital Humanism by ensuring that health data is used ethically, protecting individuals’ privacy and rights while promoting collective health benefits. It represents a significant step towards a more interconnected and humane digital health ecosystem that prioritizes the well-being of individuals and communities, even to the point that it may inadvertently impose certain restrictions on competitiveness and innovation.


    As with any new regulation which is introduced, the existing balance with other legal frameworks has changed. Namely, the rules established on secondary use of electronic health personal data have raised the issue of how exclusive rights, and in particular the incentive to continue the investment on innovation, might have been affected with by the way in which access to , for instance, clinical trial data, has been regulated, and how this can impact competition, negatively or positively, depending on which side of the table you sit. We still have much to learn and discuss when this new European Health Data Space start working.

    1. https://eur-lex.europa.eu/eli/reg/2018/1807/oj/eng ↩︎
    2. https://health.ec.europa.eu/publications/ communication-commission-european-health-data-space- harnessing-power-health-data-people-patients-and_en ↩︎
    3. https://ec.europa.eu/commission/ presscorner/detail/en/fs_24_1347 ↩︎


    María González heads up the Intellectual Property, Industrial Property and Digital Business department at CMS Albiñana & Suárez de Lezo. She specialises in advising domestic and international companies on intellectual property, industrial property, copyright and technology, particularly in litigation and dispute resolution. Moreover, she is well versed in the drafting, negotiation and termination of a wide range of IP/IT agreements (licences, trademarks, designs, software, outsourcing, distribution agreements, transfers, assignments, etc.), not to mention her expertise in advising on technology, digital transformation and data analytics in sectors such as insurtech, fintech, energy, health and wellbeing and real estate, among others. She is also an authorised representative before the Spanish Patent and Trademark Office (OEPM) and the European Union Intellectual Property Office (EUIPO). Additionally, she has been recognised in the field of IP by leading and most prestigious legal directories Chambers & Partners, Legal 500 and Who’s Who Legal.