Research Spotlight: The EU's Plan To Reuse Your Personal Health Data
This research spotlight newsletter unpacks the new European Health Data Space (EHDS) Regulation, its implication for privacy, research, and data management, and why the GDPR alone is no longer enough.
The EU has built a new system to make better use of health data. It is called the European Health Data Space (EDHS) Regulation, and it could change how personal medical records are used for research, public health, and policy. This newsletter spotlights a journal article to break down what the EDHS regulation means for us, why the current GDPR rules fall short, and how the balance between innovation and privacy is being tested. This comprehensive newsletter sits at the intersection of health data, digital rights, EU law and medical ethics.
What the EHDS aims to fix
The European Health Data Space (EHDS) is a much-needed policy initiative intended to bring some order, coherence and practical usability to a situation that has long frustrated researchers, public health officials and policymakers alike.
Across the EU, enormous volumes of health data are routinely collected by hospitals, clinics, laboratories and national health systems.
Most of this data, however, is left sitting in databases, unused and under-analysed.
It is the digital equivalent of keeping a library full of valuable books that no one is allowed to read.

The central problem addressed in the article by Vera Lúcia Raposo is that the existing regulatory framework, especially the General Data Protection Regulation (GDPR), while comprehensive and well-intentioned, has inadvertently created barriers to the secondary use of personal data, particularly in the health sector.
The GDPR does allow for data reuse in certain circumstances, such as for scientific or historical research, or in the public interest, but the rules around this are vague, fragmented and difficult to implement.
The article points out that the result is widespread legal uncertainty, with institutions afraid to repurpose data even when doing so would clearly benefit scientific advancement or public health.
The EHDS is essentially a legislative response to this problem. It attempts to provide a more structured and harmonised framework for the secondary use of health data across the European Union.
The proposed Regulation introduces mechanisms that are, at least in theory, designed to make data reuse easier, more transparent and more secure.
These include the creation of health data access bodies in each member state, a centralised permit system for authorised secondary use, and an infrastructure for data sharing that ensures data is accessed in a secure processing environment, under strict conditions.
According to the article, this is where the real innovation lies. Rather than trying to retrofit the GDPR to cover complex and often high-stakes data repurposing scenarios, the EHDS creates a parallel regime for health data that is aligned with, but not wholly dependent on, the GDPR.
The author explains that this parallel structure aims to remove ambiguity by clearly delineating what is permitted, by whom, and under what circumstances.
Data subjects will not be asked for repeated consent every time their anonymised or pseudonymized data is reused, as long as the reuse falls within authorised purposes such as public health, health system planning or research.
The article rightly notes that the potential benefits of this reform is significant.
Greater access to high-quality, cross-border health data could support faster innovation in medicine, improve epidemiological monitoring and reduce duplication of research efforts.
The EHDS also has the potential to level the playing field between member states that currently have vastly different practices in terms of data governance and health research facilitation.
At the same time, the author points out the legal and ethical challenges.
The EHDS proposes a system that, while more practical in some respects, could also concentrate a great deal of discretion in the hands of national health data access bodies.
These bodies will be responsible for authorising secondary use, and although there is a general framework to follow, member states retain some autonomy in how they implement the system.
The risk here, as the article explains, is that despite the EHDS’s ambition for harmonisation, the outcome may still be patchy and inconsistent across the EU.
Moreover, the author highlights an underlying tension that will not be easily resolved: the trade-off between the collective benefit of data reuse and the individual’s interest in privacy and control.

The GDPR gave individuals strong rights over their personal data. The EHDS, by contrast, introduces a logic where certain data uses are considered acceptable without renewed individual authorisation.
This may be legally justifiable under EU law, but it does carry political and ethical implications that require close scrutiny.
The EHDS is trying to fix a real and urgent problem: the underuse of health data in Europe that prides itself on scientific excellence and public health standards. But as the author makes clear, creating a second regulatory layer is no guarantee of success.
The fix may work, but only if the implementation is consistent, transparent and grounded in clear legal principles.
Why the GDPR is not enough
On paper, the GDPR seems generous when it comes to the secondary use of personal data.
It offers several legal grounds, such as consent, public interest, scientific research and legitimate interests.
However, the journal article carefully shows that in practice, this generosity comes wrapped in layers of complexity and legal uncertainty.
The real-life experience of those who work with data, e.g., researchers, institutions and public health authorities often involves more headaches than clarity.
The article explains that one of the most notorious barriers is the so-called compatibility test in Article 6(4) of the GDPR.

The GDPR compatibility test requires that any new purpose for which data is reused must be compatible with the original purpose for which it was collected.
Although the GDPR sets out a list of factors to help assess compatibility, such as the link between purposes, the context of data collection and the nature of the data, the law offers no binding interpretation or uniform method of applying these factors.
As the author points out, this leaves institutions guessing how data protection authorities or courts might interpret compatibility in a given case.
That is a risky game, especially when the consequences of getting it wrong include investigations, fines and reputational harm.
The article also highlights another problem: the over-reliance on consent.
While consent seems like a neat solution, it quickly becomes impractical when dealing with large-scale health datasets collected years ago, possibly by other institutions or for entirely different reasons.
Reaching out to thousands, or even millions, of data subjects to obtain fresh consent is often impossible.
As a result, consent becomes a theoretical option that adds very little in terms of real usability.
The author shows that, although scientific research is treated more favourably under the GDPR, even this is limited by vague language and differences in national implementation.
The GDPR leaves key concepts like “research purposes” and “public interest” open to interpretation, allowing member states to introduce stricter rules or additional conditions.
What ends up happening is that researchers face an inconsistent data legal system across the EU, which undermines the very idea of a harmonised data protection regime.
How the EHDS plans to enable data reuse
The EHDS brings with it a legal and institutional redesign aimed at making health data useful beyond its original purpose.
At the heart of this new model are Health Data Access Bodies (HDABs), one for each EU member state, which are given the rather complex task of authorising secondary uses of electronic health data.
These authorities will assess requests, issue permits and ensure that the data is accessed only through secure processing environments.
The article shows how this attempt to build an institutional pathway intends to reduce the fear of legal ambiguity that currently paralyses data controllers under the GDPR.
Rather than guessing whether a reuse is legal, researchers and institutions will be able to request authorisation from a national HDAB, which will either grant or refuse it based on specific, published criteria.
The EHDS also outlines what qualifies as acceptable secondary use.
Permitted purposes include research, innovation, health system planning, education and public policy. However, there are clearly defined exclusions as well.

For example, insurance companies, advertising agencies and employers are categorically barred from access, which the article describes as an important safeguard that limits the commercialisation of sensitive data.
This shows a clear policy intention to preserve public trust and limit exploitation.
One of the most practical changes is the requirement that data be accessed through a secure processing environment.
Researchers will be allowed to work with the data in a tightly controlled space, reducing the risk of data leaks or breaches.
As the author notes, this technical safeguard is essential if the public is expected to accept reduced consent requirements for reuse.
Interestingly, the EHDS does not require fresh consent from data subjects for each new use, provided the secondary purpose is lawful and authorised.
While this removes an obvious barrier, the article raises the concern that the reduced role of consent might weaken individuals' sense of control. It is a trade-off, but one that the Regulation clearly endorses in favour of public interest outcomes.
The EHDS, as analysed in the article, does present a structured, lawful and technically secure approach to unlocking the value of health data across the EU.
Another open question flagged in the article concerns the interaction between the EHDS and the GDPR over time.
Although the EHDS is designed to work alongside the GDPR, overlapping obligations and potentially competing interpretations of legal bases may create friction.
If courts and regulators across Europe begin to diverge in their interpretations, the certainty that researchers and public bodies hope for could be short-lived.
Still, the author offers a cautiously optimistic conclusion.
The EHDS is far from flawless, but it provides a dedicated legal structure that was sorely missing in the field of secondary health data use.
If implemented consistently, transparently and with close attention to public trust, the EHDS could offer the EU a chance to demonstrate that innovation and rights protection do not have to be in conflict.
Research Spotlight: Summary
The problem of underused health data:
The article highlights that vast quantities of health data are collected across the EU but remain unused due to legal uncertainty and restrictive interpretations of data protection law. The EHDS aims to unlock this data for research and policy purposes.
GDPR’s limits on secondary use:
Although the GDPR allows for data reuse in theory, in practice, it imposes rigid conditions, especially through the compatibility test under Article 6(4). The legal ambiguity it creates deters organisations from repurposing data, even where benefits to society are clear.The EHDS introduces a parallel regime:
The EHDS regulation sets up a new regulatory framework specifically for the secondary use of health data. It establishes health data access bodies in each EU country to review and authorise data reuse requests under more predictable and structured conditions.Focus on public interest and research:
The EHDS permits data reuse for purposes such as scientific research, public health, healthcare system planning, and policy development. It explicitly excludes uses for solely commercial purposes, thus limiting commercial exploitation of sensitive health information.Data access through secure environments:
To protect individual privacy, the EHDS mandates that data be accessed only within secure processing environments. This ensures that researchers and authorised users work with the data under controlled conditions, without the ability to extract or misuse personal information.Consent plays a reduced role:
The EDHS Regulation allows for secondary use without renewed consent, provided the use aligns with authorised purposes. While this simplifies access for researchers, it also raises concerns about the diminishing role of individual autonomy and the future of data subject rights.Implementation risks and open questions:
Despite its potential, the article warns that national differences in applying the EHDS could undermine its harmonisation goals. Legal overlaps with the GDPR may also create tension. Success depends on clear interpretation, public trust and consistent enforcement across the EU.
Are these reforms sufficient to unlock data for good, or do the risks still outweigh the rewards? Reply with your thoughts or questions; we would love to hear how you see the future of health data in the EU.
Health Data Access Bodies will authorise secondary data use across the EU but I wonder with each member state interpreting the rules independently, will the promised harmonisation actually work in practice, or just repeat the GDPR’s fragmentation?