back to blog

In May this year the European Commission presented a draft regulation establishing a European Health Data Space (EHDS). The initiative is one of the main cornerstones of the European Health Union, and also implements the objectives of the European Data Strategy. Thanks to the new regulation, access to extremely valuable, previously unused medical information will be opened up, which will significantly improve the quality of healthcare and contribute to innovation, if only in the pharmaceutical industry. What’s more, EHDS will enable patients to control their health data and use it in their country or in other member states. The project is intended to support a single market for digital health services and products. It is also intended to provide a consistent, reliable and effective framework for the use of health data for research, innovation, policy-making and regulatory action, while ensuring full compliance with the EU’s high data protection standards. Nonetheless, as currently drafted, the regulations proposed by the European Commission leave the risk of using certain mechanisms provided for in the EHDS in a manner contrary to the interests of citizens.


The draft regulation establishing the European Health Data Space (EHDS) provides for access to electronic health data for physicians and patients (primary use), and in addition provides mechanisms for the use of such data by other interested institutions – policy makers, scientific research centers, pharmaceutical companies (secondary use). 

As the EU legislator points out, the inclusion of such a broad catalog of actors in the regulation will bring huge societal benefits in the form of increased innovation in medicine and the ability to respond more quickly to pandemics and health crises. This approach is in line with the idea of opening up data across sectors, as promoted by both the Instrat Foundation and Open Future. However, despite their general approval of the initiative, both organizations believe that current regulation lacks sufficient safeguards to guarantee citizens that their health information will not fall into the wrong hands.

Although, as it stands, the Health Data Access Bodies (HDABs) are not bound by any instructions when making decisions, the draft regulation leaves their creation solely to the discretion of member states and outside of effective EU or public control. Thus, there is a risk of HDABs being susceptible to influence by national authorities who may try to overstep their jurisdiction. At the same time, although the HDAB is tasked with managing health data as a common good, the construction of these institutions lacks elements that provide for the possibility of democratic control and public accountability. This can raise concerns and reluctance on the part of citizens to share data, particularly in countries like Poland, where the rate of distrust in government (56.8%) exceeds the rate of actual trust (33.7%) (Statista, 2020). 


In order to avoid corporate and political capture of institutions whose mandate is to support public interest goals related to health data access and exchange, Instrat and Open Future propose the following:

1. Collective data management by institutions responsible for access to health data through independent oversight bodies

Despite their assigned functions, HDABs have not been equipped with an adequately autonomous space providing for an element of public participation in data sharing decisions. In order to change this state of affairs, it is necessary to safeguard the independence of HDABs, while at the same time creating conditions for introducing a collective layer of democratic control. Accordingly, Article 36(3) of the proposed regulation should include elements of engagement with a wider range of stakeholders. At the same time, we suggest expanding this article to include a provision for an independent oversight panel, acting as a focal point for HDAB management on behalf of and for the benefit of the general public.

Additionally, to maximize public accountability and oversight, internal deliberations and documents produced by the panel should be made public. Similarly, members of the independent oversight board should be able to report potential misconduct arising from the HDAB’s actions. This is essential to prevent the HDAB – as the sole entity tasked with monitoring and overseeing compliance with Chapter IV (on secondary use of data) – from abusing its central position.

2. Trust-by-design and social control of health data access institutions

Article 38(4) is intended to legitimize the activities of HDABs and make health data sharing more attractive by informing the general public about the benefits of these institutions. At the same time, in the absence of more precise EU rules on the design of HDABs and concrete mechanisms to ensure the independence of these bodies from political influence, the above provision may not be enough to build citizens’ trust in HDABs. 

For this reason, we recommend the introduction of a trust-by-design principle to enhance the credibility of the HDAB by proposing an appropriate architecture for these institutions in the regulation itself. This means, first, strengthening the European Commission’s authority to inspect the HDAB and creating an appropriate regulatory framework for EU bodies to respond to violations of secondary data use regulations. Secondly, we propose that provisions that increase the legitimacy of HDABs’ activities (such as, for example, providing information about the activities of these institutions and the benefits of their existence) should be included not in Article 38, which treats HDABs’ obligations to individuals, but in Article 36, which talks about establishing these institutions.

3. Concluding remarks

Data access fees for public institutions

Both organizations believe that any fees associated with providing data access to public institutions should be limited to the actual costs resulting from processing the access request. In the absence of such a stipulation in the regulation, there is a risk of imposing disproportionate fees on public sector bodies, which could be a barrier to obtaining data of high social value (as was the case with the Polish Energy Market Agency (ARE)).

Business-to-Government (B2G) data sharing rules

According to the proposed regulation establishing the European Health Data Space, granting access to privately held data for the purpose of preventing emergencies should be done in accordance with Article 15 of the Data Act. At the same time, it should be noted that the draft Health Data Space Regulation proposes a much more ambitious framework for protecting the public interest in the event of a crisis, and there is a caveat in the preamble that state authorities may go beyond the area designated by Chapter V of the Data Act. Thus, discrepancies on the general scope of B2G data sharing may lead to legal uncertainty and reduce the effectiveness of the regulations in question. Therefore, in order to avoid possible doubts, we recommend better alignment of the aforementioned legal acts by including in the Data Act overriding principles derived from sectoral regulations such as the regulation establishing the European Health Data Space.


  • Patryk Berus, Communications Manager, patryk.berus@istrat.pl, +48 519 466 422
  • Blanka Wawrzyniak, Head of Digital Economy Program, blanka.wawrzyniak@instrat.pl, +48 668 487 653