Increasingly on everyone’s lips, and subject to constant regulatory changes, data spaces are emerging as structured ecosystems that enable access to, exchange and shared use of data amongst multiple parties under common rules of governance, interoperability, security and control. In the healthcare sector, this concept takes on particular significance with the development of the European Health Data Space (EHDS), which is one of the European Union’s most ambitious initiatives, not only in terms of the data economy, but also as a new mechanism for fostering cohesion and integration between healthcare systems, researchers and industry at Union level.
In light of this, the Regulation on the European Health Data Space, published on 26 March 2025, establishes a common framework designed to facilitate access to and the secure exchange of electronic health data between Member States. This paves the way not only for the establishment of a common framework across the European Union for the processing of health data for primary use, thereby facilitating the direct provision of healthcare to European citizens in other EU countries, but also for secondary uses, such as scientific research, innovation, public policy-making or the improved functioning of healthcare systems.
This instrument is intended not only to harmonise practices at Union level, but also to promote the creation of infrastructure and governance mechanisms that enable data to flow effectively in a climate of trust. The EHDS thus marks a paradigm shift: moving away from fragmented models, where data remains isolated within national or institutional systems, towards an integrated, cross-border approach. In this way, and as part of the European Data Strategy, the aim is to ensure that health data can circulate between Member States in accordance with common standards, while respecting patients’ fundamental rights.
Given the scale of this project, the significant legal and operational challenges posed by the creation of this new framework cannot be overlooked. To discuss these issues, the 32nd International Congress on Law and the Human Genome was held in Bilbao at the end of March. This well-established forum specialises in analysing the legal challenges surrounding the use of data in the biomedical field, and on this occasion focused on the EHDS and the legal uncertainties and practical implications it raises.
From a functional perspective, the Regulation draws a distinction between two broad categories of data use, which, of course, was already the case in practice. On the one hand, primary use, which encompasses the processing required to provide direct healthcare to the patient, such as diagnosis, medical treatment or continuity of care. On the other hand, secondary use, which encompasses the reuse of such data for different purposes, such as scientific research, biomedical innovation, the development of new therapies, the improvement of healthcare systems, or the formulation of public policy.
The development of this second dimension is one of the main drivers of the Regulation, as it provides the framework for harnessing the enormous value of data generated in real-world clinical practice (real-world data) in other areas. For sectors such as biotechnology and pharmaceuticals, this represents a significant step forward, as it facilitates access to large volumes of harmonised data at Union level, thereby accelerating drug development, improving biomarker validation and optimising clinical trials. However, while the distinction between primary and secondary uses may seem clear in theory, in practice it is far less clear-cut, with numerous activities falling into a grey area, such as those aimed at improving the quality of care or optimising healthcare management, which can simultaneously have a direct impact on patients and generate reusable knowledge.
This phenomenon is particularly evident in areas such as the development of artificial intelligence tools applied to healthcare, where clinical data can be used for both patient care and research. In such cases, determining which of these two categories each use falls into is not merely a technical matter, but has significant implications for the safeguards that will ensure access to the data. Consequently, being able to draw a clear line between these two uses becomes a strategic factor, one that determines not only regulatory compliance but also the viability and scalability of R&D projects. This issue is likely to become increasingly important in the coming years, as interpretative criteria are developed and case studies are consolidated at Union level, as we are seeing in the case of France and its Health Data Space.
Another major debate surrounding the European Health Data Space that was raised at the Congress concerns the suitability of consent as the legal basis for data processing in scientific research. Traditionally, the data subject’s consent has been one of the cornerstones of the rules concerning personal data protection, particularly in the healthcare sector. However, its application has significant limitations in large-scale research contexts.
In particular, in situations involving the large-scale reuse of data or in projects involving large volumes of medical information about data subjects, obtaining specific, informed and up-to-date consent may prove unfeasible from an operational point of view. Furthermore, in many cases, patients themselves are not fully aware of the potential future uses of their data at the time it is collected. In light of this situation, there is a growing trend towards models that allow data processing to be based on legal grounds other than consent, particularly where there are significant public interests at stake, such as biomedical research or the improvement of healthcare systems. This approach is in line with the European data governance strategy, which aims to facilitate innovation without compromising the protection of fundamental rights.
However, this paradigm shift raises significant questions. Any reduction in the importance of consent must not result in a weakening of safeguards for citizens. On the contrary, it calls for the strengthening of other safeguards, such as transparency, institutional oversight and the accountability of the parties involved. Key outstanding issues include how to ensure compliance with the duty to provide information in the absence of direct consent, how to facilitate the exercise of rights such as access, rectification or objection, and how to define responsibilities in environments involving multiple parties with different roles (controllers, processors, data intermediaries, etc.).
In this context, the conference also highlighted the view that the success of the European Health Data Space will depend not only on the quality of its regulatory framework, but also on its ability to build public trust. Social acceptance will be essential for the project to run smoothly, given that we are dealing with the highly sensitive area of health data. In this regard, the development of data spaces cannot be understood solely from a legal perspective; it also requires consideration of the technological and organisational aspects, as well as the economic models of the parties seeking access to them, and the promotion of cooperation between public administrations, the private sector and the scientific community.
In line with this, the importance of moving towards models of governance that strike a balance between two interests was emphasised on several occasions. While these may initially appear to be contradictory, ultimately they need not be in conflict: on the one hand, facilitating access to data to drive research and innovation, and on the other, the need to ensure a high level of protection for fundamental rights. Ultimately, the roll-out of the European Health Data Space opens up an unprecedented range of opportunities for scientific progress and the development of the healthcare sector in Europe, which must be pursued without compromising patients’ rights.
The most realistic conclusion at the moment is probably that the framework is still a work in progress, and that, at this stage, we still have more questions than answers. While we hope that these questions will be clarified through EU initiatives such as the recently published Implementing Regulation 2026/771, laying down the necessary measures for the establishment and operation of the European Health Data Space (EHDS) Board, it is clear that scientific research is becoming firmly established as a matter of significant public interest. The process of implementing this model will also require time for regulatory development and practical application; during this period, it will be essential both to establish robust governance systems and to ensure transparency for citizens, while strengthening control and oversight mechanisms. Only in this way will it be possible to strike a balance between promoting innovation and protecting fundamental rights.
In short, the European Health Data Space is not merely a regulatory initiative, but the foundation of a new paradigm in the use of data in the healthcare sector. Its success will depend on how the tensions inherent in the model are managed and on the ability of the various parties to operate within a common framework based on trust, accountability and cooperation.
Written by: Sofía Ruiz de la Viuda. Intellectual Property, AI, and Software Consultant.
