Health Law Blog Sweden

ISSN: 2004-8955

Is the European Health Data Space Regulation the Odd One Out? Ensuring Data Protection through Product Safety Legislation

Photo by davisuko on Unsplash (https://unsplash.com/photos/blue-lemon-sliced-into-two-halves-5E5N49RWtbA)

Sarah de Heer*

Introduction

The fragmented legal landscape of healthcare data has long been a challenge to sharing this type of data and to receiving cross-border healthcare.[1] To address this challenge, the European Health Data Space Regulation (EHDS Regulation) was adopted. While the EHDS Regulation entered into force in March 2025,[2] its implementation will be gradual, with full implementation planned for March 2035.[3] The legislative goals reveal the two interests that lie at the heart of the EHDS Regulation. The first goal is ensuring the right to the protection of electronic personal health data, while the second is the smooth functioning of the internal market of electronic health record systems (EHR systems) to facilitate secondary use of electronic personal health data.[4] Data protection rules aim to achieve the former objective, while product safety legislation seeks to achieve the latter.

The purpose of this contribution is to explore how the EHDS Regulation combines data protection with product safety legislation.

Protecting the Right to Electronic Personal Health Data

The EHDS Regulation aims to protect fundamental rights, and more specifically the right to the protection of personal data. As such, the EHDS Regulation forms part of EU data protection legislation, which also includes, amongst others, the General Data Protection Regulation (GDPR).[5] The EHDS Regulation complements the application of the GDPR in the healthcare sector as regards personal electronic health data,[6] thereby tailoring GDPR rights to fit the healthcare sector. Individual rights outlined in the EHDS Regulation serve as a means to achieve the legislative objective of enhancing the individual’s control over their electronic personal health data.

The EHDS Regulation specifically discusses two types of these altered data subject rights, namely 1) the rights of access, and 2) the right to data portability.

While the rights of access are already well-established under the GDPR, they may not fit the healthcare context. For instance, the right of access under the GDPR allows the data controller to take a month to decide on a data subject’s request to access their personal data.[7] In the context of healthcare, this delayed response may negatively impact the individual’s health.[8] The right of access under the EHDS Regulation aims to remove this potentially harmful effect by providing individuals with immediate access to their personal electronic health data that has been included in the EHR system.[9] To prevent the controller of electronic health data from being overburdened by this obligation, the EHDS Regulation restricts this right to a specific type of personal health information,[10] namely the so-called ‘priority categories’, which include patient summaries and electronic prescriptions.[11] Other examples of these access rights are the individual’s right to rectify health data included in their EHR[12] and their right to restrict access to their electronic health data.[13]

The right to data portability is also cemented in the GDPR.[14] However, this right to data portability is restricted to personal data that is provided by the data subject themselves and that is processed based on the data subject’s consent or a contract between the data subject and the controller of electronic health data.[15] Under the EHDS Regulation, the right to data portability gives individuals the right to provide access to their data,[16] to exchange their data with healthcare professionals and to download their data.[17] Natural persons are to exercise their right to data portability free of charge.

In addition to these individuals’ rights, the EHDS Regulation lays down rules on the use of patients’ electronic health data by healthcare professionals[18] and on the secondary use of this type of data.[19] Secondary use entails that certain electronic health data are used by other people for purposes other than the provision of healthcare services, including the public interest of public health and occupational health, and scientific research in the health or care sector.[20] As such, the EHDS Regulation aims to protect electronic health data in a threefold manner. The first two categories, namely 1) individual rights, and 2) the use of electronic health data by healthcare professionals, can be grouped under the primary use of electronic health data. The third category is the secondary use of electronic health data.

The Internal Market of Electronic Health Record Systems

The EHDS Regulation establishes a uniform EHR system as regards interoperability software and logging software.[21] This uniformity is aimed at ensuring that individuals can effectively rely on their rights of access and their right to data portability.[22] Furthermore, uniform EHR systems facilitate the use of electronic health data by healthcare professionals and data sharing for secondary use.[23]

To ensure uniformity in the internal market of products and services, the European Legislator may use product safety legislation under the New Legislative Framework.[24] This type of product safety legislation encompasses two main procedures for verifying the quality of products or services, namely the conformity assessment procedure and market surveillance.

The conformity assessment procedure is partially implemented in the EHDS Regulation. Manufacturers of EHR systems need to draw up the EU Declaration of Conformity and affix the CE marking of conformity to the EHR system before placing it on the internal market of the European Union.[25] However, although the EHDS Regulation requires EHR systems to be in conformity with essential requirements and common specifications,[26] it does not establish a novel conformity assessment procedure.[27] The EHDS Regulation also introduces market surveillance over EHR systems.[28] Once the EHR systems are placed on the market, the market surveillance authority is to monitor their continued conformity with the essential requirements and common specifications. Concretely, these essential requirements and common specifications aim to safeguard the protection of personal data.[29] Furthermore, market surveillance authorities are to evaluate EHR systems that pose a risk to the health, safety or rights of individuals or to the protection of personal data.[30] Both the conformity assessment procedure and market surveillance, as components of product safety legislation, ensure compliance with the essential requirements and common specifications; since those requirements and specifications are aimed at safeguarding the protection of electronic health data, these product safety mechanisms ultimately serve that protective purpose.

Nothing New – Fundamental Rights Protection Through Product Safety Legislation

While there has previously been a link between product safety legislation and fundamental rights protection, this link has been more subtle in the past. For instance, the Medical Devices Regulation[31] respects fundamental rights as mentioned in the EU Charter, and specifically human dignity, the integrity of the person, the protection of personal data, the freedom of art and science, the freedom to conduct business, the right to property, and the freedom of the press.[32] The Batteries Regulation[33] requires consideration of human rights in due diligence policies[34] and requires the identification and assessment of the risks of negatively impacting human rights,[35] specifically rights surrounding occupational health and safety[36] and discrimination.[37] Nevertheless, it is evident that these two legislative instruments – as product safety legislation – fall under the New Legislative Framework.[38] This approach can also be seen in the Artificial Intelligence Act,[39] which aims to protect fundamental rights through, for instance, the classification of AI systems based on the risk posed to fundamental rights[40] and the fundamental rights impact assessment.[41] Again, the Artificial Intelligence Act is, at its essence, product safety legislation that originates from the New Legislative Framework and that aims to protect fundamental rights.

This, however, cannot be said about the EHDS Regulation. Although the EHDS Regulation protects electronic health data through the use of product safety legislation under the New Legislative Framework, the EHDS Regulation does not appear to be based on this Framework. As such, the EHDS Regulation is hybrid legislation situated between data protection legislation and product safety legislation.

The Odd One Out – Data Protection Legislation and Elements of Product Safety Legislation

To answer the question in the title – whether the EHDS is the odd one out – the following should be stated. While the EHDS Regulation is not the first legislative instrument aimed at protecting fundamental rights through the use of product safety legislation, the EHDS Regulation has brought fundamental rights protection to a higher level, which makes the EHDS Regulation – together with the Artificial Intelligence Act – the odd one out amongst EU product safety legislation. An explanation for this hybrid model could be that a uniform EHR system is a prerequisite for the effective enjoyment of the individual’s rights. Had the European legislator not harmonised the EHR systems, different standards and requirements may have remained throughout the Member States, thereby hindering patients’ control over their health data.

There seems to be a trend to use product safety legislation to protect fundamental rights, which means that we may not have seen the last of this hybrid legislation. However, the adoption of this type of legislation may raise doubts as to the effectiveness of ensuring fundamental rights through product safety legislation. While fundamental rights legislation and product safety legislation aim to mitigate risks to fundamental rights or to products, respectively, they take different approaches. The method of fundamental rights legislation is to use a proportionality assessment to determine potential violations in a certain context, which makes the outcome of the proportionality assessment highly contextual. Yet, product safety legislation uses a binary assessment: either the product fulfils the product safety requirements or it does not.[42] This ‘either-or’ approach of product safety legislation may not be able to account for the refined method used in fundamental rights legislation. As such, product safety legislation may not be able to consider the complex nature of the protection of fundamental rights.[43]


* Sarah de Heer is a Doctoral Candidate at the Faculty of Law, Lund University.

[1] European Commission, Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space COM(2022) 197 final, 7.

[2] Article 105, paragraph 1 EHDS Regulation.

[3] Article 105, paragraphs 2-7 EHDS Regulation.

[4] These two legislative objectives are also reflected in the legal basis upon which the EHDS Regulation is based, namely Article 16 Treaty on the Functioning of the European Union (TFEU) that embeds the right to the protection of personal data and Article 114 TFEU that aims to facilitate the smooth functioning of the internal market, see the Preamble EHDS Regulation.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1.

[6] Recital 8 EHDS Regulation.

[7] Article 12(3) and (4) GDPR.

[8] Recital 9 EHDS Regulation.

[9] Article 3(1) EHDS Regulation.

[10] Article 2(2)(a) EHDS Regulation.

[11] Articles 3(1) and 14(1) EHDS Regulation.

[12] Article 6 EHDS Regulation.

[13] Article 8 EHDS Regulation.

[14] Article 20 GDPR.

[15] Article 20(1) GDPR and Recital 14 EHDS Regulation.

[16] Article 7(1) EHDS Regulation.

[17] Articles 3(2) and 7(4) EHDS Regulation, see also Recital 14 EHDS Regulation. Additionally, natural persons have the right to request their personal electronic health data to be transmitted to the social security or reimbursement services sector, see Article 7(3) EHDS Regulation.

[18] Articles 11 and 12 EHDS Regulation.

[19] Chapter IV EHDS Regulation.

[20] The EHDS Regulation lists minimum categories of electronic health data that may be used for the purpose of secondary use, see Article 51 EHDS Regulation. See Article 53(1)(a) and (e) EHDS Regulation.

[21] Article 1(2)(b) EHDS Regulation. See also: Article 25(1) EHDS Regulation.

[22] European Commission, Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space COM(2022) 197 final, 4.

[23] European Commission, Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space COM(2022) 197 final, 2.

[24] For more information about the New Legislative Framework, please see https://single-market-economy.ec.europa.eu/single-market/goods/new-legislative-framework_en

[25] Article 30(1)(e) and (f) EHDS Regulation.

[26] Article 30(1)(a) EHDS Regulation.

[27] Nevertheless, where the EHR system also falls within the scope of a medical devices/an in vitro diagnostic medical devices or an AI system, the conformity assessment procedure under the respective legislative instruments should also consider the requirements under the EHDS Regulation. Combining these two administrative procedures is aimed at limiting the administrative burden on the manufacturers of EHR systems, see Recital 42 EHDS Regulation.

[28] Article 30(1)(l) and (m) EHDS Regulation and Article 37(2) EHDS Regulation. The market surveillance authorities for EHR systems included in medical devices, in vitro diagnostic medical devices or high-risk AI systems will be those assigned in the respective Regulation, see Article 43(4) EHDS Regulation.

[29] Recital 46 EHDS Regulation.

[30] Article 44 EHDS Regulation.

[31] Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC [2017] OJ L 117/1.

[32] Recital 89 Medical Devices Regulation; Article 1(16) Medical Devices Regulation.

[33] Regulation (EU) 2023/1542 of the European Parliament and of the Council of 12 July 2023 concerning batteries and waste batteries, amending Directive 2008/98/EC and Regulation (EU) 2019/1020 and repealing Directive 2006/66/EC [2023] OJ L 191/1.

[34] Recitals 86 and 87 Battery Regulation.

[35] Article 50(1)(a) Battery Regulation.

[36] Point (b)(i) Annex X Battery Regulation.

[37] Point (b)(iv) Annex X Battery Regulation.

[38] See also: Recital 25 Medical Devices Regulation.

[39] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 [2024] OJ L 1/144.

[40] Recital 48 Artificial Intelligence Act.

[41] Article 27 Artificial Intelligence Act.

[42] For more information, please see Marco Almada and Nicolas Petit, ‘The EU AI Act: Between the Rock of Product Safety and the Hard Place of Fundamental Rights?’ (2025) Common Market Law Review 85, 105-106.

[43] Similarly, Gornet and Maxwell argue that standards, which form an integral part of product safety legislation, were not originally designed to protect fundamental rights, see Mélanie Gornet and Winston Maxwell, ‘The European approach to regulating AI through technical standards’ (2024) 13 Internet Policy Review 1, 9-10.
