Health data protection 2026: The ECJ, the EHDS, research, AI and data subjects’ rights

Health data: what does it actually mean?

Many follow-up questions begin with one fundamental issue: what exactly counts as health data? From a legal perspective, the starting point is Article 4(15) GDPR. Under that provision, health data means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about that person’s health status.

Case law shows, however, that this concept is interpreted broadly. Health data does not only include traditional medical information such as diagnoses, clinical findings, or laboratory results. It may also encompass data from which conclusions about a person’s health can be drawn through attribution, comparison, or inference. This is reflected in the CJEU’s current line of case law. The Court adopts a broad understanding of health data: what matters is not merely how medical a piece of information appears at first glance, but whether, in the specific context, it allows conclusions to be drawn about a person’s health. In the digital health market, this may already become relevant where order data, usage data, or contextual data is linked to medicines, therapies, or medical services.

This significantly expands the practical reach of the concept. It also leads directly to the next question: when is data still personal data, and when does it lose its connection to an identifiable individual?

Anonymisation: when is data truly anonymous?

Where the concept of health data is interpreted broadly, the distinction between personal data, pseudonymised data, and anonymous data becomes especially important. The reason is simple: it determines whether the GDPR applies. For data to be considered anonymous, the key question is whether a person can still be identified by means reasonably likely to be used.

This distinction is particularly complex in the healthcare sector. Health datasets are often highly information-rich. Diagnoses, treatment histories, time markers, rare diseases, or linkability with other datasets can create re-identification risks even where names or direct identifiers have been removed.

The debate is now also reflected at legislative level. As part of the Digital Omnibus initiative, the European Commission is seeking to reflect the EU-law approach to identifiability and trace it more explicitly in the GDPR definition of personal data. Data protection authorities have warned, however, that what is presented as a clarification could in practice become an unintended narrowing of the concept of personal data.

This very distinction is also central to the lawful sharing of data.

Sharing data in the public interest: the data governance act and data trust models

The Data Governance Act raised hopes that new trust-based structures for data sharing could be established. If sensitive data is neither to be released without restriction nor blocked entirely, workable models are needed that enable controlled and legitimate data use.

The DGA is built primarily around two ideas: data intermediation services as neutral intermediaries, and data altruism organisations through which data can be made available voluntarily for purposes of general interest. In public debate, such models are often grouped together under the label of “data trusts.”

In practice, however, the picture so far has been rather sobering. Data altruism in particular has not yet seen any visible breakthrough. The number of recognised data altruism organisations remains low, and in the healthcare sector there are still no broadly established structures capable of supporting large-scale sharing of sensitive data.

This reluctance has not gone unnoticed at European level. The Commission is now proposing to streamline the DGA architecture significantly: fewer regulatory burdens, greater flexibility, and stronger integration with other data law instruments. This appears to reflect an underlying assumption that the original regulatory design was too cumbersome to foster either a viable market or robust public-interest models.

The issue, then, is no longer only whether trustworthy data sharing is desirable, but also how heavily the related models need to be regulated in order to remain both functional and trustworthy.

The electronic patient record, research, and secondary use

Hardly any field illustrates more clearly than the electronic patient record (ePA) how health data protection law is shifting from a framework of prohibitions and permissions toward a broader question of infrastructure and governance. The electronic patient record is not only a tool for care delivery, but also a potential data source for research, quality assurance, and other forms of secondary use.

This also brings the GDPR’s research privilege into sharper focus. The GDPR contains specific provisions for research and allows the processing of sensitive data for scientific research purposes under certain conditions, subject to appropriate safeguards.

In Germany, the Health Data Use Act (Gesundheitsdatennutzungsgesetz, GDNG) plays a key role in this context. It establishes structures intended to make health data more accessible for public-interest purposes, for example through the Health Research Data Centre and coordinated access procedures. In addition, the ePA—designed with opt-out elements—shows that the system is increasingly relying on legally structured usage models.

At European level, this development is taken up and reinforced by the EHDS. The European Health Data Space is intended not only to facilitate the primary use of data in healthcare provision, but also to channel the secondary use of health data for research, innovation, regulation, and policymaking into an ordered framework.

What is emerging, step by step, is therefore a multi-layered regime: the GDPR provides the data protection guardrails, national law organises access, and the EHDS Europeanises the data space while seeking to build a European network for health data. Further initiatives, such as the proposed Research Data Act or the Medical Registers Act, suggest that this architecture is set to become even denser. As a result, greater attention is also shifting to the infrastructures in which this data is processed.

Social data and cloud use in healthcare

Alongside general data protection law, sector-specific social law rules also apply here. This is particularly relevant where health data is at the same time processed as social data, for example in the context of statutory health insurers, long-term care insurers, or care provision embedded in the social security system.

This becomes especially clear in cloud environments. Under the relevant provisions of the German Social Code, in particular section 393 of Book V of the Social Code (SGB V), the legislator has not simply authorised the use of cloud services in healthcare across the board. Instead, it has tied cloud use to specific IT security requirements. Cloud use is therefore treated as an autonomous regulatory issue. For service providers, this means that anyone seeking to process health data or social data in cloud-based infrastructures must comply not only with the GDPR and the rules on processor arrangements, but also with sector-specific social law requirements and formalised security standards. The C5 attestation framework in particular shows that the legislator intends to establish a highly standardised security regime here. The more sensitive the data, the greater the demand for demonstrable security guarantees. At the same time, this significantly increases regulatory complexity in practice.

AI in the healthcare sector: data protection issues in the next wave

From a data protection perspective, the analysis begins with a simple but far-reaching point: health data remains a special category of personal data in the AI context as well. This means that its use for the training, fine-tuning, deployment, or further development of AI systems is not lawful simply because it is technically useful or economically attractive.

Rather, each processing operation requires a valid legal basis. As soon as health data is involved, the general assessment under Article 6 GDPR is not enough; an applicable exception under Article 9 GDPR must also be available.

The issues become particularly complex in AI-as-a-service models. Where patient data is entered into external cloud-based AI services, questions immediately arise around the allocation of roles, purpose limitation, processor arrangements, security architecture, and possible onward use by the provider. At the same time, the AI Act is creating an additional regulatory layer, with many AI systems in healthcare also being classified as high-risk systems. Data protection law and AI regulation are increasingly intertwined, and together they raise the compliance bar.

Data subject rights under pressure

As the processing of health data becomes more complex, the importance of data subject rights also increases. They are the central counterweight to ever more extensive regimes of use, access, and analysis.

The right of access remains particularly important. In the healthcare sector especially, it often determines whether data subjects are able to understand at all which data about them is being processed, in what context, and to whom it has been disclosed. More recent CJEU case law tends to strengthen this right: the first copy of medical records is generally free of charge, no reasons need to be given for requesting access, and the information must be provided in a way that enables the data subject to actually understand and verify the processing. Medical data is often distributed across different systems, embedded in technically complex documentation structures, and used in several contexts at the same time.

At the same time, recent European findings show that the practical implementation of the right of access remains deficient in many cases. The problem today often lies not in the absence of the right itself, but in the way it is handled in practice.

Alongside access, the rights to rectification, erasure, restriction of processing, and objection remain important. Without effective transparency, however, these rights can easily become hollow. In the healthcare sector, data subject rights are therefore a key test of whether increasing data use is still perceived as controllable.

They also reflect several of the core questions running through health data law as a whole.

Cross-cutting issues and key questions

When these developments are viewed together, it quickly becomes clear that health data protection must now be understood as a genuine multi-level system. The GDPR still provides the basic architecture. Alongside it, sector-specific national law further specifies many questions concerning processing, use, and infrastructure. At the same time, the EHDS, the DGA, the Data Act, the AI Act, and the Digital Omnibus are adding a new layer of EU data regulation that increasingly focuses on access, interoperability, secondary use, and governance.

This also gives rise to the recurring underlying issues that connect all of the themes discussed in this article. First, there are the definitional boundaries: what counts as health data, when is data anonymous, and how do health data, social data, and research data relate to one another? From there, questions of data sharing follow: under what conditions should sensitive data be made available for use in the public interest? Closely linked to this is the issue of further processing for new purposes: data is often collected for healthcare provision, but may later be reused for research, quality assurance, or AI.

Finally, governance is becoming increasingly central. More and more often, the key question is no longer only whether data may be processed, but also which entities mediate access, which procedures apply, which infrastructures organise data flows, and under what safeguards this takes place.

Conclusion

Health data law is currently one of the most dynamic fields within data protection law. This is true not only for traditional privacy questions, but also for new access and governance structures, secondary use, cloud processing, AI systems, and the practical enforcement of data subject rights. In hardly any other area is it currently more apparent how closely intertwined fundamental rights protection, research interests, innovation pressure, and regulatory steering have become.

Does this increasing density create greater legal certainty for practice and research—or above all new complexity? There is much to suggest that both are happening at the same time. The rules are becoming more precise, more institutionalised, and more interoperable at European level; at the same time, however, the demands placed on legal classification, governance, and compliant implementation are increasing.