By Paul Quinn, 16 January 2026
Why Health Data Access Bodies risk becoming Europe’s weakest link in health data governance
The European Health Data Space (EHDS) is one of the most ambitious regulatory projects the European Union has ever undertaken in the health domain. Its core promise is to unlock the value of electronic health data for research, innovation, and policy-making, while at the same time protecting fundamental rights and maintaining public trust. The EHDS is often presented as a technical infrastructure project, but in reality it represents a profound reconfiguration of how health data are governed in Europe.
At the centre of this new governance architecture sit Health Data Access Bodies (HDABs). These institutions will determine whether secondary uses of electronic health data are permitted, under what conditions, and with what safeguards. Their decisions will shape the boundaries of legitimate data use across the EU.
In my recent peer-reviewed article, I argue that HDABs have been given a mandate that is so complex, resource-intensive, and normatively demanding that it risks being impossible to fulfil as currently conceived. This is not a purely technical concern. It raises deeper questions about institutional capacity, accountability, and trust—particularly in the context of health and ageing governance, where data use is closely intertwined with vulnerability and social values.
What Health Data Access Bodies are expected to do
Health Data Access Bodies are new public authorities that every EU Member State must establish under the EHDS. Their core function is to act as gatekeepers for the secondary use of electronic health data, deciding who may access such data, for which purposes, and under what conditions. This includes access for scientific research, public sector activities, and innovation in health and care, including the development and testing of AI systems.
To grant access, HDABs must carry out a cumulative assessment that spans several legal and normative domains. They must determine whether a request falls within the permitted purposes under the EHDS and does not fall under any prohibited uses, such as applications that may harm individuals or society or enable discriminatory outcomes. At the same time, they must ensure compliance with the GDPR, including the existence of a valid legal basis for processing, respect for data minimisation and purpose limitation, and the use of anonymised data wherever possible. Where required under national law, they must also verify that appropriate ethical scrutiny has taken place.
In doing so, HDABs are not merely administrative bodies. They are expected to translate abstract legal principles and ethical commitments into concrete access decisions. Their role is therefore central to the legitimacy of the EHDS as a system of health data governance.
Discretion without clear limits
A fundamental difficulty arises from the breadth of discretion that the EHDS confers upon HDABs. The regulation permits access to health data for purposes such as scientific research, innovation, and support for public sector mandates, yet these concepts are deliberately framed in expansive and open-ended terms. At the same time, HDABs are required to refuse access where data use could harm individuals or society, produce discriminatory effects, or have significant negative social consequences.
As a result, HDABs are asked to make value-laden judgments about what constitutes legitimate research, acceptable innovation, and societal harm. These judgments are not neutral or purely technical. They are deeply embedded in cultural, political, and moral contexts that vary across Europe. This is particularly apparent in areas relating to ageing, care, and long-term dependency, where views on acceptable data use often diverge significantly.
The EHDS offers limited guidance on how this discretion should be exercised. This creates a risk of inconsistency between Member States, legal uncertainty for data users, and contestation by individuals and civil society. It also places HDABs in a politically sensitive position, as their decisions may be perceived as endorsing or rejecting particular social visions of health and care.
The GDPR burden does not disappear
Contrary to some expectations, the EHDS does not replace the GDPR. Instead, it reinforces its application. HDABs must ensure that data recipients have a valid legal basis under Articles 6 and 9 GDPR, that data minimisation and purpose limitation are respected, and that any use of personal rather than anonymised data is properly justified.
These assessments are far from straightforward. Determining whether a proposed activity genuinely constitutes scientific research, public interest processing, or another lawful basis often requires detailed contextual analysis. This complexity is amplified by the continued fragmentation of national laws governing health and genetic data, which the GDPR explicitly allows. HDABs must therefore assess legal compliance in a landscape where the applicable rules may differ substantially from one Member State to another.
The cross-border nature of the EHDS further complicates matters. HDABs are expected to assess applications from entities established in other Member States without discrimination, even when unfamiliar national legal frameworks are involved. This places a heavy burden on institutional expertise and resources.
Ethics without harmonisation
Ethical governance presents an additional challenge. The EHDS requires HDABs to verify that ethical scrutiny has taken place where required under national law, yet ethical review systems across Europe are highly fragmented and largely unharmonised. Some Member States rely on centralised ethics committees, others on decentralised institutional review boards, and others on sector-specific or informal mechanisms.
HDABs are therefore expected to assess compliance with a wide array of ethical governance models without being ethics committees themselves and without clear EU-level benchmarks for what constitutes adequate ethical review. This creates further uncertainty and adds to the cumulative burden placed on these bodies.
Speed, scale, and the risk to trust
Taken together, the demands placed on HDABs create a structural risk. Under pressure to process large volumes of data access requests within limited timeframes, HDABs may be forced to prioritise speed and procedural compliance over substantive evaluation. In such circumstances, they risk becoming rubber-stamp forums that legitimise data access without meaningful scrutiny. Alternatively, they may become bottlenecks that slow access to such an extent that the EHDS fails to deliver on its innovation and research objectives.
Neither outcome is conducive to trust. This is particularly problematic in the context of health and ageing, where data often concern individuals in situations of heightened vulnerability and reduced capacity to contest how their data are used.
Towards institutional realism in health data governance
The EHDS is not inherently flawed, but it demands institutional realism. If Health Data Access Bodies are to function as credible guardians of health data governance, their mandate must be more clearly delimited, supported by robust EU-level guidance, and matched with adequate expertise and resources. Transparency in decision-making and accountability for difficult judgments will be essential.
At the Health and Ageing Law Lab, we view HDABs not as technical intermediaries but as constitutional actors within Europe’s emerging health data ecosystem. Whether they can realistically fulfil the role assigned to them will shape the future of health data governance—and the relationship between innovation, rights, and ageing—for years to come.