MEDICINE, LAW & SOCIETY 
Vol. 16, No. 2, pp. 287–318, October 2023  
 
https://doi.org/10.18690/mls.16.2.287-318.2023 
CC-BY, text © Křepelka, 2023 
This work is licensed under the Creative Commons Attribution 4.0 International License. 
This license allows reusers to distribute, remix, adapt, and build upon the material in any medium or 
format, so long as attribution is given to the creator. The license allows for commercial use. 
https://creativecommons.org/licenses/by/4.0 
 
 
  
 
PROPOSED LAW FOR THE EUROPEAN 
HEALTH DATA SPACE IN CONTEXT 
  
Accepted  
17. 6. 2023 
 
Revised 
7. 9. 2023 
 
Published 
27. 10. 2023 
FILIP KŘEPELKA 
Masaryk University, Brno, Czechia 
filip.krepelka@law.muni.cz 
 
CORRESPONDING AUTHOR 
filip.krepelka@law.muni.cz 
 
Keywords 
healthcare,  
privacy,  
health records,  
EU integration,  
COVID-19 
Abstract Analysing electronic health records could improve 
medicine, but personal data protection impedes this research. 
The European Health Data Space shall unleash these data. The 
focus now shifts on how best to balance this effort while at the 
same time protecting patients' privacy and autonomy. Still, we 
need to address the reality. Research on images, laboratory 
results and prescriptions will be easy, as they are electronic. 
However, the written core of health records is not structured, 
and establishing summaries for all patients is challenging. 
Regulations instead of directives are a laudable solution to help 
simplify the situation. Nonetheless, new challenges emerge 
with the co-existence of supranational and national 
frameworks if the former is to have far-reaching ambitions. 
 
 
288 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
1 Intrudaction 
 
"European Health Data Space" (EHDS) will improve cross-border healthcare and 
support the analysis of health data. The proposal for a regulation (EHDSR) has 
sparked intense debate since its unveiling in May 2022. Let us consider the critical 
aspects of this envisaged uniform standard, expanding on the research of 
transformations of directives into regulations resulting in such uniformity (Křepelka, 
2021).  
 
The conceptualisation of the text reflects this task. We will first consider medical 
confidentiality and health1 records (chapter 2) and the role of the European Union 
(hereinafter EU) in medicine and healthcare (chapter 3), before examining the 
proposal itself (chapter 4) and its various aspects (chapter 5). 
 
Better understanding the origins of medical confidentiality and health records 
(subchapter 2.1), their purpose and substance (2.2), their forms (2.3), standards (2.4), 
their internationalisation (1.5), and the linguistic dimension (1.6) helps to inform us 
regarding the substance of the proposal, as the current literature from experts about 
their interconnection ignores these important facets.  
 
The EU integrates healthcare, financed and organised and medicine regulated by the 
Member States as an economic activity subject to internal market rules (3.1), while 
the C-19 pandemic cause considerable stress to this arrangement (3.2). 
Harmonisation and subsequent unification of personal data protection are crucial to 
understanding the EU's involvement (3.3). Still, the EU has also focused its efforts 
on health data beyond this protection (3.4). We cannot ignore its multilingualism 
(3.5). 
 
The proposal (4.1) sparked considerable debate (4.2). One may expect lengthy 
deliberations as the expectations differ among stakeholders (4.3). Still, as lawyers, we 
need to discuss competence (4.4) and consider the choice of a regulation (4.5), 
entanglement of such regulation with related regulations (4.6), and national laws to 
implement it (4.7), while properly evaluating its multilingual expression (4.8). 
 
 
1 This paper uses the terminology of EHDSR. Still, English texts mention "medical records" or "patient records".  
F. Křepelka: Proposed Law for the European Health Data Space in Context 289   
 
 
The final chapter addresses particular aspects of the proposed framework. It 
questions remnant paper records (5.1), shows an understanding of the self-
certification of health record systems (5.2), and discusses the position of national 
authorities (5.3). Second, distinguishing primary use in healthcare (5.4) and 
secondary use in research (5.5) is crucial, while fees for the latter shall contribute to 
the financing (5.6). Third, the scope of data deserves our interest, including sensitive 
ones (5.7). Still, patient summaries as structured datasets differ from traditional 
entries in health records (5.8), whose translation deserves our attention (5.9).  
 
The article traces the origins of medical confidentiality and standards for health 
records. It summarises the roles played by the EU in healthcare and medicine. 
Nevertheless, the interpretation (Rechtsdogmatik in German legal science) of the 
proposed provisions identified as crucial forms its core, while it offers suggestions 
for their clarifications (Rechtspolitik). The article does not rely on empirical legal 
studies on the issue but instead refers to findings of other disciplines. 
 
2 Confidentiality and Health Records 
 
2.1 Historic Introduction 
 
Privacy of one’s personal health information was not the primary concern in the 
past. Most people simply strived for basic livelihood, while many lacked basic 
freedoms. Foremost, medicine was exceptional care, the privilege of the rich and 
mercy for the poor. Methods and techniques were primitive for millennia. Despite 
this, confidentiality has been valued since antiquity, as the Hippocratic Oath 
indicates (Hanák et al., 2019).  
 
Few understand Old Greek Ἃ δ' ἂν ἐν θεραπείῃ ἢ ἴδω, ἢ ἀκούσω, ἢ καὶ ἄνευ 
θεραπηίης κατὰ βίον ἀνθρώπων, ἃ μὴ χρή ποτε ἐκλαλέεσθαι ἔξω, σιγήσομαι, ἄῤῥητα 
ἡγεύμενος εἶναι τὰ τοιαῦτα, but mentioning the original honours its legendary author. 
Its translation to Latin Quae vero inter curandum, aut etiam Medicinam minime faciens, in 
communi hominum vita, vel videro, vel audivero, quae minime in vulgus efferri oporteat, ea arcana 
esse ratus, silebo as the language used for centuries and influencing expert parlance 
follows. Citing English Whatever, in connection with my professional practice, or not in 
connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will 
not divulge, as reckoning that all such should be kept secret, the global experts' language in 
290 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
which also this text appears, helps international readers. The author's Czech Cokoli, 
co při léčbě i mimo svou praxi ve styku s lidmi uvidím a uslyším, co se nesmí sdělit, to zamlčím a 
uchovám v tajnosti represents national languages used in the communications between 
patients and their physicians and nurses.2 
 
The Oath does not mention health records. The milieu of Hippocrates of Kos3 was 
ancient Greek civilisation in its heyday. The script was its part. Despite this, written 
documents were rare both then and in the next two millennia. Among the general 
public, reading was not a general skill, and writing was expensive. Still, the breach of 
confidentiality can consist of misuse of these records, their leaks, release or 
incursion. It is not a reach to interpret the Oath as expecting to keep records 
confidential. Privacy concerns are paramount to rendering health data electronic and 
their interconnection, including EHDS. 
 
Historiography does not inform us of any notorious records. Maybe these records 
concerned elite patients, while physicians kept them secret and destroyed them when 
they became useless or feared their disclosure. While the first evidence for the 
existence of health records in the West dates to the 16th century, they were not 
maintained in a systematic way before the 19th century (Gillum, 2013). We may ask 
about other traditions of health records, perhaps Arabic or Chinese ones. 
 
2.2 Purpose, Content and Evolution of Health Records  
 
Health records primarily serve the interests of providing good treatment and 
refreshing physicians' familiarity with cases, as it is impossible for medical providers 
to remember all the information concerning hundreds of patients. These records 
assist the teamwork in hospitals. The institutions financing treatment and authorities 
controlling its quality also have an interest in the records. They provide evidence in 
deciding on complaints and actions.  
 
Health records summarise anamnesis, diagnosis, treatment, prognosis, 
communication with patients or relatives, and decisions by physicians and patients. 
Before the 20th century, descriptions with numbers indicating measures or counts 
 
2 For the Old Greek, Latin and English versions of the Oath see Oath of Hippocrates - Wikisource, the free online 
library, for Czech version "Hippokratova přísaha" in Czech wikipedia. Please note that various translations of the 
Old-Greek original exist.  
3 Hippocrates (c. 450-380 B.C.E.) in Internet Encyclopedia of Philosophy, iep.utm.edu/hippocra.  
F. Křepelka: Proposed Law for the European Health Data Space in Context 291   
 
 
prevailed. Drawings were sporadic, as they were time-consuming, and most 
physicians were not talented artists. The situation changed in the 20th century, when 
records started to include laboratory results and imagery. Despite this, verbalisation 
remained indispensable. One infrequent word, epicrisis, conclusions on the disease 
and treatment, more commonly known today as a medical case summary or history, 
deserves mention.  
 
2.3  Paper and Databases  
 
Handwritten records were exclusive until the 19th century. Shorthand, developed 
for recording parliamentary discussions, did not enter medicine, as few mastered it. 
Typewriters prevailed in the 20th century. Physicians wrote or dictated to nurses and 
secretaries. Files in furniture contained these records, while hospitals had entire 
rooms for this purpose.  
 
The telegraph, telephone, radio, and television could also assist in emergency 
services and the delivery of pharmaceuticals. More recently, voice recordings and 
their rewriting by administrative staff have helped to alleviate burdens on physicians 
in some hospitals.  
 
Data processing and storage have improved with the advances in information 
technologies in the last decades. Decreasing costs allowed computers and their 
interconnection with the Internet in science, industry, business, education, military, 
government and leisure. Medicine also enjoyed this modernisation (Cesnik & Kidd, 
2010; Haux, 2010). Computers accompanied research and enabled advanced 
techniques, which computer tomography represents by its name.  
 
However, regarding health records, the industry was often laggard. Computers 
replaced typewriters, but the interconnection often stopped at institutional walls. 
Many countries have rendered electronic health records interoperable. However, 
others have failed until recently, including the author's Czechia. The situation may 
not reflect a country's economic and technical development but rather its diverging 
attitudes, concerns, policies, and management. Czechia, for example, introduced 
electronic communication but has failed until recently to make it attractive for 
people (Kučera & Kyncl, 2010). Nonetheless, Czechia has addressed issues 
292 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
pertaining to electronic health records with a specific law4 which, among other 
things, aims recently to improve their interconnection (Těšitelová, 2021). 
 
2.4 Standards for Health Records 
 
Keeping health records became a deontological and legal requirement in the 19th 
and 20th centuries. Czechia has detailed statutory provisions and an entire ministerial 
decree regulating this field.5 Such detailed laws need not be representative, as 
Czechoslovakia nationalised its healthcare (Křepelka, 2017). Recent attention 
reflects increased litigation in which health records provide evidence. Instead, 
guidelines of medical associations and chambers representing and controlling the 
profession may specify them. Hospitals also may specify them because teamwork 
requires a seamless exchange of information. Institutions financing healthcare could 
be another source of standards. In the end, the differences between the substance 
of the standards may be insignificant. Still, styles may differ among countries and 
their respective languages.  
 
Physicians protected their paper health records with locks. Incursions leading to the 
disclosure of medical information were sporadic, but we know little about secret 
misuses. Patients are often reluctant to ask for access to the records concerning 
them. Even requests by a patient‘s relatives for medical information were met with 
unwillingness. Health authorities and institutions financing medical treatment enjoy 
access necessary for control. Unsurprisingly, the interest of police officers to access 
medical records to aid in investigating crimes has been controversial. Nonetheless, a 
patient’s entitlement to analyse one's own records seemed manifest. Granting access 
to other researchers was premised on the notion of collegiality.  
 
Swift and remote access to electronic records is advantageous, but disclosure and 
misuse may be instant and orchestrated from a distance. Unsurprisingly, 
electronisation reshaped the deontological and regulatory landscape. Similar 
challenges to privacy also emerged outside medicine. General personal data protection 
has thus become an issue. 
 
 
4 Zákon č. 325/2021 Sb., o elektronizaci zdravotnictví [Law on Electronisation of Healthcare]. 
5 Zákon č. 372/2011 Sb., o zdravotních službách a podmínkách jejich poskytování [Law on Medical Services and 
the Conditions of their Delivery], §§ 53-69c Zdravotnická dokumentace [Health records] and Vyhláška Ministerstva 
zdravotnictví 98/2012 Sb., o zdravotnické dokumentaci [Decree of the Ministry of Healthcare on Health records] 
F. Křepelka: Proposed Law for the European Health Data Space in Context 293   
 
 
2.5 Internationalisation of the Standards  
 
International pacts and conventions on human rights and international codes of 
biomedical ethics stipulate dignity and privacy.6 One may extrapolate from these 
documents that they ought to protect health records, but they do not explicitly say 
so.  
 
The World Health Organisation (WHO), in performing its briefs, relies on 
information provided by its Member States. These countries, in turn, rely on data 
collected and analysed by their ministries, public health authorities and other 
administrations. WHO contributes significantly to assessing methods and 
techniques in medicine. Nevertheless, it does not play any significant role in 
standardising health records. Similarly, the World Medical Association (WMO), 
which promotes the interests of physicians' associations and chambers, does not 
specify any standards in this area. Maintaining and protecting electronic health 
records and systems for them has attracted the attention of the International 
Standardization Organization (ISO), which has addressed healthcare as a service 
with its norm 13808:2011 and its updates (Munoz et al., 2011; Austin et al., 2013). 
 
2.6 Role of Languages  
 
Citing the confidentiality requirement in the Hippocratic Oath reminds us that 
communicating rules is language-based. In general, communication in the medical 
sphere is between patients and physicians (and other healthcare practitioners) and 
entries in health records are that, and so are – directly or indirectly – leaks. 
 
Repeating the Hippocratic medical confidentiality requirement in four languages 
reminds us about the potential pitfalls associated with international communication, 
complicated here by the evolution of languages. As the Oath served for centuries as 
a traditional code of medical ethics, vivid discussions about its provisions exist, 
encompassing its translations (Smith, 2012). 
 
Keeping health records by overburdened physicians resulted in abbreviations, 
acronyms, incomplete sentences, often illegible writing, and peculiar formulations. 
 
6 Article 10 Private life and right to information: (1) Everyone has the right to respect for private life in relation to 
information about his or her health, Convention for the Protection of Human Rights and Dignity of the Human 
Being with regard to the Application of Biology and Medicine, ETS No. 164, 4. 4. 1997, Council of Europe.  
294 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Resorting to Latin with an admixture of Greek indicated the role of these classical 
languages in education, culture and science (Wulff, 2004). Physicians switched to 
national languages but have retained Latin and Greek words (Jóskowska & 
Grabarczyk, 2013). Unsurprisingly, some laypeople may suspect physicians that 
continue to employ these do so in order to keep their ars arcane. We do not dare to 
estimate how much this Latinisiation eased communication between physicians in 
infrequent cases of internationally mobile patients. 
 
3 Health data and the EU Integration 
 
3.1 Economic Integration as Context  
 
The Member States of the EU organise, finance, and control their healthcare. These 
policies reflect their socioeconomic development and political choices. One less 
manifest aspect of this competence is the law addressing the relationship between 
the patient and his relatives with providers and their physicians and nurses, 
respectively. Many countries consider the relationship contractual. Confidentiality 
and health records are related issues. 
 
Nonetheless, healthcare as an industry is subject to integration with the free 
movement of goods, persons, capital, and services. The European communities and 
the EU have increasingly addressed these issues with secondary law. In parallel, the 
Court of Justice has contributed by interpreting basic economic freedoms, 
sometimes far-reaching. One may thus consider EU health law (Hervey & McHalle, 
2015). 
 
We may only mention legislation on medicinal products (pharmaceuticals) and 
medical devices, on the qualifications of healthcare practitioners or the extension of 
coordination of social security to public health insurance, including the necessary 
treatment of tourists. All these standards have an informatic dimension. Seeking 
treatment abroad and paying for it was always an option. Harmonising national laws 
by the Patients' Rights in Cross-border Healthcare Directive (CBHCD) specifying 
this reimbursement deserves our attention for its interest in health informatics.  
  
F. Křepelka: Proposed Law for the European Health Data Space in Context 295   
 
 
3.2 The COVID-19 Pandemic 
 
The COVID-19 pandemic hit all humankind in 2020-2022. Countries adopted 
unprecedented requirements and restrictions: contact tracing, mandatory testing, 
quarantines, isolations, suppressed contacts, prohibited activities, closed businesses 
and schools and curtailed domestic and international travel.  
 
The pandemic also had a profound impact on the EU. People realised that public 
health belongs in the realm of national competence. Tackling this epidemic became 
a political issue par excellence. National policies differed during the three seasons. 
The EU Member States curtailed mobility and controlled the trade in essential 
medicinal products. Realising its auxiliary role, the EU acknowledged these 
restrictions.  
 
The EU exercised its competence, among other things, in the accelerated 
authorisation of vaccines (Donati, 2022) and surveillance of repurposed 
pharmaceuticals. It entered new fields by coordinating their purchase. It introduced 
the EU Covid certificate for restoring cross-border mobility.7 
 
Integration enthusiasts swiftly called for the EU‘s increased engagement.8 The 
European Commission harnessed these calls with the European Health Union,9 
encompassing improved epidemic cooperation,10 stabilising "medical 
countermeasures",11 and enhancing health informatics. Nonetheless, we can 
conclude three years later that no revolution concerning healthcare emerged. 
Europeanisation is impossible if healthcare expenditures exceed money redistributed 
by this supranational polity.  
 
 
7 Regulation 2021/953 of the European Parliament and of the Council (…) on a framework for the issuance, 
verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates. 
8 Manifesto for a European Health Union, http://europeanhealthunion.eu/#manifes, launched 24. 11. 2020, with 
1353 signatures in 29. 12. 2022. 
9 Communication from the Commission to the European Parliament, the Council (EPaC) and (…). Building a 
European Health Union: Reinforcings the EU's resilience for cross-border health threats, 11. 11. 2020, 
COM/2020)724 final. Proposal for a Regulation (EPaC) on serious cross-border threats to health and repealing 
Decision 1082/2013/EU COM/2020/727 final, Proposal for a Regulation (EPaC) amending Regulation 851/2004 
establishing a European centre for disease prevention and control COM/2020/726 final, Proposal for Regulation 
on a reinforced role for the European Medicines Agency in crisis preparedness.  
10 Regulation (EU) 2022/2371 of the European Parliament and of the Council (…) on serious cross-border threats 
to health and repealing Decision No 1082/2013/EU, OJ L 314, 6.12.2022, pp. 26–63. 
11 Council Regulation (EU) 2022/2372 (…) on a framework of measures for ensuring the supply of crisis-relevant 
medical countermeasures in the event of a public health emergency at Union level. 
296 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Still, one may add improving health informatics to this post-pandemic resilience 
package. The COVID-19 pandemic boosted electronic communication. It 
encompassed education, the home office of white collars and live culture, providing 
a further impulse for digital administration and telemedicine. Unsurprisingly, the EU 
COVID certificate was primarily electronic.  
 
3.3 Harmonising and Unifying Data Protection 
 
European countries recognised that personal data deserve protection with a 
convention agreed upon under the auspices of the Council of Europe.12 Still, the 
Council does not play a significant role due to intensive law-making by the European 
Communities and the EU. 
 
The first framework was the Personal Data Protection Directive (PDPD). The 
European Community justified harmonising the national laws on personal data to 
enable their cross-border movement. Enterprises and institutions collecting, 
maintaining, and using them should keep them accurate and protect against 
espionage and sabotage. The PDPD classified data related to health as sensitive but 
accepted its traditional treatment under Article 8(3).13  
 
The Member States choose how they transpose directives. Among others, they can 
do it with several laws. As personal data protection overlaps with the standards for 
health records, it was possible to transpose PDPD by adjusting them. Unfortunately, 
PDPD was among the directives whose transposition was perfunctory years after its 
implementation deadline (Korff, 2008). 
 
The General Data Protection Regulation (GDPR) is the most notorious uniform 
standard which replaced harmonisation. The impulse was a new, specific 
competence provision to protect personal data. However, because it led to increased 
bureaucratisation, and given its complexity and ambiguity, the GDPR has been 
frequently perceived as a regulatory monster (Voss, 2021). In response, big 
 
12 Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108, 
28.01.1981). 
13 Article 8(3) PDPD: "Paragraph 1 (prohibiting processing special categories of data) shall not apply where 
processing of the data is required for the purposess of preventive medicine, medical diagnosis, the provision of care 
or treatment ort he management of health-care services, and where those data are processed by a health professional 
subject under national law or rules established by national competent bodies to the obligation of professional secrecy 
or by another person also subject to an equivalent obligation of secrecy". 
F. Křepelka: Proposed Law for the European Health Data Space in Context 297   
 
 
businesses has had to engage data supervisors, while small ones have had to hire 
advisors or fear sanctions due to non-compliance. Paperwork has proliferated. 
Extensive interpretations questioned various practices. 
 
Concerning healthcare, small providers enjoyed the guidance of their associations 
and representations. The legal authority for collecting personal data would stem 
from both the performance of the contract and the legal duty to keep health records 
(Article 6(1)(b)(c)). Therefore, explicit patient consent is unnecessary. Moreover, it 
would be undesirable, as we would hardly perceive it as voluntary if patients need 
treatment and ask for it. Patients are vulnerable, and their data sensitive. The GDPR 
considers data regarding health- and social care, including protecting public health 
and health at the workplace, as specific, and their use is subject to restrictions (Article 
9(2)(h)). The GDPR has a chilling effect on analysing existing health records, just 
when this data mining has become attractive thanks to information technologies 
(Hansen et al., 2022).  
 
3.4 Interest in Medical Data  
 
The EU's interest in health data has gone beyond personal data protection. The cited 
Cross-border Healthcare Directive encourages cooperation concerning cross-border 
care. MyHealth@EU14 and HealthData@EU, two electronic platforms of the eHealth 
Digital Service Infrastructure (eHDSI), have been developed for this cross-border 
interconnection. There are initiatives for its improvement, TEHDAS being the most 
prominent.15  
 
Despite these efforts, this interconnection is not omnipresent if we need to learn 
about pairs of Member States where cross-border e-prescriptions, e-dispensations 
and patient summaries are available.16 Nonetheless, as an idea and project, EHDS 
predates the proposal analysed here (Iacob & Simonelli, 2020). 
 
 
14 See information My health@EU. Electronic cross/border health services in the EU, available at 
http://health.ec.europa.eu/system/files/2020-09/myhealth_qa_en_0.pdf.  
15 "Towards European Health Data Space", http://tehdas.eu, co-funded by the Health Programme of the EU and 
Sitra (Finnish Innovation Fund), involving partners from 21 EU Member States and four other European countries.  
16 For recent situation, consult Electronic cross-border health services (europa.eu). 
298 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Several adopted and proposed regulations are the legal expressions of a new 
approach of the EU, pursuing its Digital Strategy and construing a Digital Single 
Market.17 The EHDS shall be among its dozen sectoral data spaces.18  
 
3.5 European Multilingualism  
 
Linguistically defined nations have established European countries. The EU has 
grown significantly beyond international organisations. Nonetheless, it is incapable 
of federalising. Several observers and laypeople would consider the absence of démos, 
i.e., a political nation, as an obstacle. Europeans lack one language for political 
deliberations. Under these conditions, EU law claiming direct effect and primacy 
over inconsistent national law – the essence of its supranationality - must exist in all 
the Member States' national languages. 
 
Multilingualism has repercussions for economic integration. Undoubtedly, goods, 
including medicinal products (pharmaceuticals) and medical devices, are subject to 
extensive international trade. Nonetheless, manufacturers and distributors must 
accompany them with information translated into national languages. Physicians, 
nurses and other healthcare practitioners enjoy welcoming attitudes thanks to their 
frequent shortage. However, medicine requires excellent knowledge of the local 
language for effective communication with patients. We shall also consider language 
barriers on cross-border migration for treatment and necessary treatment of tourists. 
 
4 Proposed Standard for Interconnection  
 
4.1 The Proposal  
 
The European Commission unveiled the proposal for a regulation establishing the 
European Health Data Space (EHDSR) in May 2022. Nonetheless, it was no surprise 
as the European Commission presented it as its priority,19 in harmony with rotating 
presidencies. 
 
 
17 Communication from the Commission to the European Parliament, the Council, the European Economic and 
Social Committee and the Committee of the Regions: A Digital Single Market Strategy for Europe. 
COM/2015/0192 final. 
18 Commission staff working document on Common European Data Spaces, 23.2.2022 SWD(2022) 45 final.  
19 Combined evaluation roadmap / Inception Impact Assessment Ref. Ares (2020)7907993, 23. 12. 2020.  
F. Křepelka: Proposed Law for the European Health Data Space in Context 299   
 
 
The proposal is a lengthy legal text addressing the issue in detail. An explanatory 
memorandum introduces this act, which includes in-built substantiation with 
numerous recitals. The annexes set technical specifications and items in patient 
summaries.20 Estimates of expenditures follow. The proposal refers to several 
studies. It reveals that the Regulatory Scrutiny Board, an internal body of the 
Commission for better regulation, negatively assessed its first version in 2021.21 
 
4.2 Appraisals and Criticism  
 
The leaked proposal of EHDSR already sparked criticism, allegedly meeting the 
business interests.22 Its presentation in May 2022 sparked a wave of reactions.  
 
Unsurprisingly, digitalEurope, the lobby of "data majors", cherished the proposal.23 
Numerous institutions, associations and consortia representing patients, providers, 
the pharmaceutical industry, and universities voiced support. Among others, the 
statement by dozens of European associations deserves mentioning.24 The 
perception of GDPR as an obstacle to data mining in health records could contribute 
to it.  
 
Nonetheless, the European Data Protection Supervisor and the European Data 
Protection Board, the EU authorities charged with personal data protection, voiced 
concerns in their joint report,25 namely, compromising patients' autonomy 
concerning their data. 
 
The attitudes changed in the autumn of 2022. We hypothesise that the critical 
observers needed time to summarise their objections and debate them internally. 
Among others, one cannot ignore the criticism of the European Consumer 
 
20 Annex I – Main characteristic of electronic health data categories, namely 1. Patient summary and annex II – 
Essential requirements for EHR systems and products claiming interoperability with EHR systems.  
21 See Explanatory memorandum to EHDSR, impact assessment.  
22 See 'Santé numérique: les inquiétants projects d'Emamanuel Macron et de l'UE', 29. 4. 2022, available at 
https://multinationales.org/Sante-numerique-les-inquietants-projets-d-Emmanuel-Macron-et-de-l-UE.  
23 Welcoming press release on 3. 5. 2022, but already in 29. 7. 2022, the digitalEurope published an extensive opinion: 
https://www.digitaleurope.org/resources/initial-reactions-to-the-european-health-data-space-proposal/.  
24 European Patients Forum. 'EHDS Consensus Statement: Ensuring the full potential of EHDS: Stakeholder's 
recommendations on how to make the digital transformation a success across Europe', available at https://www.eu-
patient.eu/news/latest-epf-news/2022/ehds-consensus-statement/.  
25 EDPB-EDPS (further EDPB-EDPS) 'Joint opinion on the proposal for a Regulation on the European Health 
Data Space', 22-07-12_edpb_edps_joint-opinion_europeanhealthdataspace_en_.pdf (europa.eu) 
300 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Association (BEUC, 2022). The Standing Committee of European Doctors also 
voiced concerns (CPME, 2022).  
 
4.3 Legislative Procedure  
 
EUR-Lex – Procedure enables us to observe law-making progress in the EU. The 
proposal is subject to ordinary legislative procedure. Concerning the political 
dimensions – interests, positions and contexts- we follow media coverage of EU 
politics.  
 
The Economic and Social Council has already delivered its opinion, welcoming the 
project and mentioning its risks.26 The Committee of Regions has proposed changes 
underlining local and regional dimensions.27 However, the European Parliament has 
not completed even the first reading until September 2023. The proposal is pending 
in its committees. One may only speculate recently about inputs of the directly 
elected body. Anyway, deliberations in the Council will be crucial, as the Member 
States will implement EHDS in their healthcare systems. EUR-Lex indicates modest 
progress during the Czech presidency (7-12/2022), while it stalled for months during 
the Swedish presidency (1-6/2003). Euractiv informs about partial achievements in 
this law-making body. The Council / COREPER agreed to delete the telemedicine 
provision (Article 33) and reformulate the secondary use provisions (Holmgaard 
Mersh, 2022; Fortuna, 2023).  
 
4.4 Competence Issues 
 
EHDS belongs to the EU legislative initiatives that the integration enthusiasts 
welcome as magnificent, while sceptics consider it redundant, if not dangerous. One 
may discuss its contribution to patient mobility and biomedical research. Assessing 
efforts and expenditures would be helpful. The author joins those concluding that 
proportionality and subsidiarity are beyond the legal scrutiny. The EU law-making 
institutions should decide whether this interconnection is desirable.  
  
 
26 EESC 2022/02531, 22. 9. 2022, published in OJ C 486, 21.12, 2022, p. 123-128.  
27 Interinstitutional File 2023/0140(COD), 6403/23, 14. 2. 2023  
F. Křepelka: Proposed Law for the European Health Data Space in Context 301   
 
 
Competence is a different issue. The Commission proposes EHDSR on the general 
competence to regulate the internal market in Article 114 Treaty on the Functioning 
of the European Union (TFEU) and the specific one stipulating personal data 
protection in its Article 16. Nevertheless, concerning healthcare, the EU balances 
the Member States' mentioned roles and tasks while carving out exceptions in Article 
168(5) TFEU. Article 168 prohibits harmonisation, so one may argue a fortiori that 
unification is also illicit.  
 
EHDSR would primarily interconnect existing electronic health information 
systems. Despite this, this legislative act would also have harmonising and unifying 
effects. Therefore, it is understandable to question the competence to legislate on 
this issue.28 Once enacted, EHDSR will surely provide an example of competence 
creep (Prechal, 2010). Therefore, in order to avoid future disputes, unanimity in the 
Council will be desirable under these conditions. 
 
4.5 The Choice of Instrument 
 
Explanatory memoranda accompanying the regulations and directives recently 
proposed by the Commission contain a "choice of the instrument" section. 
Concerning EHDSR, the direct effect will establish individual rights, while 
uniformity should reduce fragmenting. Contrary to the memoranda accompanying 
other proposals, it also states that a directive would be unfeasible as its different 
transposition undermines personal data flow across borders.29  
  
 
28 Among stakeholders' opinions, 'Positionspapier der ABDA – Bundesvereinigung Deutscher Apothekerverbände 
e. V.', Oktober 2022, available at http://abda.de/fileadmin/user_upload/assets/Bilder/Newsroom/ABDA-
RS_2297_221021_Positionspapier_EHDS-Verordnung_10-2022_Anlage.pdf.  
29 "The proposal takes the form of a new Regulation. This is considered the most suitable instrument, given the 
need for a regulatory framework that directly addresses the rights of natural persons and reduces fragmentation in 
the digital single market. To prevent the fragmentation that resulted from inconsistent use of the relevant clauses in 
the GDPR (e.g. Article 9(4)), the EHDS uses the options for an EU law offered by the GDPR Regulation concerning 
the use of health data, for various purposes. In the preparing the proposal, different national legal contexts that built 
upon the GDPR by providing national legislation were carefully analysed. In order to prevent major disruption, but 
also inconsistent future developments, the EHDS aims to put forward an initiative that takes into account the main 
common elements of different frameworks. A Directive was not selected, as it would allow a divergent 
implementation and a fragmented market that could affect the protection and free movement of personal data in 
the health sector. The proposal will strengthen the EU’s health data economy by increasing legal certainty and 
guaranteeing a fully uniform and consistent sectoral legal framework. The proposed Regulation also calls for 
stakeholder involvement to ensure that requirements meet the needs of health professionals, natural persons, 
academia, industry and other relevant stakeholders." 
302 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Once enacted, EHDSR will repeal Article14 CBHCD, which encourages the 
interconnection of health information systems (e-health), with the limited 
achievements mentioned above. We may consider this provision as a 
recommendation in the directive. Nonetheless, this provision expected the standards 
for this interoperability of national electronic information systems by derived acts, 
so it is desirable to consider them.  
 
The Commission enacted an implementing decision for this purpose,30 while 
technology advances resulted in its recast.31 When the COVID-19 pandemic 
required tracing contacts, it amended this recast decision, enabling the cross-border 
interconnection of these applications.32 As these apps were voluntary, their 
contribution to tackling the pandemic was limited. 
 
Still, we need to consider the entire supranational privacy standard. Article 14 refers 
to the PDPD and the E-privacy Directive.33 Meanwhile, the GDPR resulting from 
a transformation of the directive deserves consideration as it applies to health 
records. On the contrary, the cited directive applies further, as the intent to replace 
it with e-privacy regulation has stalled.34  
 
Despite its focus on interconnection, EHDSR stipulates (Article 1(2) and Article 3) 
the rights of patients. It is possible to interpret providers' corresponding duties and 
responsibilities. Still, explicitly prescribing them would be better. 
  
 
30 Commission Implementing Decision 2011/890/EU (…) providing the rules for the establishment, the 
management and the functioning of the network of national responsible authorities on eHealth.  
31 Commission Implementing Decision 2019/1765 (…) providing the rules for the establishment, the management 
and the functioning of the network of national authorities responsible for eHealth (…).  
32 Commission Implementing Decision (EU) 2020/1023 (…) amending Implementing Decision (EU) 2019/1765 
as regards the cross-border Exchange of data between national contact tracing and warning mobile applications 
with regard to combatting the COVID-19 pandemic.  
33 Directive 2002/58/EC of the European Parliament and of the Council (…)concerning the processing of personal 
data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic 
communications), OJ L 201, 31. 7. 2002, 37—47.  
34 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life 
and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation 
on Privacy and Electronic Communications), COM (2017), an ensuing endless negotiations in the Council and its 
auxilliary bodies.  
F. Křepelka: Proposed Law for the European Health Data Space in Context 303   
 
 
4.6 Overlapping Regulations 
 
Laws may apply in parallel, while multiple requirements are possible until 
inconsistencies and conflicts emerge. At that moment, it would be necessary to 
resolve the conflicts, with principles lex posterior derogat legi priori and, more 
importantly, lex specialis derogat legi generali, respectively. 
 
Nonetheless, GDPR has encouraged the perception that it has acquired a quasi-
constitutional position as the specification of TFEU and the CFREU provisions on 
personal data. Other regulations "mimic" it (Papakonstantinou & Hert, 2021). 
EHDSR indicates another preference for unleashing data for research. 
Unsurprisingly, many stakeholders presenting their views have called for clarification 
of the relationship between GDPR and EHDSR.  
 
Another issue will be its coherence with regulations - branded as "acts" in their short 
titles - forming the Single Digital Market. The European Parliament and the Council 
have already adopted several,35 while others are pending.36 The legal environment 
will thus develop, and we should consider new "acts" when adopted. Several 
provisions of these regulations may change the regulatory landscape in health 
informatics interconnected with EHDSR. 
 
4.7 Implications for National Laws 
 
In theory, the primacy of the EU law applies, and regulations enjoy a direct effect. 
EHDSR will establish rights, duties and restrictions for individuals and other private 
subjects, putting aside possible incompliant provisions of the Member States.37 
  
 
35 Regulation 2019/881 of the European Parliament and the Council (…) on ENISA (the European Union Agency 
for Cybersecurity) and on information and communications technology cybersecurity certification (…) 
(Cybersecurity Act), and Regulation 2022/868 (…) on European data governance (Data Governance Act).  
36 Proposal for a Regulation of the European Parliament and the Council on a Single Market for Digital Services 
(Digital Services Act) (…), 15/12/2020 COM (2020) 825 final 2020/0361(COD), proposal for a Regulation EPaC 
on contestable and fair markets in the digital sector (Digital Markets Act), 15/12/2020, COM (2020) 842 final 
2020/0374 (COD), proposal for a Regulation EPaC laying down harmonised rules on artificial intelligence (Artificial 
Intelligence Act), 21/4/2021, COM (2021) 206 final 2021/0106(COD), proposal for a Regulation EPaC on 
harmonised rules on fair access to and use of data (Data Act). COM (2022) 68 final, 23/2/2022, 2022/0047(COD). 
37 Judgments 34-73 Fratelli Variola S.p.A. v. Amministrazione italiana delle Finanze, ECLI:EU:C:1974:101 (10. 10. 
1973) and 47–71 Politi S.A.S. v. Ministero delle Finanze, ECR 1971, 01039 (10. 12. 1971).  
304 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
The Member States enforce most EU laws. Despite the outlined direct effect, 
accompanying national legislation is necessary. Namely, the Member States establish 
or empower institutions, stipulate sanctions and specify procedures. Once enacted, 
EHDSR will be among them, expressing these expectations (Article 69). 
 
Nonetheless, we do well to consider its actual repercussions. EHDSR would enable 
the cross-border movement of patient data. However, it does not harmonise national 
laws addressing health records. Therefore, the Member States' laws addressing them 
will not become redundant. On the other hand, one cannot say that EHDSR would 
spare them as it expects their particular arrangement for their interconnection. 
 
New regulations addressing in detail the issues addressed previously by directives 
also increasingly contain directive-like provisions. To mention one, EHDSR 
empowers (Article 33(5)) the Member States to require the patient's consent to the 
research on specified data. 
 
4.8 Language(s) of the Regulation  
 
English has become the first global lingua franca of elite and expert communication 
worldwide. This article is written in this language to achieve international readership. 
The EU forms no exception, despite Brexit. English has become one of its two or 
three working languages, dominating most settings (except French at the Court of 
Justice). Recent translation statistics (European Commission, 2021, p. 7)38 suggest 
drafting in English. Therefore, our focus on it in international discussions is 
understandable. 
 
Nonetheless, the proposal for EHDSR has been available in all twenty-four official 
languages, and the outcome will be authentic in them. National authorities of the 
Member States will consider primarily their versions. This analysis does not discuss 
its terminology in other languages due to capacity constraints, but it would be helpful 
to consider possible dissonances. The doctrine encourages comparing language 
versions. 
  
 
38 7. 2,541,294 of 2,767,078 pages were translated from English to other languages in 2021, thus exceeding 90 percent 
of all the source documents. If we consider documents originating in other language countries, the documents 
resulting from the all-EU negotiations are likely in English. 
F. Křepelka: Proposed Law for the European Health Data Space in Context 305   
 
 
5 Particular Issues  
 
5.1 Paper Records 
 
Our analysis of EHDSR should start by asking whether electronic records will be 
mandatory. EHDSR solely mentions environmental benefits.39  
 
In Czechia, harnessing e-health is the principal issue. Old-age physicians using paper 
seem to be already an anecdote. Most providers operate electronic health record 
systems. However, the legislative framework requires that electronic records have a 
robust backup system. Therefore, even the advanced providers print and store 
entries as official records.40  
 
Costly cyberattacks on hospitals41 justify these fears. Moreover, critics consider 
interconnection as enabling surveillance by authorities, alluding to "Big Brother". As 
mentioned, the state authorities are incapable of promoting feasible e-solutions. It 
took an entire decade just to introduce e-prescriptions in Czechia (Bruthans, 2019).  
 
Expecting that all health records are electronic would be optimistic even if Czechia 
were the exceptional laggard. As previously mentioned, slow voluntary 
interconnection indicates that the situation could be similar in other European 
countries. 
 
There are arguments for both interpretations. On the one hand, establishing the 
patients' rights in their mobility and "unleashing" health data research necessitates 
them to be in electronic form. On the other hand, such far-reaching requirements 
should be unequivocal. 
 
5.2 Certification of Systems 
 
EHDSR (Articles 14–30) envisages self-certifications of electronic health records 
systems regarding their interoperability and security. Several cited stakeholders 
voiced dissatisfaction with this approach (BEUC, 2022, pp. 9–10; CPME, 2022, pt. 
 
39 See explanatory memorandum to EHDSR, impact assessment.  
40 As stated by in-house counsels of one leading university hospital and of one regional emergency service. 
41 For detailed expert information in English see Brno University Hospital ransomware attack (2020) - International 
cyber law: interactive toolkit (ccdcoe.org). 
306 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
7). We suggest accepting this approach as reducing the burden on operators (in 
general, Erixon & Lamprecht, 2018). 
 
Nonetheless, even these requirements deserve clarification. Countries have already 
stipulated standards for these systems. The question is whether EHDSR will pre-
empt the existing national licencing and surveillance or whether both standards will 
apply in parallel. Although retaining national requirements would pose an undue 
double burden, their pre-emption amounts to an unlawful unification. 
 
Moreover, the Member States establish and operate providers, including principal 
hospitals. Supporting them concerning informatics is unsurprising. The Member 
States with advanced health informatics may also support private providers. 
Outsourcing to software firms and resorting to internal expertise may be used in 
tandem. There is no provision for "homemade" systems. Therefore, self-certification 
applies to them. We should remember this engagement during the legislative 
procedure, as several stakeholders require certification. 
 
5.3 National Authorities  
 
EHDSR requires (Article 10) the Member States to designate their "digital health 
authority". One may expect they will consider as qualified their authorities already 
regulating and managing healthcare. Therefore, the question is whether these 
institutions could also become national regulators overseeing the implementation of 
EHDSR.  
 
Calls for independent authority by stakeholders may reflect recurrent tendencies 
emphasising the independence of administration (OECD, 2017) and judiciary. 
However, they primarily indicate a reading of EHDSR that the Member States could 
include this agenda in the existing ones and consider it problematic. If this 
interpretation is correct, we should ask whether reorganisation with in-built boards 
or particular officials would suffice. 
 
As mentioned, observers and commentators call for clarification of the 
interrelationship of EHDSR with GDPR. EHDSR promises synergy. Under these 
circumstances, national data protection authorities will continue their control of 
providers operating health record systems. 
 
F. Křepelka: Proposed Law for the European Health Data Space in Context 307   
 
 
5.4 Treatment as the Primary Use  
 
Different requirements will apply in primary (treatment, healthcare) and secondary 
uses of patient data (research, data mining) in interconnected health records. 
Therefore, distinguishing between them is crucial. There are, however, borderline 
activities that do not fall neatly into either category.42 
 
Concerning treatment, EHDSR raises the question regarding access to health 
records. Consenting to specific treatment need not amount to granting access to 
information available thanks to their interconnection. Some patients may perceive 
particular health data, namely those concerning psyche or sexuality, as 
extraordinarily sensitive and do not want to disclose them even to their general 
practitioners or other specialists. 
 
EHDSR (Article 2(2)a) underlines patients' rights to decide on the use of their data. 
Therefore, it is surprising that it will open access to health data. It would be desirable 
to emphasise that accessing the health records of untreated patients is prohibited. 
Empowering patients to approve access to their data may resolve this dilemma. 
Indeed, it is infeasible in urgent situations. Patients could benefit from the possibility 
of deciding in advance about access. Notification of every access to the patient 
health records could serve to help control possible misuse. 
 
At the same time, physicians do not need such far-reaching access. They may even 
consider an ensuing expectation to examine the entire health data of their patients 
as overly burdensome. When considering treatments, physicians ask for concrete 
information with straightforward questions. Filtering this data from interconnected 
records for particular warnings may be optimal. 
 
Moreover, experts promoting safety in medicine suggest intense communication 
with patients. For example, practitioners repeatedly question their patients before 
surgery to avoid mistaken identity or confusion about the planned intervention. 
Patients incapable of communicating benefit from increased attention. One could 
not recommend refraining from asking these questions even if these health records 
were complete and actual.  
 
42 See also CPME p. 1, ft. 2 underlines that "A precision should be made in relation to research that uses electronic 
health data from biobanks and dedicated databases. Biobanks are created for research purposes – this is their primary 
purpose, and thus do not fit well within the secondary use system concept."  
308 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
5.5 Research as the Secondary Use  
 
GDPR has provided fertile soil for the idea that personal data forms individual 
identity. Even their pseudonymisation or anonymisation does not remove its 
potential for being compromised by illegitimate use (Donnelly & McDonagh, 2019; 
Demotes-Mainard, Cornu & Guerin, 2019). Unsurprisingly, the "unleashing" of 
health data promised with EHDSR sparks outrage, as it is a paradigm change. 
 
As mentioned, there is a widespread perception that GDPR has chilled the analyses 
of health records as an activity requiring patients' explicit consent and empowering 
them to demand clarification. GDPR expects national laws to specify the rules for 
data research. However, it seems that the Member States have so far hesitated to do 
so. 
 
Still, patient data pseudonymisation and anonymisation have become subjects of 
intense debate. Several commentators see these measures as sufficient, but others 
insist that perfect decoupling data from patients is difficult, if not impossible, 
mentioning genetics as one example (Mitchell et al., 2020; BEUC, 2022, p. 12, 4.3). 
 
Meanwhile, advanced informatics would allow individuals to decide whether to 
include or exclude their data, as this would be possible with several clicks on the 
screen in platforms interconnecting electronic records. Opt-out and opt-in regimes 
or their combinations are possible. Surprisingly, EHDSR will not empower patients 
to do so when it becomes technically feasible. 
 
EHDSR will prohibit (Article 37) research aimed at specified illicit purposes: 
insurance, advertisement, and development of harmful products. One may ask about 
the rationale of this provision if pseudo- and anonymisation promise to disconnect 
patients from their health data. It will deliver an argument for the opponents if it 
indicates mistrust towards these methods. And it is mere virtue signalling by the EU 
lawmakers towards the European general public if these methods work. 
 
5.6 Data Quality and Fees 
 
EHDSR will entitle (Article 56) researchers to examine prospective health data 
before purchasing access. Undoubtedly, this approach is sensible, and we could 
generalise it. The data in health records form no gold mine. If they were, managers 
F. Křepelka: Proposed Law for the European Health Data Space in Context 309   
 
 
would overcome obstacles resulting from personal data protection. These health 
data have become a valuable commodity recently because of advanced informatics, 
as automated data mining has become cheap.  
 
The proposal stipulates (Article 42) that researchers' fees for data access should be 
reasonable. One may defend this as an adequate arrangement addressing the issue. 
Still, it expresses public interest in health data research.  
 
Israel exchanged the patients' data it collected systematically and structured feasibly 
for preferential delivery of the then-scarce COVID-19 vaccines (Birnhack, 2021). 
Two decades ago, the deCODE launched national genetic scrutiny in Iceland for 
promising investment in the national economy and growth impulse (Merz & McGee, 
2004). In both cases, the decision-making on behalf of entire nations was political. 
Parliaments or executives responsible to parliaments decided on the bargain. Despite 
this, vivid discussions emerged. General standards for this commercialisation 
expected by EHDSR may underestimate variable political, societal, economic and 
psychological aspects of particular research projects.  
 
Ethics committees approving the projects (CPME, 2022, point 8)43 may mitigate the 
problem if EHDSR expects general data openness. Still, these projects have already 
become subject to their scrutiny, as scientific journals often require their approvals. 
 
5.7 Selected Special Data 
 
EHDS will grow incrementally. Still, it prioritises several data: electronic 
prescriptions by physicians addressed to patients and pharmacies, laboratory results 
related to particular patients, and medical imagery (Article 5). Other categories shall 
follow. Let us discuss the selected ones.  
 
One sensitive category is data related to the financing of healthcare.44 Coupling these 
data with interventions and treatments would be interesting for economists. Their 
analyses could expose various phenomena in healthcare financing and thus 
contribute to transparency but may also serve competitors. EHDSR lacks detail on 
this topic. Therefore, we need to discuss what data it will expect. Among others, 
 
43 And the accompayning flyer 'Role of Ethics Committees in the European Health Data Space', 25. 5. 2022, 
cpme.eu/api/documents/adopted/2022/04/AR_CPDP_Flyer_220427.pdf. 
44 Article 33(1)(j) EHDSR.  
310 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
there are calculations to insurance funds or similar authorities for financing 
healthcare and prices charged to patients. Significant differences exist among the 
national systems, which combine public and private elements. Should this provision 
also encompass economic data related to privately-paid medicine?  
 
Another such category is data from biomedical research. This research is subject to 
bioethics, business standards, and international and national laws. Regarding clinical 
trials of medicinal products (pharmaceuticals), the EU has just made its uniform 
standard applicable.45 Case report forms are clinical trial records concerning research 
subjects, i.e. volunteers or patients. As the second and third phases of clinical trials 
also form treatment, information about administering investigational medicinal 
products enters standard patient health records. Access to these data has economic, 
societal, psychological, political, and legal repercussions. Unsurprisingly, the 
business has voiced concerns about publicising research data (Levy & Johns, 2016). 
EHDSR recognizes (Article 33(4)) this concern rhetorically, mentioning protecting 
competition and intellectual property rights. 
 
5.8 Patient Summaries  
 
German Krankengeschichte for traditional paper records indicates an understanding of 
its nature. Particular entries summarise the patient's situation identified by the 
physician, anamnesis, diagnoses and interventions, which their communication 
accompanied. This patient's history consists of entries arranged chronologically. 
Multiple providers keep these records, as patients often received care from multiple 
specialised providers and often change providers.  
 
 
45 Regulation (EU) No 536/2014 EPaC (…) on clinical trials on medicinal products for human use, and repealing 
Directive 2001/20/, Article 98(2), Article 98(1) CTR, concerning clinical trials approved before the entry into force 
(31 Jan 2022) in accordance with Commission decision (EU) 2021/1240 (…) on the compliance of the EU portal 
and the EU database for clinical trials of medicinal products for human use with the requirements referred to in 
Article 82(2) of Regulation (EU) No 536/2014 (…). 
F. Křepelka: Proposed Law for the European Health Data Space in Context 311   
 
 
On the contrary, a patient summary should deliver (Annex 1-1 EHDSR) relevant 
information.46 Concerning its content, EHDSR builds on its gradual development 
with the EU (Maarseveen & Thorp, 2014)47 and international standards.48 
 
Nonetheless, such datasets usually do not exist. Completing them would be 
demanding. Foremost, older paper records are unavailable as laws enable their 
shredding. We may hope they are not essential, as newer health records reflect 
everything relevant. It would be necessary to concentrate existing health records – 
including the electronic ones - on one designated provider or another institution. 
Otherwise, entries by multiple providers would need coordination. EHDSR does 
not stipulate guidelines on this issue, so we question whether the Member States 
could specify it.  
 
The proposal for EHDSR acknowledges that existing health records are 
incompatible (rec. 18), justifying lengthy transitional periods.49 The proposal is silent 
on the proportion of completed patient summaries or similar datasets and the effort 
necessary for completing them. Therefore, we can only speculate on the length of 
time it would take to complete one patient‘s summary. Let readers imagine their case. 
Middle-aged or elderly individuals often have a complex history of illnesses, injuries 
and findings. Their treatment could consist of repeated visits or recurrent 
hospitalisations over a period of years, sometimes even decades. These records could 
consist of hundreds of pages. Patient summaries cease to be summaries in their 
cases, so additional substantive entries would be better. Moreover, patient 
summaries need actualisations, as they can become obsolete within short periods of 
time due to new diseases, or injury and ensuing treatment. 
 
 
46 Patient summary: 1. Personal details, 2. Contact information, 3. Information on insurance, 4. Allergies, 5. Medical 
alerts, 6. Vaccination/prophylaxis, possibly in the formo f a vaccination card, 7. Current, resolved, closed or inactive 
problems, 8. Textual information related to medical history, 9. Medical devices and implants, 10. Procedures, 11. 
Functional status, 12. Current and relevant past medicines, 13. Social history observations related to health, 14. 
Pregnancy history, 15. Patient-provided data, 16. Observation results pertaining to the health condition, 17. Plan of 
care, 19. Information on a rare disease such as details about the impact or characteristics of the disease. 
47 See also 'Guidelines on Minimum/non-exhaustive patient summary dataset for electronic Exchange in accordance 
with the Cross-border Directive 2011/24/EU', adopted by the e Health Network, version 1.0, 19. 11. 2013, available 
at http://health.ec.europa.eu/systém/files/2019-02/guidelines_patient_summary_en_0.pdf.  
48 International Patient Summary and European standard aligned by Comité Européen de Normalisation CEN and 
International Standard Organization ISO EN ISO 27269:2022 as equivalent to ISO 27269:20221.  
49 Article 72 EHDSR expects one year of vacatio legis and encompassing the most prioritised data in one additional 
year and other data within three years.  
312 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Physicians are undoubtedly the most qualified for this task but are busy professionals 
who routinely, and rightly, complain about bureaucracy. They have hundreds of 
patients. Expecting them to spend dozens of hours on the issue is naive. Training 
others for this task may be the solution, but it would spark outrage about other 
persons' access to patient data.  
 
In any case, completing and updating patient summaries necessarily comes at 
substantial cost. Let us thus consider resorting to rapidly advancing artificial 
intelligence. Its deployment in healthcare has become a reality (Briganti & Moine, 
2020), and this is a realistic option for generating patient summaries (Pivovarov & 
Elhahad, 2015). Nevertheless, it has also become a concern, and the EU has already 
proposed an "act" for its surveillance.50 Even this solution, however, would require 
scanning existing records en masse. Surprisingly, the proposal and accompanying 
studies do not expect it, perhaps due to outlined underestimates of the effort that 
would be involved. 
 
Patient summaries would constitute an excellent source for research. From this 
viewpoint, their completion is desirable. Their merits for particular treatments are 
less apparent. Deploring duplicities has become commonplace, but we know little 
about their incidence and consequences. Moreover, repeated checks are not entirely 
undesirable, as they increase safety. Reliance on the information available through 
EHDS need not compromise professional cautiousness even if all data were perfect. 
 
5.9 Translations of Verbal Entries  
 
EHDSR pays little attention to the language of health records and their 
interconnection. Its entire text mentions language(s) solely when admitting that 
existing health data are not structured, so their machine translation is infeasible (rec. 
18). 
 
Several explanations for this laxity are possible. Imagery, laboratory results and data 
generated by medical devices are non-linguistic, while international trade in 
computers and software results in the global convergence of file formats and 
 
50 Proposal for a Regulation of the European Parliament and the Council laying down harmonised rules on artificial 
intelligence (Artificial Intelligence Act), 21. 4. 2021, COM (2021) 206 final 2021/0106(COD). 
F. Křepelka: Proposed Law for the European Health Data Space in Context 313   
 
 
software. Moreover, experts' international communication in English may result in 
underestimating the linguistic dimension.  
 
Nevertheless, verbalised information forms an indispensable part of health records. 
Therefore, one should consider the machine translation, its quality, and the 
perspectives of its enhancement. In some cases, encouraging reading of the original 
and its translation with the patient's assistance may be suitable. 
 
6 Conclusions  
 
All four chapters of this article finish with sub-chapters mentioning relevant 
language aspects. This symbolism emphasises the roles of language(s) in every 
communication and the challenges for international trade, mobility, and European 
integration.  
 
Predicting whether a particular legislative proposal will succeed is tricky, especially 
in supranational settings. The recent promise (Pištorová & Plevák, 2022; Fortuna, 
2023) to complete law-making in 2024 and render the EHDS applicable in 2025 is 
ambitious in September 2023. 
 
The supranational lawmakers should resolve the tension between data protection, 
considered an identitarian issue, and the interest of scientists in the research of these 
data. Fortunately, various compromises are possible. 
 
Besides, it is necessary to ascertain whether the existing health data are interoperable 
and how to render them such if they are not. Political analysis identifying 
unpreparedness even in Germany (Wrosch, 2022) provides a cautionary warning. 
Commitment to EHDS may primarily serve as an impulse for completing the 
interconnection of health records in domestic settings. 
 
Characterising the "acts" adopted and proposed for the Single Digital Market as 
"regulatory brutality", i.e. introducing new standards without much willingness to 
consider existing national frameworks (Papakonstantinou & Hert, 2022), also fits 
EHDSR. Once enacted, it will expand on the issues addressed by the national 
lawmakers, including their recently adopted laws promoting health informatics. It is 
time to discuss the aspects in which it supersedes them and these it will complement.  
 
314 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
For these reasons, its provisions deserve intense discussion. One should not 
underestimate the psychological, political, and technical challenges of construing 
EHDS. Generally, frequent enchantment in the scholarly debates about EU law 
(Leino-Sandberg, 2022) is counterproductive in developing our supranational polity. 
This ambitious project could quickly fail without such care for details.  
 
 
Acknowledgement 
 
The article is a result of the research project GA19-17403S (2019-2021) Nahrazování směrnic 
nařízeními v Evropské unii [Replacement of Directives with Regulations in the European Union], 
funded by Grantová agentura České republiky [Grant Agency of the Czech Republic]. 
 
Legal acts, standards and proposals of them 
 
CBHCD – Cross-Border Health Care Directive - Directive 2011/24/EU of the European Parliament 
and the Council (…) on the application of patients' rights in cross-border healthcare, OJ L 
88, 4 .4. 2011, p. 45–65. 
EHDSR: Proposal for a Regulation of the European Parliament and of the Council on the European 
Health Data Space (Text with EEA relevance), 3.5.2022 COM(2022) 197 final 
2022/0140(COD), {SEC(2022) 196 final} - {SWD(2022) 130 final} - {SWD(2022) 131 final} 
- {SWD(2022) 132 final}. 
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 
on the protection of natural persons with regard to the processing of personal data and on 
the free movement of such data, and repealing Directive 95/46/EC (General Data 
Protection Regulation) (Text with EEA relevance), OJ. L 119, 4.5.2016, pp. 1–88. 
ISO 18308:2011 Health informatics – Requirements for an electronic health record architecture.  
Judgments 34-73 Fratelli Variola S.p.A. v. Amministrazione italiana delle Finanze, 
ECLI:EU:C:1974:101 (10. 10. 1973) and 47–71 Politi S.A.S. v. Ministero delle Finanze, ECR 
1971, 01039 (10. 12. 1971). 
PDPD - Directive 95/46/EC of the European Parliament and the Council (…) on the protection of 
individuals with regard to the processing of personal data and on the free movement of such 
data, OJ L 281, 23.11.1995, pp. 31–50. 
 
Position papers, explanatory reports and similar documents 
 
BEUC - The European Consumer Organisation (2022). Position paper on the proposed European Health 
Data Space (further BEUC). Retrieved from 
https://www.beuc.eu/sites/default/files/publications/BEUC-X-2022-
104_Position_paper_on_the_proposed_European_Health_Data_Space.pdf (15 August 
2023). 
CPME – Médecins européens / European doctors (2022). Position on the European Health Data Space 
(further cited as CPME). Retrieved from 
https://www.cpme.eu/api/documents/adopted/2022/11/cpme.2022-
065.FINAL.CPME.position.EHDS.pdf (15 August 2023). 
European Commission, Directorate-General for Translation (2022). Translation in figures 2022.  
Brussels: Publications Office of the European Union, 2022. Retrieved from: 
https://data.europa.eu/doi/10.2782/253419 (10 October 2023). 
OECD (2017). Creating a Culture of Independence: Practical Guidance against Undue Influence, The Governance of 
Regulators. Paris: OECD Publishing. 
F. Křepelka: Proposed Law for the European Health Data Space in Context 315   
 
 
 
 
References 
 
Austin, T., Sun, S., Hassan, T. & Kalra, D. (2013). Evaluation of ISO EN 13606 as a result of its 
implementation in XML. Health Informatics Journal 19(4), pp. 264–280. doi: 
10.1177/1460458212473993. 
Birnhack, M. (2021). Who Controls Covid-Related Medical Data? Copyright and Personal Data. 
International Review Industrial Property and Copyright Law, 52(7), pp. 821–824. doi: 
10.1007/s40319-021-01067-5. 
Briganti, G. & Le Moine, O. (2020). Artificial Intelligence in Medicine: Today and Tomorrow. 
Frontiers in Medicine, (7)27, pp. 1–6. doi: 10.3389/fmed.2020.00027. 
Bruthans, J. (2019). The past and current state of the Czech outpatient electronic prescription 
(Recept)'. International Journal of Medical Informatics, 123, pp. 49–53. doi: 
10.1016/j.ijmedinf.2019.01.003. 
Cesnik, B. & Kidd, M.R. (2010). History of health informatics: a global perspective. Studies in Health 
Technology and Informatics, p. 151. 
Donati, A. (2022). The Conditional Marketing Authorisation of Covid-19 Vaccines: A Critical 
Assessment under EU Law. European Journal of Health Law, pp. 33–52. doi: 
10.1163/15718093-bja10065. 
Donnelly, M. & McDonagh, M. (2019). Health Research, Consent and the GDPR Exemption. 
European Journal of Health Law, 26(2), pp. 97–119. doi: 10.1163/15718093-12262427. 
Demotes-Mainard, J., Cornu, C. & Guerin, A. (2019). How the new European data protection affects 
clinical research and recommendations?. Therapies, 74, pp. 31–42. doi: 
10.16/j.therap.2019.12.004. 
Erixon, F. & Lamprecht. P. (2018). The Next Steps for the Digital Single Market: From Where do 
We Start? Five Freedoms. Project at ECIPE. Policy Brief, pp. 1-15. 
Fortuna, G. (2023). Council hashes out secondary use of data in EU health data space. 
EURACTIV.com. Retrieved from https://www.euractiv.com/section/health-
consumers/news/council-hashes-out-secondary-use-of-data-in-eu-health-data-space/(15 
August 2023)). 
Gillum, R.F (2013). From papyrus to the electronic tablet: a brief history of the clinical medical 
record with lessons for the digital age. American Journal of Medicine, 126(10), pp. 853–857. doi: 
10.1016/j.amjmed.2013.03.024. 
Hanák, P.B., Ivanová, K. & Chráska, M. (2019). Analysing the Semantic Space of the Hippocratic 
Oath. Open Medicine, 14, pp. 683–693. doi: 10.1515/med-2019-0079. 
Hansen, J., Wilson, P., Verhoeven, E., Kroneman, M., Kirwan, M., Verheij, R. & Bent van Veen, E. 
(on behalf of the EUHealthSupport consortium). (2022). Assessment of the EU Member States' 
rules on health data in the light of GDPR Specifications. Publication office of the European Union. 
Haux, R. (2010). Medical informatics: past, present, future'. International Journal of Medical Information, 
79(9), pp. 599–610. doi: 10.1016/j.ijmedinf.2010.06.003. 
Hervey, T. & McHale, J.V. (2015). European Union Health Law: Themes and Implications. Cambridge: 
Cambridge University Press. 
Holmgaard Mersh, A. (2022). EU ministers to scrap cross-border telemedicine from health data 
space. EURACTIV.com. Retrieved from https://www.euractiv.com/section/health-
consumers/news/eu-ministers-to-scrap-cross-border-telemedicine-from-health-data-space/ 
(15 August 2023). 
Iacob, N. & Simonelli, F. (2020). Towards a European Health Data Ecosystem. European Journal of 
Risk Regulation, 11, pp. 884–893. doi: 10.1017/err.2020.88. 
Jóskowska, K. & Grabarczyk. Z. (2013). Greek and Latin in medical terminology. Folia Medica 
Copernicana, 1(2), pp. 41–52. 
Korff, D. (2018). Study on the Protection of the Rights and Interests of Legal Persons with Regard to the Processing 
of Personal Data Relating to Such Persons. Retrieved from https://ssrn.com/abstract=1288583 
(21 August 2023). 
316 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023   
 
Křepelka, F. (2017). Regulation of Health Care and Medicine in the Czech Republic. In Povalowski, 
A., Vrabko, M. & Mrkývka, P. (eds.), Selected Issues of Public Economic Law in Theory, Judicature 
and Practice in the Czech Republic, Poland and Slovakia (pp. 149–167). Warszawa: Wydawnictwo C. 
H. Beck. 
Křepelka, F. (2021). Transformations of Directives into Regulations: Towards a More Uniform 
Administrative Law?. European Public Law, pp. 781–805. doi: 10.54648/euro2021038. 
Leino-Sandberg, P. (2022). Enchantment and critical distance in EU legal scholarship: What role for 
institutional lawyers?. European Law Open, 1(2), pp. 231–256. doi: 10.1017/elo.2022.17. 
Levy, K.E. & Johns, D.M. (2016). When open data is a Trojan Horse: The weaponization of 
transparency in science and governance. Big Data & Society, 3(1), doi: 
10.1177/2053951715621568. 
Maarseveen, E. & Thorp, J. (2014). Guidelines on the European patient summary dataset. Eurohealth, 
(20)1, pp. 25–28. 
Merz, J. F., McGee, G. E. & Sankar, P. (2004). "Iceland Inc."?: On the ethics of commercial 
population genomics. Social Sciences in Medicine, 58(6), pp. 1201–1209. doi: 10.1016/s0277-
9536(03)00256-9. 
Mitchell, C., Ordish, J. & Hall, A. (2020). Genomic Medicine and research: how does the GDPR apply? 
Retrieved from https://ssrn.com/abstract=1288583 www.phgfoundation.org (21 August 
2023). 
Munoz, P., Trigo, J. D., Martínez, I., Munoz, A., Escayola, J. & Garcia, J. (2011). The ISO/EN 13606 
Standard for the Interoperable Exchange of Electronic Health Records. Journal of Healthcare 
Engineering, pp. 1–24. doi: 10.1260/2040-2295.2.1.1. 
Papakonstantinou, V. & de Hert P. (2022). The Regulation of Digital Technologies in the EU: The 
Law-Making Phenomena of 'Act-ification, 'GDPR Mimesis' and 'EU Law Brutality'. Technology 
and Regulation Journal. Retrieved from https://ssrn.com/abstract=4123313 (21 August 2023). 
Pištorová, B. & Plevák, O. (2022). Stakeholders doubtful EU health data space will launch on 
schedule. EURACTIV.cz. Retrieved from https://www.euractiv.com/section/health-
consumers/news/stakeholders-doubtful-eu-health-data-space-will-launch-on-schedule/ (12 
August 2023). 
Pivovarov, R. & Elhadad, N. (2015). Automated methods for the summarisation of electronic health 
records. Journal of American Medical Informatics Association, 22(5), pp. 938–947. doi: 
10.1093/jamia/ocv032. 
Prechal, A. (2010). Competence Creep and General Principles of Law. Review of European and 
Administrative Law, 3(1), pp. 5–22. doi: 10.7590/REAL_2010_01_02. 
Smith, L. (2012). Abortion in the classical world. Journal of Family Planning and Reproductive Health Care, 
pp. 125–126. doi: 10.1136/jfprhc-2012-100313. 
Těšitelová, V. (2021). Elektronizace zdravotnictví řečí paragrafů [Electronisation of healthcare in the 
language of paragraphs]. Praha: Ústav zdravotnických informací a statistiky ČR. 
Voss, A. (2021). Fixing the GDPR: Towards Version 2.0. Position Paper (2021), p. 26. Retrieved from 
https://www.axel-voss-europa.de/wp-content/uploads/2021/05/GDPR-2.0-ENG.pdf (21 
August 2023). 
Wrosch, L. (2022). Is Germany ready for the European Health Data Space? An analysis of challenges and 
potential improvements to patient care and the healthcare system from the perspective of expert groups.' 
Master Thesis – Maastricht University. Retrieved from http://ictandhealth.com/wp-
content/uploads/2023/Master-Thesis-Lukas-Wrosch.pdf (21 August 2023). 
Wulff, H.R. (2004). The language of medicine. Journal of the Royal Society of Medicine, 97(4), pp. 187–188. 
doi: 10.1177/014107680409700412. 
 
Povzetek v slovenskem jeziku 
 
Analiza elektronskih zdravstvenih zapisov bi lahko izboljšala medicino, vendar možnosti za to omejuje 
varovanje osebnih podatkov. Evropski zdravstveni podatkovni prostor naj bi te podatke sprostil. 
Poudarek se zdaj preusmerja na najboljše načine za uravnoteženje tega prizadevanja hkrati z 
varovanjem zasebnosti in avtonomije pacientov. Kljub temu se moramo spoprijeti z realnostjo. 
F. Křepelka: Proposed Law for the European Health Data Space in Context 317   
 
 
Raziskave o slikah, laboratorijskih rezultatih in receptih bodo preproste, saj so elektronske. Vendar pa 
pisna jedro zdravstvenih zapisov ni strukturirano, vzpostavljanje povzetkov za vse paciente pa je 
zahtevno. Namesto direktiv so uredbe hvalevredna rešitev za poenostavitev položaja. Kljub temu pa 
se pojavljajo novi izzivi povezani s sobivanjem nacionalnih pravnih okvirov in nadnacionalnega 
pravnega okvira, če naj bi prvi imel daleč segajoče ambicije. 
 
Ključne besede:  
 
  
318 MEDICINE, LAW & SOCIETY, Vol. 16, No. 2, October 2023