No separate ethical assessment alongside the EHDS

Posted on 13 april 202628 april 2026 by Antoinette

No separate ethical assessment

EHDS allows a separate ethical assessment

The European Health Data Space (EHDS) forms a fundamental pillar of the European data strategy and has the explicit goal of significantly increasing the availability of health data for useful reuse. It promises to put an end to the legal fragmentation and reluctance to share data that have hampered cross-border research for years. The EHDS introduces a harmonised system with Health Data Access Bodies (HDABs). However, the regulation contains a political compromise: Member States retain the power to require an additional ethical assessment for an EHDS permit. They would do well not to make use of this option. Here is why a separate assessment by an ethics committee would solely do harm.

The HDAB as a comprehensive gatekeeper

An analysis of the rules shows that an additional ethical layer is superfluous. The new HDABs are required under the EHDS and the GDPR to conduct an extensive assessment:

EHDS assessment : The HDAB checks whether the goal of the applicant is one of the recognized purposes, such as scientific research aimed at public health, whether this is not prohibited use, and whether there is a broader public interest. It checks whether the applicant possesses the appropriate qualifications and whether the proposed research is scientifically sound.
Privacy and GDPR compliance: The HDAB acts as a gatekeeper for the GDPR and continuously verifies the lawful basis, proportionality, and subsidiarity of the data processing.
Strict security: Data is not transferred directly but may only be processed within a controlled Secure Processing Environment (SPE), which serves as the primary technical safeguard for patient rights.
Patient participation: The HDAB manages the complex assessment regarding opt-out and opt-in regimes, depending on national legislation.

An additional assessment has no purpose

The rules on how to write laws in many countries stipulate that if legislation is prescribed, an extensive analysis must be conducted to determine whether a problem actually exists and how it can best be resolved. An ethical review is therefore only permitted if the HDAB’s review leaves a gap that must be filled by national legislation. However, this does not appear to be the case. Because physical risks to the patient are absent in data research (unlike in clinical trials), and privacy aspects are fully covered by the HDAB, there is no remaining ‘ethical vacuum’ that a separate committee would need to fill.

Instead an extra assessment could be harmful

Sometimes, current ethics committees impose requirements that the EHDS is explicitly abolishing: such as the requirement that the data holder be listed as a co-author, or a payment that significantly exceeds the costs of making the data available. Moreover, an ethics committee has legal disadvantages: a decision on an EHDS permit application is an administrative decision. It must therefore comply with, among other things, the principle of legal certainty. And if it is not strictly defined what that ethics committee must still assess, then that requirement has not been met. Moreover, the ethics committees will make different decisions per country, thereby restricting the free movement of data; which therefore directly contradicts the intent of the EHDS Regulation.

Consequences for innovation and science

The development of precision medicine and the treatment of rare diseases requires enormous statistical power, which necessitates the aggregation of multinational cohorts. If Member States adopt their own, divergent ethical criteria, this directly undermines the fundamental objective of the EHDS: a seamless, pan-European ecosystem for health data. It reintroduces the administrative friction that often made important studies unfeasible under the old system. Member States must therefore refrain from adding extra national safeguards on top of this unified European framework. The most effective strategy is not to duplicate decision-making, but to integrate the expertise of members of existing ethics committees into the structure of the HDAB. This prevents conflicts of interest, guarantees legal certainty, and ensures that the cross-border potential of the EHDS can be fully utilized.

Would you like to know more about the HDAB assessment and the EHDS? Contact Antoinette Vlieger.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

Many people are afraid that their jobs are at risk due to AI. I decided to turn the question around and asked Gemini: which jobs are you going to take over, in a way that make us happy? Here is her own optimistic answer.

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

The concept of Science in the Omnibus

Posted on 13 april 202628 april 2026 by Antoinette

The definition of science in the Digital Omnibus

Debate on science versus good science

A new debate is brewing around the proposed Digital Omnibus Act, specifically concerning how the EU should define ‘scientific research’. In a recent paper, Evert-Ben van Veen sharply criticizes the European Commission’s proposed definition and offers an alternative. While I appreciate the critical look at the EC’s drafting, I fundamentally disagree with his proposed solution. In his paper, Van Veen argues that a definition of scientific research should include normative criteria, such as adhering to “applicable regulations” and “generally accepted standards of research integrity,” in order to distinguish “good science from bad science.” From a dogmatic and strategic legal perspective, this is a dangerous conflation of two very different things. Here is why we shouldn’t overload the definition of ‘scientific research’:

Three reasons why not to define like this

1️⃣ Ontology vs. Normativity: Defining what an activity is, is fundamentally different from defining how it should be lawfully executed. We do not need a restrictive, normative definition of “science” to prevent bad data practices.

2️⃣ We already have the regulatory tools: If a researcher wants to use health data unethically or excessively, that project shouldn’t be stopped by claiming “this isn’t science.” It should be stopped because it violates the core principles of the GDPR (proportionality, subsidiarity, purpose limitation), fails ethical committee (METC) reviews, or doesn’t meet the stringent funding criteria of bodies like ZonMw or Horizon Europe.

3️⃣ Academic Freedom: Article 13 of the EU Charter guarantees the freedom of the arts and sciences. If the legislator starts defining ‘science’ based on vague, politically sensitive criteria like contributing to societal “wellbeing” or adhering to fluid “ethical standards”, we risk encroaching on academic freedom. The state regulates the lawful use of data; it should not hold the monopoly on defining what constitutes legitimate knowledge creation.

Let’s keep definitions neutral and rely on the actual legal frameworks (GDPR, EHDS) to ensure compliance.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

Long live AI, says AI!

The EHDS, PFAS and marriage counseling

The EHDS has been in effect for a year. From PFAS to chronic complaints: this is how the reuse of health data works in practice.

The EHDS, PFAS and marriage counseling

Posted on 13 april 202628 april 2026 by Antoinette

The EHDS, PFAS and marriage couseling

Three questions that merged

This morning, three things happened to land on my plate together: a new assignment on the useful reuse of health data, an article about the bizarre increase in symptoms of depression among women in their fifties, and a theory from a doctor friend about PFAS: it disrupts hormones, potentially causing our daughters to be shorter. In my mind, this merged into one big research question. If PFAS has such an impact on hormones, does that perhaps also explain why menopause seems so intense these days? And if we speculate a step further: do women divorce during menopause—by chance—or do they divorce due to symptoms triggered by hormonal factors (or environmental pollution)?

Combining PFAS and mental healthcare data

The answer is: nobody knows. Why not? Because at this moment it is virtually impossible to link mental health care data to other datasets on a large scale. Due to the stigma – and enormous legal apprehension – they remain under lock and key. And this is therefore typically a matter for the European Health Data Space Regulation. The fact that the EHDS has now been in force for a year makes me hopeful as a lawyer. Soon, as a scientist, you will be able to apply to the national Health Data Access Body (HDAB) for a permit to investigate these kinds of pressing questions. You will then gain access to pseudonymized data in a highly secure environment (a Secure Processing Environment). This way, for example, you can finally safely combine health data on menopausal symptoms with geographical data on the spread of PFAS.

EHDS will thus bring a lot to society.

Of course, the strictest security safeguards apply (rightly so), especially to mental healthcare data. But we are definitely moving from ‘data sharing is a favor’ to ‘data for research is a right’ due to the enormous societal importance. For if it turns out that environmental damage leads to an increase in divorces or burnouts via our hormones, then society needs something other than marriage counseling.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

EHDS everywhere or just a layer on top?

Posted on 13 april 202628 april 2026 by Antoinette

EHDS everywhere or just a layer on top?

Building the EHDS as a new layer

Oskar Thunman wrote an insightful piece on how different countries prepare for the EHDS. More specifically, he describes how they build EHDS access services on top of their current national systems. As a legal expert in the field of health data, I am astounded by the lack of discussion regarding to what extent the EHDS Regulation actually allows this.

Maximum harmonisation

There is an ongoing discussion on the correct interpretation of Article 1(8): can secondary data users individually choose whether to apply for an EHDS permit? That seems contrary to the concept of a permit, and the workings of EU law. However, a similarly open-to-interpretation article seems to be lacking in respect to the chapters on the primary use of health data and ICT. EU Regulations are usually based on maximum harmonisation. They prescribe the exact rules that will always apply in every Member State, unless the regulation explicitly states that Member States may deviate. This is currently the case with the GDPR: it applies directly and everywhere in the EU, not solely when data crosses member state borders. Article 9(4) of the GDPR allows for certain national deviations, but the EHDS states that Member States may no longer maintain these.

What would the EU court say?

So, I wonder how it is possible that everybody presumes that continuing ‘business as usual’ within national borders is legally allowed? It is not allowed under the GDPR either. Why the different reading? And thus, to answer Oskar Thunman’s question “now what,” I’d say: let’s go to the EU Court and force Member States to actually build one “European Data Space,” as the Regulation appears to prescribe?

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

The free flow of health-ICT

Posted on 13 april 202620 april 2026 by Antoinette

The free flow of health ICT

Ontwerp van Zorg-adressering

The Dutch Ministry of Health, Welfare and Sport (VWS) recently opened a consultation on the concept Global Technical Design (GTO) of the Generic Function Addressing: a kind of address book for healthcare providers. This is an important step for Dutch healthcare, but if you view this document through a European lens, I do see some tension.

National health law versus EU free flow of services

The Ministry of Health, Welfare and Sport (VWS) seems to argue, based on health law (Article 168, paragraph 7 TFEU & the autonomy of Member States to organize their healthcare systems), that this structure is permissible. The system relies on typically Dutch anchors: the Chamber of Commerce (KvK) and the UZI/DEZI register. However, my legal intuition tells me that we are overlooking broader European market rules here. Doesn’t this technical design erect a wall for foreign ICT suppliers?

Can a Dutch CC registration be mandatory?

If a German software developer (e.g. of an EHR solution) is forced to have a Dutch Chamber of Commerce registration in order to connect their systems to the LRZa, this directly infringes upon Article 56 TFEU (the free movement of services) and the European Services Directive, which prohibits Member States from forcing foreign service providers to register in a local or national register in order to be allowed to provide their digital services. Furthermore, such a closed national approach seems to me to be at odds with the intended beneficial effect of the eIDAS Regulation and the European Health Data Space (EHDS). After all, these exist precisely to break down cross-border digital friction and vendor lock-in at the national level.

Which other Ministry knows more about this?

Are there experts in European law and/or the Services Directive who recognize this tension? Is the Netherlands building a legally untenable digital border here? I would like to brainstorm with someone knowledgeable about the free movement of ICT services to see if my intuition is correct and whether it makes sense to respond to this consultation together. Perhaps someone from the Ministry of Economic Affairs and Climate Policy? I look forward to hearing your thoughts and suggestions for experts.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

Who can be a member in the EHDS-board?

Posted on 13 april 202621 april 2026 by Antoinette

Who can be member of the board?

The EHDS Board: a new job in Brussels

The European Health Data Space (EHDS) has been in force for a year. Currently, the European Commission is working hard on the practical elaborations. As a result, the first implementing regulation is now a fact. This regulation focuses on establishing the EHDS Board. But who is actually allowed to sit on this board on behalf of a Member State?

That question is less clear than it seems. Specifically, the EHDS stipulates that the board consists of two representatives per Member State. One member is appointed for primary data use, and the other for secondary use. This sounds quite broad. Consequently, you might think a country like the Netherlands can send anyone with relevant expertise. For example, this could be someone from the Health Data Access Body (HDAB) or a university professor. It could even be an expert from a national public health organization.

Affiliated with an authority?

However, the new implementing regulation tightens the reins. Member States must submit the names of their representatives. In addition, they must explicitly state to which “Member State authorities” these individuals are affiliated. What exactly is meant by this requirement? This can be interpreted in two different ways.

The broad interpretation: This could mean any public authority of a Member State. This aligns perfectly with the broad European definition of ‘authority’, as seen in the Farrell judgment. Therefore, organizations like the RIVM or ZonMw could simply join as full members instead of advisory experts.
The narrow interpretation: In this view, the word ‘authority’ refers exclusively to the Digital Health Authority (ADG) and the HDAB. This is analogous to how the GDPR handles the concept. In that case, we must establish these bodies quickly to participate in the EHDS Council.

Subgroups in the EHDS Board

Article 92(6) of the EHDS does not make the situation any clearer. It states that the Council may be divided into subgroups. Furthermore, it stipulates that the ADGs and HDABs must be represented in these specific subgroups.

Does this mean (a contrario) that the Board itself does not have to consist exclusively of such representatives? Or is this precisely proof that all Council members must come from those two specific authorities?

Preferably someone who sees the benefits

Ultimately, the answer to this question is crucial for structuring public data governance. If the narrow interpretation is correct, an organization like the RIVM cannot hold the seat for secondary use. However, excluding public health organizations would be a missed opportunity. Sending a representative who experiences the practical benefits of the EHDS seems like an excellent idea. Conversely, a regulator might act mainly from the perspective of enforcement and risk.

Therefore, I hope for the broad interpretation, but I fear the stringent one. If the narrow interpretation is indeed correct, quick action is essential. Member States must establish the ADG and the HDAB as soon as possible. Otherwise, they risk missing the first crucial meetings of the Board.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

A persistent EHDS misunderstanding

Posted on 4 februari 202621 april 2026 by Antoinette

A persistent EHDS misunderstanding

Letter from the Dutch Minister of Helath

On January 20, 2026, the Dutch Minister of Health, Welfare and Sport sent a letter to the House of Representatives, informing it about the current status of the EHDS implementation. This letter was largely excellent and clear. However, it contained a persistent misunderstanding regarding the EHDS Catalogue and the Permit application process (DAAMS = Data Access Applications Management Solution).

On page 6, the letter lists four items or functions that must be developed in the coming years to ensure a well-functioning Health Data Access Body (HDAB)—the new government body where permits can be requested to reuse health data for public health purposes. The Minister describes the first of these as a national dataset catalog that provides insight into the location of data available for secondary use. This description is incorrect, as one can also apply for a permit concerning data that are not included in the catalog. Describing the catalog in this way would make the EHDS significantly less useful to science than the EU intended.

What should be included in the catalog?

To understand the difference between the EHDS Catalogue and the Permit DAAMS, we must first look at what belongs in the catalogue. Every entity (except micro entities) that holds EHDS data collected in a set is legally required to register those sets in the national catalogue. These datasets are defined as a “structured collection of electronic health data.” They must be labeled according to the Health DCAT-AP metadata standard so that researchers can more easily search throughout Europe for reusable datasets. The National Catalogue will hereto be linked to a European Catalogue.

What can you apply for at the HDAB?

However, what one can request from the HDAB, as a researcher, encompasses more than what is listed in the catalogue. One can apply for a permit to work with “data,” and this is defined separately in the EHDS (a definition that stems from the Data Governance Act). Data concerns: “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording.”

The difference is that datasets are “structured collections” of data, while “data” also includes all kinds of unstructured data that have never been collected in a structured set. Does it matter whether or not the application procedure (DAAMS) is restricted to the catalogue? Absolutely, it makes a big difference.

Dangers of limiting DAAMS to the Catalogue

Does it matter whether or not the application procedure (DAAMS) is restricted to the catalogue? Absolutely, it makes a big difference. Limiting the system creates three major obstacles:

You cannot label unstructured data: It is often mistakenly thought that data holders must register all unstructured data in the catalog. Healthcare institutions would have to inventory all healthcare data, regardless of scientific interest, which is highly inefficient and practically impossible to implement. Furthermore, providing metadata for unstructured data so that others understand it is extremely difficult. Because including all unstructured healthcare data in a catalog cannot be effectively implemented, it won’t work.
Unstructured data cannot be applied for: If not all EHDS data are in the catalogue, and the application process is limited to the catalogue, many types of data cannot be requested. Limiting the DAAMS to the catalogue means secondary use is restricted to data that has already been used for research or statistics. Extracting previously uncollected and unstructured data from the healthcare system will not be possible. Instead, it is more logical to search for data only when requested through a separate permit procedure.
Rare and new data cannot be collected: Existing datasets contain very little rare data, as scientists often choose readily available data to advance their careers. The EHDS licensing system is designed to solve the problem of data being difficult to find. If data holders must submit datasets annually and the application is limited to this, we could not request newly generated data during a pandemic. This contradicts the fact that the EHDS is explicitly intended to make fast data collection possible in such situations.

Split catalogue and application process for greater impact

The EHDS introduces a permit for both requesting data from society and reusing existing datasets. Article 67 of the EHDS contains a list of everything that must be submitted when applying for a permit. Notably, this article does not mention the catalog at all. It requires “a description of the requested electronic health data, including their scope, time range, format, sources and, where possible, the geographical coverage”. The word “data holder” surprisingly does not appear there.

Moreover, recital 73 states that the HDAB should assist health data users in the selection of suitable datasets or data sources for secondary use. This means the scientist, together with the HDAB, has to locate the data. A general indication of the sources is enough for the application, after which the HDAB must further assist.

To make scientific progress in new directions possible, the system must be designed correctly. The EHDS Permit DAAMS therefore should not require an applicant to designate a dataset that is already neatly listed in the catalogue. Only by splitting the catalogue and the application process can the EHDS achieve its true potential.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

The Dutch Bodily Material Act must be rewritten

Posted on 26 augustus 202528 april 2026 by admin

The draft Bodily Material Act (WZL) must be rewritten

The WZL versus the EHDS

The European Health Data Space Regulation concerns data, not bodily material. The draft Bodily Material Act (WZL) concerns material, not data. Therefore, based on the names of the two laws, one might assume there is no overlap. Therefore, there would be no reason to discuss the WZL on this website. I will discuss it anyway, because there is more overlap than one might think. When you extract data from material, you are doing something with both data and material. Moreover, the Guidelines for Regulations (rules on how to write laws) stipulate that new laws must always be carefully considered to determine their true necessity. Moreover, they must be harmonized with existing regulations as much as possible. Moreover, many (incorrectly) believe that the WZL does indeed concern data from material, while the EHDS explicitly does. For these three reasons, I will discuss the draft WZL here. Spoiler alert: it’s rubbish.

Why the WZL?

First, a little background on the WZL. Scientists are usually concerned with data from the material, not the material itself (unless, for example, they need material for a surgery class). They find this so logical that the two get confused. For lawyers, bodily material is completely different from data from the material. Previously, these were clearly legally separated. The WGBO (Dutch Medical Treatment Contracts Act) contains a statutory provision on the reuse of material (7:467 BW) and a statutory provision on the reuse of patient data (7:458). Because people often want to extract data from material, the law states: “Research with anonymous substances and parts separated from the body is understood to mean research in which it is guaranteed that the bodily material to be used in the research and the data to be obtained from it cannot be traced back to the person.”

So, as soon as you extract patient data from the material, you no longer fall under the article about the material, but under the article about data. This prevented duplication, and that was perfectly arranged. The problem is that over time, the legal article about material has been interpreted differently. Some believed that if traceable data were extracted, consent was always required (perhaps based on invalid a contrario reasoning applied to Article 7:467 of the Dutch Civil Code?), while the other legal article (Article 7:458 of the Dutch Civil Code) states: consent unless unreasonable.

What is anonymous?

Moreover, bodily material was previously generally considered anonymous: you can’t tell who a drop of blood belongs to. But now that DNA can be extracted from a drop of blood, it was argued that bodily material is essentially no longer anonymous. This conflicts with European (GDPR) case law regarding when something is considered personal data. This is based on a relative concept. Whether privacy is at stake and therefore whether the GDPR applies depends on who is processing the data and what that processing entails. This (case law on the) GDPR is relevant because, when the GDPR Implementation Act was drafted (Article 24), specific reference was made to the Medical Treatment Contracts Act (WGBO): these articles were intended to provide the same framework. However, this relative approach to personal data seems to have had no effect on how bodily material is treated. This may be because the experts cited in this regard are medical scientists, not lawyers. They will have concluded that material is never technically anonymous again, but that is a different matter from the question of whether it is legally anonymous.

All those biobanks...

Because the law stipulates that one can opt out of material unless it is not anonymous, many now believe that bodily material is never anonymous and therefore (almost) always requires consent. This is often difficult for scientists to handle. In my opinion, this difficulty lies in a misreading of the legal provisions, and in this regard, a legislative amendment was therefore unnecessary. However, this doesn’t change the fact that the House of Representatives simultaneously became uneasy about the fact that a large amount of material (from millions of Dutch people) was now being stored in biobanks, with little oversight. A law was therefore necessary, and that argument hasn’t been dismissed yet: and therefore, “a” WZL (Wiseness of the Authorization of Bodily Material) is necessary. However, the confusion about material versus data from that material has only increased with this draft law on the control of bodily material.

Double rules

The WZL itself explicitly states, “This law applies to procedures involving bodily material (…).” This is problematic in itself. Firstly, because the article in the WGBO stipulated: this article applies to bodily material, unless (traceable) data is extracted from it, in which case you fall under the article on data. This “unless” provision is not in the WZL. This means that if personal data is extracted from bodily material, it will soon fall under the WZL because it involves bodily material, and it will also fall under the GDPR (and soon the EHDS) because it involves personal data (and health data). This means that under the WZL, you must check whether an objection has been filed (via a separate system), while under the EHDS, you must also check whether an objection has been filed in the National Control Register.

This is despite the fact that the intention is to reduce the administrative burden, and the Guidelines for Regulations stipulate that harmonization must be as high as possible. Why the WZL isn’t aligned with the EHDS is therefore a mystery to me. Moreover, it’s unacceptable to choose to have data extraction from material fall solely under the WZL, as that is a Dutch law that cannot override the European GDPR. It should be the other way around: it should be explicitly stated that if personal data is extracted from material, it no longer falls under the WZL but under the GDPR. This is currently lacking.

But the WZL is not about the data itself

But it’s also problematic because it escapes almost everyone’s attention that the WZL concerns actions with material (including data extraction), but not with that data itself. Even the Council of State recently wrote in an advisory opinion: “A regulation will also be introduced for the (further) processing of personal data (health-related) for this situation.” That’s not the case. But if even the Council of State is confused about this, then so must be almost the entire field. It becomes even more serious when one examines precisely when the law will apply: “This law applies to actions with bodily material that has been (…) collected (…) in connection with medicine (…) and which actions are intended for a purpose other than (…) assessing the patient’s state of health.”

Bodily material (such as drops of blood or a piece of skin) is often collected for the care of a specific patient. Afterward, it is stored, still for that specific patient, due to the obligation to keep records of what is done and why. The WZL will therefore not apply in this case, while the article from the WGBO (Dutch Medical Treatment Contracts Act) on material will be repealed. This means that as long as no scientist is interested in the material, no regulations apply. But it gets even stranger. Because if a scientist becomes interested in the material after three years, the WZL will apply, and it will then stipulate (in 2028) that information must be provided to the patient when collecting it. But that was three years earlier, in 2025. How can a law now stipulate that it will apply in 2028, which then prescribes that something must be done three years earlier? I really don’t get it.

Nobody owns it

Another problem is that the bill appears to be based on incorrect assumptions. The Consultation Version of the Second Amendment Memorandum to the Bill on Control of Body Material, dated June 10, 2024, refers four times to a report. This report contains several remarkable statements. For example, on page 55 it states: “Our law primarily considers materials separated from the body as ‘substances susceptible to human control’ (Article 3:2 of the Dutch Civil Code). Ownership can then be considered. The person from whom the body material originates becomes the owner of that material.” This is incorrect. Article 3:2 of the Dutch Civil Code states: “Things are tangible objects susceptible to human control,” to which Article 5:1 of the Dutch Civil Code adds: “Ownership is the most comprehensive right a person can have in a thing.”

This “possession” does not imply that every thing is subject to ownership. You can only own something if it is also subject to possession, because you can only become an owner through transfer of possession, taking possession, or possession plus prescription. Everything “outside of commerce,” as it has been defined for centuries, is not subject to possession and therefore also not subject to ownership. If too much skin is wrongly removed, this may be abuse, but you cannot report theft to the police. No one owns bodily material, just as no one owns health data (one cannot own “the sun is hot,” and therefore also not “the patient has a fever.”).

Provide control, but harmonize

Intuitively, we feel that patients should perhaps have some control over their bodily material, but this is separate from the concept of ownership. Similarly, under the GDPR, patients have control rights over data to protect their privacy, which are therefore entirely independent of the question of ownership. The GDPR stipulates that a balance must always be struck between the interests of privacy and the interests of data use. And this should also be the case with bodily material. Therefore, the WZL should, where possible, align as closely as possible with the GDPR and the upcoming EHDS, and the subtle balance sought in these two regulations between the interests of privacy and the interests of data freedom. However, the WZL wrongly fails to align with the EHDS at all. In that regard, the recent report from the Council of State was indeed correct. Such a lack of harmonization violates Article 2.45 of the aforementioned Guidelines for Regulations, which stipulates that this should be pursued as much as possible.

Physical integrity not at stake

The decision not to align fully with the GDPR and the EHDS also appears to be related (besides the confusion of data and material) to the confusion of body and bodily material. The moment material is taken from a patient, at that moment, bodily integrity is compromised. This is no longer the case when a sample is retrieved from an archive for research five years later. Three situations can be distinguished regarding collection: collection for care, collection for care and research, and collection solely for research. The Medical Research Involving Human Subjects Act (WMO) applies to this third issue. This Act contains strict safeguards to protect the patient’s health and bodily integrity. There was some uncertainty about the extent to which this law also applied in the second situation: when an additional tube of blood is collected. In that case, too, the patient’s body is at stake, and ethical questions arise. However, if an existing sample is retrieved for research, only privacy issues arise.

So why an ethical assessment?

Despite this, the WZL stipulates that material managers must always have regulations that have been approved by an ethics committee. But this is very odd for a situation in which there are no ethical questions at all: the situation in which material was collected solely for healthcare purposes. If one only realizes afterward that this material might also be useful for research, bodily integrity is not at stake at all. The only question then is whether the patient’s privacy is sufficiently protected, which is already addressed by the GDPR and the EHDS. Why a Medical Ethics Review Committee needs to be involved in this is incomprehensible. These review committees are extremely valuable in medical research involving human subjects. Patients who think they might die say yes to everything. And then a review committee has to look into whether the risk to the patient is not too great, or whether the chance of a beneficial effect from the research is not too small. This ethical constellation is completely irrelevant when a piece of skin taken three years earlier is used. Therefore, it is incomprehensible why the ethics review committee needs to be involved in this.

In short: back to the drawing board

All in all, the WZL is an incomprehensible law, while the Explanatory Memorandum precisely states that it aims to provide clarity. Furthermore, the WZL is not in line with the Guidelines for Regulations because it is not optimally aligned with the GDPR and the EHDS. Therefore, the draft WZL must simply be scrapped. No minor adjustments, as was previously the case. A completely new WZL needs to be written (i) that precludes the dual application of rules to the same action, (ii) that aligns as closely as possible with the GDPR and the EHDS, (iii) that regulates control through the National Control Register, (iv) that, following the GDPR, opts for a risk-benefit assessment, and (v) that omits the ethical review if privacy is at stake but physical integrity is not.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

The Health Data Access Body

Posted on 10 augustus 202523 april 2026 by admin

The Health Data Access Body

Who can become a HDAB?

The Dutch government must announce by March 2027 who will be the Health Data Access Body, the body that will make health data available for beneficial reuse. This HDAB issues permits, and is therefore automatically a government body. After all, anyone established under public law is a government. Furthermore, anyone vested with public authority is a government, meaning that they can unilaterally determine someone’s legal status, such as determining whether someone receives a permit. Therefore, when designating the HDAB, three legal options can be chosen:

1. A completely new government body is established under the EHDS Implementation Legislation;
2. An existing government body is designated as the body that will henceforth also assume the HDAB tasks; or
3. An (existing or new) private-law organization is chosen, which, through the implementing legislation and the ZBO Framework Act, is embedded in the public system and thus becomes a government.

Legal tasks

When establishing this government body, it must be borne in mind that the HDAB must perform both legal and practical tasks under the EHDS. All legal tasks (which constitute a government entity) cannot be outsourced. This includes issuing permits, imposing fines, or imposing administrative penalties. This administrative decision-making will not be simple. Permit applications must be assessed against the GDPR and the EHDS, but also, for example, against the prohibition of discrimination and the European free movement provisions.

Furthermore, compliance with other European law must be ensured, such as the Data Governance Regulation, the Data Regulation, and the Open Data Directives (implemented in the Reuse of Government Information Act), as well as the General Administrative Law Act and Intellectual Property Law. Objections and appeals can be lodged against a permit (or its refusal). If data subjects refuse to make data available, an administrative enforcement order or administrative penalty must be imposed, and these can also be challenged. Therefore, the HDAB needs a considerable number of skilled lawyers.

Performing tasks

In addition, the HDAB is assigned various practical tasks under the EHDS, which can potentially be outsourced. The fact that a government is responsible for something doesn’t mean it has to carry it out itself. For example, the government is also responsible for good schools, but these are practical tasks, not administrative decisions, and therefore can be outsourced to various foundations.

Similarly, the HDAB can commission tasks to carry out its practical tasks, such as setting up a catalog, anonymizing or pseudonymizing, linking databases, maintaining a National Control Register, monitoring Secure Processing Environments, or ensuring the interoperability of all BVOs. These are all practical tasks that the HDAB can perform itself, but which can also be outsourced to contractors who do not necessarily have to be government bodies.

Who cannot become HDAB

The HDAB must not have any interests in the data or the permit application, due to the prohibition on conflicting interests. This effectively eliminates Statistics Netherlands (CBS) as a possible option, given the commercial activities of microdata services. The HDAB also cannot be the Dutch Data Protection Authority, as these two organizations have conflicting tasks (keeping everything confidential versus sharing more data). Similarly, the Market Authority is mentioned separately in the EHDS, which seems to imply that the Netherlands Authority for Consumers and Markets (ACM) cannot become the HDAB either.

Rumor has it that the Ministry of Health, Welfare and Sport (VWS) will opt to establish a single, entirely new body. It is important, however, that strict adherence to the EHDS requirement that there must be no conflicting interests within the HDAB is maintained, both at the organizational level and with regard to the people working there. Therefore, it is highly undesirable for an HDAB director to also be a member of, for example, the Supervisory Board of data holders or data users.

HDAB versus Data Protection Authority

Note that the HDAB also has responsibilities towards the natural persons to whom the data pertains (patients, or indeed all citizens). This concerns the way in which the HDAB itself handles personal data. The HDAB must comply with various GDPR requirements regarding transparency. In addition, the HDAB supervises data holders and data users; it assesses whether a permit application complies with the GDPR and whether work within the BVOs is being carried out in accordance with the GDPR.

However, if it appears that someone else is violating the GDPR, for example, because the National Register of Authorities has not been respected, the HDAB will provide that information to the Data Protection Authority, which will take action. Regarding the latter, the HDAB must cooperate with the Data Protection Authority. Regarding the former, the HDAB, like other government bodies, is supervised by the Data Protection Authority.

Big enough

Finally, a single HDAB or multiple HDABs can be chosen, with one designated as the coordinating HDAB. Given that a significant number of well-trained lawyers are needed for the HDAB, and given our small size, it seems illogical to establish multiple HDABs. At the same time, care must be taken to ensure that the HDAB that is established is not too small. There is debate about when the EHDS applies. Some argue that this is only the case if researchers choose to use the HDAB route.

If researchers are indeed free to choose whether or not to apply for a permit, then the HDAB does not need to be so large. If a permit is almost always required (unless one can invoke one of the exceptions in Article 1), then the HDAB must be large enough. After all, if scientists apply for more permits than the HDAB can process, scientific research in the Netherlands could stagnate due to capacity shortages at the HDAB. Of course that is not the intention.

No separate ethical assessment alongside the EHDS

The EHDS prescribes a comprehensive and uniform assessment by the HDAB. A separate ethical assessment adds nothing and hinders science.

The concept of Science in the Omnibus

How does the EU define 'scientific research' in the Digital Omnibus? There has been criticism of this, but it is unjustified.

Long live AI, says AI!

The EHDS and the Secure Processing Environment

Posted on 10 augustus 202523 april 2026 by admin

The EHDS and the secure processing environment

Technical Requirements of the European Commission

Under the EHDS, work must be carried out in a Secure Processing Environment (SPE). Scientists will not receive data, but will have access to it in a SPE that meets the strict technical and security standards established under the EHDS. The exact nature of these requirements is not yet known. They will be established by the European Commission by March 2027 (see timeline). The European Commission will also assist Member States in promoting the security and interoperability of the various SPEs. Such security requirements cannot be prescribed in the EHDS itself. Risks and security evolve faster than new European legislation.

HDAB and Trusted Data Holders monitor

Please note: there are parties who claim that there will only be one single BVO, managed by the HDAB. This would then become a supercomputer containing all Dutch healthcare data. This is not the case. The EHDS clearly speaks of multiple SPEs. Every Trusted Data Holder (TDH) must also have an SPE, and it is likely that all the academic hospitals, among others, could become such. The HDAB and the TDHs must always monitor what exactly happens in their SPE, so that scientists are only granted access in line with the exact conditions of their permit.

Therefore, those who hold an SPE must be able to enforce compliance with both the GDPR and the EHDS. Scientists may not simply grant access to another scientist who is not also listed on the permit. And only non-personal data (i.e., anonymous or aggregated data) may be downloaded from such a SPE. They may, of course, be transferred from one SPE to another, for which interoperability must be achieved. The log data of processing operations within the SPE must be retained for at least one year to verify compliance with the permit conditions. In this way, the SPE is an essential safeguard for protecting the rights and freedoms of patients with regard to the processing of their health data for secondary use.

The SPE should always be mandatory

There is criticism (in The Netherlands) of the EHDS, which aims to make more health data available for beneficial reuse. It is important to keep in mind that the idea of this law is to make more data available, precisely by making it more secure; in the certified SPEs. It is important to note here that there are people who think that you will soon be able to freely choose whether to apply for a data permit, and that you will thereby ensure that you fall under the EHDS. It follows that you would also be able to choose whether or not you are obliged to work in a SPE. That you can choose whether you are obliged to do something seems an untenable position to me. But if it turns out that I am wrong, and people can indeed freely choose whether to apply for a permit, then the implementing legislation should include that working in a SPE (as described by the European Commission) will always be mandatory from 2029, even if one does not follow the route via the HDAB.