BfDI - Federal Commissioner for Data Protection and Freedom of Information

10/02/2025 | Press release | Archived content

Data protection and data use in the health sector

Keynote speech of the Federal Commissioner for Data Protection and Freedom of Information Prof. Dr. Louisa Specht-Riemenschneider at the MIB Future Panel in Bonn on 02.10.2025

- The spoken word shall prevail -

I. Introduction

Dear Bernd Weber,
Dear Frank Holz,
Dear Theodor Rüber,
Ladies and Gentlemen,

Thank you very much for inviting me to the MIB Future Panel 2025.

From my point of view, the topic of today's event is appropriately chosen: AI Applications and Large Language Models in Medicine.

In this respect, I am very happy to talk to you today about one of my - and this is really not an exaggeration - topics close to my heart: Data protection and data use in the health sector.

I would like to show you why data protection is particularly important in this area. In the healthcare sector, highly sensitive data are processed that tell a lot about us.

Health data are therefore rightly subject to special protection under data protection law.

The associated risks must therefore be consistently addressed in order to provide the data subjects with adequate protection of their fundamental rights.

At the same time, however, the medical sector shows how valuable and meaningful data use can be realised if therapies can be optimised and research can be improved. Data protection does not hinder data use in general. I would like to say this quite clearly here.

The General Data Protection Regulation does not make such a statement at any point, but provides that fundamental rights are weighed against each other. This means that where the right to life and physical integrity outweighs the right to informational self-determination, data may be used. Even in my position as the Federal Data Protection Commissioner, I can therefore say:

The processing of health data is in the essential interest of the general public and shall be made possible in many areas - with the appropriate technical security mechanisms in order to also consider the right to informational self-determination, which must also be guaranteed constitutionally.

And with well-founded trust of the data subjects in the compliance with ethical, legal and technical standards. This increases their motivation to support research. It is therefore essential for citizens to be able to trust that their personal data will be processed while respecting their informational self-determination. This is especially true for AI Applications and Large Language Models.

In my view, data protection is a central prerequisite for human-centred scientific research with health data.

Ladies and gentlemen, today I would like to talk to you about two items that, in my view, are central for the future of data protection and data use in the health sector:

Firstly, about the set of rules at the interface of these two areas of law, which already today leaves a lot of scope for scientific research and fundamental rights-sensitive use of health data, especially the European Health Data Space.
Secondly, I would like to venture with you an outlook into the future, where, in my view, there is still potential for improvement for a human-centred health policy.

II. EHDS

In a first step, let's take a look at the current set of rules on health data protection and the use of health data. I would like to start with the EHDS Regulation.

The EHDS Regulation, which establishes the so-called European Health Data Space, has been in force as of this year. The EHDS is the first of several sector-specific data spaces under the European Data Strategy.

In the future, the EHDS will be a central element for the use of data in the health sector.

The EHDS gives citizens control over their health data via a digital interoperable format, similar to what we already know today in Germany with the electronic health record (ePA).

The EHDS will provide citizens with access to prescriptions, laboratory results, discharge reports and vaccination records, among other things.

In addition, the EHDS provides for numerous regulations for secondary use of health data for research, innovation and policy-making. The wonderful aspect of this is: These secondary uses must be possible across borders, so that data exchange will be interoperable across the EU.

I am convinced that these data can also be effectively used in terms of AI Applications and Large Language Models, especially for the purpose of AI training in the interest of the society. But I will come to this later.

III. Intermediate conclusion

Ladies and gentlemen, it is not only the establishment of the EHDS that shows: Data protection must and can always be considered and implemented from the outset in all new developments, including and especially in the medical sector.

This is also shown by the German Health Data Use Act (GDNG), which enables better scientific use of health data, including from the ePA. And it is shown by the German Health Data Lab (FDZ Gesundheit), which is an appropriate and secure tool for more data use in the health sector, through its technically strict pseudonymisation procedures, trust centres and the secure processing environment.

In the digitisation of healthcare, we can achieve a level of security and data protection that is at least equal to that of the analogue world, while opening up new opportunities for treatment, better care and research.

We do not have to forego technical progress, medical research or privacy protection. All three are equal and can and must be considered and implemented together right from the outset.

In addition, rules on the retention period and deletion of research data are to be defined, which take into account both the data subjects' right to informational self-determination and the interest of scientific research in a later verifiability of the research results.

I am sure that a balance is possible between the public interest in the use of health data for research purposes and the individual's interest in protection. I am committed to this as BfDI, not only through the early solution-oriented advice of the German legislator, but also at European and international level.

IV. Outlook

Ladies and gentlemen, let's finally take a look into the future together: What challenges await us when it comes to data protection and data use in the digitisation process of the healthcare sector?

Ladies and gentlemen, with regard to the future of healthcare, I am thinking of a topic that is of invaluable relevance in medical research and whose buzzword you have certainly missed in my speech: Artificial Intelligence (AI).

I have long been calling for a debate about finally being honest about the purposes for which we as a society actually want to use AI - and for which we do not.

From my point of view, it makes a big difference whether an AI should be trained to heal people or because commercial interests are at the forefront.

In this respect, the EHDS Regulation, which I mentioned at the beginning of my speech, should be a positive factor for the future: Article 53 of the Regulation explicitly allows the secondary use of health data for the training, testing and evaluation of AI systems where this is necessary for health research for the benefit of patients or end-users.

Training with health data for purely commercial purposes is not foreseen here. Even if the provisions of the EHDS Regulation only apply in a few years, they should already give us an indication of what is possible and what is not.

The regulations indicate very well how a data protection-compliant AI training should be designed, i.e. by regulating legitimate uses (Art. 53), by prioritising the use of anonymised data (Art. 66) and a low-threshold right of objection of the data subjects, which can only be restricted for important reasons of public interest.

In practice, it will be a major challenge to determine on a case-by-case basis when health data are anonymous. I therefore work with my colleagues from the state data protection authorities, as well as with medical experts, to develop guidelines and concrete aids using our legal and technical expertise so that reliable anonymisation can be guaranteed in practice.

Because, ladies and gentlemen, I do not want legal uncertainty in an important area such as health. I want clear rules that enable research and advance Germany as a health and research location - in compliance with data protection law. And I want confident patients who enjoy using their ePA and Digital Health Applications, and this in a safe manner.

But for this purpose, we must also have the courage to clearly realise what is currently not running smoothly. In the medical field, we need clear rules and prohibitions for data processing in sensitive areas such as brain data and neurodata. Here, the legislator must act and write - directly into the law - clear guidelines stating which processing is allowed.

Similarly, the legislator should establish clear prohibitions, e.g. for the re-identification from pseudonymised or anonymised datasets.

Ladies and gentlemen, last but not least, the global political situation shows us that we can no longer rely on access to research data abroad. With just one executive order, we can lose a great number of research data. We therefore need a clear, easy-to-use set of rules for the use of health data in Europe. This is especially true for AI training data. In this context, data protection is the pillar of trust necessary to convince persons.

And we have many other challenges awaiting us in the future: AI agents that track our vitality and take autonomous action, brain computer interfaces that actually allow remote control of people, and human enhancement that needs and utilizes health data to improve human capabilities.

Ladies and gentlemen, let's tackle it together - for human-centred and privacy-compliant data use in the health sector.

Because, to quote Mark Twain, health is the greatest asset we have as human beings.

Thank you very much for your attention!

I am now really looking forward to our discussion led by Theo.

BfDI - Federal Commissioner for Data Protection and Freedom of Information published this content on October 02, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on October 07, 2025 at 13:24 UTC.