Open health data  is one of the most valuable assets of our society. Well managed and shared responsibly, they can save lives, drive medical discoveries, or even optimize hospital resources. However, for decades, this data has remained fragmented in institutional silos, with incompatible formats and technical and legal barriers that made it difficult to reuse. Now, the European Union is radically changing the landscape with an ambitious strategy that combines two complementary approaches:

• Facilitate open access to statistics and non-sensitive aggregated data.
• Create secure infrastructures to share personal health data under strict privacy guarantees.

In Spain, this transformation is already underway through the National Health Data Space or research groups that are at the forefront of  the innovative use of health data. Initiatives such as IMPACT-Data, which integrates medical data to drive precision medicine, demonstrate the potential of working with health data in a structured and secure way. And to make it easier for all this data to be easy to find and reuse, standards such as HealthDCAT-AP are implemented.

All this is perfectly aligned with the European strategy of the European Health Data Space Regulation (EHDS), officially published in March 2025, which is also integrated with the Open Data Directive (ODD), in force since 2019. Although the two regulatory frameworks have different scopes, their interaction offers extraordinary opportunities for innovation, research and the improvement of healthcare across Europe.

A recent report prepared by Capgemini Invent for data.europa.eu analyzes these synergies. In this post, we explore the main conclusions of this work and reflect on its relevance for the Spanish open data ecosystem.

1. Two complementary frameworks for a common goal

On the one hand, the European Health Data Space focuses specifically on health data and pursues three fundamental objectives:

• Facilitate international access to health data for patient care (primary use).
• Promote the reuse of this data for research, public policy, and innovation (secondary use).
• Technically standardize electronic health record (EHR) systems to improve cross-border interoperability.

For its part, the Open Data Directive has a broader scope: it encourages the public sector to make government data available to any user for free reuse. This includes  High-Value Datasets that must be published for free, in machine-readable formats, and via APIs in six categories that did not originally include "health." However, in the proposal to expand the new categories published by the EU, the health category does appear.

The complementarity between the two regulatory frameworks is evident: while the ODD facilitates open access to aggregated and non-sensitive health statistics, the EHDS regulates controlled access to individual health data under strict conditions of security, consent and governance. Together, they form a tiered data sharing system that maximizes its social value without compromising privacy, in full compliance with the General Data Protection Regulation (GDPR).

Main benefits computer by user groups

The report looks at four main user groups and examines both the potential benefits and challenges they face in combining EHDS data with open data.

1. Patients: Informed Empowerment with Practical Barriers

European patients will gain faster and more secure access to their own electronic health records, especially in cross-border contexts thanks to infrastructures such as MyHealth@EU. This project is particularly useful for European citizens who are displaced in another European country. . 

Another interesting project that informs the public is PatientsLikeMe,  which brings together more than 850,000 patients with rare or chronic diseases in an online community that shares information of interest about treatments and other issues. 

2. Potential health professionals subordinate to integration

On the other hand, healthcare professionals will be able to access clinical patient data earlier and more easily, even across borders, improving continuity of care and the quality of diagnosis and treatment.

The combination with open data could amplify these benefits if tools are developed that integrate both sources of information directly into electronic health record systems.

3. Policymakers: data for better decisions

Public officials are natural beneficiaries of the convergence between EHDS and open data. The possibility of combining detailed health data (upon request and authorisation through the Health Data Access Bodies that each Member State must establish) with open statistical and contextual information would allow  for much more robust evidence-based policies to be developed.

The report mentions use cases such as combining health data with environmental information to assess health impacts. A real example is the French Green Data for Health project, which crosses open data on noise pollution with information on prescriptions for sleep medications from more than 10 million inhabitants, investigating correlations between environmental noise and sleep disorders.

4. Researchers and reusers: the main immediate beneficiaries

Researchers, academics and innovators are the group that will most directly benefit from the EHDS-ODD synergy as they have the skills and tools to locate, access, combine and analyse data from multiple sources. In addition, their work already routinely involves the integration of various data sets.

A recent study published in PLOS Digital Health on the case of Andalusia demonstrates how open data in health can democratize research in health AI and improve equity in treatment.

The development of EHDS is being supported by European programmes such as EU4Health, Horizon Europe and specific projects such as TEHDAS2, which help to define technical standards and pilot real applications.

1. Recommendations to maximize impact

The report concludes with four key recommendations that are particularly relevant to the Spanish open data ecosystem:

1. Stimulate research at the EHDS-open data intersection through dedicated funding. It is essential to encourage researchers who combine these sources to translate their findings into practical applications: improved clinical protocols, decision tools, updated quality standards.
2. Evaluate and facilitate direct use by professionals and patients. Promoting data literacy and developing intuitive applications integrated into existing systems (such as electronic health records) could change this.
3. Strengthen governance through education and clear regulatory frameworks. As EHDS technical entities become operationalized, clear regulation defining common regulatory frameworks will be essential.
4. Monitor, evaluate and adapt. The period 2025-2031 will see the gradual entry into force of the various EHDS requirements. Regular evaluations are recommended to assess how EHDS is actually being used, which combinations with open data are generating the most value, and what adjustments are needed.

Moreover, for all this to work, the report suggests that portals such as data.europa.eu (and by extension, datos.gob.es) should highlight practical examples that demonstrate how open data complements protected data from sectoral spaces, thus inspiring new applications.

Overall, the role of open data portals will be fundamental in this emerging ecosystem: not only as providers of quality datasets, but also as facilitators of knowledge, meeting spaces between communities and catalysts for innovation. The future of European healthcare is now being written, and open data plays a leading role in that story.

Since 24 September last year, the Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022, on European Data Governance (Data Governance Regulation) has been applicable throughout the European Union. Since it is a Regulation, its provisions are directly effective without the need for transposing State legislation, as is the case with directives. However, with regard to the application of its regulation to Public Administrations, the Spanish legislator has considered it appropriate to make some amendments to the Law 37/2007, of 16 November 2007, on the re-use of public sector information. Specifically:

• A specific sanctioning regime has been incorporated within the scope of the General State Administration for cases of non-compliance with its provisions by re-users, as will be explained in detail below;
• Specific criteria have been established on the calculation of the fees that may be charged by public administrations and public sector entities that are not of an industrial or commercial nature;
• And finally, some singularities have been established in relation to the administrative procedure for requesting re-use, in particular a maximum period of two months is established for notifying the corresponding resolution -which may be extended to a maximum of thirty days due to the length or complexity of the request-, after which the request will be deemed to have been rejected.

What is the scope of this new regulation?

As is the case with the Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the reuse of public sector informationthis Regulation applies to data generated in the course of the "public service remit" in order to facilitate its re-use. However, the former did not contemplate the re-use of those data protected by the concurrence of certain legal assets, such as confidentiality, trade secrets, the intellectual property or, singularly, the protection of personal data.

You can see a summary of the regulations in this infographic.

Indeed, one of the main objectives of the Regulation is to facilitate the re-use of this type of data held by administrations and other public sector entities for research, innovation and statistical purposes, by providing for enhanced safeguards for this purpose. It is therefore a matter of establishing the legal conditions that allow access to the data and their further use without affecting other rights and legal interests of third parties. Consequently, the Regulation does not establish new obligations for public bodies to allow access to and re-use of information, which remains a competence reserved for Member States. It simply incorporates a number of novel mechanisms aimed at making access to information compatible, as far as possible, with respect for the confidentiality requirements mentioned above. In fact, it is expressly warned that, in the event of a conflict with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), the latter shall in any case prevail (GDPR), the latter shall in any case prevail.

Apart from the regulation referring to the public sector, to which we will refer below, the Regulation incorporates specific provisions for certain types of services which, although they could also be provided by public entities in some cases, will normally be assumed by private entities. Specifically, intermediation services and the altruistic transfer of data are regulated, establishing a specific legal regime for both cases. The Ministry of Economic Affairs and Digital Transformation will be in charge of overseeing this process in Spain

As regards, in particular, the impact of the Regulation on the public sector, its provisions do not apply to public undertakings , i.e. those in which there is a dominant influence of a public sector body, to broadcasting activities and, inter alia, to cultural and educational establishments. Nor to data which, although generated in the performance of a public service mission, are protected for reasons of public security, defence or national security.

Under what conditions can information be re-used?

In general, the conditions under which re-use is authorised must preserve the protected nature of the information. For this reason, as a general rule, access will be to data that are anonymised or, where appropriate, aggregated, modified or subject to prior processing to meet this requirement. In this respect, public bodies are authorised to charge fees which, among other criteria, are to be calculated on the basis of the costs necessary for the anonymisation of personal data or the adaptation of data subject to confidentiality.

It is also expressly foreseen that access and re-use take place in a secure environment controlled by the public body itself, be it a physical or virtual environment.  In this way, direct supervision can be carried out, which could consist not only in verifying the activity of the re-user, but also in prohibiting the results of processing operations that jeopardise the rights and interests of third parties whose integrity must be guaranteed. Precisely, the cost for the maintenance of these spaces is included among the criteria that can be taken into account when calculating the corresponding fee that can be charged by the public body.

In the case of personal data, the Regulation does not add a new legal basis to legitimise the re-use of personal data other than those already established by the general rules on re-use. Public bodies are therefore encouraged to provide assistance to re-usersin such cases to help them obtain permission from stakeholders. However, this is a support measure that can in no way place disproportionate burdens on the agencies. In this respect, the possibility to re-use pseudonymised data should be covered by some of the cases provided for in the GDPR. Furthermore, as an additional guarantee, the purpose for which the data are intended to be re-used must be compatible with the purpose for which the data were originally intended justified the processing of the data by the public body in the exercise of its main activity, and appropriate safeguards must be adopted.

A practical example of great interest concerns the re-use of health data for biomedical research purposes reuse of health data for biomedical research purposes, which the Spanish legislator which has been established by the Spanish legislator under the provisions of the latter precept. Specifically, the 17th additional provision of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rightsallows the reuse of pseudonymised data in this area when certain specific guarantees are established, which could be reinforced with the use of the aforementioned secure environments in the case of the use of particularly incisive technologies, such as artificial intelligence. This is without prejudice to compliance with other obligations which must be taken into account depending on the conditions of the data processing, in particular the carrying out of impact assessments.

What instruments are foreseen to ensure effective implementation?

From an organisational perspective, States need to ensure thatinformation is easily accessible through a single point. In the case of Spain, this point is available through the platform enabled through the platform datos.gob.esplatform, although there may also be other access points for specific sectors and different territorial levels, in which case they must be linked. Re-users may contact this point in order to make enquiries and requests, which shall be forwarded to thethese will be forwarded to the competent body or entity for processing and response.

The following must also be designated and notified to the notify to the European Commission one or more specialised entities with the appropriate technical and human resources, which could be some of the existing ones, that perform the function of assisting public bodies in granting or refusing re-use. However, if foreseen by European or national regulations, these bodies could assume decision-making functions and not only mere assistance. In any case, it is foreseen that the administrations and, where appropriate, the entities of the institutional public sector, according to the ‑‑according to the terminology of article 2 of Law 27/2007‑‑who make this designation and communicate it to the Ministry of Economic Affairs and Digital Transformationwhich, for its part, will be responsible for the corresponding notification at European level.

Finally, as indicated at the beginning, the following have been classified as specific infringements for the scope of the General Administration of the State certain conducts of re-users which are punishable by fines ranging from 10,001 to 100,000 euros. Specifically, it concerns conduct that, either deliberately or negligently, involves a breach of the main guarantees provided for in European legislation: in particular, failure to comply with the conditions for access to data or to secure areas, re-identification or failure to report security problems.

In short, as pointed out in the European Data Strategyif the European Union wants to play a leading role in the data economy , it is essential, among other measures, to improve governance structures and increase repositories of quality data , which are often affected by significant legal obstacles. With the Data Governance Regulation an important step has been taken at the regulatory level, but it now remains to be seen whether public bodies are able to take a proactive stance to facilitate the implementation of its measures, which ultimately imply important challenges in the digital transformation of their document management.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the "Innovation, Law and Technology" Research Group (iDerTec).

The contents and points of view reflected in this publication are the sole responsibility of the author.

Last December, the Congress of Deputies validated Royal Decree-Law 24/2021, which transposed several European directives, including Directive (EU) 2019/1024 on open data and the re-use of public sector information. This directive seeks to broaden the scope of application of the previous regulation, bringing legal guarantees and obligations in line with the current innovation landscape, where technologies such as Artificial Intelligence (AI) could benefit from increased availability of public sector data. This initiative is aligned with the European Union's Data Strategy for the creation of a single data market where information flows freely between States and between sectors.

With this Royal Decree-Law, the provisions of Act 37/2007, of 16 November, on the re-use of public sector information were amended, providing new features regarding obligated parties, types of data to be considered of special interest or procedures for processing requests, among other aspects. As the Directive points out, the aim of this new regulation is to promote the re-use of public sector information in a context of digital transformation, seeking to promote the "intelligent use of data", as well as the "creation of new services and applications based on the use, aggregation or combination of data". It was therefore essential to update the regulatory framework as the previous provisions were "outdated with respect to these rapid changes and, as a result, the economic and social opportunities offered by the re-use of public data may be lost".

These new developments have been analysed by a team coordinated by researchers Julián Valero and Rubén Martínez, as part of the project "Open data and reuse of public sector information in the context of its digital transformation: adapting to the new regulatory framework of the European Union (ref. PID2019-105736GB-I00)", funded by the Ministry of Science and Innovation.

Main findings of the study

Based on these premises, the study undertakes a systematic analysis of the new regulatory framework, highlighting the following conclusions:

• The European regulation is limited in its ability to establish clear and precise obligations to facilitate access to public sector information for re-use. In this regard, the referral to the Member States' regulation constitutes an added difficulty in facilitating a European market for re-use.
• The subjective scope of application of the rules on re-use has been extended to include new subjects to which the rules apply. Consequently, these entities have to adjust the management of the data they generate to the new regulation, which is a major challenge insofar as it does not always coincide with the scope of application of the regulation on common administrative procedure and the legal regime of the public sector, a regulation that has served to boost technological modernisation in this area.
• The new category of high-value data is one of the main novelties of the new regulation. Beyond the measures to be adopted at the European level, the study suggests that the States adopt a broader perspective than that envisaged in the Directive. Thus, it is proposed not only to include certain private subjects but also to establish new sets of data outside those established by the European Union, such as those referring to public sector procurement.
• The Directive also establishes that "Member States should ensure that practical arrangements are in place that help re-users in their search for documents available for re-use". In this sense, the study suggests taking advantage of the current parliamentary procedure of the draft act to establish a specific regulation in Spanish legislation, since these are instruments of great relevance for the achievement of the objectives set by the European Union, especially with regard to Artificial Intelligence.
• It is essential to promote a regulation that adequately addresses the issue of the liability of public sector entities. In particular, the study considers that the current regulation may generate legal uncertainty for re-users, who will not find an adequate legal framework to promote digital transformation initiatives based on the re-use of public sector information.
• Although the new regulation allows public bodies to continue to set conditions that restrict the re-use of data or limit competition, this possibility is conditional on the respect of certain safeguards. This has given an important boost to the use of open licences. However, the fact that there is a wide diversity in the conditions set by each agency creates significant dysfunctions for re-users, which would justify, according to the study, the creation of an open governmental licensing model based on legal regulation.
• A more precise regulation of the administrative procedure to be followed by public bodies when dealing with requests for access for re-use should be established. According to the study, special attention should be paid to the grounds for refusal, as they are too generic in their current wording. It is also considered necessary to review the regulation of administrative silence from the perspective of European legislation, which is particularly demanding with regard to the reasons for refusing access. Finally, it is proposed that an independent control body be set up, so that complaints lodged with this body can replace ordinary administrative appeals, a possibility expressly permitted by the legislation on common administrative procedure.

These are some of the main contributions of the study, the final result of which has materialised in the book "Datos abiertos y reutilización de la información del sector público", published by the Comares publishing house, the first book in Spain to comprehensively study the new legal regime in this area, integrating European regulations and state legislation.

Why a Royal Decree-Law?

In the plenary session of the Congress of Deputies held on December 2, 2021, Royal Decree-Law 24/2021, of November 2, on the transposition of several European Union directives, including Directive (EU) 2019/1024 of the European Parliament and of the Council, of June 20, 2019, on open data and the reuse of public sector information, was validated. With this new regulation, the provisions of Law 37/2007, of November 16, on the reuse of public sector information have been modified.

What are the main novelties of this regulation?

The content of the new legal regulation is substantially focused on the incorporation of the provisions of the 2019 Directive to the text of the Spanish Law of 2017, although it is necessary to take into account that those precepts that could be directly applied were already in force since the end of the deadline for its transposition in July 2021. However, apart from updating some already outdated legal references -specifically on personal data protection, public sector legal regime and administrative procedure-, on the occasion of the transposition, some relevant novelties have been added that go beyond the mere adaptation of the European regulation. Thus:

• From the point of view of its subjective scope, the legislation will be applicable to all entities to which, according to the terms provided in their regulatory regulations, the regulations governing the common administrative procedure are applicable. This would be the case, for example, of private law entities linked to or dependent on Public Administrations when they exercise administrative powers.
• The reuse of documents to which access is excluded or limited for reasons of protection of sensitive information on critical infrastructures is expressly excluded from the legal regulation.
• As regards high-value data, alongside those established by the European Commission (i.e. geospatial, Earth observation and environment, meteorology, statistics, companies, as well as mobility), additional datasets may also be specified by the Ministry of Economic Affairs and Digital Transformation, specifically through the selection and updating carried out by the Data Office Division with the collaboration of the stakeholders, both public and private. In this regard it is important to recall that, as a general rule, these data will be freely available, machine-readable, provided through APIs and, where appropriate, provided in the form of bulk download.
• When making high-value data available free of charge could have a substantial impact on the budget of bodies and entities governed by public law that must obtain income to finance their public service activity, the Public Administration to which they are linked, or on which they depend, will be competent to exempt them from this obligation. Consequently, such bodies and entities would not be able to take this decision on their own.
• The scope of the reusable public information catalog is projected -at least potentially- beyond the scope of the General State Administration and its public bodies, so that other entities that decide to create their own catalogs that are interoperable with the national one are required to do so. This is an instrument whose practical relevance is reinforced by the fact that, through it, information will be provided on the rights legally provided for reuse, help systems will be offered and datasets will be made available in accessible, easy to locate and reusable formats.
• En cuanto al sometimiento a las normas legales sobre procedimiento de tramitación de solicitudes de reutilización, las sociedades mercantiles, centros de enseñanza, organismos de investigación o entidades que realicen actividades de investigación quedarán exentos.
• Regarding the submission to the legal rules on the procedure for processing requests for reuse, corporations, educational institutions, research organizations or entities that carry out research activities will be exempted.
• From the organizational point of view, each entity is required to designate a unit responsible for ensuring the availability of its information. Among the functions that will correspond to these units are those related to the coordination of reuse activities with existing policies on publications, administrative information and electronic administration; providing information on which bodies are competent in each area; promoting the updating and making information available in appropriate formats; as well as promoting awareness and training activities.

In any case, in the aforementioned parliamentary session, it was unanimously decided to proceed with the processing of the initiative as a bill through the urgency procedure, one of the possibilities provided for in Article 86 of the Constitution when it comes to validating decree-laws. Consequently, a legislative initiative will have to be processed following the regulatory channels established for this type of cases, which will allow the various parliamentary groups to propose amendments that, if approved, would be incorporated into the final text of the legislation on the reuse of public sector information and open data.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec).

The contents and points of view reflected in this publication are the sole responsibility of its author.

In June 2019, the European Union published the Directive (EU) 2019/1024 on open data and the re-use of public sector information. This Directive incorporated some new developments in the universe of open data in Europe, such as

• The extension of obligations to the public services, transport and research sector that is totally or partially financed by the public sector.
• Promoting real-time access to dynamic data, using appropriate technical means, incorporating the concept of high-value data.
• The reduction of exceptions to the establishment of tariffs based on marginal costs.
• The increase of transparency in the establishment of exclusive agreements, reducing even more the conditions to carry out this type of agreements.

The incorporation of novelties to the Spanish legal framework

Once the directive has been published, each member country has to transpose it into its own legal system. The deadline for this action is 17 July 2021.

In Spain, work is already underway in this process. In this sense, a public consultation has been launched to find out the opinion of citizens and organizations affected by the future regulation on different aspects:

• The problems that the initiative is intended to solve.
• The need and opportunity for its approval.
• The objectives of the regulation.
• The possible alternative regulatory and non-regulatory solutions.

The full text of the consultation is published on the website of the Ministry of Economic Affairs and Digital Transformation. Those citizens who wish to do so have until 31 July to make their comments.

The aim of this action is to promote public participation in the process of drafting Spanish legislation, a step prior to the preparation of the draft law