From Privacy-Enhancing to Health Data Utilisation: The Traces of Anonymisation and Pseudonymisation in EU Data Protection Law

Abstract

The proliferation of digital technologies in healthcare creates two conflicting needs: protection of health data and the free flow of such data. Anonymisation and pseudonymisation hold the potential to play important roles in reconciling these two conflicting needs by enabling the processing of health data in a less privacy-intrusive manner. Taking a forward-looking perspective, this paper aims to contribute to the scholarly debate around anonymisation and pseudonymisation by extending the discussion to the contexts of forthcoming EU data laws, with a focus on the draft European Health Data Space (EHDS) Regulation. It does so by digging into the past, present and future of anonymisation and pseudonymisation in EU data laws. Starting with a positivist enquiry, the paper investigates the traces and evolution of anonymisation and pseudonymisation in EU data protection instruments from both before and after the entry into force of the General Data Protection Regulation. It then shifts focus to future EU data laws and examines the roles of anonymisation and pseudonymisation in these instruments, including the draft EHDS Regulation, the newly adopted EU Data Governance Act and the draft EU Data Act. Ultimately, the paper makes preliminary remarks and recommendations on the draft EHDS Regulation and questions to what extent its current incorporation of anonymisation and pseudonymisation can be reconciled with the health data sharing arrangements proposed in this Regulation.