Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The European Health Data Space just entered into force, setting the stage for its application in two years, 26 March 2027.
The EHDS is the first sectoral common EU data space under the European strategy for data. Through a framework for the use and exchange of electronic health data across the EU, the EHDS aims to improve individuals' access to and control over their personal electronic health data for the health care delivery, referred to as primary use of data.
It also seeks to facilitate the secondary use of data, meaning its exchange and reuse for research, innovation, policymaking and regulatory activities.
Having yet another digital regulation on the table comes with its own set of challenges, like navigating its interplay with the EU General Data Protection Regulation, the Data Act, the Data Governance Act, EU cybersecurity-related laws like the NIS2 Directive, and sectoral laws in the health sector.
Another important aspect concerns its dynamics with potential sovereignty and localization requirements in several EU member states. For instance, Germany requires that the processing of social and health data be done in the country, in the EU, or in a country recognized as adequate by the EU.
On 27 March, Advocate General Tamara Ćapeta delivered her opinion on the ongoing WhatsApp Ireland v. European Data Protection Board case before the European Court of Justice. In this case, WhatsApp is contesting the General Court's dismissal of its request to annul the EDPB's binding decision for lack of standing.
In the opinion, the Advocate General disagreed with the General Court's reasoning and found the EDPB's binding decision was of direct and individual concern to WhatsApp. Ćapeta concluded that WhatsApp's action for annulment is admissible and that the case should be referred back to the General Court for a decision on its merits.
The dispute initially started when Ireland's Data Protection Commission issued a draft decision on WhatsApp's compliance with the GDPR's transparency requirements and its obligation to inform individuals. Other data protection authorities disagreed with the draft decision, hence, in accordance with the GDPR's consistency mechanism, the EDPB issued a decision on the contested matters binding on all supervisory authorities concerned.
Based on this, the Irish regulator adopted a final decision and fined WhatsApp 225 million euros for infringing several GDPR provisions. WhatsApp contested this decision at the national level and brought an action for annulment of the EDPB's binding decision before the General Court.
It remains to be seen whether the Court of Justice will follow the Advocate General's reasoning and confirm an organization has the ability to directly challenge the EDPB's binding decision, rather than being limited to disputing the final data protection authority decision based on it in national courts.
The EDPB launched its 2025 Coordinated Enforcement Framework action, focusing on the implementation of the right to erasure under Article 17 of the GDPR. Thirty-two European privacy regulators will investigate the status of one of the most frequently exercised GDPR rights through national coordinated actions. The results will be available in the EDPB report early next year.
Many are awaiting an update on the Irish DPC's draft decision concerning TikTok's transfers of personal data from the EU to China. There is also significant interest in the upcoming Latombe v. Commission hearing on the validity of the EU-U.S. Data Privacy Framework. However, data flows from the EU to the U.K. may be out of the spotlight until the end of the year if the European Commission's proposed six-month extension of the EU-U.K. adequacy decision is approved.
With the EU Artificial Intelligence Act deadline for the designation of national competent authorities approaching in August, governments will soon be rushed to make a decision on who will be responsible for implementing and enforcing the EU AI Act on a national level. In early March, Ireland chose eight public bodies to take this position and clarified that additional designations are possible. Norway has also shared its plans to possibly establish a brand new AI authority in addition to designating already existing authorities.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
