The conundrum of health data in a world of AI-enhanced diagnosis: Legislative frameworks

While the GDPR provides a strong legislative foundation to protect the rights and freedoms of European individuals, it cannot (and does not) govern all aspects that influence the direction of the iToBoS project.

Emerging legislative frameworks

The European data strategy outlines Europe’s goal of “putting people first in developing technology and defending and promoting European values and rights in the digital world.”[1] To support this, the Commission has proposed two legislative texts, the Data Act and the Data Governance Act, that ultimately serve to support the existing GDPR. These two complementary regulations seek to provide the European community with rules to foster beneficial data-led activities within the Digital Single Market.[2] The proposed regulations lay the foundation for the creation of data-driven applications that seek to improve a host of sectors, from health care to finance, while improving critical aspects such as sustainability and efficiency. As these emerging proposals find their way through the policy development process at the European level, their impact will start to be felt in a range of sectors, health included. Ultimately, the proposals seek to support the GDPR and provide a set of rules to buttress the development of a citizen-centric data market, through the creation, curation, and governance of Data Spaces, and the fostering of the “data altruism”[3] ideology.

Further to this, the Artificial Intelligence Act provides the foundations for the development of a trustworthy and respectful AI-driven society, one in which the technology is harnessed for the benefit of citizens by ensuring that the correct protections are in place to mitigate the potential harmful impacts of the widespread integration of algorithms and automation into society.[4]

At the heart of the proposed regulation is the legal requirement for companies to conduct a risk assessment of the tools in question, which determines the specific rules that must be followed. High-risk systems would have both ex-ante (before being placed on the market) and ex-post (after being placed on the market) requirements. These include aspects such as: ongoing risk management, technical documentation, traceability logging, human oversight, transparency and the provision of information to users, registration of deployment, and a conformity assessment. The conformity assessment is used to demonstrate that the deployment has followed the rules in question, as well as to demonstrate that the products conform to any standards or technical specifications set by European standards bodies, such as CEN/CENELEC.[5]

Understanding the implications of existing and emerging legal frameworks will shape how iToBoS develops over the course of the next few years. Specific work packages in the project, such as WP2 - Privacy, data protection, ethical and societal issues in iToBoS solutions (led by Trilateral Research[6]), WP4 - Implementation of AI privacy and anonymization (led by IBM[7]), and WP7 - Integration of explainable AI for data-, feature- and model quality control and transparency of automated diagnoses (led by Fraunhofer[8]), are integral to understanding the specific requirements for the project. They also ensure that the developed tools integrate technologies that move beyond the state of the art, pushing the project (and the sector) further into the 21st century by enhancing clinical decision making whilst respecting European rights, values and freedoms, and remaining compliant with existing legislative frameworks.

[3] Data Act: Commission proposes measures for a fair and innovative data economy, available at: