By Cristina Vanberghen
Africa-Press – Lesotho. As health systems digitize, a quiet global contest is emerging – not over who delivers care, but who governs the data behind it.
From Brussels’ new European Health Data Space to India’s fast-moving digital infrastructure, the way countries are regulating (or failing to regulate) medical data is becoming a defining test of their commitment to both innovation and democratic accountability.
The stakes go beyond privacy. At their core, these divergent models signal a fundamental debate about sovereignty in the age of AI-powered medicine – and whether democratic societies can compete with big tech without becoming reliant on it.
Britain’s Tech Outsourcing: Palantir and the Politics of Control
In the U.K., the National Health Service (NHS) has become a testbed for digital centralisation – with American tech at its core. In 2023, the government signed a £330 million contract with U.S. data analytics company Palantir to develop its Federated Data Platform (FDP), designed to aggregate sensitive patient records across more than 200 NHS trusts.[1]
The decision triggered an uproar. Privacy advocates, Members of Parliament, and even senior clinicians warned that outsourcing critical health data infrastructure to a firm with deep ties to U.S. intelligence would erode public trust.[2] Critics also flagged a lack of transparency in the procurement process.
As of early 2025, only about one-third of NHS trusts are actively using the platform, while others are resisting the rollout over concerns about interoperability and ethical safeguards. In an effort to accelerate uptake, the U.K. government allocated an extra £8 million to consultancy support for adoption.[3]
What was supposed to be a “single source of truth” for patient data is now emblematic of the limits of public-private partnerships in healthcare.
The European Health Data Space: Privacy Meets Power
On the other side of the Channel, the European Union has gone in a radically different direction. With the European Health Data Space (EHDS), which entered into force in March 2025, Brussels has laid out the world’s most comprehensive legal framework for cross-border health data exchange.[4]
The European Health Data Space (EHDS) Regulation[5] establishes a comprehensive legal framework that strengthens individuals’ rights to access and control their electronic health data. It enhances the right to data portability by obliging health professionals and providers to make electronic health records (EHRs), particularly priority categories of health data, accessible to data subjects in a structured, commonly used, and interoperable format. Under Article 3(8) of the Regulation, this right applies regardless of whether the data was provided by the data subject or generated by healthcare professionals, thereby expanding the scope originally outlined in Article 20 of the General Data Protection Regulation (GDPR).[6] The EHDS’s legal basis enables these obligations without relying solely on consent or contract, unlike the GDPR.
Unlike the GDPR, which limits portability to data processed based on consent or contract, the EHDS provides individuals with broader real-time access to their health data and facilitates cross-border exchange through the MyHealth@EU infrastructure. The Regulation sets out mandatory interoperability and semantic standards, ensuring seamless and secure portability of EHRs across Member States, supported by robust data security measures.
The EHDS sharply delineates primary data use for individual healthcare from secondary use, encompassing research, innovation, policymaking, and regulatory objectives. The enhanced portability right under Article 3(8) is limited to primary use, meaning individuals cannot directly transfer or make portable their data for secondary purposes via personal control mechanisms. Furthermore, the Regulation does not fully clarify the interplay between Article 3(8) of the EHDS and Article 9 of the GDPR, particularly concerning the processing of sensitive health data without explicit consent. These areas may require additional guidance or delegated acts to ensure consistency and practical implementation.
Crucially, the EU is also developing HealthData@EU, a pan-European infrastructure for federated data access, underpinned by strict interoperability standards like the FHIR protocol and the European Electronic Health Record Exchange Format.[7]
The EHDS goes beyond mere privacy protection—it’s a calculated power play. It enables the EU to set strict conditions for third countries seeking access. Any nation or company found lacking in security or safeguards risks being shut out of EU-funded research.
However, rollout is patchy. Eastern and Southern European nations frequently struggle with insufficient digital systems or budgets to comply with the regulation’s demanding cybersecurity and interoperability standards.
The AI Dilemma: More Data, More Bias?
Beyond governance, a subtler dilemma is unfolding: how to ensure that AI in medicine is both innovative and ethical. AI systems require vast quantities of data to be effective – but poorly curated or biased data can amplify inequalities.
The EHDS tries to address this:
Pharmaceutical companies are obliged to share certain types of data for secondary use, although some can claim exemptions based on intellectual property.[8]
Low-quality data – particularly in under-resourced healthcare systems – can result in widespread bias in AI results.
The GDPR still applies, meaning individual rights to erasure, correction, and consent must be balanced with public interest.
HDABs are tasked with ensuring data access is not monopolised by private actors or platforms.[9]
It’s an ambitious model, but also a slow one. The regulatory friction may stifle early-stage innovation, prompting some startups to look outside the EU.
India: Speed Without a Safety Net?
India, by contrast, is prioritizing scale. With a health-tech market projected to grow at nearly 30 percent per year through 2032, India is building one of the world’s largest federated digital health systems.[10] According to IBEF, in 2023, India’s hospital sector was worth US$98.98 billion and is expected to expand at a robust 8.0% CAGR from 2024 to 2032, potentially doubling to around US$193.59 billion by 2032.[11]
It already boasts:
India’s Ayushman Bharat Digital Mission (ABDM) is advancing a unified digital health network nationwide. Central to this initiative are the Ayushman Bharat Health Accounts (ABHAs), unique 14-digit identifiers (previously called Health IDs) that empower citizens to engage with the digital health system. By February 3, 2025, more than 739 million ABHA IDs had been issued.[12]
More than 500 million linked health records;[13]
A unified health ID and consent architecture under the Ayushman Bharat Digital Mission (ABDM).[14]
Yet this infrastructure is racing ahead of the legal guardrails meant to protect it.
The Supreme Court of India’s ruling in Justice K.S. Puttaswamy (Retd.) vs. Union of India[15] established privacy as a fundamental right under Article 21 of the Constitution, underscoring that personal data, particularly health information, is a cornerstone of this right. Following this landmark judgment, India has made significant strides in fortifying its data protection landscape, with a focus on safeguarding health data. To fully grasp the legal and regulatory framework, it’s crucial to first examine how ‘health data’ is defined and understood within India’s legislative context.
Defining Health Data in India’s Legal Framework
Indian law does not provide a unified definition of health data. The Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), categorize “sensitive personal data or information” (SPDI) as encompassing physical, physiological, and mental health conditions, along with medical records and history.[16]
The proposed Digital Information Security in Healthcare Act (DISHA)[17] defines “digital health data” as electronic records containing health-related information, including physical and mental health, treatments, and diagnostic tests.[18] The Health Data Management Policy under the Ayushman Bharat Digital Mission (ABDM) aligns health data with “personal” or “sensitive personal data.” Broadly, health data includes medical records, diagnostic reports, biometric details, and other health-related information, requiring robust safeguards due to its sensitive nature.
India’s Legal and Regulatory Framework for Health Data
As of May 2025, India lacks dedicated health-specific legislation, relying instead on general data protection laws. The key components include:
1. Information Technology Act, 2000 and SPDI Rules
The IT Act, paired with the SPDI Rules, forms the bedrock of health data protection. The SPDI Rules require entities handling sensitive data, including healthcare providers, to secure prior consent, use data lawfully, adopt reasonable security measures, and report breaches. However, the IT Act’s broad scope struggles to address health data-specific challenges like interoperability, secondary use, or cross-border data transfers, which are vital for modern healthcare systems.
2. Digital Personal Data Protection Act, 2023
Introduced in August 2023, the DPDPA is a milestone in India’s data protection regime. It governs the processing of digital personal data, including health data, through principles like consent, purpose limitation, data minimization, accuracy, storage limits, accountability, and robust security standards. The Act grants individuals rights to access, correct, erase, and seek redress for data-related grievances. Entities processing health data must obtain explicit consent and implement stringent security protocols. Shri Ashwini Vaishnaw, India’s Minister for Electronics and Information Technology, described the DPDPA’s philosophy as a “simple, principle-based, trust-driven model” that evolves dynamically rather than being rigidly prescriptive.[19]
3. Ayushman Bharat Digital Mission (ABDM)
Launched in September 2021 by Prime Minister Narendra Modi, the ABDM seeks to build an interoperable digital health ecosystem. A cornerstone of this mission is the Ayushman Bharat Health Account (ABHA), a unique health ID enabling citizens to store and manage digital health records. The ABDM also encompasses registries like the Healthcare Professional Registry (HPR), Health Facility Registry (HFR), and Drug Registry. By February 2025, more than 739 million ABHA cards had been issued, linking around 490 million health records and markedly enhancing healthcare access, particularly in rural areas.[20] However, the ABDM, alongside the DPDPA, falls short in addressing complex issues like data interoperability and international data flows due to the absence of health-specific laws.
Draft Proposals and Emerging Policies
Acknowledging the limitations of general data protection frameworks, India has proposed health-specific regulations, though these remain in draft form as of May 2025:
1. Digital Information Security in Healthcare Act (DISHA)
Proposed in 2022 by the Ministry of Health and Family Welfare, DISHA aims to create a tailored framework for health data protection. It focuses on securing personal data, regulating digital health data, and standardizing electronic health records (EHRs) while aligning with global benchmarks. Despite its potential, DISHA remains under discussion, with debates about its integration with the DPDPA.
2. Health Data Management Policy (HDM Policy)
Embedded within the ABDM, the HDM Policy prioritizes ‘Security and Privacy by Design’ to protect digital health data. It seeks to establish a uniform, interoperable digital health infrastructure centered on individual interests. The policy outlines minimum standards for data privacy, consent frameworks, and anonymization for secondary data use. If implemented, it could bridge gaps in India’s health data governance.
These draft frameworks reflect India’s commitment to addressing regulatory shortcomings, potentially aligning with global standards like the EU’s General Data Protection Regulation (GDPR).
The Road Ahead for Health Data Regulation in India
India stands at a critical juncture in shaping its health data regulatory landscape. Enacting DISHA or similar legislation could resolve gaps in areas like secondary data use, interoperability, and cross-border data sharing. Yet, challenges persist, including uncertain legislative timelines, limited enforcement capacity, and fragmentation in India’s healthcare system.
The current framework, built on the IT Act, DPDPA, and ABDM, provides a foundation for health data protection but lacks the precision required for a comprehensive regime. Draft proposals like DISHA and the HDM Policy signal progress, but their delayed implementation highlights ongoing challenges. As global health data governance evolves, India’s journey offers valuable lessons in balancing innovation, privacy, and public health in a diverse, resource-constrained context.
With AI tools entering clinical trials and diagnostics, the lack of enforceable protections may create new vulnerabilities. Hospitals and startups often operate without legal clarity on secondary use, data sharing, or accountability.
The Global Implications: Competing Models, Divergent Futures
At a global level, the contrast is striking.
The EU’s model is rooted in fundamental rights, public oversight, and digital sovereignty. It aims to build trust and long-term resilience—even at the cost of agility.
India’s model is experimental and market-driven, with rapid deployment but lagging institutional and legal safeguards.
The UK’s hybrid model, with outsourced infrastructure and contested governance, may offer a cautionary tale of privatization without consensus.
As more countries begin to regulate – or deregulate – health data, the question will no longer be who has the best technology. It will be who sets the terms of its use.
For now, the race to digitize health is wide open. However, the effort to regulate it is only starting.
Conclusion: The Stakes – Trust, Privacy, and Human Dignity
The regulation of health data ultimately hinges on trust – trust that sensitive information will be safeguarded, used equitably, and not exploited. The European Union’s European Health Data Space (EHDS) is grounded in transparency, patient empowerment, and the primacy of consent. India’s Ayushman Bharat Digital Mission (ABDM), by contrast, is driven by inclusivity and accessibility in a complex and diverse healthcare landscape.
Each region brings a distinct governance philosophy, yet both face significant challenges. The EU must address the compliance burdens placed on SMEs and under-resourced healthcare providers, as well as concerns about secondary use of data. India’s framework, while promising in scale, still requires enforceable safeguards to uphold data protection principles under its Digital Personal Data Protection Act (DPDPA), especially in the context of interoperability and consent management.
As E. Richard Gold and Robert Cook-Deegan argue in their analysis of AI and drug development, the future of health data governance cannot remain confined within national boundaries.[21] To unlock the full potential of routinely collected health data for public health, clinical research, and AI-driven innovation, a collaborative, multi-sectoral approach is essential. This involves aligning legal, ethical, and technical frameworks – not only within regions but also across them.
Recent WHO and G20 discussions on global health data standards underscore the urgency of this task.[22] Coordinated action will be critical in ensuring that global health systems can respond to cross-border crises, while also enabling innovation that respects privacy and reinforces democratic accountability.
The path forward must aim to harmonize standards while respecting digital sovereignty. A well-regulated global digital health ecosystem – built on trust, fairness, and user-centric design – is not only vital for innovation and equity, but for protecting the dignity of every individual whose data is part of it.
moderndiplomacy