JMIR Publications

ABSTRACT

Secondary use of health data is essential for advancing medical research, innovation, and public health policy across Europe. Traditional static or broad consent models are increasingly inadequate in complex, multi-stakeholder digital ecosystems. Dynamic consent, which enables granular, interactive, and ongoing management of individual preferences including revocation, has emerged as a patient-centered alternative. This integrative review examines the legal feasibility and practical challenges of implementing dynamic consent for secondary health data use under the General Data Protection Regulation (GDPR) and the European Health Data Space (EHDS) Regulation. Drawing on doctrinal legal analysis, European policy documents, national derogations, and technical standards including Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR), electronic Identification, Authentication and Trust Services 2.0 (eIDAS 2.0)/EUDI Wallet, and distributed ledger approaches, the study synthesizes legal, governance, and informatics perspectives. Findings indicate that while the GDPR establishes parameters supportive of specific, informed, and revocable consent, significant barriers persist due to national fragmentation, divergent lawful bases for processing, and limited cross-border revocation mechanisms. The EHDS, with provisions phasing in from 2029, shifts governance toward institutional authorisation via Health Data Access Bodies and secure processing environments, reducing reliance on individual consent for many large-scale uses. Technical prerequisites, machine-readable consent artefacts, high-assurance digital identity, and policy-based enforcement remain unevenly developed. Nevertheless, integration with data altruism mechanisms under the Data Governance Act and emerging interoperability tools offers promising pathways. A three-stage operational architecture (Consent Administration, Decision, and Enforcement) is proposed to embed dynamic consent within the hybrid EHDS-GDPR framework. However, challenges including blockchain immutability conflicts with the right to erasure, revocation propagation across systems, implementation costs, consent fatigue, and digital divides must be addressed. Dynamic consent cannot serve as a universal solution but can meaningfully enhance transparency and trust when deployed contextually alongside institutional safeguards. Coordinated EU-level harmonisation, standardisation, and inclusive design will be essential for its successful operationalisation.