Data trusts have been conceived as a mechanism to enable the sharing of data across entities where other formats, such as open data or commercial agreements, are not appropriate, and make data sharing both easier and more scalable. By our definition, a data trust is a legal, technical, and organizational structure for enabling the sharing of data for a variety of purposes. The concept of the “data trust” requires further disambiguation from other facilitating structures such as data collaboratives. Irrespective of the terminology used, attempting to create trust in order to facilitate data sharing, and create benefit to individuals, groups of individuals, or society at large, requires at a minimum a process-based mechanism, that is, a workflow that should have a trustworthiness-by-design approach at its core. Data protection by design should be a key component of such an approach.

This study investigates the data protection concerns arising in the context of the cross-border interoperability of Electronic Health Record (EHR) systems in the European Union. The article first introduces the policies on digital health and examines the related interoperability issues. Second, the work analyses the latest Recommendation of the European Commission on this topic. Then, the study discusses the rules and the obligations settled by the General Data Protection Regulation to be taken into account when developing interoperable EHRs. According to the data protection by design and by default provision, EHR systems should be designed ex ante to guarantee data protection rules.