A new paper argues EU healthcare needs a legal-ethical governance model for synthetic data, with special attention to patient profiling. The practical takeaway: “privacy-preserving” synthetic datasets don’t eliminate GDPR/AI Act obligations once profiles are used in decisions that affect people.
EU healthcare synthetic data governance: profiling is the hard part
A paper published Nov 10, 2025 proposes a differentiated legal-ethical framework for governing synthetic data in EU healthcare, centered on patient profiling. The authors position synthetic data as a tool for privacy-preserving research and analytics, while stressing that governance has to be tailored to the EU’s regulatory environment—especially the GDPR and the EU AI Act—and the real-world risks that emerge when synthetic data supports profiling and decision-making.
The framework focuses on three recurring issues teams run into in practice: (1) how to reason about compliance when the dataset is “fully synthetic,” (2) how to manage bias and fairness risks in profiling pipelines, and (3) how to assign accountability when synthetic data is used to build profiles that later shape clinical or administrative outcomes. The paper also flags regulatory uncertainty: while GDPR restrictions apply to fully automated profiling that significantly affects individuals without safeguards, the boundary between generating a profile and applying it is not clearly defined, leaving compliance teams to interpret how obligations carry across the lifecycle.
- “Not personal data” isn’t a free pass. Even if fully synthetic data may fall outside personal-data definitions in some contexts, the paper emphasizes that downstream use in profiling and decision systems can still trigger legal-ethical obligations (and scrutiny) around impact, safeguards, and accountability.
- Profiling governance must cover the whole pipeline. Teams should separate controls for (a) synthetic data generation, (b) model training and validation, and (c) operational use of profiles—because the compliance risk concentrates at the point profiles influence decisions about individuals.
- Bias management becomes a first-class compliance task. The framework highlights fairness and bias risks in patient profiling; data leads should expect to justify representativeness choices, evaluation metrics, and monitoring plans—not just privacy claims.
- Regulatory ambiguity is a planning constraint. The paper notes unclear rules on the distinction between profile generation vs application under GDPR/AI Act framing; privacy and compliance teams may need conservative interpretations, documented risk assessments, and explicit safeguards for automated profiling.