Data privacy vs AI: Can healthcare have both?
It’s 03:17 on a Tuesday when your on-call clinician opens a patient file from home. The query triggers a cascade: data is sent to an AI triage assistant, several microservices spin up across cloud regions, and a billing rules engine checks reimbursement eligibility. The patient’s journey is safer and faster. But do you know where all the data went? Can you prove it didn't leave the EU? And can you defend the decisions the AI made if the on-call clinician, late at night, forgot to check its results manually?
If this scenario feels uncomfortably real, you’re not alone. The healthcare sector across Europe is trying to balance clinical innovation with uncompromising privacy expectations, GDPR and AI Act obligations, and fast-evolving hyperscaler sovereignty solutions.
The challenge is: how do you keep up with competitors using the innovations hyperscalers and AI service providers are bringing, while keeping operations compliant and ensuring healthcare continuity?
Why privacy and digital sovereignty matter (especially in healthcare)
Healthcare data is among the most sensitive categories of personal data. Unlike a marketing clickstream, a mismanaged discharge summary or radiology scan isn’t “low risk.”
The GDPR classifies health data as a special category of personal data with strict processing conditions – and that’s before national healthcare acts, professional secrecy rules, and sector-specific policies come into play.
In addition, the EU AI Act classifies a number of healthcare uses of AI as high-risk (for example, AI that is a safety component of a medical device, or that triages emergency patients). High-risk systems must comply with a specific set of requirements, including understanding what the AI system does and how it must be used, human supervision of its results, incident reporting and more.
But there are even more important questions:
- Are you comfortable with – and legally allowed to proceed with – running your healthcare IT processes with global hyperscaler cloud and AI services?
- Or do you need to keep healthcare-related data within the EU or even within Switzerland?
- Is there a difference between storing and processing?
- And do you trust the hyperscaler cloud and AI service enough to support your critical medical processes?
This is where the topic of sovereignty comes in: making sure you are (and stay) in control of where your data is stored and where the workloads that process it run. This is not only to ensure continuity of patient care, but also to make sure you remain compliant, even when using AI services.
At Nordcloud, we see sovereignty as a multi-layer design challenge: addressing legal compliance, leveraging hyperscaler sovereignty services, introducing AI services in the right places, and making all of this work in practice. Get the balance right, and you can accelerate digital health safely.
(Mis)understanding digital sovereignty
Hyperscaler sovereignty services offer a lot of possibilities, but they also attract a lot of misconceptions. Many of these stem from differing ideas about what sovereignty actually means for your organisation, and from not understanding what the hyperscaler sovereignty services actually do (or don’t do).
A best-practice sovereignty approach addresses this by mapping and implementing the right solution in 5 steps:
1. Sovereignty workshop: To get everyone aligned on what sovereignty means for your organisation, establishing a common understanding of risks, options, and priorities.
2. Risk assessment: Analysing your real sovereignty risks using proven frameworks, so you understand what needs protection and what solutions make sense for your situation.
3. Solution blueprinting: Where you choose the right sovereignty level for your needs, matching your requirements to tested blueprints.
4. Architecture and migration: Implementing your chosen approach with minimal disruption.
5. Compliance monitoring: Staying sovereign with automated oversight and reporting.
Here are some of the common misconceptions we demystify in the sovereignty workshop:
1. “EU region = sovereign.” Hosting locally in EU helps but can be insufficient. Jurisdictional access, vendor contracts, and AI model hosting locations matter just as much.
2. “We can’t use public cloud for PHI.” You can - if you properly assess your risks and compliance needs and then implement proportional security (for example, using local sovereign cloud, encryption, workload isolation, and proper incident management).
3. “AI means sending data to a US system.” Not necessarily. You can reduce US dependency by running AI inference in a sovereign local cloud or entirely on-premises, and by keeping the AI services you run separate from the vendor’s model training.
4. “With the US CLOUD Act, they can see our data.” US authorities can compel disclosure, but not all the time and not of all data – and only through a legal process served on the provider. And remember that local authorities have similar powers.
The regulatory lens: Sovereignty, GDPR and AI
The sovereignty implications of key legislation
The GDPR sets the baseline for processing personal data. Ideally, especially for health data, you process personal data within the EU (or rather, the EEA) for optimal legal protection. Your vendor contracts need to address the GDPR, and you need proportional security in place to protect that data.
This lets you use risk management to determine what protection is needed per situation: less for ordinary personal data (name, address), more for special-category data (medical data).
What that means differs per type of information you process, especially for health information, which is usually subject to additional local legislation (e.g. on patient dossiers). And you must ensure this protection is in place across the entire workflow: in your own data centres or private cloud, in the public cloud, in AI services, in your SaaS applications, and within vendor implementations.
The EU AI Act introduces obligations for AI systems, with “high-risk” use cases likely to include clinical decision support and diagnostic assistance. You must meet requirements around risk management, data governance, transparency, human oversight, and robustness of decision making, and you must have them in place by August 2026.
Note that legislation within Europe is largely aligned on these topics, but some countries aren't directly in the scope of EU legislation. Switzerland, for example, tends to follow EU legislation quite closely – the FADP is very much the same as the GDPR – but for AI the Swiss take a less strict, per-sector approach in favour of AI innovation (as the UK does). And the GDPR applies in Norway (not an EU member, but part of the EEA), which will have its own AI Act, aligned with the EU AI Act.
You have probably noticed that risk management is at the core of how you implement AI, just as it is for the proportional data protection the GDPR requires. So once you have set up risk management for your data processing in the right way, the required security implementation (in line with your continuity and compliance needs) follows from it.
To tackle compliance, start with a risk assessment
Step 2 in the Nordcloud sovereignty approach is a risk assessment using legal requirements, the type of data you process, and the platforms you use to process data as a foundation.

The sovereignty services now available from hyperscalers give you a new spectrum of choices to implement security in line with your risk management needs, allowing for effective and efficient digital healthcare processes.
Making sovereignty work for you
With the new sovereignty possibilities the hyperscalers now bring, you can design a balanced implementation based on your medical processes.
For example, you can keep using the public hyperscaler cloud for publishing public information, contact information, and (with some additional security) appointment booking systems.
For a doctor-patient context involving the exchange of medical information, you should consider hyperscaler local sovereign cloud solutions. And for core medical processes like X-rays, CAT scans, and surgery-supporting (AI) systems, you should consider local solutions, not only because of privacy considerations but also because of business continuity risks.
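The tiering above, together with the earlier points that an EU region alone is not sovereignty and that storing and processing are different questions, can be turned into a check you run over your workload inventory. The following is an added example written for this article, not Nordcloud's tooling or any hyperscaler's API: the tier names, region codes, jurisdiction mapping and the sample inventory are all constructed assumptions. It classifies each workload by data class, requires a minimum hosting tier per class, and checks storage and processing locations separately, so an AI endpoint in the wrong jurisdiction is caught even when the data at rest sits in an EU region.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Hosting tiers, ordered from least to most sovereign (assumed names)."""
    PUBLIC_CLOUD = 1     # global hyperscaler region
    SOVEREIGN_CLOUD = 2  # hyperscaler local/sovereign offering
    LOCAL = 3            # own data centre or private cloud


# Region codes and their legal jurisdiction: constructed for the example.
REGION_JURISDICTION = {
    "eu-west-1": "EEA",
    "eu-central-1": "EEA",
    "ch-north-1": "CH",
    "us-east-1": "US",
}

# Data class -> (jurisdictions allowed for storage AND processing, minimum tier).
# Mirrors the article's tiering: public info and booking in public cloud,
# doctor-patient data in sovereign cloud, core medical systems local.
POLICY = {
    "public":   ({"EEA", "CH", "US"}, Tier.PUBLIC_CLOUD),
    "contact":  ({"EEA", "CH"},       Tier.PUBLIC_CLOUD),
    "phi":      ({"EEA", "CH"},       Tier.SOVEREIGN_CLOUD),
    "phi-core": ({"EEA", "CH"},       Tier.LOCAL),
}


@dataclass
class Workload:
    name: str
    data_class: str
    tier: Tier
    storage_regions: set
    # Where the data is *processed*: AI inference endpoints, replicas,
    # batch jobs. Checked separately from storage on purpose.
    processing_regions: set = field(default_factory=set)


def check(workloads):
    """Return a list of human-readable policy findings (empty means compliant)."""
    findings = []
    for w in workloads:
        allowed, min_tier = POLICY[w.data_class]
        if w.tier < min_tier:
            findings.append(
                f"{w.name}: hosted at {w.tier.name}, but {w.data_class} requires {min_tier.name}")
        for activity, regions in (("stores", w.storage_regions),
                                  ("processes", w.processing_regions)):
            for region in sorted(regions):
                jurisdiction = REGION_JURISDICTION.get(region)
                if jurisdiction is None:
                    # Fail closed: a region you cannot map is a region you cannot defend.
                    findings.append(f"{w.name}: {activity} data in unknown region {region}")
                elif jurisdiction not in allowed:
                    findings.append(
                        f"{w.name}: {activity} {w.data_class} data in {region} ({jurisdiction}), "
                        f"allowed jurisdictions are {sorted(allowed)}")
    return findings


# Constructed inventory, modelled on the scenario in the article.
SAMPLE_INVENTORY = [
    Workload("public-website", "public", Tier.PUBLIC_CLOUD, {"eu-west-1"}),
    Workload("appointment-booking", "contact", Tier.PUBLIC_CLOUD, {"eu-west-1"}, {"eu-west-1"}),
    # Stored in an EU region, but the AI endpoint it calls runs in the US.
    Workload("ai-triage-assistant", "phi", Tier.SOVEREIGN_CLOUD, {"eu-central-1"}, {"us-east-1"}),
    # Data stays in Switzerland, but a core medical system sits one tier too low.
    Workload("radiology-archive", "phi-core", Tier.SOVEREIGN_CLOUD, {"ch-north-1"}),
    # Backup replicated to a region nobody mapped to a jurisdiction.
    Workload("phi-backup", "phi", Tier.SOVEREIGN_CLOUD, {"eu-central-1", "ap-south-1"}),
]

if __name__ == "__main__":
    for finding in check(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample inventory it reports three findings: the triage assistant processing PHI in a US region, the radiology archive hosted one tier below what a core medical system needs, and a backup replica in a region with no known jurisdiction. The unknown-region case is deliberate: if you cannot say which jurisdiction a region belongs to, you cannot prove the data never left the EU, so the check fails closed rather than assuming the best.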

For Step 3 of the approach, solution blueprinting, we use 9 sovereignty levels, with sovereignty increasing from top to bottom. Notice the trade-off: as the sovereignty level goes up, flexibility and resilience decrease, and cost typically rises.
When using IT and AI support, you must use risk management to figure out which security and sovereignty solutions are actually needed. To select the right approach, you might need additional support to navigate the fast-changing market of hyperscaler solutions. Nordcloud can support you throughout your digital sovereignty journey: from an initial workshop and an overview of what is happening in the market, to support in your risk assessment process and blueprinting of your proportional sovereignty solution.
If you’re exploring how to use hyperscaler cloud and AI in healthcare without compromising privacy, we’d love to help.
Nordcloud supports providers and life sciences organisations in designing and running sovereign solutions – from landing zones to AI-assisted care – so you can innovate confidently and compliantly.
👉 Contact us to have an intake for the sovereignty workshop and have a quick run through of the sovereignty reference architectures.