The GDPR and big health data. Fundamental challenges to the EU personal data protection framework

Healthcare and biomedical research both require and produce vast quantities of data. This exponential growth of data results from and feeds into three broad and related trends concerning: 1) biomedical sciences and technology, 2) organisation of public services and free markets, and 3) individuals in the contemporary society. One phenomenon that reflects all the above trends is “big data”, traditionally described by a reference to three Vs: volume (vast amount of data), variety (various types of data from various sources) and velocity (high speed of collection and processing of data). Big health data inevitably draws on data about an individual’s health and illness and as such raises the issue of protecting privacy and personal data. A key legislative act on personal data protection at the European Union level is the Regulation 2016/679 (General Data Protection Regulation, “the GDPR”), adopted on 27 April 2016 and applicable as from 25 May 2018. This research will focus on how big data (and big health data in particular) may pose a challenge to the GDPR. First, big data may not be well captured by the traditional concepts and instruments of data protection law (the problem of conceptual fit between big data and the GDPR). Second, big data may render effective implementation of the data subjects’ rights and corresponding obligations of data users difficult in practice (the problem of feasibility and effectiveness of protection under the GDPR).