Disentangling health data networks: a critical analysis of Articles 9 (2) and 89 GDPR
The European legislator has taken up an extensive approach to the regulation of health data, prohibiting connected processing activities under Article 9(1) General Data Protection Regulation (GDPR). On the other hand, the same Article 9(2) GDPR provides some exemptions to the general prohibition in case explicit consent is given, for the protection of the ‘vital interest of the data subject’ or in cases in which ‘the processing is necessary for reasons of public interest in the area of public health’. Along these lines, Article 89 GDPR allows the processing of personal data for ‘scientific and historical research purposes’ upon the condition that ‘specific safeguards’ are provided by Union or Member States law. These provisions clearly limit the possibilities of health data processing to the cases, where the processing is functional to the protection of data subjects’ fundamental rights or to the promotion of public interests or scientific research. The resulting framework thus appears to ban commercially oriented activities from treating sensitive health data and thus, implicitly, attempts to draw a line between the spheres of health research and the market. This study critically evaluates the ‘safe harbor’ of processing activities regarding health data under Articles 9(2) and 89 GDPR against the backdrop of the current developments in the field of health research.