Sharing Big Data in Health Care: Focus on the Role Played by Co-regulatory Instruments in Light of the New European Health Data Space

Big data and AI are revolutionizing data processing in health care. The new paradigm of data-driven decision making will lead primary activities, such as the provision of care services, as well as secondary health care purposes, like clini-cal research. However, the extraction of knowledge from big data in health care depends on the possibility for stakeholders to share and connect datasets in compliance with data protection law requirements. In this regard, the EU Data Strategy seeks to foster data sharing for public benefit.
The EU Commission, in the preparatory works for the European Health Data Space, has stressed that issues related to GDPR compliance could hinder the sharing and the re-use of data in health care. Namely, two order of problems may be highlighted in this perspective: 1) the special regime for health data pro-cessing in GDPR, which allows MS to add even stricter data protection rules; 2) margins of choice for data controllers and processors about how to implement technical and organisational measures for reaching GDPR compliance, according to the risk-based approach.
According to the EU Commission, legal uncertainty might be mitigated by adopting co-regulatory measures, such as a Code of Conduct for the sharing of health data. A Code of Conduct (articles 40 and 41 GDPR) could establish common ways to interpret and comply with loose GDPR requirements and prin-ciples, therefore creating harmonization. However, given the legal fragmentation typical of the health domain among MS, the elaboration of an EU-wide Code of Conduct for personal data processing could not bring the desired effects. More-over, some doubts concern the lack of legal effects produced by a Code of Conduct on the burden of proof for data controllers. Finally, also costs and complexities linked to the elaboration of GDPR co-regulatory instruments may hamper the diffusion of these mechanisms.
The paper discusses opportunities and limits of GDPR co-regulatory mecha-nisms, considering the forthcoming European Health Data Space. It is argued that despite legal and governance reasoning are theoretically correct about the role of these instruments, their spread is limited once the reasoning is linked to market and economic aspects.