Fit for purpose? The GDPR and the governance of European digital health

The introduction of the General Data Protection Regulation (GDPR) in 2018 served as the cornerstone of the new data governance regime of the European Union. Informed by principles and values such as privacy, accountability, transparency, and fairness, the GDPR is premised on the objective to balance the protection of individual privacy and the promotion of a thriving European data economy. Still, shortcomings of this regulatory effort have been noted by recent ethical, socio-political, legal, and policy scholarship. Focusing on the deployment of digital health technologies and big data practices within the European digital health ecosystem, this article draws upon these bodies of literature to chart the main lines of tension emerging between the current GDPR-based data governance regime and the broader societal shifts coming along with the expansion of digital health. Central aspects of the GDPR-i.e. key underlying data protection principles and regulatory categories, the reliance on the "notice-and-consent" model, the (narrow) remit of the Regulation vis-a-vis possible harms and discriminations-are misaligned with the surge in digital health. This throws into doubt whether the Regulation is fully fit for the purpose of governing current developments in this field, while also calling for swift and adequate policy responses.