Data Hungry AI: Balancing the Protection of Patient Data with Innovation in the European Union’s Remote Healthcare Systems
Integrating AI into remote patient monitoring systems (RPMS) has advanced patient care in the European Union, but it also raises compliance challenges under the General Data Protection Regulation (GDPR), because AI models need vast amounts of data. In this paper, I examine the tension between that need and the GDPR principle of data minimisation, and I posit that enforcing the GDPR alongside the EU Artificial Intelligence Act (AIA) will soften the conflict. I conclude by arguing that the entry into force of the European Health Data Space (EHDS) regulation will help balance the dilemma between upholding the principle of data minimisation and allowing AI-driven scientific progress.
Setting the Scene
AI is transforming telehealth, and remote patient monitoring systems (RPMS) are becoming common in the management of chronic diseases such as diabetes and heart disease. AI-powered RPMS analyse patient data from wearable sensors in real time to identify early warning signs of a deteriorating condition and trigger timely intervention. The future of AI in RPMS in Europe is promising. However, as this write-up demonstrates, data protection concerns pose challenges to the full deployment of AI in remote healthcare. For this reason, I investigate the interplay between the need to protect patients' data as demanded by the GDPR on the one hand, and the importance of training the AI technology used in RPMS on the other. I do so by examining the data governance structure of the European Union in general, and the GDPR principle of data minimisation in particular. I then analyse this principle in relation to RPMS that use AI technology.
Data Minimization Challenges in EU Data Regulation
Alongside regional and national data protection laws, the European Union's data framework consists of the GDPR, the AIA, the EHDS, the Data Governance Act (DGA) and the Data Act (DA). Both the DGA and the DA are primarily aimed at promoting a European data economy, as their respective preambles state (Madi, 2024). Neither specifically addresses the role of health data in training the AI used in RPMS, so I focus mainly on the GDPR, the AIA and the EHDS.
The GDPR principle that is problematic in the context of RPMS is data minimisation, found in Article 5(1)(c), which requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. As Cornelius Witt and Jan De Bruyne put it, the principle restricts data collection to what is necessary to achieve a defined goal. It is worth remembering, however, that the principle being well entrenched in the GDPR does not make it automatically compatible with AI-powered RPMS. AI systems are, by nature, hungry for data: they are built to thrive on large datasets and need them to function properly, which is why data is often described as the lifeblood of AI. How, then, can a balance be struck between preserving the principle of data minimisation and allowing AI to be trained on large volumes of health data for the good of science?
Striking the Balance
The GDPR requires data controllers to define and document the specific purposes for which personal data will be processed (Article 5(1)(b), together with the records of processing under Article 30). For AI-powered RPMS, this means specifying the intended uses of patient data, including whether it will be used for AI training. The requirement compels controllers to consider whether using patient data for AI training is truly necessary for the core functions of the RPMS or whether alternative data sources could serve instead. Article 5(1)(b) also prohibits further processing of personal data in a manner incompatible with the purposes initially specified. This prevents controllers from reusing patient data collected for an RPMS for unrelated purposes, such as marketing, without explicit consent or a separate legal basis; because health data is a special category under Article 9, such reuse additionally needs one of the Article 9(2) exceptions, such as explicit consent or the scientific research exception in Article 9(2)(j). Notably, the same Article 5(1)(b) treats further processing for scientific research purposes, carried out with the safeguards of Article 89(1), as not incompatible with the initial purposes, and this is the hook on which lawful reuse of RPMS data for AI training most plausibly hangs. A person whose data is processed in breach of these rules may seek compensation under Article 82 of the GDPR, which covers material and non-material damage, for example by showing that they suffered damage because their data was used for marketing or for training AI models used in RPMS without a lawful basis.
The AIA promises to complement the GDPR in enforcing the data minimisation principle. Article 10 of the AIA lays down data governance requirements for high-risk AI systems: their training, validation and testing data sets must be subject to appropriate data governance and management practices and must be relevant, sufficiently representative and, to the best extent possible, free of errors and complete in view of the intended purpose. Article 10(5) further allows providers to process special categories of personal data, such as health data, for bias detection and correction only where strictly necessary and subject to safeguards. The regime thus protects personal data while promoting responsible AI use, and it pushes high-risk systems towards using only the data their intended purpose calls for. To that extent, as Maria Jędrzejczak observes, the AIA's data governance regime resembles the data minimisation principle under the GDPR.
Article 6 of the AIA sets out when an AI system is classified as high-risk; the higher the risk, the stricter the obligations. The classification turns on the system's intended purpose rather than on how much data it processes: an RPMS that is a medical device requiring third-party conformity assessment under the Medical Devices Regulation falls within Annex I and is therefore high-risk under Article 6(1). It is hoped that once the AIA is fully operational, data collected in RPMS will be limited to the purpose for which it was collected. A high-risk classification brings stricter obligations, including risk management under Article 9 and data governance under Article 10 (Anca Parmena Olimid, 2024), and collecting more data than the intended purpose requires widens the risks that a provider must manage and justify. No reasonable provider or deployer would want to expose itself unnecessarily to risks that carry hefty penalties, up to EUR 15 million or 3 % of worldwide annual turnover for breaches of the obligations on high-risk systems (Article 99(4)), if it cannot demonstrate that it manages them properly. Additionally, collecting data beyond what the intended purpose requires may be used as a ground under Article 85 of the AIA to lodge a complaint with the relevant market surveillance authority. The success of this remedy, of course, depends on whether the AI system is classified as high-risk.
The EU has adopted a new regulation that facilitates access to and exchange of health data at EU level: the EHDS (Regulation (EU) 2025/327). It seeks to balance the protection of health data with the advancement of AI in healthcare. Although the regulation does not explicitly mention RPMS, it establishes a framework for accessing and using electronic health data that can apply to these systems. The EHDS emphasises giving individuals control over their health data, including a right to restrict health professionals' access to specific parts of their electronic health records. This aligns with existing EU data protection law, notably the GDPR, which gives individuals rights over their sensitive health information.
The EHDS explicitly supports the secondary use of health data for training AI that is applied in health systems. This can be seen in recital 61, which counts the training of AI systems that could be used in healthcare or in the care of natural persons among the scientific research activities the EHDS supports. This acknowledges the importance of leveraging health data to develop innovative healthcare solutions in the European Union. Furthermore, recital 64 describes the health data access bodies that the regulation establishes to oversee and grant access to electronic health data for secondary use. These bodies play a crucial role in ensuring that data access requests are legitimate and that appropriate safeguards are in place to protect health data.
Finland has already started implementing the EHDS regulation nationally, and two working groups and a steering group have been established for this purpose. According to the government programme, Finland will remove barriers to research, harmonise its research laws, and actively engage in the work done under the EHDS regulation. In addition to implementing the EHDS regulation, the Ministry of Social Affairs and Health is pursuing a legislative project to revise the Act on the Secondary Use of Health and Social Data.
The Future of RPMS Looks Promising
The future of RPMS in the European Union is certainly promising. As this paper has shown, the delicate balance between protecting patient data and allowing AI to train on it in the era of remote healthcare can be improved by applying the GDPR hand in hand with the AIA. The EHDS, now binding law, will further help achieve this balance. Harnessing its full benefits, however, requires amending national legislation. I therefore urge the member states of the European Union to follow the example set by Finland, which has already begun the national implementation of the regulation.
Chisanga Mutale | University of Turku
The author is a PhD researcher at the Faculty of Law of the University of Turku.