This article analyses the balance which the GDPR strikes between two important social values: protecting personal health data and facilitating health research through the lens of the consent requirement and the research exemption. The article shows that the normative weight of the consent requirement differs depending on the context for the health research in question. This more substantive approach to consent is reflected in the research exemption which allows for a more nuanced balancing of interests. However, because the GDPR articulates the exemption at an abstract and principled level, in practice the balance is struck at Member State level. Thus, the GDPR increases difficulties for EU cross-border health projects and impedes the policy goal of creating a harmonised regulatory framework for health research. The article argues that in order to address this problem, the European Data Protection Board should provide specific guidance on the operation of consent in health research.