In case you haven’t heard, Google is being sued in the UK for allegedly using medical data of the National Health Service and affecting the privacy of at least 1.6 million people in Great Britain. One of the claims is that the personal data of the people involved was used without the knowledge or consent of data subjects, thus violating several of the principles of data protection regulation.
According to Sky News, the data was used in the course of “testing a smartphone app called Streams.”[1] The purpose of the app was to detect acute kidney injury. While reasons behind the use of such data might seem praiseworthy, it can be argued that the company developing such an app is ultimately profiting from abusing people's personal data.
The importance of health data
It’s worth noting we’re not talking about, so to speak, standard personal data. This is about one of the most sensitive types of personal data, medical records. The GDPR and most privacy regulations around the globe treat this kind of personal data as a special category that requires the highest level of protection.
But what is health data anyway? Is it the diagnosis that you get from a doctor? Or, perhaps, a vaccination certificate? Well, the topic is rather complex and there are no simple answers. Let’s start with the definition provided by GDPR.
“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.[2]
Recital 35 of the GDPR provides a more detailed interpretation of the term.
... all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject...[3]
Moreover, it also includes data that, in combination with other information, could lead to a conclusion about the health status of a person. In a nutshell, data concerning health could be understood as any information related (directly or indirectly) to the past, present, or future health status of a person.
Since this information is quite sensitive, privacy regulation acts put stricter requirements on the processing of such data. As such specific terms like “explicit consent” are starting to appear in various regulatory acts, it seems that standard consent is not a sufficient legal basis for personal data processing anymore.
Is any consent valid consent?
You might be wondering why consent is so important in case of data protection regulation. And why are actions taken by Google deemed illegal? Well, consent is one of the most pivotal and complex concepts when it comes to data protection. In order to process personal data, companies are required to rely upon one of the legal bases for such activity, consent being one of them. Consent is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[4] So does this mean simply saying “yes” can be considered valid consent? We’ve seen several companies fail to obtain valid consent, as - per definition - consent must be specific, freely given, and informed. Moreover, as stated in recital 42 of the GDPR, consent is considered to be invalid if “data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”[5]
When it comes to health treatment, there’s an ongoing debate about whether or not consent constitutes an appropriate legal ground for processing sensitive data. It was pointed out in Article 29 Working Party that “since the refusal of the treatment can be considered a determinant for the wellbeing of a patient, any consent shall not be considered valid.”[6] That’s why medical institutions usually rely on some other legal basis for processing such as the one stated in article 9(2h). According to the article, “processing is necessary for the purposes of preventive or occupational medicine.”
Having considered all this in the context of Google’s case, it seems that the requirement for using this extremely sensitive data did not fulfill the requirements established by law. The people involved were unaware of the fact that their data is being used. Moreover, they did not consent to the use of such data.
Private data should remain private
At Iagon, we believe no one should use your data without your consent. And if they do, they should not profit from your data without sharing the profits with you. That is why we spend extra resources and put extra effort into ensuring that all your information remains as private as possible. If you’d like some more information on how to protect your personal data, follow our blog and the newsletter where we publish various tips regarding privacy and data protection.
Google sued for using the NHS data of 1.6 million Britons 'without their knowledge or consent' - https://news.sky.com/story/google-sued-for-using-the-nhs-data-of-1-6-million-brits-without-their-knowledge-or-consent-12614525 ↩︎
GDPR Article 4(15) ↩︎
GDPR Recital 35 ↩︎
GDPR Art 4(11) ↩︎
GDPR recital 42 ↩︎
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp131_en.pdf p8 ↩︎
For more information and other updates, please follow us on our social media or head over to the IAGON Website!