Page 212 - ITU KALEIDOSCOPE, ATLANTA 2019

2019 ITU Kaleidoscope Academic Conference




‘send’ the data to the servers of the company which owns the app and which then processes the data. What exactly happens technically behind the scenes is unclear. It is therefore unclear whether ‘sending’ data between the device and the server of a company can be seen as a transfer within the meaning of the GDPR and whether the GDPR transfer regime applies to processing by modern technologies.

This research argues that the complexity of the GDPR legal framework does not offer sufficient protection against processing by modern technologies. By taking a technical, behind-the-scenes perspective and looking at whether the (technical) process of ‘sending’ data from a user’s device to the server of a company can be seen as a transfer within the meaning of the GDPR, we argue that this process is a mere transit of data in which the device functions only as a tool for the companies to collect data [11]. In coming to this conclusion, this article first needs to establish what the legal basis for processing health data by modern technologies is. We then look at the technical process used by modern technologies and whether the GDPR transfer regime applies to this process, in order to conclude whether the legal basis and the GDPR legal framework offer sufficient protection against processing by modern technologies.

2. LEGAL BASIS FOR PROCESSING HEALTH DATA BY MODERN TECHNOLOGIES

The GDPR provides rules for the protection of personal data and the free movement of such data in order to protect the fundamental rights and freedoms of persons. It applies to the processing of personal data of data subjects who are in the EU, regardless of where the controller or processor is established [12]. This means that the GDPR applies to any company around the globe processing data of data subjects who are in the EU, if the processing activities relate to offering goods or services to data subjects or to monitoring the behavior of data subjects. As such, the GDPR aims at offering a similar level of protection for EU citizens regardless of where the data is being processed [13]. This is particularly important when health data is being processed by commercial companies which are not under any obligation of professional secrecy. In previous research we have established that many companies deny, or at least do not mention, the fact that they process health data while in fact they do [14].

While we use the more overarching term health data, Article 4 (15) of the General Data Protection Regulation (GDPR) refers to it as ‘data concerning health’ and defines it as:

Personal data related to the physical or mental health of a natural person, including the provision of healthcare services which reveal information about health status [15].

This is a very broad definition: any information which can reveal something about a person’s (mental) health is considered to be health data. In the annex to its letter to the European Commission, the Article 29 Working Party (now the European Data Protection Board [16]) clarified the scope of the definition of data concerning health in relation to lifestyle and wellbeing apps and provided criteria to determine when data processed by such apps and devices is health data [17]. According to the Article 29 Working Party, personal data is health data when (1) the data is clearly medical data, (2) the data is raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person, or (3) conclusions are drawn about a person’s health status or health risk [18]. This means that, in general, data is health data when it is used or can be used to draw conclusions about a person’s health. However, the Article 29 Working Party also acknowledges that in some cases the raw data itself is considered to be health data. It also acknowledges that presumably simple facts about individuals, such as IQ, wearing glasses or lenses, smoking and drinking habits, membership of patient support groups, etc., are considered to be health data. In our view, the mere fact that a person uses an app, for example to help quit smoking or to count calories, already says a lot about that person. Whether or not true, the conclusion can be drawn that the person is a smoker or may be obese and that he or she may have health issues (such as lung or heart problems) because of this. The mere fact that a person uses a health app can already say a lot about their health, and even more so when the data is combined with other health information about that person. For example, an employer or insurer buying health data and combining it with the information already on record not only violates privacy but can also discriminate against the employee or the insured. This could lead to increases in insurance fees, rejection of insurance and perhaps even unemployment. Data generated by modern technologies from which something can be concluded about a person’s health in the broadest sense can therefore generally be seen as health data.

Health data has had a long history of being seen as a special category of data, also referred to as sensitive data, that requires additional protection. As such, Article 9 of the GDPR prohibits the processing of health data unless there is a legal basis to do so. If there is no legal basis for processing, the processing is considered to be unlawful. According to the GDPR, explicit consent given by the data subject is the legal basis for processing health data by modern technologies [20, 21]. The GDPR thus allows processing of personal health data by companies when a data subject explicitly consents. Consent of the data subject within the meaning of the GDPR means a clear affirmative act establishing at least the freely given, informed indication that the data subject agrees to the processing of his or her personal data [22]. Consent can also be given by electronic means, for example by ticking a box when visiting a website, choosing certain technical settings, or any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing. Pre-ticked boxes or inactivity by the data subject do not constitute consent [23]. The request for consent has to be clear, concise, not unnecessarily




