Page 216 - ITU KALEIDOSCOPE, ATLANTA 2019

2019 ITU Kaleidoscope Academic Conference




research [43] has shown that there is a gap between the GDPR and practical reality. There is a general lack of transparency from commercial companies about their processing activities, their purposes for processing, the quantity of health data processed, the location of storage and the recipients the data is shared with. In particular, the sharing of data is of great concern, as the data is collected and shared with actors who are by no means under any obligation of professional secrecy and who sell the data to the highest bidder, which may lead to various forms of discrimination, violation of fundamental rights and difficulties with exercising rights in case of infringements. This is even more concerning considering that people generally do not inform themselves before giving away their data and/or choose convenience over privacy. It is the responsibility of companies to protect their users’ privacy; however, unfortunately they often fail to do so. Consent as a legal basis for processing health data by modern technologies is therefore not enough. As a result of this, the complexity of the GDPR legal framework does not offer sufficient protection for processing of health data by modern technologies.

6. CONCLUSION

The multitude of modern technologies that are available today process large amounts of health data. When processing data, controllers and processors need to abide by the GDPR, which requires that there be a legal basis for processing. Commercial companies therefore need to ask the users of their modern technologies for consent before being allowed to process health data. On many occasions, these companies collect data via an app and store it on a (cloud) server where it is being processed. The device is used as a tool to collect data and the data can be seen separately from the app considering that it exists outside of the app (even if the app is deleted) where it is accessible to the company. Taking into consideration that the data exists outside the app and that the data subject cannot be the controller of his or her own data, the transfer regime of the GDPR does not apply when the data is being sent from the device to the (cloud) server. This process is a mere transit of data.

Considering that the GDPR transfer regime does not apply, the question is whether consent as a legal basis is enough. While the GDPR applies to the processing of the data of data subjects who are in the EU, regardless of where the controller or processor is established, the reality remains that it is more difficult to track data processed by modern technologies, i.e. where it is stored and with whom it is shared, which may result in discrimination and violation of rights. There is a general lack of transparency from companies as regards their processing operations. Furthermore, informing people via privacy policies of modern technologies does not offer sufficient protection considering that most people do not actually read them [45]. And even if they were to read them, they might not understand the meaning or the risks involved. As such, people do not know what they are consenting to. Therefore, combining the fact that commercial companies are generally not transparent enough about their processing activities with the fact that users generally do not know what they are consenting to results in a weak legal basis. As a consequence, violations take place more frequently than we would wish.

As such, the complexity of the GDPR legal framework does not offer sufficient protection against data processing by modern technologies and commercial companies are not taking sufficient responsibility when processing health data. Perhaps the solution lies in prohibiting the use of health data in certain situations as suggested by Frank Pasquale [44]. A stricter approach, i.e. prohibiting the use of health data in certain situations, would at least be an incentive for companies not to violate the privacy of a person’s most intimate sphere. This approach will require further research on how to limit processing health data by modern technologies. The situations where it might be limited or prohibited would have to be defined. It is, however, our opinion that we need another way of looking at health data processed by modern technologies that would be beneficial to all parties and still protects rights and freedoms.

REFERENCES

[1] Council of Europe, Explanatory memorandum to Recommendation No. R (81) 1 of the Committee of Ministers to member states on regulations for automated medical data banks [1981], para. 6.

[2] B. Millington, ‘Smartphone Apps and the Mobile Privatization of Health and Fitness’, Critical Studies in Media Communication, v31 n5, December 2014, p. 479-493.

[3] M. L. Flear et al., European Law and New Health Technologies, Oxford: University Press, 2013, p. 1.

[4] Editorial, An app a day is only a framework away, Elsevier, The Lancet Digital Health, Volume 1, Issue 2, June 2019, Page e45, available at https://www.sciencedirect.com/science/article/pii/S2589750019300317.

[5] See for example: https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases and https://decorrespondent.nl/8480/this-fitness-app-lets-anyone-find-names-and-addresses-for-thousands-of-soldiers-and-secret-agents/260810880-cc840165.









