Guarding health data privacy in Europe: The limits and challenges of current regulations

The GDPR demonstrates the capacity of the European Union to prioritise data protection and privacy. The collection and use of health data by private corporations makes privacy protections critically important. Taken together, the provided policy recommendations here create comprehensive steps forward.

By George Washington University (guest author) · June 28, 2023

Over the last several decades, digital technology has dramatically transformed healthcare. Mobile health tools, which consist of mobile applications and wearable technologies, are now common and present significant potential advantages, such as enhanced healthcare quality, expanded healthcare accessibility, and improved health-related habits. Many of these advantages are derived from the data that these technologies collect, analyse, and share.

Wearable technologies, for example, are often equipped with an array of sensors capable of measuring environmental conditions (e.g., temperature and humidity), vital signs (e.g., heart rate and blood pressure), and behaviours (e.g., step-count and sleep patterns). However, the dramatic increase in health data collection, particularly by for-profit entities, also presents serious risks.

Mobile health apps often require users to divulge incredibly sensitive and intimate information, while even seemingly innocuous data can be utilised to infer personal information. Oura Rings, a smart ring used to track sleep and physical activity, can consistently identify when a woman is pregnant before they typically take a pregnancy test themselves.

Biometric data as simple as step counts can be used to infer the movements and routines of individuals, and location data can be used to identify specific individuals with astonishing accuracy. A 2013 study found that 95 per cent of individuals could be identified from their location data based on only four data points over four hours.

This data ultimately contains profoundly personal information about an individual, such as their sexual orientation, gender identity, mental health, genetic information, and lifestyle choices. Protection of this information is critical as individuals may face discrimination if it is revealed publicly. Discrimination based on sexual orientation has a long history, and Poland and Hungary recently passed laws curtailing the rights of LGBTQ+ individuals. Abortion is illegal in all cases in Malta and highly restricted in Poland. An activist in Poland is currently facing up to three years in prison for helping a woman access abortion pills. There is still a tremendous stigma around mental health issues in many locales. Revelations of mental illnesses can lead to discrimination in housing and employment.

While the European Union has strong data protection and privacy laws such as the GDPR, these laws are not without limitations. This report identifies six specific limitations with the current EU data protection and privacy policy landscape:

  • Consent: Even when individuals consent to the collection and processing of their health data, as required by EU law, they often have very little understanding of what they are consenting to and can be misled through dark patterns.
  • Transparency: Systems are not consistently transparent about how the data they collect is utilised.
  • Enforcement: Enforcement of the GDPR depends on member states’ data protection authorities (DPAs), whose capabilities vary based on enforcement power and resources; therefore, GDPR enforcement varies throughout the EU. Strengthening the enforcement powers and resources of national DPAs could boost enforcement of GDPR and protect individual’s personal health data.
  • Data Inferences: By not specifically protecting data inferences, individuals are less able to assert their fundamental rights over their personal data.
  • Burden on Individuals: A burden is currently placed on individuals to request access to data, interpret if laws are broken, and sue data companies in civil suits to protect their data. Collective action enabled by the GDPR and the Collective Redress Directive provide a better approach to hold data processors and data collectors accountable; however, assessment and compensation is inconsistent between Member States.
  • Information Security: There are opportunities to improve the security practices of government and private companies to safely store people’s sensitive health data.

Accordingly, we propose several policy recommendations to better protect individual’s data and privacy:

  1. Require health data collection agreements to have usercentric transparency with “optin” consent and appropriate enforcement by regulators.
  2. Explicitly protect data inferences.
  3. Require health apps and wearable devices to be certified by a recognised thirdparty
    organisation.
  4. Strengthen collective data rights through transparency and standardisation efforts.

The GDPR demonstrates the capacity of the European Union to prioritise data protection and privacy. The collection and use of health data by private corporations makes privacy protections critically important. While the GDPR has many protections that also inherently include the protection of sensitive health data, limitations still exist. Taken together, the provided policy recommendations create comprehensive steps forward.

Read the paperContribution by: Christopher Borges, Ruth Cooper, Ashley Schuett, and Brandon Seehoffer, Master’s Students, The George Washington University