Healthcare data has become big tech’s last frontier for innovation, competition and disruption. However, big tech’s recent strategic moves into the healthcare industry have raised concerns, from both a competition and a privacy law perspective, among regulators, healthcare professionals and patients alike.
Clearly, data-driven technologies can provide unprecedented opportunities to offer critical benefits to patients, the healthcare industry and society in general. The prospect of innovative new healthcare services assisted by data analytics legitimises big tech and its contributions to improving individual care, national health services and public health. Not only does it advance medical research and capacity for innovation but it could also be credited with lowering the cost of healthcare across the board.
In the European Union, the safeguards governing the secondary use of patient data have been bolstered by the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. However, the lack of clarity, weak guidance and weak enforcement from the regulators in sectors such as adtech may also hinder health data privacy.
The question is, what is the price to pay for reaping the real health benefits when big tech is given the key to access massive troves of patient data collected by the NHS in the UK or by large healthcare networks and other players in the United States or elsewhere?
A growing number of cases on both sides of the Atlantic demonstrate the discrepancies between the privacy regulations applying to healthcare data and the need for consistency and clarity in the context of new trading relationships, for instance between the United Kingdom and the United States after Brexit.
In spite of the GDPR being fully in force, big tech advertisers like Google, Amazon, Facebook and Oracle were found by the end of 2019 to have been dropping cookies and collecting clearly sensitive data from users of a number of popular health websites in the UK, allowing the companies to track those users and serve them targeted ads without their explicit consent.
Understandably in this context, the flurry of acquisitions and push of big tech into the healthcare sector have raised serious privacy concerns and highlighted the dilemma between privacy risks on the one hand, and health benefits and innovation on the other.
Amazon has made a couple of digital health acquisitions: first in 2018, with the purchase of the online pharmacy PillPack, followed in 2019 by Health Navigator, a start-up that provides online symptom checking and triage tools to help companies direct patients to the right facilities. Such moves into the sector may not have raised alarms until the Department of Health and Social Care in the UK disclosed in July 2019 that it had entered into a Master Content License Agreement with Amazon to make verified NHS health data available through its AI-powered voice assistant Alexa. At the heart of the concerns lie the lack of transparency around the use of NHS patient data in the data sharing terms and the lack of disclosure of the commercial terms under which Amazon is effectively able to use NHS data free of charge.
Equally representative of the tension between the protection of patient data and the benefits of big data, Google’s acquisitions of DeepMind, finalised in September 2019, and of Fitbit, announced in November 2019 – and still pending a green light from the Department of Justice – shed light on the emblematic impact of big tech entering the new healthcare data market.
The takeover of DeepMind by Google Health UK remains controversial on two accounts. Firstly, the UK Information Commissioner (ICO) faulted the Royal Free NHS Foundation Trust in 2017 for failing to establish a proper legal basis when sharing the personal data of around 1.6 million patients with DeepMind as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
Further concerns were raised in relation to DeepMind’s takeover by Google, which may potentially gain free access to patient data through inherited partnership agreements entered into with a number of NHS trusts. As a result, the NHS Trust, keen to ensure full compliance with UK data protection laws, entered into carefully crafted partnership agreements with Google Health UK under which they remain the data controller of patient data at all times and which incorporate GDPR-compliant data processing clauses.
Google Health UK also sought to re-establish public trust by providing assurances that Google would commit to not linking or associating patient data with Google accounts, products or services at any stage. Indeed, from a data protection law point of view, DeepMind acts only as the Trusts’ data processor, yet this somewhat contradicts the findings of the ICO guidance published in March 2017 on big data, artificial intelligence (AI), machine learning and data protection.
The ICO highlights three specific features of big data analytics that may have data protection implications:
(i) the use of algorithms in a new way,
(ii) the opacity of the data processing, and
(iii) the practice of collecting “all the data”, often for new purposes.
In this respect, would an AI service provider more likely be acting as a data controller, and as such be subject to enhanced GDPR compliance obligations?
Similarly, Google’s acquisition of Fitbit resurrected fears that Google would combine all users’ health and fitness data with related data collected through other Google services, without any legal basis to do so, and certainly not users’ consent. In this case, the main concern is that Google may not only be able to access and use all the combined data for targeted advertising, but that this data may also become a major feed for Google ads.
Setting aside ongoing regulatory probes, fines and lawsuits both in the EU and in the US, Google’s strategy seems to be to push ahead to ensure its leadership in the health data industry.
Clearly, the use of patient data and the emerging models of commercialising innovation raise specific questions: who owns the data, who gets access to it and, now, who gets to share the benefits when the data gets monetised? The key, as ever, is that these innovative tech companies proceed with their healthcare plans in full accordance with data protection rules and with an appreciation of the sensitivity of patient data.