'When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law' by Sarita Lindstad and Kaspar Rosager Ludvigsen in (2022) Medical Law Review states:
Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but forces lawmakers and practitioners to balance between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data, and these implants face many data management challenges. It is essential that healthcare providers and others can identify and understand the legal grounds they rely on to process data. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data. We find that only a cumulative application of the GDPR and the ePrivacy rules ensures adequate protection of this data and present the legal grounds for processing in these cases. We discuss the challenges in obtaining and maintaining valid consent and necessity as a legal ground for processing and offer use case-specific discussions of the role of consent long-term and the lack of an adequate ‘vital interest’ exception in the ePrivacy rules.
The authors comment:
Medicine is an emerging field for information communication technologies (ICT). Data processing brings significant advantages, and medical technologies develop at record speeds. ICT-connected Implantable Medical Devices (ICTIMD) plant themselves firmly between traditional medical equipment and software processing health-related personal data. ICTIMD are medical devices implanted in the human body with software capable of communicating and transferring data to external devices. They allow healthcare providers to monitor the patient’s condition without being physically present and help medical industries go from reactive to predictive and proactive models of care.
However, the rapid technological development is a two-edged sword, forcing lawmakers and practitioners to balance between privacy, data protection, autonomy, and accessibility. ICTIMD rely on the processing of data on a massive scale, and while they face many of the same data management challenges as other fields, there are some major distinguishing factors. Health data is one of the most sensitive types of personal data, and the impact of a data breach can have enormous consequences. ICTIMDs are also, in contrast to most other devices, collecting data automatically and constantly from sensors implanted in human subjects. The end-user and data subject, the patient, does not have the freedom to leave the device at home. These devices form a particularly sensitive part of the private sphere of the users, demanding high data protection standards.
The European Union (EU) is in the process of updating its privacy and data protection framework. Having replaced the Data Protection Directive (DPD) with the General Data Protection Regulation (GDPR), the complementing ePrivacy directive (PECD) will eventually be replaced by an ePrivacy Regulation (EPR) and future additional legislation. These instruments together implement enhanced thresholds for processing health data from terminal equipment. For efficient data protection, it is vital that all the actors in the value chain, the healthcare providers, and the patients can identify and understand the lawful grounds available for processing. Our sections II and III start by clarifying the applicability of the rules and provide an overview of the legal grounds for processing from ICTIMD. Sections IV and V dive deeper into consent and necessity as legal grounds for processing ICTIMD data before section VI discusses the framework’s suitability for ICTIMD processing.
The article will focus on processing enabling medical treatment and exclude processing for research purposes or other public interests. It will be limited to data protection law and will not cover law enforcement access, criminal law issues of illegal access, product liability law, or health law specifically.