Balancing Act: Navigating Privacy Rights and Data Sharing in the Digital Age

How the EU regulates Health Data

Faiaz
The Curious Commentator
19 min read · Feb 8, 2024


In today’s world, we’re often caught between wanting to keep our personal information private and seeing the good that can come from sharing it, especially with governments or companies. Governments also have to choose how to balance the privacy rights of citizens against the benefits of data sharing. Focusing on ‘health data’ provides a good case study for exploring this tension, given that health data is more sensitive than other kinds of data and that sharing it can bring enormous public health benefits. This trade-off came to the forefront during the COVID-19 public health crisis, which saw calls for the sharing of personal health and location data to track and contain the spread of the virus. The European Union (EU), a leader in privacy rights legislation, offers a compelling case study in regulating such data. As we navigate the complex landscape of regulating health data from a government perspective, the EU’s approach provides valuable insights into striking a balance between individual privacy rights and collective health benefits.

The privacy risks of health tracking data are a growing concern for many of us, as illustrated by a recent Apple commercial called “The Waiting Room” that portrays people worried about the health data collected via health or fitness tracking apps. The rapid development of Artificial Intelligence (AI) and its ability to process large amounts of data have raised new challenges and opportunities for governments worldwide regarding the use and regulation of data collected via new and increasingly ubiquitous technologies such as wearables, fitness trackers and smart watches. Companies like Fitbit, Apple, Nike, and Garmin offer devices that track a user’s heart rate, number of steps taken, activity levels, sleep quality and duration, and calories burned. These technologies generate health data that is highly valuable for large companies, as evidenced by Google’s acquisition of Fitbit in 2021. Google paid $7.35 per share for the wearable maker in an all-cash deal that valued Fitbit, and therefore the activity, health, sleep, and location data it can hold on its more than 28M active users, at $2.1 billion. In the aftermath of the initial announcement by Google, the European Data Protection Board (EDPB) intervened to raise concerns about Google’s plan to scoop up the health and activity data of millions of Fitbit users, at a time when the company was under intense scrutiny over how extensively it tracks people online and over antitrust concerns. The privacy of health tracking data is an emerging issue, as the availability and affordability of fitness trackers and smart watches that collect such data have increased significantly in recent years, making them a common device among consumers. According to a 2020 Pew Research survey, one in five Americans uses a smart watch or fitness tracker.

Health tracking data, which is collected by fitness trackers and other devices, is more sensitive than other types of consumer data and requires more protection. This article critically examines how health data is regulated under the General Data Protection Regulation (GDPR) framework. I argue that the GDPR successfully balances the data privacy interests of users and the public health interests by going beyond the ‘consent principle’ and establishing strict procedural requirements for data controllers to obtain explicit consent from data subjects. However, by following a binary approach of either categorizing something as ‘sensitive health data’ or not, the EU approach to health data may not reflect the complexity and diversity of health data in the big data analytics environment.

The analysis proceeds as follows: first, defining the problem; secondly, how the significance of the problem has changed over time and why market dynamics or self-regulation are not sufficient to protect users’ privacy; thirdly, the causal theory, or how the GDPR provides a superior outcome in balancing the benefits and risks of health data, and the definitional uncertainties around ‘health data’; and finally, the positive and negative consequences of the GDPR as it relates to health data.

Defining the Problem

For the purposes of this article, “health data” is defined as any information, recorded in any form or medium, that is stored by a private organization for the purpose of providing services to consumers and is used to determine, predict, or estimate the past, present, or future physical or mental health condition of an individual, including any data that reflects a particular disease or condition, reproductive health, or a substance abuse disorder.[6] This does not include health data that is already covered by regulations for healthcare providers.

The global fitness tracker market is growing rapidly and is anticipated to grow to USD 145.7 billion by 2028 from USD 58.33 billion in 2023.[7] In 2022, more than 492.1 million units of wearables were shipped worldwide.[8] This increasing use of wearables poses new challenges for governments worldwide. On one hand, the health data collected by wearables is subject to the risk of privacy breaches and harms for users who share their personal data without adequate safeguards. Health data can reveal intimate and sensitive information that can be misused for purposes such as advertising, discrimination, fraud, or harassment. For example, some scholars warn of health data being used by insurance companies to monitor people and charge discriminatory premiums, without the users knowing that their data is being shared with third parties.[9] Other scholars have also warned of health trackers being used by employers to monitor employees and reward certain employees for their health-related behavior.[10] Moreover, health data collected via wearables is not covered by the same laws that protect health information collected by health care providers. Users may lack control and recourse over their health data, and they may be uninformed about how it is used, who has access to it, and with what consequences. Thus, governments must regulate the collection and use of such health data.

On the other hand, health tracking apps can benefit individual and public health by improving self-awareness, motivation, behavior change, disease prevention, diagnosis, treatment, and research. Health tracking apps can also help users monitor their health conditions, access personalized feedback and guidance, and share their data with trusted parties. The widespread use of such devices indicates that users benefit from them. Moreover, there are also public health benefits from using aggregated health data collected via the trackers, which can be used, for example, to monitor population health trends and for other research purposes. The policy problem is how to balance the benefits of health-related apps and trackers for individual and public health with the risks of privacy violations and harms.

Privacy problems can be categorized broadly into two categories: the “civilian to civilian” problem and the “government to civilian” problem.[11] In this article, we primarily address the “civilian to civilian” problem, that is, private organizations collecting the health data of consumers. More pertinently for our analysis, the GDPR excludes many “government to civilian” issues by carving out exemptions in GDPR Article 2(2).[12] Moreover, the EU treats privacy as a constitutional right, and the focus of its privacy legislation is data protection, not consumer protection.

The Problem Significance over time

In this section, I will analyze how private companies might be self-regulating and whether market mechanisms are sufficient to safeguard people’s privacy. I am also going to explore why the policy problems might get worse if they are not dealt with.

What are private companies doing by themselves, and why?

In order to avoid government regulation and public scrutiny, private companies often ‘self-regulate’ by having their own product privacy policies. In the aftermath of Google acquiring Fitbit, as many users of Fitbit’s wearables were concerned, a press release stated: “Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why.”[13] However, even if companies are careful with handling sensitive consumer data, users do not have sufficient control over, or recourse against, deviations from publicized privacy policies. Moreover, for each firm, brand and competition incentives dictate what stance it takes on privacy. As mentioned in the introduction, Apple has branded itself as the privacy-first company. This is mainly because, for Apple, the bulk of its revenue comes from its brand and hardware devices like the iPhone. Ad revenues or selling data to third parties are not a major driver of its revenue. On the other hand, Google and Meta rely more on ad revenue, and they have their own ad platforms that enable advertisers to collect and combine data from multiple sources to target specific ads and profile consumers. These are examples of how the competition dynamic can dictate how these companies self-regulate.

The market cannot sufficiently solve the problem of balancing the privacy risks and benefits of health data, for several reasons.[14] There is a market for consumer data, where information is non-rivalrous, which means data can be used by multiple parties and is infinitely reusable. Hence, collecting data yields value to the original collector for the original purpose and additional value for uses yet to be determined. This is where concentration and aggregation of data from multiple sources, as is the case for Google and Apple, can be dangerous, as they can create extremely accurate profiles of consumers and use them to their advantage, which may not be beneficial for consumers. For instance, targeted political ads can influence and manipulate public opinion based on false or misleading information, as demonstrated by the Cambridge Analytica scandal.[15] Moreover, these companies often collect and store large amounts of data without a clear purpose or consent but find new ways to exploit them in the future. Additionally, users have imperfect information about the value of their personal information and have inconsistent preferences over time about how much they value sensitive information.

In her influential book “The Age of Surveillance Capitalism”, Shoshana Zuboff (2019) argues that relying on private companies to self-regulate, or on governments recommending ‘best practices’, won’t be sufficient to safeguard people’s privacy. The term ‘big data’ can be misleading because the data utilized by these companies, as Zuboff argues, might not always be ‘big’. However, it is their aggregation and analysis that matters. As Zuboff (2019) observes, ‘big data’ consists of collecting small data from individuals’ actions and expressions in their everyday life. Nothing is too insignificant or transient for this harvesting: every click, like, search, email, text, photo, location, network, purchase, movement, and more. These data are captured, abstracted, aggregated, analysed, sold, and resold. It is irrelevant to distinguish between big data analytics and other forms of data processing. As technologies and algorithms become more embedded in our lives, big data analytics becomes the norm, a part of ‘business as usual’. Following similar logic, the data collected via fitness trackers, such as how many steps someone takes in a day, may seem ‘small’ and harmless by itself. But companies can use this data, along with other aggregated data, for their own commercial benefit.

Unlike the EU, the US has so far taken a more market-driven approach to regulating health data. Fitness apps and trackers are not subject to HIPAA, and companies are expected to self-regulate by following guidelines suggested by the Federal Trade Commission (FTC) and other government agencies. For example, in 2016 the FTC issued a list of best practices for developers of mobile health applications aimed at increasing transparency, privacy, and security.[16] Among these suggestions, developers are encouraged to “make sure your app doesn’t access consumer information it doesn’t need,” “let consumers select particular contacts, rather than having your app request access to all user contacts through the standard API,” and let users “choose privacy-protective default settings.” These guidelines are well-meaning, but as Zuboff (2019) points out,

“The agencies’ well-meaning guidelines overlook the inconvenient truth that transparency and privacy represent friction for surveillance capitalists in much the same way that improving working conditions, rejecting child labor, or shortening the working day represented friction for the early industrial capitalists. It took targeted laws to change working conditions back then, not suggestions. Then as now, the problems to which these pleas for self-restraint are addressed cannot be understood as excesses, mistakes, oversights, or lapses of judgment. They are necessitated by the reigning logic of accumulation and its relentless economic imperatives.”[17]

Hence, given the increasing use of wearables and the increasing power of technologies to harvest and utilize health data, self-regulation by businesses is not sufficient, and government intervention is necessary. Otherwise, the policy problem can get much worse.

Causal Theory: How GDPR Regulates Health Data

Overview of GDPR

The General Data Protection Regulation, or GDPR, is the centerpiece of the EU’s approach to data privacy regulation. It contains 173 Recitals and 99 Articles. It takes a risk-based approach to data protection and mandates ex-ante data protection impact assessments (DPIAs) for data controllers who deal with sensitive data.[18] In a nutshell, the GDPR covers all issues related to the collection and processing of all EU citizens’ data. The EU’s journey to the GDPR started in 2012 with the goal of improving the uniformity of privacy regulation across the EU. In 2016, the GDPR was passed by the EU Parliament, with implementation starting in 2018. This impressive feat of passing a first-of-its-kind comprehensive data privacy framework for all EU member states was possible due to several structural reasons, such as the technical competence of the EU Commission, the political economy of a weaker IT industry in the EU, which did not lobby against the regulation since it targets non-EU companies like Google and Facebook, and arguably the policy leadership of the European Commission’s current vice president Margrethe Vestager.[19]

GDPR defining ‘health data’

The GDPR considers ‘data concerning health’ (interchangeably referred to in this essay as health data) a special category of data that merits enhanced protection. Hence, how it defines health data is important. According to the GDPR, ‘data concerning health’ refers to “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.[20] Recital 35 further states: “personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.” This definition is broad in what it covers, and although it does not explicitly mention health data collected by trackers, arguably it covers such data as well, given that such data can reveal information about the user’s health. However, the GDPR’s definition has several problems. Firstly, it appears tautological because it is not clear how one can distinguish between personal data that does or does not relate to “physical or mental health”, or what is covered by a person’s “health status”. Moreover, what kind of personal data can be considered ‘health data’ can be context dependent: a datum such as how many steps someone takes in a day might not be ‘health data’ by itself, but aggregated with other kinds of data (such as lifestyle habits) and analyzed by algorithms, it might reveal the health status of a person. Privacy scholars often cite the case of Target sending ads for pregnancy products to a teenage girl, based on her buying certain items such as lotions and vitamin supplements, before her family was aware of her pregnancy.[21]

Overall, the definitional ambiguities around what can be considered ‘health data’ under the GDPR can have wide-ranging implications, given that ‘data concerning health’ has special protections. It can be argued that the definition is deliberately broad and ambiguous so that EU regulators can treat each case of health data based on its context. But it also creates regulatory uncertainty that can be negative for businesses.

Enhanced Protection of Health Data under GDPR

Article 9 of the GDPR categorizes health data as a ‘special category of personal data’ that has increased levels of protection.[22] Unlike more traditional health privacy laws, Article 9(1) of the GDPR prohibits the processing of all data concerning health, and then carves out several exceptions to this prohibition. The GDPR considers the processing of health data (like other sensitive data) as something that might pose a ‘risk’ to the rights and freedoms of natural persons.[23] For instance, the GDPR recognises that health data processed ‘on a large scale’ can pose a significant risk to data subjects and obliges controllers to carry out a DPIA in this context.[24]

The GDPR restricts automated decision-making and profiling based on health data, unless the data subject consents or there is a substantial public interest and safeguards for the data subject’s rights and interests.[25] The GDPR also gives data subjects the right to object to fully automated decisions that analyse or predict their health.[26] Controllers processing health data have additional obligations: they must maintain records of processing activities regardless of the size of the organisation;[27] they must appoint a Data Protection Officer (DPO) if their core activities involve processing health data on a large scale;[28] and controllers and processors outside the EU must designate a representative in the EU in writing if they process health data on a large scale.[29] These provisions establish mechanisms to safeguard users from misuse of their health data, especially given new technologies such as AI, and require additional scrutiny and reporting from data controllers and processors who hold large amounts of health data.

The GDPR explicitly recognizes the data subject’s rights of information and access regarding their health data. These rights entail that data subjects can access their health data, such as the data in their medical records, which includes diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.[30] This arguably also gives users of wearables the right to access and download their health data from service providers, and possibly to port it elsewhere if they so choose.

Exceptions to Special Protections for Health Data under GDPR

The GDPR carves out several exceptions to the prohibition on processing health data. These exceptions aim to ensure that users and public health can still realize the benefits of health data, balancing the privacy risks against the potential benefits of processing it. Firstly, health data can be processed if the data subjects have given their “explicit consent”.[31] The GDPR significantly raised the procedural requirements for obtaining ‘explicit consent’ from data subjects for the processing of personal data in general, and the bar is even higher for special categories of data such as health data.

Secondly, health data can also be processed if it has been “manifestly made public by the data subject”.[32] However, this creates policy ambiguity in the context of data collected by trackers or fitness apps, as these apps often allow users to share their data with friends on community platforms or social media. It is unclear whether such sharing counts as ‘public’ sharing, but arguably controllers would still need to obtain explicit consent for further sharing or use of such health data and cannot rely on this exception.

Thirdly, health data can also be processed for reasons of “substantial public interest”.[33] The GDPR emphasizes “substantial” here, as merely having some ‘public interest’ is not sufficient for the exception. As an example of “substantial public interest”, processing health data to monitor epidemics and their spread, such as the COVID-19 pandemic, would be considered appropriate. However, this also creates policy ambiguity because what constitutes ‘substantial public interest’ is not defined in the GDPR. It does explicitly warn against health data processed for reasons of public interest also being processed for other purposes by third parties such as employers or insurance companies, which provides some protection.[34]

Finally, the GDPR allows processing of health data for “scientific research purposes”.[35] This includes privately funded fundamental research and public health research conducted in the public interest.[36] This exception allows researchers to use data collected via fitness trackers or apps to conduct scientific research in the public interest. However, there may be cases where it is ambiguous whether a study is conducted in the public interest or for commercial interest.

Does GDPR Successfully Balance the Risks and Benefits to Provide Superior Outcomes?

It is evident from the GDPR’s provisions and exceptions that it aims to balance the risks to data privacy against the interests of public health when regulating health data. I argue that the GDPR successfully achieves this balance for several reasons, discussed below.

Firstly, the GDPR takes a clear position on the question of “for the benefit of whom” it is regulating health data when it balances the interests of data privacy and public health.[37] It states that “special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole”.[38] This explicit purpose statement is critical when interpreting all relevant exceptions and regulations of health data: where a regulation is ambiguous, a strict test of whether its application is necessary for the benefit of “natural persons and society as a whole” can be applied.

Secondly, the GDPR acknowledges that the protections on health data must be context driven. The balance between data privacy and public health interests is weighted differently based on the situation: in cases where epidemics need to be monitored and controlled — such as the current COVID-19 pandemic — public health interests override data privacy. Under normal processing conditions, data privacy interests are more important and the GDPR grants more protection to ‘health data’ than to other sensitive data. Hence, the GDPR provides flexibility in balancing the different interests involved, based on the context. As Lobel (2022) argues, this flexibility is important because privacy is just one of our democratic society’s many values, and prohibiting safe and equitable data collection can conflict with other equally valuable social goals, such as public health interests.

Thirdly, the GDPR goes beyond the traditional ‘consent principle’, under which obtaining consent from the data subject whose personal information is collected, used or disclosed is sufficient to process their data for whatever purpose the company sees fit. Not only is “explicit consent” required, but the GDPR also imposes significant procedural requirements on data controllers for the processing of all personal data, and the requirements are even higher for health data, including the data collected via fitness trackers. The GDPR even allows EU member states, in certain instances, to remove the consent exception altogether.[39]

Finally, the GDPR also explicitly regulates algorithmic processing of health data without explicit consent from the data subjects. Zuboff (2019) warned that the aggregation of personal data and its algorithmic processing by new technologies can turn seemingly innocuous personal data into sensitive health data. Hence, governments need to create safeguards for all kinds of personal data that can be aggregated and mined for commercial purposes. The GDPR succeeds in creating safeguards against such algorithmic processing of health data.

Despite these arguments, one critique of the GDPR’s health data regulation is the binary nature of its data categorization.[40] If the data is considered “sensitive”, then it enjoys enhanced protection. Similarly, it also takes a black/white approach to categorizing data as “personal” or not. Such binary distinctions are hard to sustain in the big data analytics environment. Another relevant but unintended outcome of the GDPR’s enhanced protections for health data is the increased cost for businesses, which has secondary implications. Yuan and Li (2019) examined the policy influence of the GDPR on the financial performance of hospitals across the EU and found that the hospitals had to make costly adjustments to meet the requirements of personal health data protection introduced by this new regulation, and thus inevitably suffered a policy shock to their financial performance in the short term. While this impact is different for companies such as Google and Apple, a higher regulatory burden also results in higher compliance costs for these companies.[41] According to a survey by IAAP, businesses spent $1.3 million on average to meet compliance requirements and are expected to put in an additional $1.8 million.[42] As Sobers (2020) argues, most businesses were overall unprepared, and very few companies felt confident about their compliance with the GDPR, due to the significant investment in resources required to comply with the stricter rules. However, one unintended consequence of the GDPR has also been increased market concentration in favor of existing giants such as Google and Apple. This is because large companies like Google have the capital and capacity to invest in upgrading their compliance measures (and this requires continuous investment, since the measures must be continually updated to meet new regulatory requirements), which smaller firms do not. Another paradox is that very few people in the EU, approximately only 12.5%, seem to opt out of personalization or optional cookies that collect data on users (Cowhey, 2023).

Despite these unintended consequences, overall the GDPR provides superior policy outcomes compared to the status quo when it comes to protecting sensitive health data and balancing the interests of users against public health interests.

Conclusion

In conclusion, while the GDPR is not without its challenges, it offers a forward-looking model for protecting health data in a rapidly evolving digital landscape. Its emphasis on explicit consent, along with stringent procedural requirements for data controllers, sets a high standard for privacy protection. This analysis underscores the importance of continually reassessing our approach to health data privacy to ensure it keeps pace with technological advances and the evolving needs of society.

Citations

Christovich, Michelle M. “Why should we care what Fitbit shares-a proposed statutory solution to protect sensitive personal fitness information.” Hastings Comm. & Ent. LJ 38 (2016).

Confessore, Nicholas. “Cambridge Analytica and Facebook: The scandal and the fallout so far.” The New York Times 4 (2018): 2018.

Cowhey, Peter F. “Lecture 8: Privacy — comparing approaches to privacy protection.” Digital Policy course — UCSD GPS. (2023)

European Union. “General data protection regulation (GDPR).” Intersoft Consulting, Accessed in October 24, no. 1 (2018).

Hill, Kashmir. “How target figured out a teen girl was pregnant before her father did.” Forbes, Inc 7 (2012): 4–1.

Lobel, Orly. The equality machine: harnessing digital technology for a brighter, more inclusive future. Hachette UK, 2022.

Sobers, Rob. “A year in the life of the GDPR: must-know stats and takeaways.” (2020).

Troiano, Alexandra. “Wearables and personal health data: putting a premium on your privacy.” Brooklyn Law Review 82, no. 4 (2017): 6.

Tzanou, Maria, ed. Health data privacy under the GDPR: Big data challenges and regulatory responses. Routledge, 2020.

Zuboff, Shoshana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. United States: PublicAffairs, 2019.

Yuan, Bocong, and Jiannan Li. 2019. “The Policy Effect of the General Data Protection Regulation (GDPR) on the Digital Public Health Sector in the European Union: An Empirical Investigation.” International Journal of Environmental Research and Public Health 16 (6): 1070.

Footnotes:

[6] I borrow this definition in large part from the “Proposed Consumer Privacy Framework for Health Data” (2021) by the Center of Democracy and Technology. The report can be accessed here.

[7] See Market Data Forecast (March 2023) here.

[8] See Statista (2023) here.

[9] See Troiano (2017, pg. 1718).

[10] See Christovich (2016, pg. 102–104).

[11] See the slide deck by Professor Cowhey (2023). Lecture 8: Privacy — comparing approaches to privacy protection.

[12] See the legal text of GDPR here.

[13] Wired Magazine (2019). What is Google going to do with your Fitbit data? Anything it likes. Read here.

[14] The arguments here are based on Cowhey (2023) slide deck.

[15] Confessore (2018).

[16] See the FTC best practices here.

[17] Read the text of this chapter here.

[18] Article 34–35 of GDPR.

[19] Cowhey (2023).

[20] Article 4(15) of GDPR.

[21] Hill (2012).

[22] This section widely cites and is based on the analysis of EU privacy law expert, Professor Maria Tzanou.

[23] Recital 75 of GDPR.

[24] Article 35(3b) of GDPR.

[25] Article 4(4) of GDPR.

[26] Article 35(3b) of GDPR.

[27] Article 30(5) of GDPR.

[28] Article 37(1) of GDPR.

[29] Article 27(2) of GDPR.

[30] Recital 63 of GDPR.

[31] Article 9(2a) of GDPR.

[32] Article 9(2e) of GDPR.

[33] Article 9(2g) of GDPR.

[34] Recital 54 of GDPR.

[35] Recital 159 of GDPR.

[36] Ibid.

[37] Tzanou (2020, pg. 14).

[38] Recital 53 of GDPR (emphasis added).

[39] Article 9(2a) of GDPR.

[40] Tzanou (2020, pg. 14).

[41] The GDPR’s impact on businesses is summarized here by Varonis.

[42] Ibid.
