mHealth, Big Data and the Law

The film Gattaca (1997) pictured a dystopian future in which predictive data analysis about individual health outcomes, based on genetic predispostions, led to “in-Valids” being treated as second-class citizens.
Things have moved on a good deal since 1997, not just in the field of genetic profiling and prediction. Wearable technology, smart devices and their associated apps and the Internet of Things (IoT) have together revolutionised the nature and extent of data which is available for analysis, and Big Data has supplied the tools and techniques to analyse it.
The IoT no doubt means it is only a matter of time before one’s fridge is sharing photos of cats with the toaster and the washing machine is writing Agents of Shield fanfic.
The potential of everyday objects being able to collect and share sensitive data without our being fully aware of it even extends to children’s toys and, sinisterly, to things that look like toys while being anything but.
Google has recently applied for a patent for a device disguised as a soft toy, such as a floppy bunny or teddy bear, stuffed with electronics, which wakes up when triggered by a key phrase and can link to the internet and control a wide range of other devices.
The patent application itself, US 20150138333, claims the device is for:
An anthropomorphic device, perhaps in the form factor of a doll or toy, may be configured to control one or more media devices. Upon reception or a detection of a social cue, such as movement and/or a spoken word or phrase, the anthropomorphic device may aim its gaze at the source of the social cue. In response to receiving a voice command, the anthropomorphic device may interpret the voice command and map it to a media device command. Then, the anthropomorphic device may transmit the media device command to a media device, instructing the media device to change state.
The accompanying patent diagrams are like something from a 1970s horror movie:

Mattel’s Hello Barbie caused controversy on its launch at the New York Toy fair this year, since the doll uses voice recognition software enabled by a WiFi connection to record, analyse and respond to children’s conversations with it.
Furthermore, wearable technology and apps downloaded to individuals’ smart devices have the potential to harvest a wide range of information about the user’s day-to-day habits, behaviours and preferences. While some of this information is gathered for specifically medical purposes (such as wearable devices which permit improved monitoring of blood-sugar in diabetics), much is a matter of individual choice. Health, wellbeing and fitness apps are booming 1, with users often unaware of precisely how much data those apps are gathering and with whom or for what purposes it is being shared.
Individuals also commit a surprising amount of health information to social media. For instance, there are large numbers of social media sites where sufferers from various conditions offer support to each other and exchange information, such as those where mental health sufferers discuss side-effects of commonly prescribed SSRIs. These sites necessarily involve the participants confiding a good deal of medical information about themselves, albeit in a pseudonymous or anonymised format.
Giovanni Buttarelli, the European Data Protection Supervisor, in an Opinion on Mobile Health released on 21 May 2015, is keen to ensure that the Gattaca vision does not come to pass. His aim is to ensure that the potential of technology to deliver cheaper, more effective and personalised medical treatment to individuals is realised without a disproportionate intrusion into individual privacy and autonomy.
Mobile Health (“mHealth”), the subject of his Opinion, is a new and fast-growing sector which comes out of the convergence of technologies described above. Big Data’s ability to associate disparate data sets with each other produces a vastly more sophisticated picture than any isolated data segment can do.
Furthermore, as Buttarelli points out at paragraph 11of his Opinion:
Pseudonymous data remains personal data as it can be re-identified not only by the controller, but also by third parties through combination with external
information from other sources.
Accordingly, his Opinion calls, among other things:
- For a broader definition of “health” data to be treated as “sensitive personal information” under data protection legislation;
- For organisations handling such data (including apps developers and providers) to be transparent and accountable in their uses of it;
- For the development of “privacy-respectful” tools and practices and the incorporation of “privacy by design” and “privacy by default” in product development in the field;
- For far better user information and autonomy, for example in the ability to set privacy at the device level; and
- For very strict, purpose-based restrictions on data profiling, backed by a robust data protection enforcement environment.
mHealth is here to stay. Which direction it takes is largely in the hands of the legislature. However, anyone concerned in the field in any capacity would be well-advised to consider this Opinion and the body of work it summarises, together with the indications it gives about the likely direction of European Data enforcement in the field of mHealth, and plan accordingly.
-
Paragraph 19 of Buttanelli’s Opinion states “there are 97,000 mHealth apps currently available on multiple platforms, of which 70% target the consumer fitness and welfare and 30% target health professionals” and that it is
“also expected that, by 2017, 3.4 billion people worldwide will own a smartphone and half of them will be using mHealth apps.“ ↩