Nathalie Moreno, partner at Lewis Silkin, discusses the disruption and monetisation of healthcare data by big tech
This is an edited version of an article first published by Information-Age
Healthcare data has become big tech’s last frontier for innovation, competition and disruption. However, recent strategic moves into the healthcare industry have not come without concerns from both a competition and privacy law perspective in the eyes of the regulators, healthcare professionals and patients alike.
Clearly, data-driven technologies can provide unprecedented opportunities to offer critical benefits to patients, the healthcare industry and society in general. The prospect of innovative new healthcare services, assisted by data analytics, legitimises big tech and its contributions to improving individual care, national health services and public health. Not only does it advance medical research, and capacity for innovation, but it could also be credited with lowering the cost of healthcare across the board.
In the European Union, safeguarding rules governing the secondary use of patient data have been bolstered by the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. However, the lack of clarity, weak guidance and enforcement from the regulators in sector areas like edtech may also hinder health data privacy.
The question is, what is the price to pay for reaping the real health benefits when big tech is given the key to access massive troves of patient data collected by the NHS in the UK or by large healthcare networks and other players, in the United States or elsewhere?
Conflict is flourishing
There are a number of cases flourishing on both sides of the Atlantic demonstrating the discrepancies of the privacy regulations applying to healthcare data and the need for consistency and clarity in the context of new trading relationships – for instance, between the United Kingdom and the United States after Brexit.
In spite of the GDPR being fully in force, big tech advertisers like Google, Amazon, Facebook and Oracle were found, by the end of 2019, to have been dropping cookies and collecting clearly sensitive data from the website users of a number of popular health websites in the UK, allowing them to be tracked, and serving them targeted ads without their explicit consent.
Understandably, in this context, the flurry of acquisitions, and push of big tech into the healthcare sector, have raised serious privacy concerns and highlighted the dilemma that exists between privacy risks on the one hand, and health benefits and innovation on the other.
Amazon has made a couple of digital health acquisitions – first in 2018, with the purchase of online pharmacy PillPack, followed by another one in 2019, Health Navigator, a start-up that provides online symptom checking and triage tools to help companies direct patients to the right facilities. Such moves into the sector might not have raised alarms until the Department of Health and Social Care in the UK disclosed in July 2019 that it had entered into a Master Content License Agreement with Amazon to make verified NHS health data available through its AI-powered voice assistant, Alexa.
Lack of transparency
At the heart of the concerns lie the lack of transparency around the use of NHS patient data in the data-sharing terms, and the lack of disclosure of the commercial terms under which Amazon is effectively able to use NHS data free of charge.
Equally representative of the tension between the protection of patient data and the benefits of big data, the acquisitions by Google of DeepMind, finalised in September 2019, and of Fitbit, announced in November 2019 – and still awaiting a green light from the Department of Justice – shed light on the emblematic impact of big tech entering the new healthcare data market.
The takeover of DeepMind by Google Health UK remains controversial on two accounts. Firstly, the UK Information Commissioner (ICO) pinned the Royal Free NHS Foundation Trust in 2017 for failing to establish a proper legal basis when sharing the personal data of around 1.6 million patients with DeepMind as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
Further concerns were raised in relation to DeepMind’s takeover by Google which may, potentially, gain free access to patient data through inherited partnership agreements entered into with a number of NHS trusts. As a result, the NHS Trust, keen to ensure full compliance with UK data protection laws, entered into carefully crafted partnership agreements with Google Health UK where they remain the data controller of patient data at all times and GDPR-compliant data processing clauses were incorporated.
Google Health UK also sought to re-establish public trust by providing assurances that Google would commit to not linking, or associating, patient data with Google accounts, products or services at any stage. Indeed, from a data protection law point of view, DeepMind acts only as the trusts’ data processor, yet it somewhat contradicts the findings of ICO guidance, published in March 2017, on big data, artificial intelligence (AI), machine learning and data protection.
Clearly, the use of patient data and the emerging models of commercialising innovation raise specific questions: who owns the data, who gets access to it and, now, who gets to share the benefits when the data gets monetised?
The key, as ever, is that these innovative tech companies proceed with their healthcare plans in full accordance with data protection rules and with an appreciation of the sensitivity of patient data.