Connected objects, including health related objects, are part of a network of physical objects that collect and exchange data about our habits, from consumer behavior to lifestyle choices. No matter the field, connected objects give rise to privacy issues. Nathalie Devillier is a professor and researcher at Grenoble Ecole de Management. She shares with us her expertise on the legal issues surrounding e-health and telemedicine.
Check the "I agree" box and open Pandora's box?
"By clicking on the 'I agree' button, we agree to terms and conditions concerning the use of our personal data. This can include the unauthorized transfer of our data to third parties. And for the moment, we do not have the power to fight this risk." explains Nathalie Devillier. Although the practice of transferring such data to business partners is illegal, many companies may use their terms and conditions to enact such transfers anyway because it is hard to bring action against them.
Regulating the transfer of sensitive data
The first challenge of IoT is therefore to develop the ability to control how personal data is collected and used. In particular, this can be of concern to e-health and telemedicine operators who are responsible for managing personal data related to healthcare.
While many users have jumped on the Quantified Self bandwagon (self-monitoring of personal data also known as lifelogging), it is crucial that companies implement sufficient legal protection to control risks associated with personal data being transferred to unauthorized parties (employers, insurance companies, etc.). As a result, before launching a new application, it is essential to carry out an analysis of impact on private life.
The Internet of Objects (IoT) refers to a network of objects embedded with sensors, electronics, network connectivity and software designed to record, compile, store and exchange data. As with all operating systems, these objects are vulnerable to data leakage. Whether it is due to accidental data loss or illegal hacking, personal data is vulnerable when traveling across networks. In addition, users are not necessarily aware of the path being taken by their personal data.
Users at the heart of the European regulatory framework
In 2016, a stronger legal framework was approved in Europe. The general regulatory framework for personal data outlines the fact that any and all health-related data must be protected. "This framework includes an obligation for companies to report security risks in their data collection and establishes a shared responsibility between final clients and the subcontractors who stock and manage data." explains Nathalie Devillier. The framework finally suggests key concepts such as "user autonomy" and "informational self-determination" which brings Europe closer to regulatory guidelines followed abroad.
"Companies who allow their users to control their personal data and who ask for their informed consent can turn such responsible practices into a strong point that is a unique competitive advantage." concludes Nathalie Devillier.