What will Google’s healthcare expansion mean for UK data protection?

Google's rapid expansion into healthcare is raising fears that NHS data could be headed to Silicon Valley under a Conservative government that is increasingly willing to partner with major technology firms.

In just over a year, Google has launched a new Google Health subsidiary, which also absorbed the health unit of DeepMind – the UK-based artificial intelligence lab it acquired in 2014 – and splashed out £1.6 billion on wearable firm Fitbit, giving the search giant access to its trove of data collected from 28 million active users.

These moves have left Google with a burgeoning healthcare business – and the NHS' vast database of medical information would be an invaluable addition to the portfolio.

The potential inclusion of the NHS in a trade deal between the UK and USA after Brexit has added to concerns that patient data could be hoovered up by American businesses. Last November, leaked documents revealed that "obtaining commitments on the free flow of data is a top priority" for the US negotiating team.

The next month, trade economist Alan Winters warned the deal could give companies unrestricted access to the UK's 55 million health records – which the accountancy firm EY estimates could be worth £10 billion a year.

Natalie Moreno, a commercial technology lawyer and data protection specialist at law firm Lewis Silkin, has called for Google to clarify its plans by publishing a framework for its use of NHS data.

"I think this is something which should be made public," she told Techworld. "There is no reason for people not to know what is being shared and for which purpose. We're not asking for information on the commercials, we're asking only what is the use of people's data."

Data dangers

Google has already signed deals with five NHS trusts to transfer their data processing agreements with DeepMind over to its parent company, whose history is littered with accusations of privacy violations, from scanning the contents of Gmail messages, to applying location tracking – even after users turn it off. In 2009, then-CEO Eric Schmidt pronounced: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

The company has shifted its stance on data protection in the decade since then, but recent evidence suggests the private practices don't yet match the public pronouncements.

In the last year alone, Google has been fined $170 million for collecting children's personal data through YouTube, £44 million for providing insufficient information on its data use policies to French regulators, and another $13 million for sending its Street View cars to snatch private emails and passwords from unsecured domestic WiFi networks.

During those twelve months, it has also been accused of installing hidden microphones in its smart home devices, hiring contractors to listen to Google Assistant recordings, and stealing Sonos speaker technology to "vacuum up invaluable consumer data from users". Last November, Amnesty International described Google and Facebook's surveillance-based business model as an "assault on privacy."

That Amnesty International report cites the increasing concentration of power into the hands of Google as a key driver of the erosion of privacy online.

The integrations of DeepMind and Fitbit into Google will only add to this dominance, and the two new additions have already had privacy issues of their own.

Where DeepMind and Fitbit come in

DeepMind has been accused of breaking a promise to never connect the health data it collects through its Streams app with its parent company. This occurred after the Information Commissioner's Office ruled that the Royal Free Hospital had failed to comply with the Data Protection Act when it handed over personal data of 1.6 million patients to DeepMind.

Fitbit has largely avoided such headline-grabbing stories, but the company's former head of security Marc Bown has admitted that online criminals had tried to hack into Fitbit customers' accounts on multiple occasions.

Google claimed at the time of the acquisition that Fitbit's health and wellness data will not be used for advertising – but it could be using the information for other purposes. Google could also use the other data Fitbit collects, such as user location and device information.

A spokesperson for Google Health sent Techworld a statement saying that the company was committed to following all data protection legislation, as well as the instructions of each of its NHS partners.

"Our NHS partners are the data controllers of the NHS patient data they provide to us and, as a data processor, we can only process patient data in line with their instructions," the representative said. "Each of our NHS partnerships operate under strict rules which cover the processing of data, including who can access data and how data can be used. Our work is governed by data protection legislation and information governance standards. We will never use NHS data outside of these rules."

Moreno expects Google to ensure the integrity of the Fitbit brand by protecting the personal information of its users, but suggested that it could still gain tremendous value by anonymising that data – which would circumvent the confines of GDPR. She speculates that an analysis of this information could be used to improve existing products and services and to develop new ones, as well as for advertising purposes.

Her call for Google to publish an NHS data framework could ultimately help the company achieve these aims by allaying privacy concerns.

"To me, it's a type of public-private partnership, and that requires high transparency. It's not a criticism," she said. "It would help the platforms with not being a target of accusations – if there's no base for them."

This story, "What will Google’s healthcare expansion mean for UK data protection?" was originally published by Techworld.com.


Copyright © 2020 IDG Communications, Inc.

  