When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law

Lindstad, Sarita and Ludvigsen, Kaspar Rosager (2023) When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law. Medical Law Review, 31 (3). pp. 317-339. fwac038. ISSN 0967-0742 (https://doi.org/10.1093/medlaw/fwac038)

[thumbnail of Lindstad-Ludvigsen-MLR-2022-When-is-the-processing-of-data-from-medical-implants]
Preview
 Text. Filename: Lindstad_Ludvigsen_MLR_2022_When_is_the_processing_of_data_from_medical_implants.pdf
Final Published Version
License: Creative Commons Attribution 4.0 logo
Download (476kB)| Preview

Abstract

Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but forces lawmakers and practitioners to balance between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data, and these implants face many data management challenges. It is essential that healthcare providers and others can identify and understand the legal grounds they rely on to process data. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data. We find that only a cumulative application of the GDPR and the ePrivacy rules ensure adequate protection of this data and present the legal grounds for processing in these cases. We discuss the challenges in obtaining and maintaining valid consent and necessity as a legal ground for processing and offer use case-specific discussions of the role of consent long-term and the lack of an adequate ‘vital interest’ exception in the ePrivacy rules.

ORCID iDs

Lindstad, Sarita and Ludvigsen, Kaspar Rosager ORCID logoORCID: https://orcid.org/0000-0001-7243-2548;
  • Item type:Article
    ID code:82941
    Dates:
    Date
    Event
    25 August 2023
    Published
    25 October 2022
    Published Online
    25 October 2022
    Accepted
    Subjects:Law
    Department:Faculty of Science > Computer and Information Sciences
    Depositing user: Pure Administrator
    Date deposited:26 Oct 2022 13:53
    Last modified:11 Nov 2024 13:40
    URI:https://strathprints.strath.ac.uk/id/eprint/82941
CORE (COnnecting REpositories)