When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT Implantable Medical Devices for treatment purposes under EU Data Protection law

Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but also forces lawmakers and practitioners to hit new balances between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data. While these implants face many of the typical data management challenges, there are some major distinguishing factors. For efficient protection, it is essential that healthcare providers, patients and others can identify and understand the legal grounds they may rely on to process the data from these devices. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data from these devices. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data adjusted to this specific use case. The paper argues that only a cumulative application of the GDPR and the ePrivacy rules ensures adequate protection of this data and presents the remaining legal grounds for processing in these cases. It covers the particular challenges in obtaining and maintaining valid consent and the discrepancies between the instruments regarding necessity as a legal ground for processing. Finally, it offers use case-specific discussions, i.a. of the role of consent as a legal ground for processing in the future as well as the lack of an adequate ‘vital interest’ exception in the ePrivacy rules.