When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law

Sarita Lindstad, Kaspar Rosager Ludvigsen

Research output: Contribution to journalArticlepeer-review

2 Citations (Scopus)
27 Downloads (Pure)

Abstract

Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but forces lawmakers and practitioners to balance between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data, and these implants face many data management challenges. It is essential that healthcare providers and others can identify and understand the legal grounds they rely on to process data. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data. We find that only a cumulative application of the GDPR and the ePrivacy rules ensure adequate protection of this data and present the legal grounds for processing in these cases. We discuss the challenges in obtaining and maintaining valid consent and necessity as a legal ground for processing and offer use case-specific discussions of the role of consent long-term and the lack of an adequate ‘vital interest’ exception in the ePrivacy rules.
Original languageEnglish
Article numberfwac038
Pages (from-to)317-339
Number of pages23
JournalMedical Law Review
Volume31
Issue number3
Early online date25 Oct 2022
DOIs
Publication statusPublished - 25 Aug 2023

Keywords

  • e-privacy
  • GDPR
  • healthcare
  • ICTIMD
  • privacy
  • processing

Fingerprint

Dive into the research topics of 'When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law'. Together they form a unique fingerprint.

Cite this