The overview of interesting Data & IT Law articles and news in April 2015!
“Health data” interpreted by the Article 29 Working Party
The Article 29 Working Party published a letter to European Commission. In the letter, it had described key terms in relation to lifestyle and wellbeing apps.
The Article 8 of EU Data Protection Directive qualifies health data as sensitive, however, it does not clearly define the meaning of “health data”. The Working Party would include these types of data: “medical data generated in a professional medical context, data regarding a wide range of information about an individual, such as their drinking habits, intellectual and emotional capacity (IQ), Data about the sale or supply of a product or service from which a person’s health status could reasonably beinferred, discrete points of information when elaborated upon (for example, through collection over time), analysed, or combined with additional sources of information.”
The Working Party had also added that “grey areas tended to arise where it is not obvious at first sight whether or not the processing of these data should qualify as the processing of health data.”
The Court of Justice of European Union about biometric data
The Court of Justice (the Court) had addresses the issues of biometric data. It was asked to interpret the data protection rules applicable to the further use of biometric data after it was collected for the purposes of passports.
The Court ruled that “the passport Regulation only governed the use of data for the purposes of that Regulation. Any further use of that data, as specified in the preamble, was regulated by national law.” Pursuant to this conclusion, neither “EU Charter (of Fundamental Rights) did not apply either, although such further use of data might be restricted by national law or the ECHR.”
For more information, follow this interesting article.
Biobanks and its legal regulation
The article includes an interview with Professor Jens Kersten about the legal regulation of biobanks. Biobanks are repositories of personal medical data and biological material, such as DNA, blood and tissue samples, collected for research purposes.
In an interview, he argues that “there is a great deal of uncertainty among researchers regarding the legal limits to the use of this material. (…) it is extremely difficult even to work out what statutory provisions are relevant in this area. The legal position is tremendously confusing.” Therefore, he decided to prepare a framework for such regulation.
He also addressed the issue of current practices. “In principle, consent should be sought every time the data is to be employed for a specific purpose. This presents problems for biobanks and for research projects, because one cannot anticipate what follow-up investigations may be required. That in turn raises the question of whether anyone can demand – or grant – global or blanket consent.”
Misuse of private information of an individual by Google – case from UK
The UK Court of Appeal dealt with the case about the misuse of private information by Google.
The claimants were users of a web browser. They argued that “Google had caused them distress and anxiety by enabling advertisers (through the installation of third party cookies) to send them targeted adverts (some of which related to sensitive personal data) which might have been viewed by third parties who had used or seen their Apple devices.”
Cookies had tracked online behaviour and stored private information (Browser Generated Information). Google allows advertisers to use BGI to send targeted advertising. The Court of Appeal had finally “confirmed that there is a tort of misuse of private information.”
The significance of the judgment is in the fact that it “potentially paves the way for compensation claims from individuals under the DPA in relation to data collected by third party cookies.”
Is Latin America a safe area to move data?
The article deals with legal and risk issues associated with moving business into Latin America, in relation to data protection law. It examines which data protection regime governs the business, localized in Latin American country, but targeting customers in other country.
One of the solutions the article provides is an example of India. “(T)he Indian authorities came out and said the notice and consent duties only apply if you’re dealing with Indian consumers.”
On the other hand, the authors describe a confusing situation for these countries: “(Y)ou might want it to be more relaxed to attract business from the United States, but if you were trying to attract business from Europe you might want it to be stricter.”
The authors concluded that “the way India ultimately resolved its problem was a reasonably good way to go.”