Malaphor: Digital Health Law in Canada

health + tech in law = mixing chalk + cheese

UN Special Rapporteur makes health-data protection recommendations

In 2015, the Human Rights Council of the United Nations appointed its first Special Rapporteur on the right to privacy, Professor Joseph Cannataci. Under his mandate, Prof. Cannataci produced this Recommendation for health-data protection (the “Recommendation”), along with an Explanatory Memorandum (the “Memo”). (See also this page for other related documents.)

A lot of health-data protection topics

The 40-ish page Recommendation contains a series of principles for creating laws to protect privacy. And if you are looking to see the broad swathe of topics relevant to health data, read the Recommendation and Memo.

Given the scope of these documents, I expect many stakeholders contributed. For example, some of the recommendations are for “hot topic” issues, including AI (Chapter XVII). Other recommendations relate to protecting the rights of particular groups, such as indigenous peoples (Chapter XI).

Right to privacy as a human right

Aside from the content of the documents, I found the fact of their existence interesting for two overlapping reasons. The overlap has to do with the notion that we are approaching things from a human rights perspective. As per Article 12 of the UDHR, the right to privacy, in and of itself, is a fundamental human right.

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

– Article 12, Universal Declaration of Human Rights

The first reason I found the Recommendation interesting is that it purports to provide a “baseline” for privacy protection for health-data (provision 1). However, several parts of it have very similar wording to Europe’s General Data Protection Regulation.

Compare, for example, clause 17.1a of the Recommendation vs para. 1(a) of Article 49 of the GDPR, and 17.1d of the Recommendation vs para. 2. Both these provisions relate to exceptions to the prohibition of cross-border data flows when other safeguard criteria are not met. I agree that cross-border data flows need to be regulated. But given that the GDPR is often considered the “gold standard” of privacy laws, are these recommendations really “baseline”? What about the other provisions in the Recommendation that seem to have been taken from the GDPR?

I think that for privacy, the extent to which it is a human right is a tricky question. Societies and cultures around the world may disagree on what are “human-rights-violating” privacy incursions. I would have liked to have seen more detailed reasons for the recommendations, especially in these more “technical” areas.

Privacy’s “impressive international career”

My second point of interest was the focus on health data. I do understand the motivation and the worldwide need to investigate this topic. As stated in the Memo, “[t]he protection of health-related data is important due to the sensitivity of that information, and also the fact that every individual will at some point have contact with the health system to generate such data.” The Memo also notes the increasing digitization around the globe.

However, the UN General Assembly adopted the UDHR way back in 1948. Article 12 doesn’t specifically mention health-data, but would the protection of health data line up with the conceptual basis for the right?

Two professors at the University of Zurich have sought to clarify the conceptual basis of the right to privacy. One reason stated for their inquiry was that the right to privacy made “an impressive international career in the second half of the twentieth century[…]” and that in our digital age, the integral right of privacy became a key right.

To answer the question, the researchers reviewed the drafting history of the UDHR and other related documents created around the same time. Surprisingly, they concluded that it seemed that “there was no conscious decision to create an integral guarantee.” They also concluded that the drafting history seems to support the notion that “privacy is inextricably linked to more than one idea.”

In conclusion, I don’t think it’s odd to think of the right to privacy as a fundamental human right. However, I think there are many questions on how to apply that general notion to a specific situation such as for health-data protection. It will be interesting to see to what extent countries will adopt the provisions in the Recommendation.