  • Liu Xiufang, Dang Chao et al: Background and Challenges of Data Compliance in the Era of Digital Healthcare - Healthcare Big Data Compliance Series (I)

    Release Time: 2025-05-16

    In the wave of evolution of the modern healthcare system, 'digitalisation' and 'intelligence' have become the core engine driving the fundamental transformation and continuous upgrading of the healthcare industry, and this development has proved both irreversible and powerful.

    This profound change has penetrated every link and level of medical services. It begins with the electronic health records (EHRs) and hospital information systems (HIS) now commonly established and deeply applied in large tertiary hospitals, which record in great detail every patient's visit, drug allergy history, medication records, laboratory test results and various types of imaging data (e.g., X-ray, CT and MRI scans). It extends to the numerous commercial health data platforms which, with the help of wearable devices such as smart bracelets and smartwatches and of mobile health-management applications (apps), collect users' vital-sign data around the clock (e.g., real-time heart rate, sleep cycle and quality, blood oxygen saturation), daily-habit data (e.g., daily steps, exercise duration and intensity, dietary structure and calorie intake) and even subtle mood fluctuations and psychological state information. And it reaches the extensive deployment and deep integration of artificial intelligence (AI) assisted diagnosis and treatment systems in clinical practice. These advanced systems rely on complex machine learning and deep learning algorithms to perform sophisticated analysis and pattern recognition on massive medical image data (such as pathological slices and fundus images), genome sequence information, protein structure data and the like, with the aim of achieving ultra-early risk screening and accurate prediction of diseases, tailoring personalised treatment recommendations for patients, or significantly accelerating the research and development cycle of innovative medicines and the clinical trial process.

    The common cornerstone of these emerging technologies and application scenarios is the large-scale, multi-dimensional and high-frequency collection, secure storage, complex processing and in-depth analysis of personal healthcare-related data, with the core objective of unearthing value that can significantly improve the quality and efficiency of healthcare services, facilitate breakthroughs in medical research and innovation, and optimise public health management and decision-making.

    However, while this data-driven healthcare revolution brings unprecedented opportunities, it is also accompanied by growing and easily overlooked risks of privacy leakage and data abuse. Healthcare data is recognised both internationally and domestically as one of the most sensitive categories of personal information, because its intrinsic attributes are directly and closely related to an individual's physiological health and psychological state, and it may even include highly confidential information such as unique genetic information, detailed past medical history and sensitive family genetic history. Once such highly sensitive data is subjected to unauthorised disclosure, illegal external access, malicious internal tampering or use beyond the scope of authorisation, the resulting harm often goes far beyond that of a general personal-information leak. In less serious cases it may directly infringe the patient's right to privacy through improper disclosure or commercialisation of private information such as personal preferences and health status; in more serious cases it may substantially damage the patient's human dignity, for example where a patient suffers unwarranted social discrimination or unfair treatment in job hunting, insurance and social life because he or she has a specific infectious disease or carries the gene for a hereditary disease; and in extreme cases it may even directly threaten the personal and property safety of patients, for example where criminals use stolen medical information to carry out precision fraud, identity theft, extortion or other criminal activities.

    In addition, a large-scale medical data breach not only damages the reputation of the affected healthcare organisation but can also trigger a crisis of public trust in the entire healthcare industry, and even in data-processing organisations generally, which in turn hinders the healthy and sustainable development of the digital healthcare industry.

    This series of articles will focus on two of the most far-reaching and landmark pieces of data protection legislation in the world: the General Data Protection Regulation (GDPR) of the European Union (EU) and the Personal Information Protection Law of the People's Republic of China (hereinafter 'PIPL').

    Starting from the perspective of comparative law and closely integrating the concrete needs of legal practice, the author will systematically explore the complex compliance challenges that medical big data faces across its whole life cycle of collection, processing, use, sharing and cross-border transfer in the digital healthcare era, and will explore effective strategies and best-practice paths for meeting those challenges.

    The GDPR and the PIPL have been chosen as the core objects of discussion mainly for the following reasons:

    First, since the GDPR came into force on 25 May 2018, it has rapidly become the 'gold standard' and an important reference point for global data protection legislation by virtue of its extremely strict protection standards, its extensive extraterritorial jurisdiction and its fines, which are large enough to deter enterprises, and it has had a far-reaching and extensive impact on the concept and practice of data protection legislation in countries around the world, including China.

    Second, as the first dedicated law in China's history to comprehensively and systematically regulate the processing of personal information, the PIPL, which came into force on 1 November 2021, drew fully on advanced international legislative experience and mature systems, including the GDPR, and combined them with China's own socio-economic development and the realities of its digital governance, so as to construct a legal framework for the protection of personal information that is both in line with international standards and distinctively Chinese. These two laws represent the highest achievements and the latest direction of practical development of the EU and China, respectively, in the field of data protection legislation.

    Therefore, for any healthcare data platform operator, commercial healthcare service provider, AI-assisted diagnosis and treatment technology developer, multinational pharmaceutical company or medical research organisation with a global presence, and especially for those operating in the EU or China and processing personal healthcare data, a deep understanding of and strict compliance with the specific provisions of these two key laws is essential to ensure the legality, compliance and sustainability of their data processing activities, because both laws may directly and mandatorily bind those activities in the relevant jurisdictions.

    Looking back at the dramatic evolution of digital healthcare, it is clear that an increasingly symbiotic and mutually reinforcing relationship has formed between 'data-driven innovation' and 'advances in the practice of medicine'. In modern clinical practice, doctors no longer rely solely on traditional clinical experience and intuition for their diagnostic decisions and treatment choices; they increasingly rely on the results of big data analysis grounded in large-scale evidence-based medicine, or on AI systems that provide intelligent assisted interpretation of massive volumes of medical images (e.g., computed tomography (CT) scans, magnetic resonance imaging (MRI) and X-rays) and pathological specimens (e.g., cell smears and tissue biopsy samples). The application of these cutting-edge technologies can significantly improve the accuracy and efficiency of disease diagnosis and effectively reduce misdiagnosis and missed diagnosis caused by human factors.

    For example, advanced deep learning algorithms have demonstrated performance that rivals, and in some cases surpasses, that of senior specialists in identifying tiny cancer lesions at an early stage and in diagnosing complex fundus disorders (e.g., diabetic retinopathy). In the high-investment, high-risk field of drug discovery and development, major pharmaceutical companies around the world are actively exploring and making extensive use of Real-World Data (RWD) and the Real-World Evidence (RWE) derived from it to accelerate clinical trials of innovative drugs, to assess more comprehensively and objectively the long-term efficacy and safety of drugs in actual clinical use, and to expand the indications of marketed drugs. RWD comes from a wide range of sources, including electronic medical record systems, health insurance claims databases, drug and disease registries, patient-reported outcomes (PROs), and physiological parameters continuously collected by mobile health devices. In particular, the rapid spread and wide application of smart wearable devices (e.g., smart watches and health trackers) and mobile health (mHealth) apps have made it possible to collect massive amounts of individual physiological and behavioural data continuously and dynamically. These rich data provide unprecedentedly powerful support for highly accurate personalised health management, early warning of and effective intervention in chronic non-communicable diseases (e.g., hypertension and diabetes), customised lifestyle guidance and the like.

    However, the exponential growth of healthcare data in volume, dimensionality and processing speed has undoubtedly amplified the potential risks of privacy leakage and the information security challenges. Medical and healthcare data usually contains a large amount of extremely sensitive personal information. Article 28 of the PIPL expressly lists 'biometrics, religious beliefs, specific identities, medical and health, financial accounts, whereabouts and trajectories, as well as the personal information of minors under the age of fourteen' as sensitive personal information requiring more stringent protection measures. Article 9 of the EU's GDPR explicitly classifies 'data concerning health', 'genetic data', 'biometric data for the purpose of uniquely identifying a natural person' and 'data concerning a natural person's sex life or sexual orientation' as 'special categories of personal data', the processing of which is in principle prohibited unless one of the specific exemptions set out in Art. 9(2) applies.

    If such highly sensitive information is leaked or misused, it will not only directly infringe patients' fundamental rights under the law, such as the right to informed consent (e.g., Art. 6(1)(a) and Art. 7 of the GDPR on the conditions for obtaining and withdrawing consent; Articles 13 and 14 of the PIPL on the 'notice-consent' principle) and the right to make independent decisions on and control their personal information (e.g., the rights of access, copying, correction, supplementation, erasure and portability), but may also lead to a series of serious negative social effects. These effects may include, but are not limited to, employment discrimination based on an individual's health status (such as refusal to hire or unfair treatment in promotion), refusal of insurance coverage or malicious premium increases, exclusion and isolation in social interactions, and even, in extreme cases, exploitation by criminals for illegal activities such as precision fraud and extortion, thus posing a potential threat to the personal and property safety of individuals and to the stability of society as a whole.

    (To be continued)

    Note: 'Art.' as cited in this article, e.g. 'GDPR Art. 9', is the standard abbreviation of the English word 'Article' and refers to a specific numbered article of a law, regulation or ordinance.

    This article was originally written by lawyers of JIA LAWYER law firm and represents only the authors' own views; it should not be regarded as a formal legal opinion or advice issued by JIA LAWYER law firm or its lawyers. Please indicate the source when reproducing or quoting any of its content.

