Google: Our DeepMind health slurp is completely kosher
Now go away, we’re saving the world
Analysis Google’s DeepMind operation insists UK patients have nothing to worry about now that Google has absorbed the subsidiary - but lawyers and privacy campaigners have raised doubts.
DeepMind told The Reg: “It is false to say that Google is 'absorbing' data. This data is not DeepMind’s or Google’s – it belongs to our partners, whether the NHS or internationally. We process it according to their instructions.”
That claim, echoed by DeepMind Health chief Dominic King, brought a swift correction from legal experts.
“It doesn’t belong to DeepMind’s partners, it belongs to the individuals,” Serena Tierney partner at lawyers VWV. “Those ‘partners’ may have limited rights, but it doesn’t belong to them.”
Royal Free London NHS Trust signed its original contract in September 2015 to process patient data with Google UK Ltd, but after this became public and concerns were raised, this was revised to a tightly defined relationship with DeepMind Technologies Ltd. So the question is: has that relationship changed?
Campaigners say it has, but DeepMind disagrees:
At this stage our contracts have not moved across to Google and will not without our partners’ consent. The same applies to the data that we process under these contracts. All decisions about how patient data is processed will continue to lie with our NHS partners.
DeepMind Health chief Dominic King confirmed:
I’ve seen a lot of threads on here since our announcement that the Streams team, which builds our mobile app to help doctors and nurses deliver faster and better care, is moving to Google. I lead this team and wanted to respond to concerns (1/8)— Dominic King (@Dominic1King) November 14, 2018
“Google has thrown Royal Free under a bus,” Med Confidential’s Phil Booth told us. “They were very specific in the revised contract about which personnel could process the data. Because of the controversy Deep Mind Health said it will just be Deep Mind Health personnel who process the data. Once you subsume a team into Google, calling them “Deep Mind” starts to become a bit untenable. Streams is now a ‘product thing’ not a ‘research thing’, and it’s now going into the scaling-up part of Google.
“It was unlawful to get the patient data in the first place, but you need a legal basis to keep using it. We think it’s failed to [do] that. Regardless of the absorption of Deep Mind Health into Google, we believe they have to revise the contracts.”
Patrick Rennie, a data protection lawyer at Wiggin, told us that clarification is needed.
“With DeepMind Health being absorbed into the US side of Google, the main issues the ICO may wish to monitor will be twofold. Will there be any sharing or profiling or access to data, going beyond what a patient in the UK will ever have expected from their medical practitioner?” It may be that there is no controversy whatsoever, but we need to know if there is a new purpose for that data."
“Secondly, even if DeepMind Health stays ‘independent’, will the personal data protected to the same standard as are required in the EU?”
Google swallows up DeepMind Health and abolishes 'independent board'READ MORE
Rennie emphasised that EU data protection law - much of which, as far as the GDPR is concerned, the UK has transplanted into its Data Protection Act - has a special category of "sensitive" data, that we might call very-personal-data. That encompasses medical data, and it’s hard to commercialise. There are also, he added, territoriality issues for the ICO to examine, since GDPR Article 3(2) extends to companies operating outside the EU.
"Where Deep Mind Health or Google is not established in the EU, but it is offering goods or services to individuals in the EU, then it may still be caught by the GDPR under the extra-territorial effect. An argument could be made that where extra-territorial effect applies the transfer of data outside of the EEA will be permitted, although this is not certain and one would expect adequate safeguards to be implemented,” Rennie explained.
Now you see 'em - now you don't.
Top: Royal Free's 2015 agreement was with Google Ltd UK. Bottom: After public concern, 2016 agreement was with DeepMind Technologies Ltd.
Tierney noted that in addition to misrepresenting the property rights of patients - who own their personal data - DeepMind’s services contract with the Trust is far from reassuring. DeepMind bills it as "our agreement" with Royal Free.
“The service agreement has no clear identification of what data is being handed over - it’s sloppy, and defines data as whatever Royal Free hands over. And secondly, there’s no provision about what people will do processing the data, and what is and what isn’t permitted.”
In a statement, Royal Free London NHS Trust told us: “There have been no changes to the way data is processed under our contract with DeepMind and nothing will change without our consent.
“Streams is governed by the strictest guidelines and laws.”
Booth wonders whether it's worth it. "AI and innovation is the smokescreen here. Streams is not very different to other health apps - and it's not even AI." ®
Sponsored: Becoming a Pragmatic Security Leader