I used my telephone digicam to take a greater image of the picture inside it. This allowed me to attract conclusions concerning the particular person’s age and social standing. As a journalist with entry to trendy expertise, I’m assured I might doubtlessly establish this particular person. Nevertheless, pursuing such an investigation solely for the aim of illustrating this text and highlighting the significance of our information could be borderline intrusive.
Please do not mistake my enthusiasm; I deeply worth investigative journalism and would gladly immerse myself in it beneath completely different circumstances. Nevertheless, since I am utilizing this anecdote solely as an instance my story on privateness, I encourage you to belief your judgment and take into account my insights rigorously.
I am unable to say for positive, however I might guess the particular person within the picture did not have any privateness considerations when the image was taken. It is inconceivable that they ever imagined this view-master, bearing their picture, would discover its solution to a journalist’s dwelling in Berlin, Germany, by the yr 2024, not to mention function in an article discussing digital well being information.
Is it true that the service provider promoting this machine obtained the consent of the person depicted within the {photograph} to distribute it? Since I paid for the View-Grasp, do I now have rights over this particular person’s picture? Do we actually perceive the worth of the info we generate about ourselves at the moment and what it would have sooner or later?
These questions have been swirling in my thoughts since I bought this machine. Now, as I concentrate on reviewing wearable gadgets like smartwatches, chest straps, and even Peloton treadmills, I discover myself questioning if we’re really ready to share our most useful info with corporations: our well being information.
First, I am not a specialist within the fields of privateness and safety, so I reached out to my community and gained insights from professionals working immediately within the wellness and well being trade. Furthermore, this isn’t an try to coach anybody on the significance of knowledge safety—to be sincere, the deeper I dive into the subject, the much less I perceive.
Nevertheless, I do imagine there may be worth in understanding the data we produce about ourselves and the way it may be used to learn us or trigger harm. So, right here, I will share with you some greatest practices to make sure you’re defending your well being information whereas nonetheless producing helpful metrics about your self.
To boost consciousness amongst our viewers about well being information privateness and safety, I requested two specialists a easy query: Should you might provide only one recommendation to individuals about defending their well being information, what wouldn’t it be? I spoke with Martha Dörfler, a developer and maintainer on the Berlin-based Drip Collective, which prioritizes privateness of their open-source menstrual cycle monitoring app Drip; in addition to with Vincent Chartier, a cybersecurity engineer at Withings, an organization I belief relating to my private information.
Desk of Contents:
Tip #1: Don’t fall for the “take it or go away it” mannequin
Perhaps you already observed it, however many corporations attempt to make us, the customers, liable for our information, however these days, privateness legal guidelines defend individuals in most locations.
For instance, nextpit’s viewers is principally from the US and the European Union, two main markets the place well being privateness is taken critically. Within the US, well being information safety is ruled by HIPAA (Well being Insurance coverage Portability and Accountability Act), and within the EU, it is protected beneath GDPR (Common Knowledge Safety Regulation).
Moreover, worldwide corporations serving US or EU residents should observe native legal guidelines. Which means even individuals in areas like Latin America, India, and China might see advantages from these privateness protections.
What I wish to emphasize is that you just shouldn’t have to just accept something that feels invasive to make use of a service. Neglect the concept that it’s essential to ‘take it or go away it.’ As an alternative, train your proper to guard your private information: report points, voice complaints, and push corporations to vary their insurance policies. Keep in mind, rights solely exist if we assert them when vital.
However the place to start? An excellent start line for me to grasp the present state of privateness points was partaking with the ‘None of Your Enterprise’ (NOYB) group. Created by Max Schrems, NOYB ensures that corporations adhere to rules concerning the safety of your private info on-line. They make use of intelligent methods and collaborate with numerous teams to safeguard your privateness, particularly in Europe.
In the US, there isn’t a company immediately similar to NOYB when it comes to visibility and particular focus. Nevertheless, organizations such because the Digital Frontier Basis (EFF) and the American Civil Liberties Union (ACLU) fulfill related roles. They advocate for privateness rights and undertake authorized actions to defend these rights.
Tip #2: Do not be lazy; learn the privateness coverage
Based on Vincent Chartier, the Withings cybersecurity specialist, a very powerful factor you are able to do is learn the privateness insurance policies of a service earlier than utilizing it:
Should you discover the privateness coverage too complicated to grasp, it ought to increase considerations concerning the firm’s privateness practices.
Sure, you need to undergo the complete privateness coverage. Nevertheless, Vincent shared some key inquiries to focus your consideration on whereas studying privateness insurance policies which are crucial for figuring out potential pink flags and understanding how your information is managed and guarded. Here’s a cheat sheet:
How does the corporate gather and share your information?
For what functions?
Who truly hosts the info?
Permit me to additional break this down for you in two examples.
Instance 1: Understanding consent
Meta and their enterprise mannequin: Lately, Meta launched the ‘Pay or Okay’ system within the EU to be able to ‘comply with GDPR.’ So now the corporate needs to provide customers a selection: permit Meta to make use of individuals’s on-line info for enterprise functions, or pay to maintain their info personal. This new and notable possibility might change on-line privateness administration, elevating questions on its equity. Meta’s choice may lead different corporations to make on-line privateness a paid service.
Meta is evidently manipulating the idea of consent. Based on Vincent, the significance of understanding consent is the important thing right here, particularly for navigating information privateness and safety:
Consent can solely exist when it is unambiguous. You may give it freely, that means you recognize precisely what’s behind this consent, what course of is behind this consent.
Shifting the main target from a broader overview of privateness to well being information: As we proceed to digitize well being information, use wearables, health apps, and combine expertise into healthcare, securing our private well being info has emerged as a high concern. Furthermore, in response to the IDC Knowledge Age report, roughly 30% of the world’s information quantity is generated by the healthcare trade and is rising at an annual charge of 36%.
This shift towards digital well being information and tech-based well being monitoring instruments has undoubtedly made healthcare providers extra environment friendly and accessible. We are able to now observe well being metrics, entry medical information from wherever, and work together extra successfully with medical professionals. Take my menstrual cycle historical past for instance, once I’m on the gynecologist I can simply export it from my iPhone’s Well being app as a PDF doc to allow them to analyze it in a matter of seconds.
Nonetheless, this comfort imposes a big obligation on expertise corporations, healthcare suppliers, and sufferers to safeguard very important well being info. Well being information is extremely private and delicate, containing particulars we’d not share even with these closest to us. Ought to this information fall into the fallacious palms, it might result in privateness violations, id theft, and discrimination in employment or insurance coverage.
And that is why consent is paramount right here. This implies guaranteeing that our info is shared and used solely with our specific settlement!
Within the digital age, the idea of consent has turn out to be a cornerstone of knowledge safety and privateness. Underneath GDPR, consent is not only a formality; it is a important and sophisticated requirement designed to empower people over their private information.
Consent should be freely given, particular, knowledgeable, and unambiguous, which suggests people should actively ‘opt-in’ for his or her information to be processed. This method seeks to eradicate any ambiguity, guaranteeing that consent is a transparent affirmative motion that can not be derived from silence, pre-ticked packing containers (opt-out), or inactivity.
Furthermore, GDPR emphasizes that people have the fitting to withdraw their consent as simply as they gave it, reinforcing the precept that consent shouldn’t be a one-time notification, however an ongoing selection.
This shift not solely locations extra energy within the palms of the person, making consent a real selection, but additionally challenges organizations to undertake clear and user-friendly practices, marking a big step ahead in information privateness and safety.
This implies corporations can’t merely current a sequence of choices inside a prolonged paragraph that explains (or fails to clarify) the explanations for information assortment, sharing, and storage. They need to break it down into choices which are straightforward to learn and perceive, requiring easy ‘sure’ or ‘no’ responses.
Nevertheless, as emphasised by Vincent Cartier, it’s at this level that corporations are likely to push the boundaries to the restrict. To keep away from future nightmares, he suggests delving deep into the background of an organization to grasp the so-called respectable curiosity—at Meta, as an illustration, their enterprise mannequin is commercial:
There are a variety of authorized bases relevant to non-public information. The perfect identified is consent. Authentic curiosity represents one other authorized foundation that enables corporations to course of information with out acquiring consent. It’s a difficult path as a result of it in some way bypasses the necessity for consent. […] Sadly, corporations typically exploit this as a result of they anticipate little to no pushback from regulatory authorities, given the huge variety of companies concerned. Subsequently, defend your privateness, it is essential to understand and adeptly navigate points just like the misuse of respectable curiosity. For instance, it appears fairly unfair for corporations to share my information based mostly on respectable curiosity.
Instance 2: Understanding the place content material is being processed
Contemplate the relevant guidelines to your information: It’s possible you’ll be using a service from a German firm, however the information may be saved by a US firm, equivalent to AWS, Amazon’s main cloud supplier. Now, who truly hosts the info?
Cloud storage is at its peak proper now. It is a lot in order that in 2025, IDC Knowledge Age report predicts that 49% of the world’s saved information will reside in public cloud environments—Google Cloud Platform, Amazon Net Providers, or Microsoft Azure.
Vincent explains that “at its core, cloud computing includes operating packages on another person’s pc, which instantly presents problems with management and safety.” So it is clear why there is a notable concern concerning the compliance of those providers with European rules, particularly GDPR. And do not get me fallacious, individuals within the US will face the identical points with European cloud corporations as effectively, nevertheless, since these corporations have a smaller market share, it’s typically not seen with the identical concern.
So, as highlighted by Withings cybersecurity specialist, “the dominance of American corporations within the cloud market brings authorized and privateness considerations.” The U.S. legal guidelines, such because the Cloud Act, permit American authorities to entry information saved by these corporations, whatever the information’s bodily location. This immediately conflicts with GDPR ideas.
However how will you navigate your well being information on all of those?
Within the realm of well being information safety, technological measures play a pivotal function in safeguarding person info in opposition to unauthorized entry, breaches, and cyber threats. The key phrase right here is ‘on-device processing.
Once we say well being information is being processed “on-device,” it implies that every little thing from gathering to analyzing your well being info occurs proper in your private gadget, like a smartwatch or smartphone. That is completely different from the info being despatched off to some faraway server or a cloud to be handled. This technique has a giant plus for protecting your well being particulars personal and safe as a result of the data stays with you, slicing down the danger of it moving into the fallacious palms or being mishandled.
On high of boosting privateness, dealing with well being information on-device could make issues work sooner and extra easily, particularly for apps that want up-to-the-minute well being updates to operate appropriately. It is also helpful whenever you’re out of vary of excellent web service, letting these apps preserve operating simply.
Plus, for the reason that information would not need to journey forwards and backwards over networks, it might imply your machine’s battery will last more. Nevertheless, doing all this proper on the machine may imply the machine must be a bit extra highly effective to handle these duties, which may very well be a trade-off in some circumstances.
In conclusion, information safety can’t be ignored, or privateness will undergo.
Tip #3: Pay attention to the legal guidelines in your area
As a part of creating a menstrual cycle software, Martha Dörfler emphasizes the significance of understanding the content material you create about your self and, much more importantly, how this content material can and shall be utilized by corporations and public establishments. Subsequently, she believes that the important thing to protecting your well being information personal and safe is, above all, being conscious of the legal guidelines in your area.
It tremendously depends upon the particular person’s menace mannequin. For instance, for those who reside in a rustic the place abortion is extremely unlawful, you could take into account completely different options for gathering and storing information about your self.
As you possibly can see, the implications prolong past simply the legal guidelines surrounding your privateness. Producing content material about your well being might additionally doubtlessly contain violating extra severe legal guidelines. This concern isn’t restricted to abortion—which is authorized in some US states however not in others—but additionally applies to using unlawful substances within the context of well being points and health, as an illustration.
Instance 3: Accumulating information means creating information
Police testing ladies for abortion medicine: In 2023, the channel Tortoise Media reported that the British police had been checking ladies for abortion medicine and asking for info from interval monitoring apps following unexplained miscarriages. That stated, relying on the place you reside, even one thing so simple as recording your menstrual cycle might doubtlessly be used in opposition to you.
As said initially, privateness rules range between Europe and the U.S. In Europe, there is a important mistrust in the direction of corporations, whereas People are primarily anxious about authorities intrusion into their privateness. So, as emphasised by Martha, what you share also needs to be thought-about based mostly on the tradition you’re a part of, and the area you’re in.
In the US, HIPAA is prime to well being information safety legal guidelines, setting strict privateness and safety requirements for protected well being info (PHI). This impacts healthcare suppliers, tech corporations like Apple and Google, and customers. Compliance is essential for any entity dealing with PHI, together with well being information and billing info.
For tech corporations coming into the well being sector—through wearables, apps, or information administration—HIPAA compliance is essential for dealing with U.S. residents’ well being information. This requires defending person privateness and guaranteeing affected person information’s confidentiality, integrity, and availability throughout all information dealing with phases.
Apple, as an illustration, has delved deeply into well being with its Well being app, Apple Watch, and different health-related applied sciences and providers. Identical for Google with the Well being Join and Google Pixel Watch and Fitbit. These services and products are designed with privateness and information safety at their core, typically emphasizing their dedication to person privateness, which aligns with HIPAA’s goals.
When Apple or Google’s services and products deal with PHI, they have to guarantee HIPAA compliance to guard this delicate info from breaches and unauthorized entry. We’ve got the identical compliance requirement relating to European residents, however it’s associated to the GDPR.
What for those who’re not coated by HIPAA or GDPR? To know how your information is dealt with in your home, I counsel accessing the Morrison Foerster Privateness Library. This complete software gives entry to privateness legal guidelines, rules, studies, multilateral agreements, and particulars from authorities authorities for over 150 nations worldwide.
Why ought to I care?
Underneath the privateness regulation the place I dwell, which falls beneath the GDPR, there isn’t any hierarchy of well being content material sorts. Nevertheless, the safety of well being info is taken very critically because of its extremely personal nature. In any case, the EU launched these guidelines to safeguard our most personal particulars.
As I start to take a extra severe method in the direction of digital well being in each personal {and professional} facets of my life, my concern about producing information about myself—and at a special scale, proposing others do the identical or not—has reached a peak that impressed me to jot down this text.
I wish to entry and perceive my well being info to make higher life selections however preserve my information personal. I do not need my info used for advertisements, product segmentation, coaching AI like LLMs, or on the mercy of cyberattacks. These are my rights, and I imagine they need to be yours too.
The excellent news is that the majority corporations within the well being and wellness sector, particularly these we talk about at nextpit, perceive information safety and adjust to regulatory requirements. When there are lapses, privateness organizations maintain these corporations accountable.
For instance, Drip is an open-source app with privateness as a central a part of its philosophy, as proven in its privateness coverage. Firms like Withings rigorously select their companions to make sure information processing meets European legal guidelines.
Equally, within the U.S., companies like Apple concentrate on processing information on-device, a follow additionally adopted by Google, though their enterprise fashions introduce some complexities. Manufacturers like Amazfit course of information on-device too, and in Germany, place their information servers throughout the nation, enhancing privateness.
Final however not least, defending our well being information from misuse begins by understanding its worth and responsibly selecting whom to share it with. It is important to carry corporations accountable for his or her dealing with of our information. Failing to take action might lead to our info getting misplaced within the huge world information market, a state of affairs nobody needs, paying homage to what might occur with one thing as innocuous as a View-Grasp buy.