
Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, May 13, 2016



Greetings from Brussels!

An interesting story has been gathering momentum recently in the partnership agreement between Google’s AI company DeepMind and the Royal Free NHS Foundation Trust, the U.K.’s national health care system. This concerns a partnership arrangement on data sharing that will reportedly give DeepMind access to a "wide range" of health care data on 1.6 million patients. A truly staggering figure, and a rich source of data for health analytics.

Through this data access, DeepMind will reportedly be able to see, for example, whether patients are HIV-positive, or whether they have overdosed on drugs, or had an abortion. Hospitals will also share the results of certain pathology and radiology tests. This includes up to five years of historical data, as well as access to logs of day-to-day hospital activities, such as records of the location, visits and status of patients. This is fairly comprehensive in terms of personal and confidential data.

Using AI in health care could significantly improve the way and speed at which people are diagnosed and treated, according to the team at DeepMind. The partnership, which was established back in February, coincided with DeepMind’s announcement of its new app called “Streams” designed to help hospital staff monitor patients with kidney disease, or acute kidney injury, as it is otherwise known. However, the data-sharing agreement implies that DeepMind could also be looking at other illnesses. Incidentally, you might ask why the focus on kidney disease? In brief, AKI is linked to as many as 100,000 deaths in U.K. hospitals per annum, and estimated to cost the taxpayer between 434 million and 620 million GBP every year, more than skin cancer and lung cancer combined. AKI is a significant medical affliction.

There is certainly merit to incorporating new technology into health care practices. This has already been successfully demonstrated elsewhere; the likes of GE Healthcare, Siemens and IBM have been in the business for some time. Indeed, there is a certain inevitability when it comes to patient privacy and the use of innovative technologies such as AI in health care. We generally accept that in order to realize the full potential of the information society, personal and confidential data must be processed and invariably shared — at times — across organizational entities in order to facilitate patient care or fulfill effective service. This is not a new phenomenon.

The key question from the privacy perspective: Did the patients sign up for this? This issue again highlights the flaw in how "consent" is obtained by the NHS (or other national health care systems for that matter). It is fundamental to health care that a person receiving care or treatment agrees to receive it. Consent is a key concept in the provision of health care — this is true across ethical, legal and practical considerations. As it stands, the NHS is covered by "implied consent"; it does not require patient consent for direct treatment and care. The great unknown is whether implied consent will be extended to fit the purpose of the scope of activity that DeepMind will undertake. Moreover, will the scope of activity be considered as direct or indirect patient care; how is that defined distinctively, and what does it imply for data subject rights? The NHS has announced it is allowing patients to opt out of the data sharing deal by contacting the Trust's data protection officer as covered by its privacy policy. One wonders if the 1.6 million patients will be made aware of this in very explicit terms. Is it necessary?

The interdependence of regulations and professional obligations in the area of medical information sharing is complex as well as layered, which in turn can blur the reality of ongoing practices. Lack of consent is not a simple issue. Nor is it a simple task to guarantee and protect the data subject’s rights or ensure data controller obligations. Both organizational and individual challenges remain, and confusion around how consent works is a major hurdle. A more streamlined regulatory approach would certainly be desirable where practical. Perhaps the new GDPR, which includes a more prominent role for explicit, informed consent, will help shape future health care consent frameworks. We shall see.

