Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data (CGHD), the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. The results of the CNIL and FTC workshops are broadly similar. Health data generated in the context of medical care benefits from high levels of protection both in the United States and in France. In the United States, HIPAA imposes strict security rules on companies that store health data collected by hospitals or insurance companies. In France, the public health code imposes draconian security measures on service providers that host health data generated in the context of medical care.
Regulation of medical devices also provides security rules for data generated by the devices such as glucometers. However, many of the body sensors and wellness devices that consumers use today fall outside of these categories. The question asked at the CNIL seminar was whether the current legal framework for protecting personal data in France is adapted to these new devices. Part of the problem is that the French data protection law classifies health data as sensitive, requiring a particularly high justification for its processing. Both the Directive 95/46/EC and the French data protection law prohibit processing of health data, unless one of the narrow exceptions applies.
One of the senior staff members of the CNIL, Sophie Vulliet-Tavernier, speculated that the current definition of health data may not be adequate to cover the multitude of body sensors that consumers now use to collect data about themselves. Vulliet-Tavernier speculated that it might be appropriate to define a new category of personal data consisting of data generated by the human body. Lawmakers could then consider whether it is appropriate to impose limitations on the purposes for which data generated by the human body can be used. This is closely linked to the bioethical debates in France surrounding use of human organs, DNA and cells. Hogan Lovells partner Winston Maxwell spoke at the CNIL workshop, highlighting international approaches to the regulation of body sensors and wellness devices.
Like the FTC seminar, the CNIL seminar did not yield any concrete recommendations. The CNIL seminar was the occasion for the CNIL to distribute its new publication on “the connected body” (in French). The publication includes twelve articles addressing different aspects of the “quantified self” phenomenon, including the ethical and regulatory challenges posed by the massive collection of data generated by the human body. The regulatory chapter cites portions of the Hogan Lovells study on regulation of wellness devices throughout the world, which was commissioned by the CNIL in the context of the CNIL’s work on ubiquitous body sensors.
Authored by the HL Chronicle of Data Protection Team