Healthcare applications: data protection and competition challenges in Ukraine

Ukraine

Digital healthcare is currently an area of acute interest. Ever-increasing costs of maintaining healthcare facilities and scarce resources make digitalizing the healthcare industry inevitable. Preventing disease through continuous monitoring of health measurements, patient tracking and other methods can easily be carried out by an application downloaded to the patient's phone from a mobile app distribution platform.

Application developers are targeting various aspects of the healthcare industry: (i) self-management of healthcare, where the user constantly submits health information and the application signals when measurements lie outside safe parameters and a visit to a healthcare professional ("HCP") is required, (ii) "patient monitoring", i.e. connecting HCPs and their patients to track the efficiency of a treatment plan, (iii) healthcare staff scheduling, keeping medical records, internal databases, processing patients' requests and patient studies, (iv) pharmacovigilance management, (v) remotely monitoring the health of elderly family members, (vi) software for medical devices, (vii) enhancing telemedicine, etc. Digitalizing healthcare also reduces fraud by making the industry's operation transparent and trackable.

However, the most valuable outcome of using healthcare applications is access to an enormous amount of personal medical data, which is then available for further processing: not only to provide personalized recommendations to the user, but also to sell datasets to companies operating in other markets, such as the pharmaceutical, medical services and marketing sectors. Thus, medical data is becoming the new "oil" for the whole healthcare industry.

Privacy issues for Ukrainian users

When operating a digital healthcare application, processing personal data, including sensitive personal data, is unavoidable.

Personal data is any information about an individual that can help identify that individual; sensitive personal data is, for example, a patient's health-related data (such as a diagnosis). Processing of this information covers any action taken with regard to such data, from its collection to its deletion.

Considering the particularities of healthcare applications and the services provided to patients, a separate consent to personal data processing will often be required. Very often, persons processing personal data draft consent forms that cover every conceivable kind of personal data processing.

However, these catch-all consent forms are not a magic shield. If the processing exceeds the scope of the initially established purpose (such as the provision of healthcare services), for example by transferring the data to third parties who then use it for marketing purposes, it will still be a violation even when the consent form directly permits it, because such a transfer exceeds the initial scope of processing, namely the provision of healthcare services.

Quite often, personal data collected by applications is transferred outside Ukraine. Depending on the destination country, consent to this transfer might also be required. For example, if the data is transferred to Germany and the transfer does not exceed the scope of the processing purpose, no additional consent is required. However, if the data is transferred to the USA, the patient (or any other individual whose data is being processed) must first consent to the transfer.

Another important detail about a data transfer, besides its purpose and the destination country, is whether the personal data is transferred to a third party or to a processor appointed by the initial controller of the personal data. Depending on the very individual specifics of each case, these roles might be distributed differently, and different procedures need to be followed, such as the conclusion of a written data processing agreement.

Additional actions also need to be taken with regard to processing sensitive (medical) personal data: notification of the Human Rights Ombudsman, appointment of a person specifically responsible for personal data processing matters, etc. It is often mistakenly assumed that if a patient's diagnosis (or any other specific medical data) is stored separately from the patient's name, no sensitive personal data is processed. If any stored information is categorized as a patient's data, it will still be regarded as sensitive, and its processing will still impose additional obligations on the data controller.

In the end, all digital healthcare application operators process not only personal data but also sensitive personal data, and beyond the policies and broad consent forms there are always additional actions to be taken to ensure the patient's right to privacy as well as the operator's compliance with the legislation.

Responsibility for confidentiality and personal data processing violations

Processing of personal data and especially of sensitive (medical) personal data is always at risk of:

  • Inspections by the Human Rights Ombudsman;
  • Civil lawsuits by patients (other personal data subjects);
  • Administrative responsibility;
  • Criminal responsibility.

The above responsibility and its scope mainly depend on the actual harm caused to an individual. In this regard, healthcare application operators are always at higher risk, since the data they process is mostly medical data and is processed in large amounts.

So far, Ukrainian controlling authorities have not imposed heavy fines for personal data protection violations. However, this will most likely change in the near future due to the upcoming personal data protection reform. The reform will result not only in additional requirements for data processing but also in higher and more probable fines for personal data protection violations, calculated on the basis of a company's annual turnover and potentially amounting to millions.

The competition aspect of the data sharing market

Whenever a market emerges, the competition rules should be observed, especially given the interest of competition authorities across the world in Big Tech companies and the ability of their products to soak up personal data from users in order to personalize and stimulate consumption.

The competition rules apply even if the product is information, data or data processing services. Since healthcare applications collect unique patient information stripped of personal details, data holders gain exclusive private (or even monopolistic) control over valuable datasets that other medical companies want to utilize in their business.

At the same time, numerous competition issues may arise: (i) discriminatory third-party access to data, (ii) restrictions imposed by data-sharing agreements, (iii) abnormal conditions under which a dominant data holder decides to grant access to data, (iv) exploitation of dominance through manipulation of the information displayed to the customer, etc. All of these violations have been investigated by competition authorities, albeit in the sphere of customer data collected by the most popular digital gatekeepers. This enforcement trend is therefore also relevant to data sharing in the healthcare industry and may eventually affect the Ukrainian IT industry as well. Thus, data holders and their employees must stay up to date with current practice to avoid investigations and inspections. In addition, compliance policies may help keep data holders from crossing the red lines set by competition law.