2.1.5 Data Protection Law

It is generally agreed that robust data protection laws can provide a more comprehensive framework compared to privacy law for protecting a range of forms of personal data, and can also include additional rules for categories like health and research data. The EU’s GDPR is an influential example of data protection rules designed to remedy gaps caused by fuzzy definitions of what constitutes personal data; it specifies steps any organisation or agency handling ‘personal data’ must take in order to uphold the right to privacy. This includes ‘sensitive personal data’, which extends to ‘data concerning health’. In the US, the California Consumer Privacy Act takes a similar direction, though the scope of the GDPR is broader.²⁴⁰

The GDPR explicitly does not include the term ‘health data’ and instead uses the broader phrase ‘data concerning health’. Schneble and colleagues argue that this important distinction ‘opens the door to indirect and inferred health data falling within the scope of the GDPR’, and therefore strengthens its application outside as within the formal healthcare system. It is too early to determine the extent to which Schneble and colleagues are correct.

Others remain sceptical that even leading data protection laws like the GDPR can sufficiently protect people in the mental health context against the full range of the harms that may arise. Nicole Martinez-Martin and colleagues, for example, refer to the risk of misuse of data that is used to infer things about the health of an individual, and stated that:

Even where harmful or potentially harmful practices are identified and found to be violating data protection laws, the success of those laws is dependent on the capacity of authorities to enforce compliance, which remains an issue with the GDPR.²⁴² In any case, the GDPR is complex and only applies to organisations based in the EU. More conceptual and regulatory work is required to better define and regulate ‘data concerning health, mental health and disability’ and their use in automated profiling, to address issues of ‘indirect, inferred, and invisible health data’

Regarding law more generally, just as there is a risk of idealising technology’s promise, so there is of law: vigilance is required as to whether law reinforces unjust power relations. For example, if regulatory regimes to protect privacy are characterised by light-touch, pro-industry approaches that are designed to ease market authorisation of digital mental health services and products, this may promote the spread of cheap (if limited) software to replace more expensive, expert, and empathetic professional support, and disrupt care service provision.243 Regulation should aim to reduce all forms of domination, but there is always a risk that it will fail and/or reinforce domination.244 Some legal scholars have argued that laws governing privacy, data protection, and consumer protection have failed to govern the platform dominance of major technology corporations. Further, such laws have contributed to the massive expansion of big technology corporations into market-like structures that distort social relations and convert individuals into ‘users’—a resource to be mined for data and attention.²⁴⁵

More work is required to bring together those working on algorithmic and data-driven technology in response to disability and distress, with those who are pursuing broader alternative arrangements for the governance of our digitally mediated lives and economies. Possible alternatives include collective approaches to governing data and platforms, and community-produced data resources.