Protection of Personal Medical Data in the Era of Digitalization: Legal Guarantees and Prospects
Keywords:
digital technologies, GDPR, HIPAA, data protection models, AI-driven health analyticsAbstract
This article explores the protection of personal medical data in an era defined by digital technologies, global connectivity, and new healthcare paradigms. Given the heightened sensitivity of health information, we analyze existing international frameworks—namely the EU General Data Protection Regulation (GDPR), the Council of Europe’s Convention 108, and U.S. regulations such as HIPAA—and discuss how they apply in an environment increasingly shaped by cloud computing, big data analytics, and artificial intelligence. Drawing on leading case law from the Court of Justice of the EU, the European Court of Human Rights, and U.S. courts, we highlight ongoing challenges, including informed consent, data re-identification, cross-border transfers, and cyberattacks targeting healthcare systems. By juxtaposing stringent European data protection models with the more fragmented American healthcare privacy landscape, we identify practical and conceptual gaps that require urgent regulatory attention. Finally, the article suggests possible avenues for greater harmonization and stronger enforcement—ranging from sector-specific standards for AI-driven health analytics to clearer frameworks for data ownership and accountability—aimed at safeguarding individual privacy while facilitating innovation in digital healthcare.
References
Regulation (EU) 2016/679 (General Data Protection Regulation).
Council of Europe, Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (and Convention 108+).
Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996).
California Consumer Privacy Act (CCPA) (2018), amended by the California Privacy Rights Act (CPRA) (2020).
Google Spain SL and Google Inc. v AEPD and Mario Costeja González (Case C-131/12).
Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C-311/18, “Schrems II”).
Z v. Finland, 25 February 1997, Application No. 22009/93.
I v. Finland, 17 July 2008, Application No. 20511/03.
Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).
Moore v. Regents of the University of California, 51 Cal.3d 120 (1990).
OECD, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013).
World Medical Association, WMA International Code of Medical Ethics (last revised 2022).
World Health Organization, Guidelines on Digital Health Interventions (2019).
