A critical comparative policy analysis of deficiencies in digital health privacy: Proposing a comprehensive U.S. Federal framework


 This article explores the evolving landscape of data protection law in Vietnam, focusing specifically on the responsibilities of data controllers under Vietnam's new Personal Data Protection Decree (Decree No. 13/2023/ND-CP - hereinafter referred to as Decree 13) and compares it with the European Union's General Data Protection Regulation (GDPR). The main objective is to assess how the provisions regarding data controllers’ responsibilities under Decree 13 align with international data protection standards, identifying its progress and challenges. The analysis uncovers both convergence and divergence points between the related provisions under Decree 13 and the GDPR, particularly in terms of clarity, scope, and enforcement mechanisms. A significant challenge identified is the ambiguity in Decree 13’s provisions on data controllers’ responsibilities and the absence of several essential elements, which could undermine the effectiveness of Vietnam's data protection framework. To address these issues, the article offers strategic recommendations for legislative improvements and practical adjustments for data controllers in Vietnam. In conclusion, while navigating the path to a comprehensive data protection framework poses challenges for Vietnam, this journey offers an opportunity to align with regional and global developments in data protection laws. By learning from the GDPR and adapting to its specific features, Vietnam can develop a robust, effective, and trustworthy data protection environment, safeguarding its citizens' privacy rights and facilitating a favorable international business climate.

Ideas and Opinions5 March 2019Are Requirements to Deposit Data in Research Repositories Compatible With the European Union's General Data Protection Regulation?Deborah Mascalzoni, PhD*, Heidi Beate Bentzen, LLM*, Isabelle Budin-Ljøsne, PhD, Lee Andrew Bygrave, LLD, Jessica Bell, PhD, Edward S. Dove, PhD, Christian Fuchsberger, PhD, Kristian Hveem, MD, PhD, Michaela Th. Mayrhofer, PhD, Viviana Meraviglia, PhD, David R. O'Brien, JD, Cristian Pattaro, PhD, Peter P. Pramstaller, MD, Vojin Rakić, PhD, Alessandra Rossini, PhD, Mahsa Shabani, PhD, Dan Jerker B. Svantesson, PhD, Marta Tomasi, PhD, Lars Ursin, PhD, Matthias Wjst, MD, and Jane Kaye, DPhilDeborah Mascalzoni, PhD*Institute for Biomedicine, Eurac Research, Bolzano, Italy, and Uppsala University, Uppsala, Sweden (D.M.), Heidi Beate Bentzen, LLM*Norwegian Research Center for Computers and Law and Centre for Medical Ethics, University of Oslo, Oslo, Norway (H.B.B.), Isabelle Budin-Ljøsne, PhDNorwegian Institute of Public Health, Oslo, Norway (I.B.), Lee Andrew Bygrave, LLDNorwegian Research Center for Computers and Law, University of Oslo, Oslo, Norway (L.A.B.), Jessica Bell, PhDUniversity of Oxford, Oxford, United Kingdom, and University of Melbourne, Melbourne, Victoria, Australia (J.B., J.K.), Edward S. Dove, PhDUniversity of Edinburgh, Edinburgh, United Kingdom (E.S.D.), Christian Fuchsberger, PhDInstitute for Biomedicine, Eurac Research, Bolzano, Italy (C.F., V.M., C.P., P.P.P., A.R.), Kristian Hveem, MD, PhDInstitute for Biomedicine, Eurac Research, Bolzano, Italy; HUNT Research Center and K.G. Jebsen Center for Genetic Epidemiology, Norwegian University of Science and Technology, Levanger, Norway (K.H.), Michaela Th. Mayrhofer, PhDBBMRI-ERIC, Graz, Austria (M.T.M.), Viviana Meraviglia, PhDInstitute for Biomedicine, Eurac Research, Bolzano, Italy (C.F., V.M., C.P., P.P.P., A.R.), David R. O'Brien, JDHarvard University, Boston, Massachusetts (D.R.O.), Cristian Pattaro, PhDInstitute for Biomedicine, Eurac Research, Bolzano, Italy (C.F., V.M., C.P., P.P.P., A.R.), Peter P. Pramstaller, MDInstitute for Biomedicine, Eurac Research, Bolzano, Italy (C.F., V.M., C.P., P.P.P., A.R.), Vojin Rakić, PhDCenter for the Study of Bioethics, University of Belgrade, Belgrade, Serbia (V.R.), Alessandra Rossini, PhDInstitute for Biomedicine, Eurac Research, Bolzano, Italy (C.F., V.M., C.P., P.P.P., A.R.), Mahsa Shabani, PhDKU Leuven and Leuven Institute for Human Genomics and Society, Leuven, Belgium (M.S.), Dan Jerker B. Svantesson, PhDBond University, Gold Coast, Queensland, Australia (D.J.S.), Marta Tomasi, PhDUniversity of Trento, Trento, Italy, and Free University of Bozen-Bolzano, Bolzano, Italy (M.T.), Lars Ursin, PhDNorwegian University of Science and Technology, Trondheim, Norway (L.U.), Matthias Wjst, MDHelmholtz Zentrum München and Technical University Munich, Munich, Germany (M.W.), and Jane Kaye, DPhilUniversity of Oxford, Oxford, United Kingdom, and University of Melbourne, Melbourne, Victoria, Australia (J.B., J.K.)Author, Article, and Disclosure Informationhttps://doi.org/10.7326/M18-2854 SectionsAboutFull TextPDF ToolsAdd to favoritesDownload CitationsTrack CitationsPermissions ShareFacebookTwitterLinkedInRedditEmail To reproduce study findings and facilitate new discoveries, many funding bodies, publishers, and professional communities are encouraging—and increasingly requiring—investigators to deposit their data, including individual-level health information, in research repositories. For example, in some cases the National Institutes of Health (NIH) and editors of some Springer Nature journals require investigators to deposit individual-level health data via a publicly accessible repository (1, 2). However, this requirement may conflict with the core privacy principles of European Union (EU) General Data Protection Regulation 2016/679 (GDPR), which focuses on the rights of individuals as well as researchers' obligations regarding transparency and accountability.The GDPR ...

The one-year anniversary since the European Union's General Data Protection Regulation (GDPR) came into effect has recently passed (25 May 2019). During the past year or so, Data Protection Authorities (DPAs) across different countries have worked diligently to enforce compliance and ensure that the core principles at the heart of the GDPR are met – namely responsible and transparent handling and protection of individuals’ personal data. Data Protection Authorities (DPAs) across Europe have worked diligently to enforce compliance and ensure that the core principles at the heart of the General Data Protection Regulation (GDPR) are met. Meanwhile, organisations have worked to ensure compliance. Paul Breitbarth of Nymity looks at what has been learned in the past year. How have businesses responded? Has the GDPR impacted other national data protection regulations? And what impact will the UK's impending exit from the European Union (EU) have on regulatory compliance and data flows?

While digital health or mHealth applications (apps) have become accessible resources for the support of personal health, the privacy and security of users' data have been the subject of concern and controversy. As large numbers of mHealth apps are created and are increasingly widely used by people with various health conditions, it is crucial to have clear and valid methods for evaluating the data practices within them. Recent regulatory initiatives such as the European Union's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have had the effect of raising awareness and establishing a minimal set of expectations. However, they do not in themselves address the issue of the development of systems which meet privacy and security requirements. There is a growing body of research on evaluation techniques and frameworks to support the assessment of the privacy and security of health apps, and guidelines to support their design. However, it can be challenging to navigate this space and choose appropriate techniques for a given context. Addressing this issue, this paper examines the recent literature on security and privacy of m-Health applications, using a scoping review methodology. It analyses data security and privacy evaluation techniques and frameworks that have been proposed for mHealth applications, as well as relevant research-based design recommendations. This work consolidates recent research on the topic to support researchers, app designers, end users, and healthcare professionals in designing, evaluating, recommending and adopting mHealth applications.

The article examines the theoretical and legal foundations of international regulation of medical data security in the context of the accelerated digitalization of the healthcare system. The author pays special attention to the analysis of regulatory legal acts aimed at protecting confidential medical information, including the European Union's General Data Protection Regulation (GDPR), World Health Organization guidelines on digital health, recommendations of the Organization for Economic Co-operation and Development (OECD), and the activities of other international institutions. The importance of forming unified legal standards and principles that ensure reliable protection of medical information in the context of global integration of digital healthcare systems is emphasized. The author also examines the risks associated with unauthorized access to data, their cross-border transfer, and the lack of unified approaches to the storage, processing, and use of personal medical data. The law enforcement practice of individual countries and the activities of regional associations, such as the European Union and the CIS, in the field of digital security and medical ethics are analyzed. The article concludes with specific proposals for harmonizing national legislation with international standards, developing a comprehensive policy for ensuring information security in the healthcare sector, and strengthening the role of regulatory bodies and transnational cooperation. At the same time, the need to maintain a balance between technological progress and fundamental human rights - privacy, immunity, and the protection of personal data - is emphasized.

The incompleteness of patient health data is a threat to the management of COVID-19 in Africa and globally. This has become particularly clear with the recent emergence of new variants of concern. The Virus Outbreak Data Network (VODAN)-Africa has studied the curation of patient health data in selected African countries and identified that health information flows often do not involve the use of health data at the point of care, which renders data production largely meaningless to those producing it. This modus operandi leads to disfranchisement over the control of health data, which is extracted to be processed elsewhere. In response to this problem, VODAN-Africa studied whether or not a design that makes local ownership and repositing of data central to the data curation process, would have a greater chance of being adopted. The design team based their work on the legal requirements of the European Union's General Data Protection Regulation (GDPR); the FAIR Guidelines on curating data as Findable, Accessible (under well-defined conditions), Interoperable and Reusable (FAIR); and national regulations applying in the context where the data is produced. The study concluded that the visiting of data curated as machine actionable and reposited in the locale where the data is produced and renders services has great potential for access to a wider variety of data. A condition of such innovation is that the innovation team is intradisciplinary, involving stakeholders and experts from all of the places where the innovation is designed, and employs a methodology of co-creation and capacity-building.

The European Union's general data protection regulation (GDPR) came into effect in May 2018. It is intended to prevent the unwanted sharing of private data and it has significant implications for healthcare research. A well-established research methodology that GDPR is likely to affect is the retrospective reviewing of patients' data. This has been used widely in healthcare research and commonly involves examining patients' medical records. To examine GDPR and its potential effects on the use of patients' data in healthcare research. Previous misuse of patients' data has affected public confidence in healthcare research. GDPR is intended to improve the public's confidence in the handling of their data, but it may negatively impact healthcare research. Researchers who want to review patients' data will need to consider consent issues carefully. GDPR does include exceptions to the rules of consent, but there is uncertainty about this process. If GDPR results in stricter requirements to achieve patients' consent in research, the validity of some studies may be affected. Nurse researchers and organisations may need to consider innovative ways of engaging patients in research. Research using patients' data has played an important role in shaping nursing and healthcare policy and practice. Imminent Europe-wide changes prompted by GDPR could affect how patients' data are used in research.

Software has become an integral part of human life. This gives rise to the need of developing software that respects human values such as transparency, fairness and privacy. Software that compromises on human values (e.g. privacy) can affect people's reputation and impinges on their ability to function in society with the usual freedom and autonomy. Integrating human values into software is, however, a challenging task due to its imprecise and subjective nature. Enforcing regulations is one way to make software development considerate of the desired standards and values. The European Union's General Data Protection Regulation (GDPR) on software is one such effort to protect EU citizens' data and personal information. GDPR prescribes data protection principles and data subject rights mainly to protect user privacy. Looking beyond privacy, we studied GDPR to identify the extent to which it covers human values. We mapped GDPR's data protection principles and data subject rights to a widely accepted human values structure adopted from social sciences. Our results show that GDPR addresses not only privacy but also several other human values including power, security and universalism. Moreover, fairness and transparency stand out as the most value-conscious principles prescribed in GDPR.

The European Union's General Data Protection Regulation (GDPR) is widely viewed as setting a new global standard for the protection of data privacy that is worthy of emulation, even though the relationship between the GDPR and existing international legal protections for the right to privacy remain unexplored. Correspondingly, this essay examines the relationship between these two bodies of law, and finds that the GDPR's provisions are neither necessary nor sufficient to protect the right to privacy as enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It argues that there are other equally valid and effective approaches that states can pursue to protect the right to privacy in an increasingly digital world, including the much-maligned American approach of regulating data privacy on a sectoral basis.

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

PurposeThis paper investigates the European Union's General Data Protection Regulation (GDPR) in information systems (ISs). The GDPR consists of 99 articles, and two articles are emphasised – namely Article 15, which deals with rights of access by the data subject, and Article 20, which deals with the right to data portability.Design/methodology/approach15 companies operating in the Norwegian consumer market were randomly selected. Each company received an inquiry pertaining to rights of access by the data subject (Article 15) and the right to data portability (Article 20). The research team carefully analysed the answers received and categorised the responses according to the two articles emphasised.FindingsThe findings show extensive variations among the companies in terms of response time, quality of feedback and how companies handle requests concerning rights of access by the data subject (Article 15) and the right to data portability (Article 20). Differences are also pertaining to the types of files, along with the content of these files. It should be noted, however, that most of the companies replied to the inquiry before the deadline. The findings show that companies comply better with Article 20 than Article 15. However, it appears that they do not differentiate between the two articles.Originality/valueThis study explores a research topic that is relatively new. It addresses a gap in the extant research by highlighting how the GDPR works in practice from a consumer's perspective. In addition, guidelines are offered to the consumers and companies affected by the GDPR.

Web pages have maintained their popularity from the moment the internet entered our lives becoming a social media catalogue for every sector. Websites facilitated and accelerated many processes such as reaching target audiences, advertising, or sales. Thus, the presence of every sector in the social environment was ensured. With the development of information technology, design opportunities have also developed and the visuality and attractiveness of web pages have gradually increased. Video and text effects are at the top of the design possibilities. Apart from the attractive possibilities of these developing design possibilities, they have also been used for malicious purposes such as stealing or damaging information. This study addresses how the use of Google Fonts conflicts with the European Union's General Data Protection Regulation (GDPR) and the ways to solve this problem. The GDPR has introduced strict rules on the protection and processing of personal data. However, Google Fonts, which is widely used by web developers and designers, sends users' IP addresses to Google's servers without explicitly stating how this data is processed. This is contrary to the GDPR principles of transparency and data minimization. This article elaborates on the privacy implications of using Google Fonts as well as the GDPR violations. As a solution, this study introduces alternatives such as local font hosting, open-source font libraries, and associated best practices. It also emphasizes the significance of the adoption of privacy-oriented design principles by web developers and designers and discusses the potential of these approaches to achieve GDPR compliance. In terms of theoretical and practical perspective, this study aims to provide a roadmap for harmonizing the use of Google Fonts and similar services with applicable privacy-related legislation.

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into force. EU citizens are granted more control over personal data while companies and organizations are charged with increased responsibility enshrined in broad principles like transparency and accountability. Given the scope of the regulation, which aims to harmonize data practices across 28 member states with different concerns about data collection, the GDPR has significant consequences for individuals in the EU and globally. While the GDPR is primarily intended to regulate tech companies, it also has important implications for data use in scientific research. Drawing on ethnographic fieldwork with researchers, lawyers and legal scholars in Sweden, I argue that the GDPR's flexible accountability principle effectively encourages researchers to reflect on their ethical responsibility but can also become a source of anxiety and produce unexpected results. Many researchers I spoke with expressed profound uncertainty about 'impossible' legal requirements for research data use. Despite the availability of legal texts and interpretations, I suggest we should take researchers' concerns about 'unknowable' data law seriously. Many researchers' sense of legal ambiguity led them to rethink their data practices and themselves as ethical subjects through an orientation to what they imagined as the 'real people behind the data', variously formulated as a Swedish population desiring data use for social benefit or a transnational public eager for research results. The intentions attributed to people, populations and publics - whom researchers only encountered in the abstract form of data - lent ethical weight to various and sometimes conflicting decisions about data security and sharing. Ultimately, researchers' anxieties about their inability to discern the desires of the 'real people' lent new appeal to solutions, however flawed, that promised to alleviate the ethical burden of personal data.

The revolution of the digital era has swept through privacy laws across the globe. Widespread application of data harvesting, storage, and transmission on digital media, social networks, and Internet of Things (IoT) has posed connected legal and ethical questions regarding protection of personal data. This paper discusses the evolution of privacy laws, with a focus on the change from traditional legal structures to modern, data-oriented laws. It covers significant milestones in privacy legislation, such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the impact of emerging technologies on the application and interpretation of privacy laws. The research discovers the relevant problems that the digital age has raised, including data protection vs. innovation, consent and transparency problems, and mounting issues of data breaches and cyber security. The essay also considers the role played by international co-operation in shaping privacy law through terms of global data flows and cross-national data exchange. From a review of existing case law and scholarship, the paper gives the evolution of privacy law from their earliest origins through to today and considers the future of privacy protection in an increasingly networked world. It finally advocates for flexible legal regimes that evolve to keep up with ongoing technological change without trading off individual rights to privacy.