How secure is our health-related data in the digital age?

Share

Author: Ani Mikiashvili – Visiting Trainer at the Legal Concept training center; Legal Practitioner in the healthcare sector.

The collection and subsequent use of health-related data represent one of the most complex issues at the intersection of medical law, personal data protection, and digital innovation. This is particularly relevant in cases where data collected for medical services is subsequently used for research, analytics, or technological development.

Both European and Georgian law provide special protection for health data as a special category of personal data. According to Article 9 of the GDPR, the processing of health data is prohibited unless there is a specific legal basis, such as explicit consent, public health objectives, or scientific research, provided that appropriate protective mechanisms are in place.

A similar principle is established by the Law of Georgia “on Personal Data Protection,” according to which data must be collected only for specific, predefined purposes, and its use in a manner incompatible with the original purpose is prohibited.

In this context, the data controller bears significant obligations, including: ensuring the lawfulness of data processing, adhering to the principle of purpose limitation, implementing appropriate technical and organizational measures for data security, and conducting a compatibility assessment in cases of secondary use.

The jurisprudence of the Court of Justice of the European Union (CJEU) provides various interpretations regarding this matter. In the Lindenapotheke case (C-21/23, 2024), the Court noted that information that enables conclusions to be drawn about a person’s health status must also be considered health data and, consequently, be subject to special legal protection. Furthermore, in Meta Platforms v Bundeskartellamt (C-252/21, 2023), the Court once again emphasized that large-scale data processing must be carried out in full compliance with GDPR principles, including the principles of purpose limitation and proportionality.

For Georgia, this issue is particularly relevant against the backdrop of the rapid digitalization of the healthcare sector, the development of electronic medical systems, and the growth of scientific research. Although Georgian legislation largely shares European data protection principles, the legal assessment of the secondary use of health data, the determination of purpose compatibility, and the effective implementation of appropriate protection mechanisms remain challenges in practice.

An op-ed is a non-editorial category where authors share their ideas and positions. Texts published in this format represent the author’s opinion only and may not necessarily reflect the editorial board’s views.

Share

spot_img

Other news