Your Consent Is Worth 75 Euros A Year – Measurement and Lawfulness of Cookie Paywalls
Victor Morel, Cristiana Santos, Yvonne Lintao, Soheil Human
Workshop on Privacy in the Electronic Society [Los Angeles, USA], 7 November 2022
Most websites offer their content for free, though this gratuity often comes with a counterpart: personal data is collected to finance these websites by resorting, mostly, to tracking and thus targeted advertising. Cookie walls and paywalls, used to retrieve consent, recently generated interest from EU DPAs and seemed to have grown in popularity. However, they have been overlooked by scholars. We present in this paper 1) the results of an exploratory study conducted on 2800 Central European websites to measure the presence and practices of cookie paywalls, and 2) a framing of their lawfulness amidst the variety of legal decisions and guidelines.
Data Medicine: ‘Broad’ or ‘Dynamic’ Consent?
Henri-Corto Stoeklé, Elisabeth Hulier-Ammar, Christian Hervé
Public Health Ethics, 2 September 2022
The General Data Protection Regulation imposes, at European level, a need to seek express or explicit consent for the processing of health data. In the framework of biomedical research, some favor the use of express ‘broad’ consent, whereas others maintain, or wish to maintain, the use of presumed or implicit consent, often referred to as ‘non-opposition’ in conditions in which such consent is still authorized. In our view, broad consent and presumed consent are likely to prove to be easy solutions in the short term but much less relevant in the long term, for both hospital and patients, if the bioethical objective remains the improvement of patient quality of life and/or survival, regardless of the disease considered. Dynamic consent could be the best way to achieve this objective because only this type of consent could improve hospital transparency and increase patient confidence by allaying certain fears.
Broad Consent—Are We Asking Enough?
Lisa E. Smilan
Ethics & Human Research, 1 September 2022
Biobanks and health data repositories provide rich reservoirs of information for use in biomedical research. These repositories depend on participants donating identifiable health data and biospecimens that may be used in perpetuity by unlimited numbers of researchers for unnamed research topics. Since 1991, U.S. federal regulatory provisions, collectively known as the Common Rule, have required informed consent of participants in federally funded human subjects research, but recent changes to the Common Rule now sanction “broad consent” in the repository research context. Broad consent is not defined in the revised Common Rule; thus, researchers and their institutions are left to determine ad hoc what broad consent means and requires. Without leadership and guidance from the U.S. Department of Health and Human Services, stakeholders with potential conflicts of interest will reach their own conclusions and craft new and varied standards for consent. The result will be uneven protections for participants.
Patients’ Willingness to Provide Their Clinical Data for Research Purposes and Acceptance of Different Consent Models: Findings From a Representative Survey of Patients With Cancer
Anja Köngeter, Christoph Schickhardt, Martin Jungkunz, Susanne Bergbold, Katja Mehlis, Eva C Winkler
Journal of Medical Internet Research, 25 August 2022
Secondary use of clinical data for biomedical research purposes holds great potential for various types of noninterventional, data-driven studies. Patients’ willingness to support research with their clinical data is a crucial prerequisite for research progress.
The aim of the study was to learn about patients’ attitudes and expectations regarding secondary use of their clinical data. In a next step, our results can inform the development of an appropriate governance framework for secondary use of clinical data for research purposes.
A questionnaire was developed to assess the willingness of patients with cancer to provide their clinical data for biomedical research purposes, considering different conditions of data sharing and consent models. The Cancer Registry of the German federal state of Baden-Württemberg recruited a proportionally stratified random sample of patients with cancer and survivors of cancer based on a full census.
In total, 838 participants completed the survey. Approximately all participants (810/838, 96.7%) showed general willingness to make clinical data available for biomedical research purposes; however, they expected certain requirements to be met, such as comparable data protection standards for data use abroad and the possibility to renew consent at regular time intervals. Most participants (620/838, 73.9%) supported data use also by researchers in commercial companies. More than half of the participants (503/838, 60%) were willing to give up control over clinical data in favor of research benefits. Most participants expressed acceptance of the broad consent model (494/838, 58.9%), followed by data use by default (with the option to opt out at any time; 419/838, 50%); specific consent for every study showed the lowest acceptance rate (327/838, 39%). Patients expected physicians to share their data (763/838, 91.1%) and their fellow patients to support secondary use with their clinical data (679/838, 81%).
Although patients’ general willingness to make their clinical data available for biomedical research purposes is very high, the willingness of a substantial proportion of patients depends on additional requirements. Taking these perspectives into account is essential for designing trustworthy governance of clinical data reuse and sharing. The willingness to accept the loss of control over clinical data to enhance the benefits of research should be given special consideration.
Digital Transformation of Big Data
Po-Chang Lee, Chih-Hsing Ho, Joyce Tsung-Hsi Wang
Digital Health Care in Taiwan, 14 August 2022; pp 219–228 [Springer]
The virtual National Health Insurance (NHI) card not only represents digitization but also enables contactless health care during the pandemic. Under the process of full-scale digitization, the National Health Insurance Administration (NHIA) continues to refine the health service delivery measures, especially in the field of home-based medical care and telemedicine.
Under the personal data protection regulation, the NHI data are opened for academic research purposes. More than 6550 published journal articles have utilized the NHI data, and these articles are made searchable online to support health policy management and clinical research. The NHI medical images combined with the application of artificial intelligence (AI) are the cornerstones of Taiwan’s smart health care. Domestic research teams are eligible to use the NHI database to verify or build their AI models after their research proposals are approved by the Management Council of the AI Application of NHI Data. The NHIA also plans to use NHI big data to develop digital patient decision aids by establishing a two-way digital interaction model to address the concerns of the healthcare providers and the public. By comparing the secondary use of health data in different countries, Taiwan is seeking a balance between innovation and conservative policies and is creating an environment that ensures the well-being of the next generation.
Big Health Data Research and Group Harm: The Scope of IRB Review
Megan Doerr, Sara Meeder
Ethics & Human Research, 8 July 2022; 44(4) pp 34-38
Much of precision medicine is driven by big health data research—the analysis of massive datasets representing the complex web of genetic, behavioral, environmental, and other factors that impact human well-being. There are some who point to the Common Rule, the regulation governing federally funded human subjects research, as a regulatory panacea for all types of big health data research. But how well does the Common Rule fit the regulatory needs of this type of research? This article suggests that harms that may arise from artificial intelligence and machine-learning technologies used in big health data research—and the increased likelihood that this research will affect public policy—mean it is time to consider whether the current human research regulations prohibit comprehensive, ethical review of big health data research that may result in group harm.
Formal Models for Consent-Based Privacy
Neda Peyrone, Duangdao Wichadakul
Journal of Logical and Algebraic Methods in Programming, 20 June 2022
The General Data Protection Regulation (GDPR) has changed the way businesses handle personal data. The GDPR is a set of conditions within the European Union (EU) law on data protection and privacy. The law requires software systems that store and manage personal data to use only the necessary information (‘data minimisation’) and manage the information fairly and appropriately (‘lawfulness, fairness and transparency’). Furthermore, personal data that can lead to direct or indirect identification must be kept safe. Therefore, the risk management of personal data within software mainly depends on the developers’ experience. The consent under the GDPR is an agreement between organizations (‘data controllers’) and individuals (‘data subjects’), which provides provisions for protecting personal data. The data controller must gain explicit consent from the data subject before collecting and processing the data. Hence, consent management is an essential component of a software system. This research proposes a set of formal models for consent management that take Privacy by Design (PbD) into account. We used the Event-B method to formalize the proposed models close to a real system. The Rodin platform proved each Event-B model to be correct and deadlock-free. We also described how developers could transform Event-B models into the actual codes and demonstrated this result by mapping Event-B models into class diagrams. The proposed models meet consent compliance and privacy awareness requirements. In particular, the models cover certain aspects of privacy, including managing the consent of data subjects and controlling authorized access based on the data subject’s consent.
Consent and the Right to Privacy
Journal of Applied Philosophy, 2 June 2022
There is currently intense debate about the significance of user consent to data practices. Consent is often taken to legitimate virtually any data practice, no matter how invasive. Many scholars argue, however, that user consent is typically so defective as to be ‘meaningless’ and that user privacy should thus be protected by substantive legislation that does not rely (or does not rely heavily) on consent. I argue that both views rest on serious mistakes about the validity conditions for consent. User consent is sufficiently impoverished that it does not guarantee legitimacy but is not so impoverished as to be ‘meaningless’; it can legitimate data practices that are independently reasonable but not those that are exploitative. Since many valuable data practices must be consented to if they are to be legitimate (or so I argue), our privacy legislation should continue emphasizing the importance of user consent, even if auxiliary protections are also desirable.
Emergency department patients’ attitudes towards the use of data in their clinical record for research without their consent
Chase Schultz-Swarthfigure, Anne-Maree Kelly, Deborah Zion
Journal of Medical Ethics, 18 May 2022
Health research often uses health information, a subcategory of personal information, collected during clinical encounters. Conditions under which such health information can be used for the secondary purpose of research are set out in state, national and international law. In Australia, consent is required or the relevant conditions for a waiver of consent must be met and approved by a human research ethics committee (HREC). Consent for use of health information for research is rarely sought at an emergency department (ED) presentation. Research often occurs after the index visit and gaining consent can be difficult. Waiver of consent provisions are frequently used, but acceptability of this approach to patients is unclear.
To identify ED patients’ knowledge and attitudes towards the use of health information for research, consent preferences and acceptability of waiver of consent.
An online, anonymous survey of adult patients attending two large EDs in Melbourne, Australia.
103 patients completed the survey. We found that 52% were unaware that health information might be used for research. A majority (77%) felt that HREC approval for use of health information without consent was acceptable. However, 36% would prefer to be contacted regarding consent.
These findings suggest a lack of awareness that health information can be used for research and that waiver of consent is acceptable, but not necessarily preferred, in most of the ED patient population. Efforts to increase awareness and provide opportunities to express preferences about health information use for research are needed.
Patient-centered cross-enterprise document sharing and dynamic consent framework using consortium blockchain and ciphertext-policy attribute-based encryption
Liang Zhang, Haibin Kan, Honglan Huang
Proceedings of the 19th ACM International Conference on Computing Frontiers, 17 May 2022; pp 58–66
Patient-centered healthcare data sharing and data usage consent are gaining popularity. Cross-enterprise document sharing (XDS) is the crucial system of sharing personalized healthcare data. Furthermore, dynamic consent is vital to the XDS system, because it respects people’s autonomy and achieves recognition of data sovereignty. Because of its transparency, blockchain is a powerful system for managing storage and computing without a trusted third party. Besides, ciphertext-policy attribute-based encryption (CP-ABE) extends public-key encryption by implying access control policies in ciphertexts, making it suitable for protecting the privacy of individual healthcare data in versatile cases. Particularly, we use hospital name, “date” and “department” as attribute strings in the access control policies. Consequently, based on consortium blockchain and CP-ABE, we propose a patient-centered XDS and a dynamic consent framework. Compared with previous related literature, we make the proposed framework consistent with current practices and achieve favorable criteria, such as data confidentiality, data recoverability and time-aware ciphertext. Further, we conduct comprehensive experiments to show the feasibility and practicality.