story
We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.
We ran our servers in the United States.
We could not sell our product in France, until we stood up servers in France to store and process the data.
Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.
What monsters we were for running our servers in the U.S., right?
Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a highschool science experiment with live ants.
The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.
But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)
If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.
It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.
And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.
At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.
Walk me through exactly what you would like to happen.
If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.
Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.
The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.
We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)
(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)
My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:
(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.
(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.
(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.
(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?
I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need Computer literacy on higher levels for the experts.
Tell me you were at least running anonymisation software in hospitals before you transferred?
We don't do it for fun. This is a part of patient care.
Radiologists awake in Australia can read images from the United States. It saves lives.
The radiologists are licensed and certified in the hospitals and states.
And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.
If you want to freak out, medical records are sent by fax machine ALL THE TIME.
I am truly interested in this since I am in EU and use Azure for similar processing.
So blaming the GDPR and new rules, seems a bit weird in this case.
Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.
And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.
