According to recent research, data protection breaches involving health-related sensitive data might occur through a mere video scan of an individual’s face.

Face scan technology

According to a recent study, cardiac diseases can be identified and diagnosed using contactless video monitoring of the face through a technology and an algorithm that scan the face and detect skin colour changes imperceptible to the naked eye.  Colour changes detected by video monitoring corresponded with an individual’s heart rate as detected on an electrocardiogram.

Google Vividown precedent

While this is a very interesting improvement, it also raises some data protection issues relating to the potential development of such technologies. Indeed, as experienced by Google in the recent Vividown case, where a video posted by a user on Google Video showing a handicapped minor was challenged for illegal processing of sensitive data, the possibility of gaining information about the health conditions of an individual through a mere video might trigger the unlawful processing and disclosure of personal data.

Data protection issues

I previously discussed the data protection issues relating to eHealth technologies, and indeed the processing of health-related sensitive data gives rise to considerable obligations in terms of the privacy information notice to be given to individuals, the handwritten consent to be obtained from them, the security measures to be implemented in the storage of such data, etc.

Yet the breach of such obligations may lead not only to potential fines, which under the new EU Data Protection Regulation will reach up to 5% of the global group turnover of the breaching entity, but also to criminal sanctions against the directors of the company liable for the relevant decisions that caused the breach, as was initially brought against Google’s directors in the case referred to above.

If the development of such technologies makes it possible to scan individuals’ faces and obtain health-related data about them through a mere video taken, for instance, at an event, this might considerably increase, on the one hand, the potential unlawful processing of personal data and, on the other hand, the compliance obligations to which entities operating such videos will be subject. Likewise, wearable technologies might be able to gain data about users in ways that were unpredictable until recently.

The above will require a higher level of data protection compliance, including in the storage of collected data, to avoid risks of cybercrime.