Matthew Cunningham-Cook: How the TPP Will Create a Medical Privacy Hellscape

By Matthew Cunningham-Cook, who has written for the International Business Times, The New Republic, Jacobin, Aljazeera, and The Nation and has been a labor activist

On October 6, the European Court of Justice issued a sweeping ruling invalidating the existing cross-Atlantic data transfer agreement, putting the entire business model of companies like Facebook and Google at risk. The ruling gives data privacy regulators in individual EU states  expansive powers to demand data localization from multinational tech firms. Observers noted that the Snowden revelations contributed to the decision, with EU judges looking unfavorable at the fact that the NSA had basically unfettered access to the data of EU citizens.

Lo and behold, just a month later comes a trade agreement that will make sure that Facebook and Google’s little legal problems in Europe won’t happen in. say, Australia, Japan, New Zealand or Canada.

To wit, from the TPP’s electronic commerce chapter:

Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.

Public Citizen as always had a good rundown, right after the TPP’s release. “The E-Commerce chapter has serious implications for online privacy,” said Peter Maybarduk, director of Public Citizen’s information society program. “The text reveals that policies protecting personal data when it crosses borders could be subject to challenge as a violation of the TPP.”

The Public Citizen press release also points out that “These TPP standards replicate language in World Trade Organization agreements under which tribunals have ruled against domestic policies in 43 of 44 challenges.”

But beyond the E-commerce chapter’s impact on Facebook and Google, which has been discussed, I’m interested in how there is no carveout for medical data. The TPP language means that insurers and other companies can take medical data across borders willy-nilly without any type of fear of running into pesky data privacy laws–like, say HIPAA,  which protects personal health information from misuse.

This is particularly interesting in the case of Vietnam. A memo from the international law firm Russin and Vecchi states that:

Notwithstanding the existence of some privacy regulations that relate to healthcare services, certain gaps remain. Is a healthcare entity liable for a breach of a patient’s privacy by a doctor or medical worker employed by that entity? If yes, to what extent is the healthcare entity liable? May private information about a patient be stored, used and transferred within a healthcare entity and, if so, to what extent? Who may have access to a patient or his private information during a medical examination and/or treatment?

Basically a legal wild west for data, now in the TPP zone, being advertised as a great place for more IT offshoring.

It’s unfortunately widely accepted–even in the EU–that companies like Facebook and Google consider consumer data a commodity to be bought and sold. There is little variance across the world as to this fact. But medical data is a whole other area entirely, with a range of laws protecting medical privacy across the TPP zone. But what happens when medical data is transferred to another country? The EU’s  Directive on Data Protection explicitly prohibits the offshoring of EU citizen data to countries with lower security standards. But HIPAA has none of the same protections–an overhaul of HIPAA to make its protections stronger could be prevented by TPP rules.

The Inspector General of the Department of Health and Human Services already found data protections sorely lacking in 2014, when it wrote: “For example, Medicaid agencies or domestic contractors who send [personal health information] offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections to support HIPAA compliance.”

So the short of it is this: medical data protection in the US is already poor compared to the EU, and TPP could preempt any effort to strengthen protections–sending any changes directly to an investor-state tribunal, where it is more likely than not to be overturned.

Yet another reason to oppose this truly awful, anti-people deal.

Print Friendly, PDF & Email


  1. Torsten

    And, cf. Lambert’s post in yesterday’s Links illustrating just how noisy and labyrinthine medical databases are: Even more so than routine public records data, they are riddled with noise, much of the noise being potentially lethal. The great danger is not merely to targeted persons’ records, but the probability of collateral damage to unintended targets.

    1. JTMcPhee

      …interesting, using the language of warfare to characterize this drone-equivalent attack on the old Body Politic…”collateral damage to unintended targets”: how the memes pervade and penetrate and pervert our collective idiocies…

  2. pintada

    “… data privacy laws–like, say HIPAA, which protects personal health information from misuse.”

    Actually, I have personal knowledge that WellPoint (the largest blue cross insurance company in the US) has shipped personal health information to India for the past decade at least. In the HIPAA regulations, that practice is supposedly regulated, but the Justice Department was not interested in my official complaint. Apparently, the administration trusts the data security of WellPoint without reservation, even after the company lost control of millions of records last spring.

  3. flora

    OMG. Already insurance co and medical record data bases have been hacked. They want to set up more hacker target points off shore? What a ducky idea. This attempt to codify in law the idea that one’s personal data is corporate property is repugnant.

  4. TedWa

    If they’re looking to open more ways to blackmail people, politicians, military leaders, etc… this would be it.

  5. Kris Alman

    This article is spot on. Canadians are rightfully worried.

    Oregon used Milliman Inc. to both store and analyze claims data in an All Payer All Claims Database. (Without consent of course!) Milliman is a global actuarial company.

    Milkman’s contract with the Oregon Health Authority is available at this link.

    Contractor agrees to hold Confidential Information in confidence, using at least the same degree of care that Contractor uses in maintaining the confidentiality of its own confidential information, and not to copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to third parties (other than its subcontractors solely for the provision of Services to Agency hereunder), or use Confidential Information for any purposes whatsoever other than the provision of Services to Agency hereunder, and to advise each of its employees and agents of their obligations to keep Confidential Information confidential.

    While the contract notes that their data is in “a secured, off-site co-location facility in Seattle, Washington,” there is nothing in the contract that would preclude storage off-shore.

    The competing services clause states “nothing in this Contract shall preclude or limit in any way the right of Contractor to: (i) provide services similar to those contemplated in this Contract, or consulting or other services of any kind or nature whatsoever to any individual or entity as Contractor in its sole discretion deems appropriate; or (ii) develop for Contractor or for others deliverables or other materials that are competitive with those produced as a result of the Services provided hereunder, irrespective of their similarity to the Deliverables.”

    So, I’m no lawyer… but what would stop them from seeking Google or Amazon Web Services for their data center?

    Google is off and running with Amazon Web Services in wooing corporate customers.

    The House Oversight and Government Reform Committee recently held hearings on data security. They released a scorecard assigning letter grades to federal agencies on their implementation of the bipartisan Federal Information Technology Acquisition Reform Act (FITARA), enacted in December 2014. This was in reaction to the OPM and IRS data breaches. (And I have been impacted by both!)

    All federal agencies are failing to keep data secure.

    Department of Ed had the worst scorecard (All Fs except for 1 D) and a separate hearing. This agency uses 3 vendors for their data centers and pay no attention to the contractors that maintain databases. The CIO for USED is strictly adhering to an OMB definition of data centers when he maintains they have adequately centralized their data. And never mind that the systems could be penetrated!

    • The Department of Education (DoEd) has at least 139 million unique social security numbers in its Central Processing System (CPS).
    • Reminiscent of OPM’s dangerous behavior, DoEd is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.
    o In the IG’s latest report, there were 6 repeat findings and 10 repeat recommendations.
    o The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication
    o The Department received an “F” on the FITARA scorecard
    • The Department maintains 184 information systems.
    o 120 are managed by outside contractors
    o 29 are valued by the Office of Management and Budget (OMB) as “high asset”
    • The National Student Loan Database (NSLD) houses significant loan borrower information. There are 97,000 accounts/users with access to this significant data yet only 5,000, less than 20%, have undergone a background check to establish security clearance.
    o The IG penetrated DoEd systems completely undetected by both the CIO or contractor
    • The Department needs significant improvement in four key security areas:
    o Continuous monitoring
    o Configuration management
    o Incident response and reporting
    o Remote access management

    Google is one of the biggest repositories for education data through Google Apps for Education. I have recently obtained Oregon’s current contract with Google.

    Section 1.7 Data Transfer: As part of providing Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.

  6. JTMcPhee

    This post seems to be mostly about vulnerabilities. A while back, it occurred to me that it might be possible to construct something along the lines of the Bulletin of Atomic Scientists Doomsday Clock, with the index of concern being “vulnerability” rather than “threat.” A thought I posted here for the heck of it.

    So: “We” continue, us ordinary people, to be ever more and more vulnerable, in our persons and property and Purfuit of Happineff, and either more apprehensive, on some geometric scale, or more suppressed because of the enormity of It All. Vulnerable to nuclear arsenals, of course, to teeming megatons of “conventional weapons” and their delivery systems, to that whole raft of chemical and biological and nano and autonomous-killing-robot stuff that’s coming on line. All that stuff, whether expressly part of the “defence idiocy” bubble that is always in search of weaponizable or improved-lethality horrors, and excuses and locales to deply them, or in the fetid imaginations of “scientists” who decide it would be really cool to resurrect or re-create the 1917 influenza virus particle, or see if current flus can be generation-skipped and augmented to avoid the human immune system, and how about drones of all sizes from sand flea to the flying machines from “Terminator” movies. And vulnerable because the imaginary boundaries of nation-states and “ruleoflaw” have pretty much vanished. And of course there’s “code,” present, future and legacy, with all its promise of “profit” and all the endless perverse uses it’s actually put to, killing privacy and killing people. And then there’s the Dimons and Blankfeins and Buffetts and Gates’s and so forth, using the giant club labeled “markets” to beat the rest of us to near death, behind the shield of financialized Too Big To Do Anything About.

    So “we” also get to be ever-increasingly vulnerable to personal public or covert exposure, and identity and wealth theft including being relieved of our homes by fraudulent foreclosure, and concealed- and open-carry mass killings, and of course those cops who are now being told they need to shoot more people, and all the financializers and their incredibly inventive inventories of scams. And on the global scale, the US Imperial military with its beyond-control expenditures and enormous spread to blanket the world with “COMs” that take “responsibility” for everything except the horrors they create by just doing the only stuff they know how to do, as constantly amended and expanded.

    It would be nice if there were system-wide means to reduce if not eliminate vulnerabilities, which I guess are really a different way of looking at “threats.” Failing that, to build such cushions and walls as we mopes can, to protect our little lives and those we love from all the other stuff that inventive chimp-brains can come up with, fed and financed by the rest of us.

    Some of these items are factored into the Bulletin of Atomic Scientists’ algorithms. What might be missing from the subtle realities under all this is that the current “analysis” that our rulers and their minions employ, and that we mopes have come to internalize too, is all about “threats.” Too bad that can’t be turned around to have us mopes thinking about the vulnerabilities that we collectively create and sustain and suffer, and then what might be done to reduce our vulnerabilities to others and our less-better natures…

  7. Questor

    I do, really, understand that everyone wants to feel safe…inviolate against other’s knowing one’s business, or taking one’s property, or simply being physically safe from being shot, or blown up, or targeted by some insane scientists idea of what would be fun to find out (regardless of the cost to others of that insane curiousity).

    What I do not understand is where this idea of inviolable privacy, or protection of ownership rights in property, or safety of body and mind came about.

    I cannot recall a time in history when everyone who was anyone was NOT trampling on the underclass, and stealing everything in sight, and killing at will.

    Where did this insane idea…that life was safe…come from? Nature constantly proves that we are always at risk, and nature, the physical universe, is always on the rampage somewhere. And mankind has always been raping and pillaging someone.

    Nowadays, those in command of day to day affairs on this planet simply slap a legal ruling around such action, and politely, or even rudely, force one to comply.

    I see very little difference in what is going on in the world except that everyone wants to be in that safe place that everyone talks about, and yet no one I know seems to be able to find any such place.

    Discomfort and unfairness and death are guaranteed in this mortal coil. All that one can do is attain the ability to enjoy life in spite of it all, while doing what one can do, to do no wrong to anyone, to be kind to one another, and to walk humbly with one’s G-d.

  8. Wade Riddick

    This isn’t even the most interesting question.

    What will they do with this information?

    Why, seek rents, of course! Patients make the perfect captive market to extort.

    Owners of patented drugs employ an army of lobbyists whereas makers of cheap, rival generics containing public domain chemicals cannot match the rent-seeking networks.

    Imagine if big pharma pipes private medical data out of the country to examine it away from regulatory scrutiny, finds certain patients with certain illnesses are suppressing corporate profits by substituting cheap, non-patented chemicals and then they decide to have drug reps – or worse, medical licensing boards – threaten doctors for writing off-label prescriptions. If they can drive down use of their competitors, patients seeking relief will have nowhere else to turn and these corporations can drive up their own profits.

    What will stop them?

    There are plenty of cheap chemicals that have long been effective for various conditions and their use is supported by all sorts of data; these chemicals simply haven’t been through expensive clinical trials because no one has exclusive rights to them.

    It’s the classic pattern of rent-seeking. Deny the public access to a public good and force them to use an inferior, more expensive private substitute so the politically connected “aristocrat” can collect rents from people using his “estate” – in this case, the intellectual property of a patented molecule.

    If you think corporations won’t intrude on the practice of medicine even more than they already have using the provisions in these kinds of anti-science treaties, you’re kidding yourselves. Imagine them suing the FDA for allowing off-label use in the first place as granting an unfair competitive advantage to someone who never paid for a clinical trial. Imagine them suing over a competing molecule that’s been grandfathered in with the original FDA act.

    I don’t think you guys understand how many people are already dying from these price-fixing schemes and carefully scripted shortages. The pharma cartel will use any tool at its disposal to shut down its rivals. Rent-seeking is the only analysis that explains exactly why we’ve seen everything from Valeant to market-rigging limitations in compounding pharmacies, exploding prices and chronic drug shortages. When prices are exploding, why would shortages occur in so many of the cheapest generics?

    If you don’t prepare yourself for this and fight it now, when you’re healthy, then you’re really going to get clobbered once you’re sick and need some specialty chemical. Citizen medical autonomy is definitely not a goal of this government. Think about all the lobbyists who would scream bloody murder if it were.

Comments are closed.