Consent, control and compliance : legal perspectives on processing health data in the development of AI through anonymization and pseudonymization under the GDPR
Pakarinen, Alari (2025)
Lapin yliopisto
2025
All rights reserved
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi-fe2025042229481
https://urn.fi/URN:NBN:fi-fe2025042229481
Tiivistelmä
This thesis explores the legal and ethical challenges associated with processing health data for artificial intelligence (AI) development under the General Data Protection Regulation (GDPR). Specifically, it examines how privacy-preserving techniques, such as anonymization and pseudonymization, reconcile GDPR’s consent requirements with the practical needs of utilizing sensitive health data in AI training. The study addresses the complexities of defining personal, pseudonymized, and anonymized data, particularly in the context of multiple parties involved in AI development.
Using a legal-doctrinal approach, the research highlights that the anonymity of data can vary depending on the parties’ capabilities to identify its origin. For example, data pseudonymized by a hospital may be considered anonymized once transferred to an AI developer, provided the developer does not have access to the original dataset or operate under the authority of the hospital. When data is rendered anonymous for the AI developer, consent from the data subject is no longer required under the GDPR. Consequently, the focus of consent should shift to the anonymization process itself, ensuring that robust safeguards and appropriate data handling practices are in place to achieve genuine anonymization.
The findings emphasize that the GDPR, when effectively implemented, provides a pathway to balance technological innovation and data protection. By clarifying the roles of parties and enforcing robust safeguards, such as separating data sets and ensuring access restrictions, hospitals and AI developers can mitigate risks and build trust among patients, authorities, and the public. The study offers actionable recommendations for policymakers, healthcare organizations, and AI developers to navigate the intersection of legal compliance and ethical data use. It concludes by advocating for a harmonized regulatory framework that supports responsible and compliant AI innovation in the healthcare sector.
Using a legal-doctrinal approach, the research highlights that the anonymity of data can vary depending on the parties’ capabilities to identify its origin. For example, data pseudonymized by a hospital may be considered anonymized once transferred to an AI developer, provided the developer does not have access to the original dataset or operate under the authority of the hospital. When data is rendered anonymous for the AI developer, consent from the data subject is no longer required under the GDPR. Consequently, the focus of consent should shift to the anonymization process itself, ensuring that robust safeguards and appropriate data handling practices are in place to achieve genuine anonymization.
The findings emphasize that the GDPR, when effectively implemented, provides a pathway to balance technological innovation and data protection. By clarifying the roles of parties and enforcing robust safeguards, such as separating data sets and ensuring access restrictions, hospitals and AI developers can mitigate risks and build trust among patients, authorities, and the public. The study offers actionable recommendations for policymakers, healthcare organizations, and AI developers to navigate the intersection of legal compliance and ethical data use. It concludes by advocating for a harmonized regulatory framework that supports responsible and compliant AI innovation in the healthcare sector.
Kokoelmat
- Pro gradu -tutkielmat [4650]