Alphabet’s London-based AI lab DeepMind made history in 2016 when its AlphaGo software defeated a champion at the complex board game Go. On Tuesday the company said it was handing off a seemingly much simpler software challenge: a healthcare app for hospital staff called Streams being tested by UK hospitals.
That project and its staff will be transferred to DeepMind’s much larger sister Google. The announcement prompted an outcry from privacy researchers, which, along with legal constraints on the move, illustrate the challenges Google faces expanding its data-hungry operating style into the more sensitive business of healthcare. Last week, Google hired veteran healthcare executive David Feinberg, who previously led Pennsylvania health system Geisinger, to unify its scattered health projects.
Google didn’t respond to a request for comment on its plans. A DeepMind spokesperson said transferring Streams to Google would not change the project’s strict controls on use of data, which remains under the control of its partner hospitals.
Google acquired DeepMind in 2014 for a reported $650 million. The following year DeepMind became part of the new holding company Alphabet, and started working with north London’s Royal Free hospital on a project to reduce deaths from acute kidney injury, a form of sudden kidney failure that can be fatal. The project coalesced around an app called Streams that can alert staff when patients show early signs of the condition—and quickly earned regulatory scrutiny.
UK magazine New Scientist revealed that the project’s data-sharing agreement gave DeepMind access to five years of expansive health records for 1.6 million people. Some of the data seemed unnecessary for Streams to function; it included details such as whether a person was HIV positive, had suffered depression, or had had an abortion. In 2017, UK data regulator the Information Commissioner’s Office said Royal Free had breached the law by allowing DeepMind to use the data without appropriate patient consent, and providing a broader swath of data than justified. The hospital was required to audit its project but wasn’t fined, and DeepMind was not cited.
DeepMind has tried to deflect criticism about its data use, promising that “data will never be connected to Google accounts or services, or used for any commercial purposes like advertising or insurance.” Tuesday’s announcement that it is transferring the whole project to Google sparked renewed concerns among some privacy researchers. “The big story here is Google wants to have all the health data it can,” says Eerke Boiten, a professor of cybersecurity at De Montfort University in the UK. “Its promises have not proved to be reliable.”
History suggests cause for concern. When Google acquired online ad network DoubleClick in 2008, it played down the idea it would merge the two company’s datasets, and kept them separate for almost a decade. In 2017, at a time it was losing market share to Facebook, Google merged the data troves after all.
Rahael Maladwala, a healthcare analyst at research firm GlobalData, says Google has clear ambitions in healthcare. In 2011, the company abandoned its first major health project, a records service called Google Health, after weak interest from patients or providers, but it is showing renewed interest. Google lately has spun up projects such as testing AI software to diagnose eye disease in India, and launching health-tracking mobile software to compete with Apple’s HealthKit for iPhones. Google’s top AI boss said last week that new hire Feinberg would help organize the company’s various projects, and coordinate more with fellow Alphabet company Verily, which works on life sciences R&D.
Google isn’t the only data-centric tech company with growing healthcare ambitions. Amazon is building a healthcare delivery company with Berkshire Hathaway, and JP Morgan. Maladwala says the slow digitization of healthcare has reached a point where tech industry data smarts can significantly improve diagnoses and efficiency. “We’re going to see a lot more technology companies moving into healthcare,” he says.
Legal complications surrounding Google’s planned absorption of Streams show how tech companies can’t roll out their usual data-centric strategies unimpeded. Google is less free to do as it wants with data from the clinic than it is with records of online activity. In the US and Europe, health data is subject to special protections that constrain moves like the one DeepMind announced Tuesday more difficult. Under UK data protection law, DeepMind is not the “controller” of the clinical data crunched by Streams, its partners are. That means Google doesn’t own the data or get to choose how it is processed and used. Similarly in the US, the federal HIPAA law prevents organizations working with health data from arbitrarily adapting it to new purposes.
Worse for Google executives who want to move quickly, the company can’t immediately assume DeepMind’s contracts with hospitals. Those institutions need to give consent, potentially giving them a chance to negotiate different terms. “Nothing changes until [the partners] consent and undertake any necessary engagement, including with patients,” says Dominic King, a former NHS surgeon who now works at DeepMind and will lead Streams at Google.
Not all those partners have signed off. Asked if their institutions would consent to new contracts, a spokesperson for Royal Free said it was “committed” to developing the Streams app; Taunton and Somerset, a hospital in southwest England also using the app, said it was ‘in discussion” with DeepMind about the project’s change of ownership.
Despite the power of regulators and healthcare organizations to shape Google’s healthcare plans, Liz McFall, a researcher at the University of Edinburgh who has followed DeepMind’s efforts, says they may not exercise real oversight. Aging, sickening populations in the US and UK drive health systems to work with tech companies to reduce costs—but also leave them ill-equipped to monitor data use, she says. Medical and data authorities also seem out of their depth. “Existing regulation and ethics standards weren’t written for a digital health world,” McFall says.