We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.
We ran our servers in the United States.
We could not sell our product in France, until we stood up servers in France to store and process the data.
Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.
What monsters we were for running our servers in the U.S., right?
Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a high school science experiment with live ants.
The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.
But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)
If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.
It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.
And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.
At some point in your project there seems to have been a time when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad that such practice was not allowed to happen.
Walk me through exactly what you would like to happen.
If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.
Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.
The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.
We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)
(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)
Tell me you were at least running anonymisation software in hospitals before you transferred?
We don't do it for fun. This is a part of patient care.
Radiologists awake in Australia can read images from the United States. It saves lives.
The radiologists are licensed and certified in the hospitals and states.
And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.
If you want to freak out, medical records are sent by fax machine ALL THE TIME.
I am truly interested in this since I am in the EU and use Azure for similar processing.
So blaming the GDPR and new rules seems a bit weird in this case.
Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.
And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.