By Alain Ai ‘21

The technology industry is no stranger to privacy controversies; for many companies in Silicon Valley, the sale of data is their bread and butter, their fundamental way of keeping their doors open. As such, privacy concerns start to rise about what is being done with the sold data, resulting in the now classic battle between privacy activists and big technology companies. Due to the backlash that many companies face for data collection, the only logical next step seems to be to make data acquisition and data sales as clandestine as possible.

Such clandestine operations can’t always stay under the radar forever; the recent discovery of Google’s secret medical data hoarding operation, dubbed “Project Nightingale”, sheds some light into the overbearing power that big technology companies have in their battle for personal data. The data discovered in Project Nightingale includes personally identifying information such as birthdays and hospitalization records of patients treated by Ascension, a nonprofit Catholic health system based in St. Louis. The agreement made to transfer Ascension’s data to Google’s databases came without the knowledge of any of Ascension’s patients, resulting in a potential Health Insurance Portability and Accountability Act (HIPAA) violation to be investigated by the Department of Health and Human Services. Although Google acquired this data without the consent of the patients, further investigation needs to be done on whether or not Google is handling the information in a safe and secure manner in order to meet HIPAA standards. 

In a blog statement, Google stated that their actions conform to industry standards, claiming that Google employees themselves had limited access to the data. Additionally, Google has declared that they will be cooperative in the subsequent investigation into any potential wrongdoing. While the tech giant may not have violated HIPAA, questions persist surrounding the relative ease with which Google was able to acquire personal data without consent. By moving behind the patients’ backs, both Ascension and Google have shown the world that no data is truly off limits, especially since the data provided could be easily traced back to an individual with minimal effort. Google has stated that they intended to use the collected data to analyze and improve patient care, and that none of the data would be sold to a third party; however, such reassurances do little in the face of the bigger picture, which indicates that Silicon Valley companies have free reign to gather personal data without consent through a simple purchase or acquisition. The fact that Google indicated that Project Nightingale’s data would not be sold certainly does not indicate that future data acquisitions could take a similar shape, moving back to the data sales that, as always, have been their bread and butter from the very start.