Alphabet’s London-based AI lab DeepMind made history in 2016 when its AlphaGo software defeated a champion at the complex board game Go. On Tuesday, the company said it was handing off a seemingly much simpler software challenge: a health care app for hospital staff called Streams being tested by UK hospitals.
That project and its staff will be transferred to DeepMind’s much larger sister, Google. The announcement prompted an outcry from privacy researchers, which, along with legal constraints on the move, illustrating the challenges Google faces expanding its data-hungry operating style into the more sensitive business of health care. Last week, Google hired health industry veteran David Feinberg, who previously led the Pennsylvania health system Geisinger, to unify its scattered projects in the field.
Google didn’t respond to a request for comment on its plans. A DeepMind spokesperson said transferring Streams to Google would not change the project’s strict controls on use of data, which remains under the control of its partner hospitals.
In 2014, Google acquired DeepMind for a reported $650 million. The following year DeepMind became part of the new holding company Alphabet, and started working with north London’s Royal Free hospital on a project to reduce deaths from acute kidney injury. a form of sudden kidney failure that can be fatal. The project coalesced around an app called Streams that can alert staff when patients show early signs of the condition—and quickly earned regulatory scrutiny.
UK magazine New Scientist revealed that the project’s data-sharing agreement gave DeepMind access to five years of expansive health records for 1.6 million people. Some of the data seemed unnecessary for Streams to function; it included details such as whether a person was HIV positive, had suffered depression, or had had an abortion. In 2017, UK data regulator the Information Commissioner’s Office said Royal Free had breached the law by allowing DeepMind to use the data without appropriate patient consent, and providing a broader swath of data than justified. The hospital was required to audit its project but wasn’t fined, and DeepMind was not cited.
DeepMind has tried to deflect criticism about its data use, promising that “data will never be connected to Google accounts or services, or used for any commercial purposes like advertising or insurance.” Tuesday’s announcement that it is transferring the whole project to Google sparked renewed concerns among some privacy researchers. “The big story here is Google wants to have all the health data it can,” says Eerke Boiten, a professor of cybersecurity at De Montfort University in the UK. “Its promises have not proved to be reliable.”
History suggests cause for concern. When Google acquired online ad network DoubleClick in 2008, it played down the idea it would merge the two company’s data sets, and kept them separate for almost a decade. In 2017, at a time it was losing market share to Facebook, Google merged the data troves after all.
Rahael Maladwala, a health care analyst at research firm GlobalData, says Google has clear ambitions in health care. In 2011, the company abandoned its first major health project, a records service called Google Health, after weak interest from patients or providers, but it is showing renewed interest. Google lately has spun up projects such as testing AI software to diagnose eye disease in India, and launching health-tracking mobile software to compete with Apple’s HealthKit for iPhones. Google’s top AI boss said last week that new hire Feinberg would help organize the company’s various projects, and coordinate more with fellow Alphabet company Verily, which works on life sciences R&D.
Google isn’t the only data-centric tech company with growing health care ambitions. Amazon is building a health care delivery company with Berkshire Hathaway and JP Morgan. Maladwala says the slow digitization of health care has reached a point where tech industry data smarts can significantly improve diagnoses and efficiency. “We’re going to see a lot more technology companies moving into health care,” he adds.
Legal complications surrounding Google’s planned absorption of Streams show how tech companies can’t roll out their usual data-centric strategies unimpeded. Google is less free to do as it wants with data from the clinic than it is with records of online activity. In the US and Europe, health data is subject to special protections that make moves, like the one DeepMind announced Tuesday, more difficult. Under UK data protection law, DeepMind is not the “controller” of the clinical data crunched by Streams; its partners are. That means Google doesn’t own the data or get to choose how it is processed and used. Similarly in the US, the federal HIPAA law prevents organizations working with health data from arbitrarily adapting it to new purposes.
Worse for Google executives who want to move quickly, the company can’t immediately assume DeepMind’s contracts with hospitals. Those institutions need to give consent, potentially giving them a chance to negotiate different terms. “Nothing changes until [the partners] consent and undertake any necessary engagement, including with patients,” says Dominic King, a former NHS surgeon who now works at DeepMind and will lead Streams at Google.
Not all those partners have signed off. Asked if their institutions would consent to new contracts, a spokesperson for Royal Free said it was “committed” to developing the Streams app; Taunton and Somerset, a hospital in southwest England also using the app, said it was "in discussion" with DeepMind about the project’s change of ownership.
Despite the power of regulators and health care organizations to shape Google’s health care plans, Liz McFall, a researcher at the University of Edinburgh who has followed DeepMind’s efforts, says they may not exercise real oversight. Aging, sickening populations in the US and UK drive health systems to work with tech companies to reduce costs—but also leave them ill-equipped to monitor data use, she adds.
Medical and data authorities also seem out of their depth, according to McFall: “Existing regulation and ethics standards weren’t written for a digital health world.”