DK_en 1x 03 - The mother of all datagrabs

Episode first aired on Obtober 6, 2016. Listen to the audio on Spreaker.com

There's this story I have been following since last April which has had very very little coverage in the English-speaking world, especially in the mainstream media.

I'm talking of an agreement signed over a year ago between Italy's PM and IBM Watson Health, according to which IBM would gain access to all health data regarding over 60 million Italian citizen:s.

Welcome to The Mother Of All Datagrabs.

Music: Pink Panther Theme

Our story starts on the 31st of March 2016, when Italy's then Prime Minister signs an Agreement with IBM's CEO for the launch of a new Watson Health Research Center in Italy.

While IBM quantifies its investment for the centre at about 150Million Euros,
Prime Minister Renzi promises 60 of those millions will come from Italy: 30 from the central government, and 30 more from Lombardy, the region where the research centre will be created.

On the 26th of January 2017, the government receives a proposal for an "industrial exploitation plan" from IBM. The proposal says that, as a precondition to launch the Watson Health centre, IBM expects full access to all data in Italy's public health system.

Watson, after all, is but a bunch of Machine Learning Algorihtms: unless they are fed mountains of data, they are of no use.

Just to make things clear, IBM's request concerns:

• all prescriptions
• all patient files
• all hospital dismissal forms
• all ER documents
• all rehab information
• and of course, all genetic data.

I find it very unlikely that IBM never mentioned this before the agreement was signed. These are not some tech bros from the Valley, IBM has been around long enough to know very well how governments work.

I do not see IBM's CEO signing an agreement without having carefully explained what it will mean for the counterpart. On the other hand, I can easily see a politician overpromising.

Be what may, Italy has signed an agreement that mentions no controls, no warranties, no goals, and no economic return, since the agreement DOES mention that IBM will states it will assert exclusive rights to all research results.

There are two alternatives: first, IBM's requirements come out of the blue and Mr. Renzi was unaware of them when he signed; second, the requirements were mentioned at the appropriate time, and kept out of the original agreement to spare negotiation time and give Mr. Renzi a quick result to brag about at home.

Again, I think the first alternative is completely unrealistic.

Still, an agreement has been signed, and IBM is quite ready to collect. The industrial exploitation proposal reads:

As a prerequisite for the realization of the program and the investment, IBM expects to be able to access -in ways to be defined- and treat the health data (past, current and future data) of approximately 61 million Italian citizens, in anonymous and identified form, for specific project purposes, including the right to secondary use of the aforementiond health data for purposes beyond the scope of the projects.

By the way, this is not the actual text from IBM, just my translation from the Italian blockquote that appeared in the media. Still, you get the idea.

Now, if this wasn't bad enough, Mr. Renzi also promised to fund the endeavor with 60 million euros of public money. This is not unusual; champions of the free market that they are, corporations know how to secure public money for their "investments" (You can hear the quotes, can you?).

Of those 60 million, 30 will come from Lombardy's own coffers, extra budget.
Little problem: no one told Lombardy. What's 30 million among friends, after all.

Lombardy's governor is not exactly bursting with joy at the idea.
I mean, if you have to shell out 30 million extra budget, you at least want them to mean some political advantage, don't you? But Lombardy was not at the table when the agreement was signed. Its money has been commandeered. And if you are a politician, this is the kind of thing you do not like.

But Lombardy wasn't supposed to only pay. Its citizen's data were to be the first batch delivered to IBM. Now, here's a catch if you're looking for one.

So Lombardy's governor plays the compliance card, and files an inquiry to Italy's Data Protection Authority, an inquiry that must have sounded suspisciously like:

beg your pardon, Data Protection Authority, is it OK for you if we give our citizen's data to IBM with no reason, no tender, no contract, and no warranties?

I'm told a large van labelled Xanax has been sighted at the Authority that very afternoon.

In response to Lombardy's inquiry, the Authority takes some deep breaths and asks Lombardy what it is doing to ensure that the data it is going to hand over are treated lawfully, when strictly necessary, proportionally to the stated goals and exclusively for the stated goals.

Because it just happens to be what the law demands.

Now, all this is already history.

Over the summer the DataKnightmare decided to do a little private investigation himself.

Music: Dire Straits, Private investigations

Answers came back fast, much faster than I expected. I must say people in Public Relations can do their job. They are good listeners, courteous, they reply fast and especially in the private sector, when necessary, can talk without saying anything at all.

So. I first wrote to the Italy's Data Protection Authority, asking what follows:

1. to confirm that no health data has been made available to IBM yet what warranties as to the safety of the data will the Authority require (surely not the non-existent ones in the signed agreement) in order to OK a data transfer from Italy's public health system to IBM
2. if the Authority has required a reduced, more precise scope definition for IBM's project

The Authority replied thus:

Regarding point 1, according to the first information this Authority has requested from Lombardy, the project is still in a preliminary phase and, to date, this authority has no evidence that any data of Lombardy citizens has been transferred, pending an opinion from this Authority. Lombardy has also declared it will preempitevely acquire this Authority's opinion before launching the project. Without a detailed project from Lombardy, this Authority cannot express any opinion on the lawfulness of the treatments that would be performed. To date, the roles of Lombardy and IBM regarding the treatment of health data of Lombardy's population are not clear. Also not clear is the legal basis for IBM to gain access to these data. This Authority will monitor the project to balance the freedom of scientific research against the protection of patient's rights.

Regarding points 2 and 3, the initial information in our possession describes a very generic MoU that needs to be detailed in order to be developed into a functional project. The Authority will insure the rules regarding health data protection are enforced, and that the guarantees regarding health data and scientific research are honored.

So, according to Italy's Data Protection Authority:

• nothing concrete has happened yet, declarations to the media notwithstanding
• no data has been transferred to IBM yet
• there is still no operational project, which is the prerequisite for Lombardy to grant access to its health data
• the Authority will be authoritative, which is no trifle, because the Authority has concrete powers of interdiction.

I doubt anything will happen unless at least formal proprieties are observed (and form is of the essence for the Authority to OK a project of this kind).

Music: Pink Panther theme

Next I wrote to IBM Italy, asking three simple questions:

1. whether the project has started in early July, as announced on the media
2. whether the chosen site for the project is IBM's offices in Cornaredo, near Milan, or in the offices of Lombardia Informatica, a technology and consulting provider for Lombardy
3. which IBM company is in charge of feeding the health data of Italian citizens to Watson health.

IBM's response has been remarkably fast, and I cannot help but admire its elegance.

Again, I quote:

We considered your request but are at the moment unable to provide you with the information you are interested in.
We will therefore come back to you in the next months.

End quote.

CLIP: Good Morning Vietnam "If the VP is such a VIP, we better keep his visit on the QT. If the VC find out, we'll all be on KP" - Robin Williams

Of course nobody beats Robin Williams, still IBM's response is a marvel of saying nothing.

What does it mean that IBM is "unable to provide" information?

I asked three simple questions: a simple yes/no would answer the first; one of the proposed alternatives would answer the second. The third only required the mention of one of IBM's italian companies: not an infinite set to choose from. By the way, I already have heard a name for that company, but I'd rather have it confirmed.

So, IBM "cannot provide the information". And we're speaking of a project announced with great fanfare by IBM's CEO and Italy's then Prime Minister, for one of IBM's top technologies, the mythical Watson.

The Authority says the project is only in a preliminary phase, and without tangible plans the Authority cannot give its opinion.

But without a favorable opinion from the Data Protection Authority, a project like this just cannot start, because most of the treatments involved require preemptive Authority assent.

And yet, IBM won't even confirm whether the project has started or is still in a development phase. Why?

You want the truth? The truth is I don't know.

I could assume but when you assume you make an ass of you and me.

Personally, I am not inclined to believe IBM has signed an MoU without having precise guarantees. Of course, it's possible that Mr. Renzi has painted an easier picture and, once he's lost his position as prime minister, he's been unable to push events in the desired direction.

Still, the truth is we don't know what is going on. We don't know what should be going on, because neither the March 2016 MoU nor January 2017 contract proposal for industrial expolitation have been subjected to public scrutiny.

We only know what Gianni Barbacetto quoted in his newspaper, il Fatto Quotidiano. And the quotes only give us a partial picture. The actual text of the two documents is unknown.

In the meantime, the Ministry for Health, Hon. Lorenzin, has been sitting for the past four months on a parliamentary interrogation that asks her to make Parliament current on this issue.

I was told that in Italy, some parliamentary interrogations get answers after YEARS. So much for the sovereignty of the Parliament.

Still, it does not end here. I keep investigating, and in a few weeks we'll know something more.

In the meantime, Italy has the dubious honour of being the first country in the world to have promised all of its health data to a corporation with no guaranteed and in return for exactly nothing.