Title: Privacy concerns of IoT medical applications: an empirical analysis of the current privacy policies under the GDPR

Authors: Fatma Alshohoumi

Addresses: Communication and Information Research Center, Sultan Qaboos University, Oman

Abstract: Recently, significant privacy concerns have arisen with the integration of IoT in healthcare. Healthcare data is exposed to threats in ubiquitous computing environments, where it is processed across clouds, fog nodes, and external servers; these threats, including unauthorised third-party access, negatively impact the acceptance and sustainability of IoT. The study examines whether the privacy policies of 25 US-based IoT medical applications comply with the General Data Protection Regulation (GDPR) by mapping their data collection practices against GDPR principles such as data transparency, purpose limitation, user control, security, and data retention. Results reveal strong compliance in transparency and data collection but notable shortcomings in security measures and data retention practices. Only 56% of the companies explicitly mention GDPR in their policies, suggesting a predominant focus on US legislation. The paper presents three scenarios illustrating varied degrees of GDPR compliance, emphasising the necessity of enhancing alignment with GDPR to ensure sufficient protection of EU residents' personal data.

Keywords: data privacy; IoT; personal information; General Data Protection Regulation; GDPR.

DOI: 10.1504/IJEH.2025.147445

International Journal of Electronic Healthcare, 2025, Vol. 14, No. 2, pp. 155-175

Accepted: 26 Mar 2025
Published online: 15 Jul 2025
