The European Union General Data Protection Regulation (EU 2016/679) and the Australian My Health Record Scheme - A Comparative Study of Consent to Data Processing Provisions.

As a general rule, lawfulness of data processing under the European Union General Data Protection Regulation (EU 2016/679) (GDPR) is based on affirmative, unambiguous, voluntary, informed, and specific or "granular" consent to processing of their data, including health data, by individuals referred to as data subjects. The GDPR grants data subjects the legal right to specifically agree to (or refuse) having their data processed in any of the ways statutorily defined as "processing". Individuals also have the legal right to be fully informed about each and every intended use of their data by data processors and controllers, and the right to refuse such use. In Australia, once registered on the My Health Record (MHR) system, "healthcare recipients" as patients-cum-data subjects are called under the MHR scheme, have the right to remove documents from their MHR files and block some health care providers from accessing their data. However, this study demonstrates that the notion of "standing" consent that the MHR scheme appears to have created does not conform to any of the principles and rules governing data subjects' consent rights under GDPR.