When there's an obvious breach, hopefully. How would we even know if Google were abusing this data though? Does anyone have access to it besides Google? Are we literally asking Google to regulate itself with this data?
EDIT: I guess I don't understand. Once we give Google the sensitive information, how do we have any way of knowing what they do with it? I'm guessing an audit on all of Google's data is out of the question.
The point of this article is that a whistleblower is saying "they're not controlling access properly".
While the Grauniad is trying to spin it to sound worse, the whole point is Google are providing data processing services to a valid HIPAA processor via Google Cloud, not that they nefariously bought the data to integrate it with the search results.
Much like health data stored on AWS with a dedicated internal project team could be accessed by "Amazon" staff. It's kinda the point, the google staff have been brought in to help manage the data.
Your point is valid, but I think there was a mis-read or mis-statement. The parent comment probably should have addressed the difficulty of enforcing such provisions.
EDIT: I guess I don't understand. Once we give Google the sensitive information, how do we have any way of knowing what they do with it? I'm guessing an audit on all of Google's data is out of the question.