01/11/16

EU Code of Conduct for mobile health apps almost finalized

A code of conduct for mobile health (mHealth) apps has been drafted by the European Commission (the “Code of Conduct”) to guide mHealth-app developers towards complying with their data protection obligations.

The EU Commission acknowledges the undeniable importance of these kinds of apps in society, but it is also aware that many people are concerned about their own privacy when they use these apps. The Code of Conduct is thus an effective and efficient tool for developers to ensure that the mHealth apps have been developed while meeting privacy compliance so as to reinforce trust amongst users when they use apps that monitor their health or that give them health advice.

The Code of Conduct targets app developers, regardless of whether they have outsourced part of the development process or whether the health-related data remain on the device or are transferred to an external data store. The Code of Conduct applies to mobile apps that process data concerning one’s health, i.e. a subcategory of personal data. While personal data in general unsurprisingly include information on the user, device identifiers, location data and any other information relating to an identified or identifiable natural person, health-related data (i.e. a subcategory of personal data) are “the personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.” Information that merely qualify as “lifestyle data”, i.e. raw data about an individual’s habits and behavior that are not inherently health-related (e.g. footsteps-tracking app in which data are not stored or combined with other data) are outside the scope of the Code of Conduct. Also, note that biometric data and genetic data are very specific types of health data and are subject to additional requirements under the new EU General Data Protection Regulation (the “GDPR”).

Part II of the Code of Conduct lays down further the classic data protection principles that apply to the health subject area. We will here focus on three main topics: 1) consent from and information to the data subject; 2) big data; and 3) security breach reporting. The free, explicit and informed consent of the app users must be gathered prior to or as soon as they use the app. It therefore does not suffice if they do not object to the use of their data, even after having been informed about the nature of the processing. For the consent to qualify as an “informed” one, the users must have been provided with the following information: the purposes of the processing, the identity and contact details of the app developer, information on whether health data relating to them might be stored in another location than their device, etc. The Code of Conduct recommends informing the users through a “layered approach”, i.e. by firstly giving them a short notice containing the main information relating to the processing, and then giving them the possibility to access a full privacy policy that would explain in detail all the aspects of the processing.

About the answer to question “Can developers use the health data collected for secondary purposes, e.g. for big data analysis?”: In principle, this kind of data may only be processed for the purposes for which they have been initially collected and about which the users have been informed. For being allowed to use it for big data analysis, and to the extent that EU law applies, additional requirements have to be met, e.g. anonymization of data if possible or pseudonymisation (the Code of Conduct refers to the Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques with regard to this).

Lastly, if a security breach occurs, the developer concerned must first evaluate whether the breached data qualifies as personal data. If so, the developer should check whether it must, pursuant to the national applicable law, report such breach to the national data protection authority and to the person (data subject) concerned. Note that as from 25 May 2018, these two requirements will become mandatory across the EU under the GDPR.

The Code of Conduct is currently under review by the Article 29 Data Protection Working Party. Once the Working party 29 approves it, it will be applied in practice. App developers will then have the possibility to publicly declare their commitment to the principles enshrined in the Code of Conduct. This Code will inevitably bring awareness amongst developers in the field of apps that process personal, especially health-related, data and certainly create more trust amongst their users.

dotted_texture