Articles

EU Code of Conduct for mobile health apps almost finalized

EU Code of Conduct for mobile health apps almost finalized

13.10.2016 EU law

A code of conduct for mobile health (mHealth) apps has been drafted by the European Commission (the “Code of Conduct”) to guide mHealth-app developers towards complying with their data protection obligations.

The EU Commission acknowledges the undeniable importance of these kinds of apps in society, but it is also aware that many people are concerned about their own privacy when they use these apps. The Code of Conduct is thus an effective and efficient tool for developers to ensure that the mHealth apps have been developed while meeting privacy compliance so as to reinforce trust amongst users when they use apps that monitor their health or that give them health advice.

The Code of Conduct targets app developers, regardless of whether they have outsourced part of the development process or whether the health-related data remain on the device or are transferred to an external data store. The Code of Conduct applies to mobile apps that process data concerning one’s health, i.e. a subcategory of personal data. While personal data in general unsurprisingly include information on the user, device identifiers, location data and any other information relating to an identified or identifiable natural person, health-related data (i.e. a subcategory of personal data) are “the personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.” Information that merely qualify as “lifestyle data”, i.e. raw data about an individual’s habits and behavior that are not inherently health-related (e.g. footsteps-tracking app in which data are not stored or combined with other data) are outside the scope of the Code of Conduct. Also, note that biometric data and genetic data are very specific types of health data and are subject to additional requirements under the new EU General Data Protection Regulation (the “GDPR”).

Part II of the Code of Conduct lays down further the classic data protection principles that apply to the health subject area. We will here focus on three main topics: 1) consent from and information to the data subject; 2) big data; and 3) security breach reporting. The free, explicit and informed consent of the app users must be gathered prior to or as soon as they use the app. It therefore does not suffice if they do not object to the use of their data, even after having been informed about the nature of the processing. For the consent to qualify as an “informed” one, the users must have been provided with the following information: the purposes of the processing, the identity and contact details of the app developer, information on whether health data relating to them might be stored in another location than their device, etc. The Code of Conduct recommends informing the users through a “layered approach”, i.e. by firstly giving them a short notice containing the main information relating to the processing, and then giving them the possibility to access a full privacy policy that would explain in detail all the aspects of the processing.

About the answer to question “Can developers use the health data collected for secondary purposes, e.g. for big data analysis?”: In principle, this kind of data may only be processed for the purposes for which they have been initially collected and about which the users have been informed. For being allowed to use it for big data analysis, and to the extent that EU law applies, additional requirements have to be met, e.g. anonymization of data if possible or pseudonymisation (the Code of Conduct refers to the Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques with regard to this).

Lastly, if a security breach occurs, the developer concerned must first evaluate whether the breached data qualifies as personal data. If so, the developer should check whether it must, pursuant to the national applicable law, report such breach to the national data protection authority and to the person (data subject) concerned. Note that as from 25 May 2018, these two requirements will become mandatory across the EU under the GDPR.

The Code of Conduct is currently under review by the Article 29 Data Protection Working Party. Once the Working party 29 approves it, it will be applied in practice. App developers will then have the possibility to publicly declare their commitment to the principles enshrined in the Code of Conduct. This Code will inevitably bring awareness amongst developers in the field of apps that process personal, especially health-related, data and certainly create more trust amongst their users.

Team

Related news

26.10.2017 NL law
Autoriteit Persoonsgegevens adviseert negatief over Implementatiewet PSD2

Short Reads - Het wetsvoorstel Implementatiewet herziene richtlijn betaaldiensten ("Wet PSD2") voorziet in de wijziging van verschillende wetten (waaronder de Wet financieel toezicht (Wft) en het Burgerlijk Wetboek (BW)) en de nationale omzetting van Richtlijn (EU) 2015/2366 van het Europees Parlement en de Raad van 25 november 2015 betreffende betalingsdiensten in de interne markt, houdende wijziging van de Richtlijnen 2002/65/EG, 2009/110/EG en 2013/36/EU en Verordening (EU) nr. 1093/2010 en houdende intrekking van Richtlijn 2007/64/EG.

Read more

25.10.2017 NL law
Ontwerpwet Generieke Digitale Infrastructuur voor advies naar de Autoriteit Persoonsgegevens

Short Reads - Met de ontwerpwet Generieke Digitale Infrastructuur ("Wet GDI") wordt beoogd dat burgers de beschikking krijgen over elektronische identificatiemiddelen ("eID") met een hoger betrouwbaarheidsniveau dan het huidige DigiD. Tegelijkertijd krijgen publieke dienstverleners meer zekerheid over de identiteit de burger aan wie zij die diensten verlenen.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy and Cookie Policy