Articles

EU Code of Conduct for mobile health apps almost finalized

EU Code of Conduct for mobile health apps almost finalized

EU Code of Conduct for mobile health apps almost finalized

13.10.2016 EU law

A code of conduct for mobile health (mHealth) apps has been drafted by the European Commission (the “Code of Conduct”) to guide mHealth-app developers towards complying with their data protection obligations.

The EU Commission acknowledges the undeniable importance of these kinds of apps in society, but it is also aware that many people are concerned about their own privacy when they use these apps. The Code of Conduct is thus an effective and efficient tool for developers to ensure that the mHealth apps have been developed while meeting privacy compliance so as to reinforce trust amongst users when they use apps that monitor their health or that give them health advice.

The Code of Conduct targets app developers, regardless of whether they have outsourced part of the development process or whether the health-related data remain on the device or are transferred to an external data store. The Code of Conduct applies to mobile apps that process data concerning one’s health, i.e. a subcategory of personal data. While personal data in general unsurprisingly include information on the user, device identifiers, location data and any other information relating to an identified or identifiable natural person, health-related data (i.e. a subcategory of personal data) are “the personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.” Information that merely qualify as “lifestyle data”, i.e. raw data about an individual’s habits and behavior that are not inherently health-related (e.g. footsteps-tracking app in which data are not stored or combined with other data) are outside the scope of the Code of Conduct. Also, note that biometric data and genetic data are very specific types of health data and are subject to additional requirements under the new EU General Data Protection Regulation (the “GDPR”).

Part II of the Code of Conduct lays down further the classic data protection principles that apply to the health subject area. We will here focus on three main topics: 1) consent from and information to the data subject; 2) big data; and 3) security breach reporting. The free, explicit and informed consent of the app users must be gathered prior to or as soon as they use the app. It therefore does not suffice if they do not object to the use of their data, even after having been informed about the nature of the processing. For the consent to qualify as an “informed” one, the users must have been provided with the following information: the purposes of the processing, the identity and contact details of the app developer, information on whether health data relating to them might be stored in another location than their device, etc. The Code of Conduct recommends informing the users through a “layered approach”, i.e. by firstly giving them a short notice containing the main information relating to the processing, and then giving them the possibility to access a full privacy policy that would explain in detail all the aspects of the processing.

About the answer to question “Can developers use the health data collected for secondary purposes, e.g. for big data analysis?”: In principle, this kind of data may only be processed for the purposes for which they have been initially collected and about which the users have been informed. For being allowed to use it for big data analysis, and to the extent that EU law applies, additional requirements have to be met, e.g. anonymization of data if possible or pseudonymisation (the Code of Conduct refers to the Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques with regard to this).

Lastly, if a security breach occurs, the developer concerned must first evaluate whether the breached data qualifies as personal data. If so, the developer should check whether it must, pursuant to the national applicable law, report such breach to the national data protection authority and to the person (data subject) concerned. Note that as from 25 May 2018, these two requirements will become mandatory across the EU under the GDPR.

The Code of Conduct is currently under review by the Article 29 Data Protection Working Party. Once the Working party 29 approves it, it will be applied in practice. App developers will then have the possibility to publicly declare their commitment to the principles enshrined in the Code of Conduct. This Code will inevitably bring awareness amongst developers in the field of apps that process personal, especially health-related, data and certainly create more trust amongst their users.

Team

Related news

26.08.2021 BE law
Sarah De Wulf and Malik Baba co-authored a book dedicated to the legal aspects of the video-game industry

Articles - The book, entitled 'Legal Aspects of the video-game industry', provides a first answer to the most important legal questions that might arise in the lifecycle of a video-game company. These insights are intended to be applicable irrespective of jurisdictions, illustrated by real-life situations and easy to read for individuals without a legal background.

Read more

13.09.2021 NL law
Adopting the new Standard Contractual Clauses to secure international personal data transfers

Short Reads - Recently, the European Commission issued an implementing decision on standard new contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 and onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.

Read more

26.08.2021 EU law
Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

Short Reads - On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Read more

09.09.2021 BE law
Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Articles - In this blog, we briefly present three interesting news in the field of digital law: (1) Parliamentary initiatives to tackle cyber attacks (2) "Zero tariff" options and open internet access do not mix! (3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

Read more

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more