EU Code of Conduct for mobile health apps almost finalized

13.10.2016

A code of conduct for mobile health (mHealth) apps has been drafted by the European Commission (the “Code of Conduct”) to guide mHealth-app developers towards complying with their data protection obligations.

The EU Commission acknowledges the undeniable importance of these kinds of apps in society, but it is also aware that many people are concerned about their privacy when they use them. The Code of Conduct is thus intended as an effective and efficient tool for developers to ensure that mHealth apps are developed in compliance with privacy requirements, so as to reinforce users' trust in apps that monitor their health or give them health advice.

The Code of Conduct targets app developers, regardless of whether they have outsourced part of the development process and regardless of whether the health-related data remain on the device or are transferred to an external data store. The Code of Conduct applies to mobile apps that process data concerning one's health, i.e. a subcategory of personal data. While personal data in general unsurprisingly include information on the user, device identifiers, location data and any other information relating to an identified or identifiable natural person, health-related data (i.e. a subcategory of personal data) are "the personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status." Information that merely qualifies as "lifestyle data", i.e. raw data about an individual's habits and behaviour that are not inherently health-related (e.g. a step-tracking app in which the data are neither stored nor combined with other data), falls outside the scope of the Code of Conduct. Note also that biometric data and genetic data are very specific types of health data and are subject to additional requirements under the new EU General Data Protection Regulation (the "GDPR").

Part II of the Code of Conduct further develops the classic data protection principles as they apply to the health area. We will focus here on three main topics: 1) consent from and information to the data subject; 2) big data; and 3) security breach reporting. The free, explicit and informed consent of app users must be obtained before or as soon as they start using the app. A mere failure to object to the use of their data, even after having been informed about the nature of the processing, is therefore not sufficient. For consent to qualify as "informed", users must have been provided with the following information: the purposes of the processing, the identity and contact details of the app developer, information on whether health data relating to them might be stored in a location other than their device, etc. The Code of Conduct recommends informing users through a "layered approach", i.e. by first giving them a short notice containing the main information relating to the processing, and then giving them the possibility to access a full privacy policy that explains all aspects of the processing in detail.

As to the question "Can developers use the health data collected for secondary purposes, e.g. for big data analysis?": in principle, such data may only be processed for the purposes for which they were initially collected and about which the users have been informed. To be allowed to use the data for big data analysis, and to the extent that EU law applies, additional requirements have to be met, e.g. anonymisation of the data where possible, or otherwise pseudonymisation (the Code of Conduct refers in this regard to the Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques).

Lastly, if a security breach occurs, the developer concerned must first evaluate whether the breached data qualify as personal data. If so, the developer should check whether it must, pursuant to the applicable national law, report the breach to the national data protection authority and to the person (data subject) concerned. Note that from 25 May 2018, these two requirements will become mandatory across the EU under the GDPR.

The Code of Conduct is currently under review by the Article 29 Data Protection Working Party. Once the Working Party approves it, it will be applied in practice. App developers will then have the possibility to publicly declare their commitment to the principles enshrined in the Code of Conduct. This Code will inevitably raise awareness among developers of apps that process personal, and especially health-related, data, and will certainly create more trust among their users.
