EU Code of Conduct for mobile health apps almost finalized

13.10.2016

A code of conduct for mobile health (mHealth) apps has been drafted by the European Commission (the “Code of Conduct”) to guide mHealth-app developers towards complying with their data protection obligations.

The EU Commission acknowledges the undeniable importance of these kinds of apps in society, but it is also aware that many people are concerned about their own privacy when they use these apps. The Code of Conduct is thus an effective and efficient tool for developers to ensure that the mHealth apps have been developed while meeting privacy compliance so as to reinforce trust amongst users when they use apps that monitor their health or that give them health advice.

The Code of Conduct targets app developers, regardless of whether they have outsourced part of the development process and regardless of whether the health-related data remain on the device or are transferred to an external data store. The Code of Conduct applies to mobile apps that process data concerning one’s health, i.e. a subcategory of personal data. While personal data in general unsurprisingly include information on the user, device identifiers, location data and any other information relating to an identified or identifiable natural person, health-related data (i.e. a subcategory of personal data) are “the personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status.” Information that merely qualifies as “lifestyle data”, i.e. raw data about an individual’s habits and behaviour that are not inherently health-related (e.g. a step-tracking app in which the data are not stored or combined with other data), is outside the scope of the Code of Conduct. Also, note that biometric data and genetic data are very specific types of health data and are subject to additional requirements under the new EU General Data Protection Regulation (the “GDPR”).

Part II of the Code of Conduct further lays down the classic data protection principles as they apply to the health domain. We will focus here on three main topics: 1) consent from and information to the data subject; 2) big data; and 3) security breach reporting. The free, explicit and informed consent of the app users must be gathered prior to or as soon as they use the app. It therefore does not suffice that they do not object to the use of their data, even after having been informed about the nature of the processing. For the consent to qualify as “informed”, the users must have been provided with the following information: the purposes of the processing, the identity and contact details of the app developer, information on whether health data relating to them might be stored in a location other than their device, etc. The Code of Conduct recommends informing the users through a “layered approach”, i.e. by first giving them a short notice containing the main information relating to the processing, and then giving them the possibility to access a full privacy policy that explains all aspects of the processing in detail.

As to the question “Can developers use the health data collected for secondary purposes, e.g. for big data analysis?”: in principle, this kind of data may only be processed for the purposes for which they were initially collected and about which the users have been informed. To be allowed to use them for big data analysis, and to the extent that EU law applies, additional requirements have to be met, e.g. anonymisation of the data where possible, or otherwise pseudonymisation (the Code of Conduct refers to the Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques in this regard).

Lastly, if a security breach occurs, the developer concerned must first evaluate whether the breached data qualify as personal data. If so, the developer should check whether it must, pursuant to the applicable national law, report the breach to the national data protection authority and to the person (data subject) concerned. Note that as from 25 May 2018, these two requirements will become mandatory across the EU under the GDPR.

The Code of Conduct is currently under review by the Article 29 Data Protection Working Party. Once the Working Party 29 approves it, it will be applied in practice. App developers will then have the possibility to publicly declare their commitment to the principles enshrined in the Code of Conduct. This Code will inevitably raise awareness amongst developers of apps that process personal, and especially health-related, data and will certainly create more trust amongst their users.
