On 7 June 2016, the European Commission published a final draft of a Code of Conduct on privacy for mHealth mobile applications (the “Code”). This new Code has come to fruition as a direct result of responses to the European Commission’s Green Paper on mHealth in 2014 (discussed in our previous post), which highlighted consumers’ concerns regarding the security of mHealth apps and drew attention to the importance of data protection in this area (mHealth apps can collect and process large quantities of sensitive health information). The draft Code was submitted to the Article 29 Working Party (an independent advisory body comprised of representatives from all EU Data Protection Authorities) for comment on 7 June.

What is the Code for? The Code is targeted at app developers, providing specific guidance on how European data protection legislation should be applied in relation to mHealth apps. In an effort to future proof the Code, it takes account of both the requirements under the current EU Data Protection Directive as well as the provisions of the new EU General Data Protection Regulation, which will apply from 25 May 2018. However, developers should be sure to check whether there are any additional data protection requirements under local law in the countries in which the app is to be used (that is, until the General Data Protection Regulation comes into effect).

What does the Code cover? The Code contains guidance on a number of issues that are likely to be of interest to app developers, including:

  • obtaining consent;
  • information provision requirements, with an example privacy notice and privacy policy contained in an annex;
  • privacy by design and default (i.e. designing your app with privacy in mind and defaulting to the least privacy-invasive option when offering users a choice);
  • data retention and security measures;
  • advertising (i.e. when to use opt-ins/opt-outs);
  • processing data for secondary purposes (e.g. “big data” analysis);
  • sharing data with third parties, and the requirement for, and content of, data processing agreements;
  • the restrictions on and methods for transferring data outside of the European Economic Area; and
  • steps to be followed in the event of data breaches, including detail on notifying Data Protection Authorities and/or individual users.

Will developers be required to adhere to the Code? While the Code will not be binding, it will guide best practice. Furthermore, developers will be able to voluntarily commit to follow its rules (by submitting a privacy impact assessment to a “Monitoring Body” for review) in order to demonstrate to app users that they are complying with the relevant European data protection requirements. In the event that the impact assessment is found to be acceptable, the app developer and its app will be identified in a centralised public register. The Monitoring Body will audit a random sample of app developers on a “rolling basis”, and any developer found to be in breach will have their declaration voided and their app will be marked as having failed the adherence requirements.

What are the next steps? As noted above, the Code is still in draft form and has now been formally submitted to the Article 29 Working Party for comment. Once approved by the Article 29 Working Party (following any re-drafts required as a result of comments received), the Code will be made available for use by developers. However, given the shortage of guidance in this area, developers may choose to follow the Code in the meantime in order to conform to best practice. Further guidance on best practice for app developers can be found in the recently published draft EU guidelines on assessment of the reliability of mobile health applications (see our previous post for further details).