Mobile health (mHealth) apps are becoming more and more popular. Back in 2013, more than 97,000 health apps were already on the market.[1] According to the European Commission (EC), this figure now amounts to around 100,000 globally.[2] App developers have created health apps for almost everything: through mHealth apps, users of smartphones can nowadays measure vital signs such as their heart rate, blood glucose level or brain activity, access health-related communication and motivation tools, or collect physiological data from ingestible sensors in order to monitor medication adherence, to name just a few.[3] It is expected that by 2017 mHealth apps would be deployed on approximately 50 per cent of all mobile devices.[4] The influence of mHealth apps on the daily routine of mobile device users will therefore increase significantly in the next few years. mHealth apps, together with other forms of telemedicine, may also play an important role in initiatives aimed at mitigating the lack of easily accessible medical care in geographical areas without resident doctors, a growing concern in certain areas of Germany, for example.[5] The growing importance of mHealth apps and the diversity of their uses mean that various stakeholders play important roles in the development, commercialization and use of mHealth apps and, most notably, of the user-generated data. Not surprisingly, the interests of these stakeholders differ from each other. This gives rise to a variety of legal questions. This article aims to give an overview of the EU regulatory framework with which mHealth apps may have to comply, as well as of data protection topics related to the use of mHealth apps. Other interesting areas not addressed in this article include (product) liability questions and bonus schemes offered by health insurance companies or funds.

EU Regulatory Framework

For the purpose of identifying the applicable regime, two categories of mHealth apps may broadly be distinguished: (a) apps designed for the prevention, diagnosis, and treatment of diseases (medical apps), and (b) apps encouraging lifestyle, fitness and well-being (nonmedical apps). It is obvious that this distinction is not always easy to make in an area which is in flux due to the rapidly changing technological environment.

mHealth apps need to have a "medical purpose" to fall under EU legislation for medical devices

In principle, mHealth apps may fall under the EU regulatory framework for medical devices. Medical devices are subject to the European Medical Devices Directive (93/42/EEC - MDD)[6] or the European In Vitro Diagnostic Medical Devices Directive (98/79/EC - IVDD) (the "Directives"). The current regime is under revision and will, pending legislative approval, prospectively be replaced by two European regulations.[7] Neither the present nor the proposed legislation provides an explicit definition of mHealth or medical apps. Whether mHealth apps fall within the scope of the Directives must therefore be determined based on the general definition of medical devices. Unlike software embedded or incorporated into medical hardware (e.g. software controlling radiation devices), mobile health apps as "stand-alone software" do not per se fall within the remit of the Directives, unless they are designed to fulfill a medical purpose.[8] Accordingly, an mHealth app is a medical device if it is specifically designed to perform a medical task in a medical setting ("medical apps"). By contrast, apps designed for general or domestic purposes ("nonmedical apps") are not subject to the Directives, even though they might be used in a healthcare setting or a medical context. Whether or not an app is deemed to be specifically designed to perform a medical task in a medical setting depends, in general, on the manufacturer's (i.e., in an app context, the provider's) intended purpose; such purpose is inferred from the data supplied on the device's labelling, or in the device's instructions and/or promotional materials (e.g. brochures, webpages).[9]

As healthcare models become more patient-centric, there can be some uncertainty as to the criterion of the "intended medical use". For example, the distinction between general "wellness" apps and "medical" apps may become somewhat unclear, as "wellness" apps supporting preventive and self-monitoring fitness or dietary activities or measuring vital signs for wellness purposes may also significantly improve health outcomes.

Soft law guidance on medical devices classification

The EC offers guidance as to the classification of standalone healthcare software, including mHealth apps, in its guidelines on the qualification and classification of stand-alone software published in January 2012.[10] While the Guidelines offer a helpful framework, national authorities have often adopted a stricter/broader interpretation of the medical device classification when it comes to mHealth apps. The EC has also confirmed that the Guidelines may need to be updated. Nonetheless, the Guidelines currently constitute a code of practice that companies launching mHealth apps are well advised to take into account.

The Guidelines' decisive criterion for a medical device classification is whether the software is intended to interpret (or to facilitate the interpretation of) data by modifying or representing health-related individual information.[11] Altering the representation of data purely for embellishment purposes is a non-medical task.[12] Accordingly, an mHealth app is not a medical device if it merely performs an action limited to storing, archiving, compressing or transferring medical data, without interpreting or altering it. The same applies to an app limited to collecting medical data from an (in vitro) diagnostic medical device in the home environment and transmitting it to a doctor, without modifying its content. However, according to the Guidelines, the Directives do apply to tools combining medical knowledge with patient-specific physiological parameters. In addition, apps providing immediate decision-triggering information, or altering the representation of data in a way that contributes to the interpretative or perceptual tasks performed by medical professionals, generally pose a risk to the patient's health and are subject to the Directives.[13] Likewise, apps intended to provide additional information that contributes to diagnosis and/or treatment (e.g. by generating alarms) qualify as medical devices.

With regard to apps on the threshold between domestic and medical purposes, stakeholders may consult the Manual on Borderline and Classification in the Regulatory Framework issued by the European Working Group on Borderline and Classification.[14]

Data Protection

In its Green Paper on mHealth ("Green Paper"),[15] the EC underlined the role of mHealth in improving the quality and efficiency of healthcare delivery. According to the EC, mHealth allows the collection of considerable medical, physiological, lifestyle, daily activity and environmental data, which could serve as a basis for evidence-driven care practice and research activities, while facilitating patients' access to their health information anywhere and at any time.[16] Analysis of the big data that mHealth generates may boost innovation and help improve healthcare effectiveness and disease prevention.[17]

Health-related data may also be valuable for health insurance companies or funds. As part of its campaign to strengthen "digital prevention", a regional German social health insurance fund recently announced its plans to subsidize wearable devices enabling users to track physiological parameters.[18] Its offer to contribute 50 euros towards wearable devices such as wristbands or smart watches converges with projects promoted by other German social health insurance funds that award premiums for collecting bonus points by using mHealth apps[19] or signing up for fitness courses, etc. So far, German social health insurance funds have abstained from collecting personal data transmitted by mHealth apps.

Currently, data analysis and processing within the EU is governed by the Data Protection Directive (95/46/EC). Ongoing negotiations about a uniform European General Data Protection Regulation[20] have also fueled the debate on health data. As a particularly sensitive category of data, health information is subject to stricter legislation than general personal data. Under Art. 8 para. 1 of the Data Protection Directive, processing health data is in principle prohibited, unless an exception applies. The narrow exceptions set out in Art. 8 para. 2 of the Data Protection Directive reflect the particular sensitivity of health data. Misuse of health-related data may have irreversible ramifications for the individual as well as for his or her social or work environment.

Since the Data Protection Directive does not define the category of health data, the EC consulted the Article 29 Working Party[21] on the concept of health data with regard to apps and devices, including lifestyle and wellbeing apps. In response to the request, the Article 29 Working Party offered guidance on the definition and stressed that the qualification as health data does not depend on whether the software collecting the data is considered a medical device.[22] The Working Party clarified that health data is not limited to data which is inherently or clearly medical data, i.e. data about the physical or mental health status of a data subject which is generated in a professional, medical context.[23] Raw sensor data that can be used, by itself or in combination with other data, to draw conclusions about the actual health status or health risk of a person, and personal data on the basis of which conclusions are drawn about a person's health status or health risk (irrespective of whether these conclusions are inaccurate, illegitimate or inadequate), are also deemed health data.[24] Thus, while an app that, for example, counts steps during a single walk for domestic purposes may not as such reveal anything of significance about a person's health, it may provide information on a health condition when connected with other information, processed for additional purposes or transferred to third parties.[25] Consequently, the data generated by this app may be classified as health data and, subject to Art. 8 para. 3 of the Data Protection Directive, the explicit consent of the user pursuant to Art. 8 para. 2 of the Data Protection Directive is therefore required.

Therefore, app providers are well advised to clearly define the scope and purpose of any prospective data analysis and processing. Such a clear definition must then be correctly implemented in the necessary contractual relationships, such as the terms of use of the respective app, in order to avoid legal pitfalls. Needless to say, it is equally important for the confidence of end users, and consequently for the realization of the potential of mHealth to improve the quality and efficiency of healthcare delivery, that the controller lives up to its obligations under Art. 17 para. 1 of the Data Protection Directive to implement adequate and effective technical and organizational measures to protect the data against, amongst other things, unauthorized disclosure or access.


Given the speed of technological developments and the development of mobile solutions in a health context, the regulatory landscape is currently in flux. To ensure compliance, medical device and pharmaceutical companies often opt for a broad interpretation of the terms "medical device" or "medical purpose", which results in a proportion of their mHealth apps falling under the Medical Devices Directives. However, it can be argued that such a conservative approach could hamper innovation and, consequently, the realization of the benefits that mHealth could bring to healthcare in Europe. Updated guidance by the Commission would therefore be advantageous to all stakeholders involved. During the ongoing negotiations relating to the General Data Protection Regulation, it remains to be seen whether the Commission continues to evaluate possible actions to address the data protection concerns outlined in its Green Paper.