The European Commission published its final draft Code of Conduct on privacy for mobile health apps. The Code aims to stimulate awareness of the data protection rules regarding mHealth apps, facilitating and increasing compliance at the EU level for app developers.
The Code contains guidance on several issues that should reasonably be of interest to app developers, including:
- User's consent: the need to obtain valid explicit consent from the data subject to collect and use their data;
- Data protection principles: purpose limitation, data minimization, transparency, privacy by design and privacy by default and data subject rights;
- Data retention: an acknowledgement that it can be difficult to irreversibly anonymize health data when the retention period expires;
- Security: the requirement to carry out a Privacy Impact Assessment and to adopt the security measures recommended by the European Network and Information Security Agency (ENISA);
- Advertising: although any advertising must be authorized by the user, there is a difference in approach depending on whether the advertising involves the processing of personal data;
- Use of personal data for secondary purposes: in instances where data could be used for scientific research or other big data analysis;
- Disclosing data to third parties: an agreement in place with the third party is essential;
- Data transfers: all apps must comply with the rules applicable to international data transfers;
- Personal data breaches: what to do and whom to notify when a data breach occurs; and
- Children’s data: when apps are deliberately aimed at children.
The final version of the Code will be prepared after its examination by the Article 29 Data Protection Working Party, which may approve it or suggest re-drafting. In the meantime, mHealth app developers may nonetheless find it useful to follow the draft Code, given the current shortage of guidance in this area.
While the Code will not be automatically binding on mHealth app developers, those who wish to declare their adherence will be required to submit a privacy impact assessment. Acceptance of that assessment by the relevant monitoring body will lead to the inclusion of the app and its developer on a public register.