The European Data Protection Supervisor (“EDPS”), Giovanni Buttarelli, has published an opinion on Mobile Health (“mHealth”), a rapidly evolving sector that stems from the convergence of healthcare and information communication technology. mHealth includes mobile applications designed to provide health-related services through smart devices by processing personal information about an individual’s health, well-being, and lifestyle.

The opinion discusses the growing ubiquity of mHealth, which in large part is due to the proliferation of smartphones and wearable computing devices.  Current estimates suggest that by 2017, nearly 3.4 billion people worldwide will own a smartphone, and half of those individuals will use mHealth applications.  While the opinion acknowledges that mHealth has the potential to improve healthcare by improving the lives of users and providing new insights into medical research, which could reduce costs and improve patient outcomes, it also recognizes that there will be an increased need to protect the privacy of users given the sensitivity of health-related information.

In order to address the growing need for privacy and data protection related to mHealth, the opinion makes a number of recommendations:

  • the EU legislator should, given the multiplicity of parties involved in the mHealth industry, foster accountability and allocation of responsibility of those involved in the design, supply, and functioning of apps (including designers and device manufacturers);
  • app designers and publishers should design devices and apps to increase transparency, provide individuals with greater detail about how their health information is being processed, and avoid collecting more data than is necessary to perform the expected function. App designers and publishers should do so by embedding privacy and data protection settings in the design, and by making them applicable by default;
  • industry should use Big Data in mHealth for purposes that are beneficial to individuals and avoid using it for practices that could cause individuals harm, such as discriminatory profiling for price-discrimination or to deny individuals insurance coverage; and
  • the legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools that can be applied throughout the mHealth ecosystem.

The EDPS opinion on mHealth reflects the difficulty legislators face in crafting rules that protect the privacy of users, while simultaneously creating an environment that fosters innovation from key stakeholders and allows users to realize the benefits of mHealth.