On February 5, 2015, the Article 29 Working Party (the “Working Party”) published a letter that responds to a request of the European Commission to clarify the scope of the definition of health data in connection with lifestyle and wellbeing apps. In the annex to this letter, the Working Party identifies criteria to determine when personal data qualifies as “health data,” a special category of data receiving enhanced protection under the EU Data Protection Directive 95/46/EC (the “Directive”). The Working Party further discusses the current legal regime for the processing of such health data and provides its view on the requirements for further processing of health data for historical, statistical and scientific research under the Directive. The letter also includes the Working Party’s recommendations for the regime that should be provided in the proposed EU General Data Protection Regulation (the “Proposed Regulation”).
Scope of Health Data
The Working Party identifies three main scenarios where personal data processed by lifestyle and wellbeing apps and devices are health data:
- The data processed by the app or device is inherently/clearly medical data. In other words, the data provides information about an individual’s physical or mental health status generated in a professional medical context (e.g., healthcare providers);
- The raw sensor data processed by the app or device can be used, independently or in combination with other data, to draw conclusions about an individual’s actual health status or health risks; and
- The data allows for conclusions to be drawn about an individual’s health status or health risks (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate or otherwise adequate or inadequate).
Legal Requirements for Processing Health Data
In addition to identifying which data should be considered health data, the Working Party also discusses the requirements that should be taken into account when processing such data.
First of all, the Working Party clarifies that the users of lifestyle and wellbeing apps do not have to comply with the Directive when the data is not transmitted outside their device, as this qualifies as purely personal use of personal data. If the processing of health data does not solely take place on the device itself, such processing is only allowed in limited cases listed in Article 8 (2), (3) and (4) of the Directive. Except in cases where the data is processed in a strict medical context (implying processing by individuals subject to professional secrecy obligations for the purpose of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health care services), the Working Party is of the opinion that explicit consent will most likely be required to legitimize the processing.
The Working Party further stresses the importance of providing clear and easily accessible information to the users before they install the app or buy the device, the need to define clear, compatible and legitimate purposes of the data processing, as well as the requirement to implement proper anonymization techniques and other security measures, such as privacy by design and data minimization.
Current and Proposed Requirements for Further Processing of Health Data for Historical, Statistical and Scientific Purposes
Finally, the Working Party addresses the current rules and the proposed exception for further processing of health data for historical, statistical and scientific purposes under the Proposed Regulation. The Working Party would like the European Commission to make a clear statement that, under the Directive, such processing generally requires explicit consent, unless specific exceptions provided in national law apply. Furthermore, the Working Party calls on the European Commission to ensure that, under the Proposed Regulation, such further processing of health data will also be limited to cases where the concerned individuals have explicitly consented to the processing or circumstances where: (1) the concerned research serves high public interests, (2) the research cannot possibly be carried out otherwise, (3) other safeguards apply, and (4) the individual is offered the possibility to opt out.