The EU Article 29 Working Party (“WP29”) has published a letter to the European Commission (“EC”) on the scope of health data in relation to lifestyle and well-being apps, following the EC’s Working Document on mHealth and the outcome of its public consultation, which generated interest in strong privacy and security tools, and strengthened enforcement of data protection.
In the letter, WP29 addresses the exceptions to processing health data for historical, statistical or scientific research, and requests that the EC ensure that any secondary processing of health data only be permitted after having obtained explicit consent from individuals.
The Annex to the letter acknowledges that determining the scope of health data is particularly complex and can have a wider interpretation depending on context, and is likely to capture apps measuring blood pressure or heart rate – exactly the types of apps that are already widely available.
The Annex makes recommendations for those gray areas where it is not always clear whether personal data is medical data, and gives examples of possible indicators to consider. These include the intended use of the data and whether, over time and in combination with other data, it would be possible to create a profile about the health of an individual, such as risks related to illness, weight gain or loss and the consequential health issues that may arise, or an indication of heart disease. To be considered ‘medical data’, the WP29 states that there has to be a relationship between the raw data set collected through the app and the ability to determine a health aspect of a person, either from the raw data itself or when that raw data is combined with other data (irrespective of whether these conclusions are accurate or not).
Finally, WP29 suggests that the data protection exception relating to further processing of health data for historical, statistical and scientific purposes should be limited to research that serves high public interests, cannot otherwise be carried out or where other safeguards apply, and where individuals may opt out.
The view of the WP29 is likely to capture most of the existing apps relating to well-being, which at present a lot of organizations may have considered to be outside the scope of the additional protections afforded to sensitive data.