“Health apps” for smartphones and tablets have already had a considerable impact on the German market. This type of software allows, for example, a user’s blood sugar or blood pressure readings to be stored and transferred, or can remind the user to take medication and monitor their BMI. Recently a number of devices have entered the market, leading to a popular new trend of “wearing” hardware that makes use of software-based health monitoring. These devices are sometimes used in connection with cloud computing services. German law provides little guidance on the use of such devices, but the following regulatory and legal requirements are noteworthy.
With regard to regulatory matters, when developing this type of product the manufacturer should take the requirements of the German Medical Devices Act into account. In line with some of its provisions, hardware or software products created for diagnostic or therapeutic purposes may be categorised as “medical devices”. Such products would require a “CE” marking and would be subject to a so-called Conformity Assessment Procedure under the Medical Devices Act. This does not, however, apply to products which only save or transfer health data for health or fitness purposes or which function as a personal health assistant.
With regard to privacy matters, German data protection law requires a higher degree of protection for personally identifiable information relating to an individual’s health, as such data is deemed to be “special personal data”. Any data which describes an individual’s mental or physical condition and which may be used to identify the individual, or to make the individual identifiable, is considered health data. As a result, such information may only be processed with the explicit consent of the user. The consent declaration has to point out that health data is being processed, unless the processing is required to deliver a service requested by the user. Processing that would require such consent includes a transfer to a third party, e.g. for the use of a cloud computing service that works in connection with the wearable device’s software. Furthermore, when profiles created from the user’s health data are used for purposes other than those originally requested, consent must be obtained. The requirement to obtain consent does not, however, apply if the device in question only collects anonymised data. Under German data protection law, anonymisation requires a high degree of time, effort and manpower to ensure that the user is no longer identifiable. If the data controller is able to reverse the anonymisation afterwards and make the user identifiable again, the consent requirement would still apply.