The Internet of Things is of particular relevance with regard to health and well-being. Health apps for smartphones and tablets as well as wearable devices such as smart watches, smart earplugs or other connected devices (“Wearables”) have had a considerable impact on the German market so far. Their aim is to collect information about a user’s health and process it by providing the user with analytics about his physical or mental condition. For example, heart rate or blood pressure can be measured. A user can be reminded to take medication and can monitor his activity, sleeping cycles or other factors that are relevant for the user’s health and well-being. The majority of Wearables use cloud computing services to store the information collected. This, together with the fact that sensitive information of users is collected, raises the bar for the legal requirements. Although German law provides little guidance specifically on the use of such devices, the following regulatory and legal requirements as well as guidance by Data Protection Regulatory Authorities (“Regulators”) are to be noted and observed.
Specific requirements for Medical Devices
With regard to regulatory matters, when developing products such as Wearables or health apps, the requirements of the German Medical Devices Act need to be taken into account. Under some of its provisions, hardware or software products created for diagnostic or therapeutic purposes may be categorised as “medical devices”. Such products would require a “CE” marking and would be subject to a so-called Conformity Assessment Procedure under the Medical Devices Act. This does not apply, however, to products which only save or transfer health data for health or fitness purposes or which function as a personal health assistant.
Personal health data and Wearables
With regard to privacy matters, German and EU Data Protection law, by way of the General Data Protection Regulation (“GDPR”) which will come into effect on 25 May 2018, requires more caution for personally identifiable information relating to an individual’s health. The GDPR specifically defines “genetic” and “biometric” data as well as “data concerning health”. The GDPR places a high burden on the processing of such data. This being said, according to German Regulators, even under the current Data Protection regime any data which may be used to identify an individual or make an individual identifiable, and which describes an individual’s mental or physical condition, will be considered “health data”. This means that the scope of information that falls into this special category was and will remain broad.
Requirements for processing personal health data
As a general principle, personal health data may only be processed with the express consent of the user. The requirement to obtain consent does not apply, however, if the Wearable is only collecting anonymised data. Under the current German regime this requires a high degree of time, effort and manpower to ensure the user is no longer identifiable. If the data controller is able to reverse the anonymisation afterwards and to make the user identifiable again, the above requirements would still apply. Something similar will apply under the GDPR, although Regulators are yet to provide specific guidance in relation to the threshold of anonymisation.
The GDPR shall, in a similar way to the current German regime, also allow for processing of health data on the basis that this is required for the performance of a contractual obligation, such as the delivery of a service. Thus, where the user requests a Wearable to perform a certain task, the related processing would be covered by the contractual performance exemption. Equally, this processing would not require consent.
Another question is whether the storing of data by the Wearable in a cloud that is operated by a third party and held on its servers would also be covered by the exemption. Since this requires a transfer of the data to a third party, it is not usually inherently related to the service and not always clear to the user. In such cases, obtaining consent seems advisable.
Furthermore, when profiles which have been created from the user’s health data are used for purposes other than those originally requested, consent must be obtained. The GDPR allows for profiling without the user’s consent to the degree that such profiling is not required for the performance of a contract. If the Wearable or health app does not primarily offer the profiling as part of the service, then again it is advisable to obtain consent.
In Germany, Regulators have issued specific guidance in relation to apps. In this context, they have also provided requirements for apps that process sensitive information such as personal health data. Regulators mentioned that additional security measures, both in terms of safeguarding the data stored on the device and during a transfer, would be advisable. Furthermore, Regulators recommend that app developers avoid storing access data on the device on which the health app is installed and use state-of-the-art encryption. This shows that Regulators have in the past spent time assessing technical and organisational security measures in relation to health apps. It is fair to assume that they will take a similar look at the protection of personal health data processed by Wearables under the GDPR. The GDPR will place a specific focus on the “Privacy by Design” and “Privacy by Default” requirements. These concepts will be of particular importance in the Internet of Things context as they require that processes and products are structured and developed in a way that collects as little data as possible. Therefore, both hardware manufacturers and software developers should take privacy requirements into account at an early stage of product design.