eHealth and fitness/wellness applications are being investigated, and may be sanctioned, by the Italian data protection authority, which found half of them not compliant with applicable privacy laws.

We have already discussed in this post the potential data protection issues affecting eHealth applications.  However, this is the first time that the Italian data protection authority has taken a strong stance against their lack of compliance with privacy regulations.  Indeed, as part of the initiative named Privacy Sweep 2014, undertaken by the Global Privacy Enforcement Network (GPEN), the international network aimed at enhancing cooperation between data protection authorities, 1,200 applications were reviewed and 59% of them were found to operate in breach of data protection laws.

Issues identified in eHealth/wellness apps

The lack of compliance was identified in the following practices of such eHealth applications:

  1. An adequate privacy information notice compliant with applicable data protection laws is not provided at the time of installation, or only very generic information is provided which is not in line with the requirements imposed by data protection laws;
  2. The volume of personal data requested from users is excessive compared to the services provided, and 3/4 of the applications reviewed require consent to the processing of:
    • localization data,
    • device ID data,
    • other accounts data,
    • video recording functionalities and
    • contact lists.
  3. The size of the privacy information notice is not adapted to the reduced size of the screen, which makes it almost unreadable, or the privacy information notice is placed in the section of the app dedicated to technical specifications.

Actions that might be taken against eHealth/wellness apps

The Italian data protection authority is considering the next steps to be taken against such eHealth and wellness applications, with a view to adopting potential sanctions against them.  This practice is also part of the monitoring activity that will be run through the consultation on mobile health launched by the European Commission.

Additionally, it should be considered that if the above mentioned eHealth and wellness applications process health related personal data, the data protection compliance obligations and potential sanctions will further increase.  And this is not an issue relevant only to European companies, since US or Asian companies offering their applications to European users must also comply with the above mentioned obligations.

Finally, as mentioned in this post, with the growth of wearable technologies the data protection and regulatory obligations are likely to become more stringent.