New apps are being developed at the speed of light, and almost simultaneously, legislators around the world are busy revising existing, or drafting new, data privacy legal frameworks. While ideally both should move in harmony, it appears that they are not, with (new) privacy rules often being too theoretical, leaving app developers puzzled.
The importance of creating an intelligible legal framework for data processing apps, and in particular apps collecting and processing health data (“mHealth apps”), was confirmed by the Article 29 Working Party last year in February, when it published a letter responding to the European Commission, which had requested clarification of the scope of the definition of health data in connection with lifestyle and wellbeing apps. In the annex to the letter, the Working Party identified three main scenarios where personal data processed by such apps are to be considered “health data”:
- The data processed by the app is inherently/clearly medical data;
- The data is raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person;
- Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).
App developers themselves have not been standing still either. A group of stakeholders representing the industry has been organizing meetings with the European Commission with a view to creating clarity in the mHealth app landscape. As a result of such meetings, in December last year, a Draft Code on Privacy for Mobile Health Applications was released, reflecting the ongoing discussions and the overall goal of the industry to translate existing (and future) privacy rules into workable criteria and guidelines.
The draft Code aims to provide specific and accessible guidance on how European data protection legislation should be applied in relation to mHealth apps. While the app industry consists of many different stakeholders (including the actual developers, OS and device manufacturers, app stores, users of the app, and other third parties such as advertising networks and similar intermediaries), the draft Code specifically targets app developers due to the consideration that they are the ones responsible for designing and/or creating the software which will run on the smartphones of the users, and thus for deciding the extent to which the app will access and process different categories of personal data in the device and/or through remote computing resources.
Further to the clarification previously given by the Article 29 Working Party, the draft Code defines “data concerning health” as any data related to the physical or mental health of an individual, or to the provision of health services to the individual. Examples of data concerning health include, inter alia, data describing the health status or health risk of an individual, or data describing a medical intervention undertaken in relation to an individual. The definition is further clarified in the draft Code by means of use cases, for instance the following:
An app allows a user to track whether she has taken her prescribed medications and thus complies with the advice provided by her doctor. This app will be deemed to process data concerning health, since the consumption of medication is indicative of the health of an individual.
While the Code is a work in progress, it nevertheless already provides helpful tools and guidance that can be used by up-and-coming and established app developers, such as:
- practical guidelines on obtaining consent from app users,
- an overview of the main principles that must be complied with before making an mHealth app available,
- a set of questions to allow app developers to carry out a Privacy Impact Assessment,
- what information is to be provided to the users before they may use the app (including a short and long form information notice),
- how long the data can be retained,
- what to do in the event of a personal data breach, and
- how to ensure the security measures in place are adequate, taking into account the types of data and nature of the data processing operations.
The draft Code clarifies that whether or not the actual app developer falls within the scope of applicability of European data protection law largely depends on the design choices made when the app was created. Furthermore, the Code specifies that if an app developer does not exercise any control over the processing of personal data through the app, and does not use the outcome of the processing (which will commonly be the case if no personal data is ever sent to the app developer or to any other third party by the app), then the app developer will not fall within the scope of EU data protection law.