Introduction to mobile Health and data protection laws

The mobile Health (mHealth) sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies (DPAs) and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog introduces the key hot spots involving mHealth and data protection laws, before we dig deeper on other issues in a series of consecutive posts on this blog in the upcoming weeks.

mHealth raises concerns with the DPA’s

Without doubt, mHealth apps and devices are a success story of the past few months. But what is the position of competent DPAs that are constantly monitoring the mHealth environment? Recently, the German Federal Commissioner for Data Protection published a press release in which she issued a warning to the German public about the risks of unlawful handling of personal information collected by providers of health and fitness apps. Although she acknowledged that providing personal health data to third parties (for example, health insurance funds) may create short-term monetary benefits, she warned that incalculable risks may occur in the long term. In Germany, this is a widespread view. In June 2014, the association of all German DPAs (the so-called “Düsseldorfer Kreis”) took the view that health apps must meet specific and increased requirements.

This position of the German DPAs corresponds with the legal opinion of the European Data Protection Supervisor of 21 May 2015 on Mobile Health who drew attention to certain conflicts with privacy protection and security standards and pointed out a significant lack of regulation.

Likewise, the Article 29 Working Party (the advisory body of DPA representatives from each of the EU Member State) raised its concerns about the compliance of mHealth solutions with mandatory EU privacy protection laws in an official statement of 5 February 2015.

Since all DPAs take the view that legal responsibility lies with the mHealth industry, further enforcement activities (e.g. administrative proceedings or even fines) by the authorities are highly likely. Companies operating in the mHealth sector are advised to identify legal risks at an early stage and to monitor DPA press releases and legal opinions that are published in the future.

In our series of posts on mHealth and data protection issues we will examine the DPA’s concerns in more detail.

mHealth and the legal debate – what’s the story?

First of all, what’s in the mix when legal experts talk about mHealth and data protection issues? In the current legal debate, mHealth is used as a collective term for medical and public health practices supported by mobile devices, such as mobile phones, personal digital assistants (PDA’s), smart watches and other wireless devices. It also includes applications (apps) such as lifestyle and wellbeing apps connecting to and interchanging with mobile devices. Through different kinds of sensors and apps, mHealth allows the collection of all kinds of health data and information about the physical activities of the individual who is wearing or using the device or app. If combined with other personal information and Big Data from other sources, mHealth data plays a crucial role in building a digital image of the individual concerned.

Legal responsibility or “who should read this post”?

Like any other service or product which facilitates the collection, processing and use of personal information, mHealth solutions must comply with mandatory statutory laws. As a consequence, it is the app developers, app stores, device manufacturers, various service providers and advertisers who are legally responsible for ensuring compliance with mandatory data protection and other regulatory provisions. At least, this is the undisputed view of the DPAs in charge of supervising compliance with data protection rules.

Hot spots: mHealth and data protection

Taking the positions of the DPAs and the statutory legal framework in Germany and the EU into account, the most relevant legal questions arising in relation to mHealth and privacy laws are:

What specific information in the mHealth environment is considered to be personal data? And when is this personal data considered to be sensitive data? What specific requirements apply to sensitive data under EU data protection laws?

We will elaborate on this issue in part 2 of our series on mHealth and data protection laws. Further topics of interest will be:

How can the collection and processing of data through apps or devices be lawfully implemented and conducted? What is the most effective way to obtain a legally valid consent from individuals? What are the requirements in order to lawfully share collected information with third party service providers?

Part 3 of our series will answer these questions. Since many mHealth service providers are located outside the European Economic Area (EEA), personal information collected by mHealth devices or apps within the EEA will be transferred to third party countries. This prompts the question:

How can an organization lawfully make cross-border transfers of personal information collected in the mHealth context?

In view of the sensitivity of health-related information, the principles of privacy by design and privacy by default are important topics in the mHealth business, particularly for app developers and device manufacturers. The question that consequently arises is:

What are the necessary technical safeguards and measures that have to be implemented into mHealth devices, apps and tools in order to protect personal information?

Once the mHealth device or app has been properly designed, the involved parties will additionally have to provide its users with adequate notice, before they use the gadgets. Mandatory statutory provisions require easy-to-read privacy notices and implementation of opt-in or opt-out solutions. This leads to the questions:

How should the privacy notice be presented and what content should it include? And: Are there ways to mitigate liability risks, in particular by providing terms of use?

We will tackle this issue in one of our upcoming posts.

Non-compliance with privacy laws can have a considerable impact on organizations and lead to unpleasant legal consequences, including the imposition of fines or civil proceedings brought by a competitor. In one of our following posts, we therefore will detail:

the specific sanctions that can apply and the other consequences that may occur if a mHealth service provider fails to comply with privacy protection laws.

Finally, from a pharmaceutical law point of view, we will consider in what circumstances health-apps have to meet the strict regulatory requirements that apply for medical devices.

Summary findings

The questions raised above indicate that the legal assessment of mHealth services, applications, tools and gadgets is one of the most exciting and stimulating topics in the field of data protection law. Keep reading this blog and we will try to steer you through this minefield and provide you with answers that will help you operate in this fascinating field of business!