Mobile health or ‘mHealth’ applications commonly raise complex privacy issues as a result of processing large amounts of sensitive personal data. Following the publication of its Green Paper on the topic in 2014, the European Commission has recently published a draft code of conduct on privacy for mobile health applications (‘the code’).
The code provides targeted guidance setting out how mHealth application developers can create products that comply with the stringent requirements of European data protection legislation, including those of the Data Protection Directive (Directive 95/46/EC) and the forthcoming General Data Protection Regulation (Regulation 2016/679).
The code covers topics including:
- How to obtain the consent of users
- Which data protection principles should be taken into account during development
- Information that should be provided to users (including the use of privacy notices and privacy policies)
- Security measures and what to do in a data breach situation
- Advertisements and marketing (including information about opt-in and opt-out consent)
- The use of personal data for ‘secondary purposes’ such as ‘big data’ analysis
- Disclosures to third parties
- Transferring data within and out of the EU/EEA
- Collecting data from children
The final version of the code will not be automatically binding on mHealth app developers. However, when in force, those developers who wish to declare their adherence will be required to submit a privacy impact assessment. Acceptance of an impact assessment by the relevant monitoring body will lead to the inclusion of the application and its developer on a public register.
The final version of the code will be prepared following its examination by the Article 29 Working Party, which may approve or suggest re-drafts. However, mHealth application developers may find it helpful to draw on the draft code in the interim, given the current lack of advice in this area.