The European Commission has drafted a code of conduct for mHealth app developers.
The 23-page document, presented earlier this month by an EU Working Group, is designed to “foster trust among users of mobile applications which process personal data that includes data concerning health.” It now awaits a vote of the EU Data Protection Working Party.
“mHealth apps must provide users with clear and prominent information about how their data will be used to help them make informed decisions prior to using an app,” the document states. “This will help ensure data are used in a fair and transparent manner, which is crucial for fostering trust. The Code thus aims to facilitate data protection compliance and to promote good practices in this field.”
The code covers several hot-button issues facing mHealth app developers and users. As described by Victoria Hordern, a London-based senior associate in the privacy and information management practice of the Hogan Lovells law firm, they are:
- User Consent: the need to obtain valid explicit consent from the data subject to collect and use their data;
- Data Protection Principles: purpose limitation, data minimization, transparency, privacy by design and privacy by default and data subject rights;
- Data Retention: an acknowledgement that it can be difficult to irreversibly anonymize health data when the retention period expires;
- Security: the requirement to carry out a Privacy Impact Assessment and adopt security measures recommended by ENISA;
- Advertising: any advertising must be authorized by the user, but there is a difference in approach depending on whether the advertising involves the processing of personal data;
- Use of Data for Secondary Purposes: in instances where data could be used for scientific research or other big data analysis;
- Disclosing Data to Third Parties: an agreement in place with the third party is essential;
- Data Transfers: all apps must comply with the rules around international data transfers;
- Data Breaches: what to do and whom to notify when a data breach occurs; and
- Children’s Data: when apps are deliberately aimed at children.
While the EU’s General Assembly will finance and supervise governance of the code, a Governance Board will handle the day-to-day maintenance and interpretation, as well as any amendments. In addition, a Monitoring Body will enforce the code, reviewing app developers’ applications and maintaining a public registry of app developers who have met the code’s requirements. That body will also monitor apps for adherence and deal with complaints.
The push to create a code follows a 2014 EU report which found that many Europeans don’t trust mHealth apps, particularly in safeguarding personal health data.
“It was concluded that an appropriate action to help increase and promote trust, would be the industry themselves setting up a code of conduct on mobile health apps,” EU officials said in a press release announcing the code. “This code would cover privacy and security principles and be signed by app developers. The aim should be to provide easily accessible guidance on how European data protection legislation should be applied in relation to mHealth apps.”
In her analysis, Hordern calls the code “a good starting point for app developers.”
“The development and use of mHealth apps raises a number of privacy issues,” she wrote in Lexology. “In particular the stakes are higher because the technology is ubiquitous and mobile and the data is often very intrusive and private to individuals. While we will need to wait and see whether the Working Party gives the Code an unequivocal ‘thumbs up,’ it remains a good starting point for app developers. In time it may require some changes to bring it fully in line with the requirements of the GDPR but its governance framework allows for further amendments in the future.”