The advent of smartphones brought with it a variety of mobile applications or, as they are more commonly known, apps. This new technological feature is accessible through free or paid downloads, and is rapidly changing the way consumers obtain information and transmit data.

In particular, mobile health and fitness apps are gaining momentum. There are many different types of applications in this sector. Some apps are merely informational – such as those that provide nutritional values of food and drink and assist in diet and exercise regimes. Other apps purport to be illness symptom checkers or even chronic condition managers.

In this sector, privacy protection comes to the forefront, given the inherent risks for users of mobile health apps. Apps downloaded on mobile devices can be highly invasive because they collect large quantities of personal information on the user, including name, age, gender, height, weight, food consumption and exercise habits. These apps create a record sheet of one’s health and lifestyle.

European bodies have increased their focus on the data protection implications of mobile health. The working party responsible for data protection, dubbed the Article 29 Working Party, has published a document relating to the processing of health data in the context of lifestyle and well-being apps.

A wide range of personal data may fall into the category of health data. The working party indicated that mobile apps processing data that are clearly medical, relating to the physical or mental health status of an individual, constitute processing of ‘health data’. This includes diagnosis, treatment, medical history, clinical treatment and other related information.

Likewise, data that allow for conclusions to be drawn about an individual’s health status or health risks constitute ‘health data’. According to the working party, health data include information about a person’s obesity, smoking habits or alcohol consumption. Conversely, raw data generated by lifestyle apps from which no conclusions can be reasonably drawn about one’s health status do not fall under this category. This would include apps that calculate information without being able to combine that information with other data from and about the same data subject.

The working party document also dealt with the legal requirements relating to the processing of health data. It highlighted the necessity for explicit consent from the data subject if data are collected through apps with a medical purpose or where health data can be reasonably inferred from the data tracked.

Apps that contain reminders to take medication, or apps that track food and exercise in a dieting programme, require the data subject’s consent because they involve sensitive health data. The working party underlined the importance of providing the data subjects with clear information about the purposes for which data are collected and processed.

Following on from the working party’s recommendations, the European Data Protection Supervisor (EDPS) has published his own opinion on mobile health software, stressing the significant privacy concerns raised by the large volume of lifestyle and well-being information processed through mobile applications. While acknowledging the potential that mobile health has for improving healthcare in general, the EDPS considered the necessity of protecting individuals’ dignity and fundamental rights, particularly privacy and data protection, in this new and developing sector.

The EDPS suggested the introduction by the EU legislator of measures to foster accountability and allocation of responsibility for those involved in apps. The Data Protection Supervisor favoured a broad definition of health data, which would include any data relating to a person’s physical or mental health information, while abandoning a narrow interpretation of health data that could deprive individuals of the appropriate protection of the intimate information they reveal. Insufficient protection of users’ health data could undermine the trust that users have in mobile health.

The European Commission is in the process of unifying data protection in the EU with a single law: the General Data Protection Regulation. The regulation proposes new guiding principles and rules applicable in the context of mobile health. In the interim, the European Commission is working with stakeholders to create an industry-led EU code of conduct on mobile health apps, covering data privacy and security best practices. The code is intended to dispel consumers’ distrust in mobile health apps by facilitating compliance with EU data protection rules for app developers.

jgrech@demarcoassociates.com

Josette Grech is an adviser on EU law at Guido de Marco & Associates.
