EU Commission releases draft Privacy Code of Conduct for mHealth apps


The European Commission has drafted a code of conduct on privacy for mobile health (mHealth) apps (the “Code”). The Code has been submitted to the Article 29 Data Protection Working Group for approval. The Code aims to provide a user-friendly guide to compliance with European data protection legislation for mHealth app developers. Once the Code has been approved, app developers will be able to apply voluntarily to adhere to its rules in order to demonstrate compliance with good data protection practice.

Background

In the introduction to the Code, the Commission recognises the potential of mHealth apps to improve the health of individual users, as well as society as a whole. It also acknowledges that using and storing data concerning health poses significant challenges in terms of data protection. The purpose of the Code is to encourage app developers to design mHealth apps with protection of the privacy of users as a key consideration, with the aim of fostering a culture of trust among users of mHealth apps. The principles of the Code reflect the principles in the EU General Data Protection Regulation (which will come into force in 2018). Interestingly, the Code distinguishes between “data concerning health” (any personal data relating to the physical or mental health of an individual, or to the provision of health services to an individual, which reveals information about that individual’s health status) and lifestyle data (raw data that relates to an individual’s habits and behaviour and is not intrinsically linked to the individual’s health), giving examples to help app developers determine when data will be deemed data concerning health.

Governance

The first part of the Code sets out its governance structure:

  • A General Assembly will be established, with members made up of app developers, industry associations and end-users of apps. The General Assembly will supervise the governance and maintenance of the Code but will not have day-to-day decision-making powers. It will also provide annual financial contributions to secure the financial stability of the Code.
  • A Governance Board will have the decision-making powers in respect of the Code. It will be responsible for decisions on the maintenance, interpretation and evolution of the Code.
  • A Monitoring body will have an operational role which includes enforcement of the Code. The Monitoring body will also maintain a centralised public register of the app developers who comply with the Code. Once an app developer is added to the public register, they may add a trust mark to their app to indicate compliance with the Code.

Practical Guidelines

The second part of the Code sets out the practical guidelines applicable to app developers. These include:

  • Consent: in order to process user data, apps must obtain the free, specific and informed consent of users prior to or as soon as the app is installed. The consent must be explicit and developers must be able to provide evidence of that consent. Users must be able to withdraw their consent easily through a simple and accessible process. The withdrawal of the user’s consent should result in the deletion of the user’s data from any systems the app developer controls.
  • Data protection principles: apps must adhere to the principles of purpose limitation (to collect data for specific, defined and legitimate purposes), data minimisation (not to collect or process more data or for a longer duration than is necessary), transparency (to provide users with a clear description of the purposes for which their data will be processed), privacy by design and default (that privacy measures are considered at every stage and built in to the app at the design phase) and data subject rights (where users have the right to access any personal data relating to them that is stored by the app).
  • Information for users: users must be given contact information in order to raise complaints or exercise their rights to access their personal data. Users must also be made aware if any health data will be stored somewhere other than their device. The Code suggests providing this information through a layered approach, using a condensed notice leading to a more extensive privacy policy. There are examples of a condensed notice and privacy policy in Annex II of the Code.
  • Storage of data: apps must not store any personal data for longer than is necessary for the functioning of the app. Clear criteria must also be formulated for the deletion of user data.
  • Security measures: app developers must adopt a risk-based approach to determine the security measures required for a particular app by conducting a Privacy Impact Assessment. An example of a Privacy Impact Assessment is contained at Annex I of the Code.
  • Advertisements: the use of advertisements must be clearly authorised by the user before the app is installed. Where an app uses contextual advertisements, which appear to the user without any personal data being shared with third parties and without any of that individual’s health data being processed, the user must be given the option to opt out of the contextual advertising before data processing for that purpose takes place; alternatively, the prior opt-in consent of the user must be obtained explicitly and separately from the user’s consent to install the app.
  • Secondary purposes: secondary processing of data collected via an app for scientific and historical research purposes or statistical purposes will be compatible with the original purposes, so long as it is done in accordance with national or EU rules.
  • Disclosures to third parties: app developers may only make personal data available to a third party for processing after the user has been appropriately informed. Before making the data available, the app developer must enter into a binding legal agreement with the third party which stipulates the purposes for which the data may be processed (which must align with the purposes for which the app developer processes the data). The agreement must also prohibit processing of the data for any other purposes.
  • Data transfers: app developers must comply with the rules relating to international data transfers.
  • Data breaches: the Code provides a helpful checklist setting out the steps an app developer should take in the event of a personal data breach.
  • Children: app developers must opt for the most restrictive data protection measures where children under the age of sixteen are using apps. App developers must also be aware that the age limit defining children is not necessarily the same in all Member States. Parental involvement is also key for apps aimed at children.

Comment

The mHealth market is predicted to grow exponentially in the next few years, with mHealth apps playing a significant role in this growth. The industry has expressed concern about the regulatory burden placed on mHealth app developers and the limitations this may place on innovation. The Code should help to allay some of those concerns, as it may provide welcome guidance to the industry on compliance with data protection rules and should promote greater trust among app users in relation to data privacy. More generally, the Code is an example of the drive by the EU institutions to encourage technological innovation while securing greater protection of data.