In April 2014, the European Commission published a Green Paper on mobile health (mHealth). This launched a broad stakeholder consultation on identifying barriers to the deployment of mHealth. This work is part of the wider EU Digital Single Market initiative.
The Commission issued a summary of the consultation. It concluded that the key challenges to mHealth were:
- lack of knowledge amongst manufacturers about the legal framework;
- data protection and trust;
- lack of interoperability between EU healthcare systems; and
- safety notices around mHealth apps.
The biggest risk identified by respondents related to data privacy. The European Commission concluded that:
- strong privacy and security tools are needed to build users’ trust;
- data encryption both “in transit” and “at rest” is needed;
- authentication mechanisms are needed (e.g. digital certificates, biometric parameters, tokens);
- user consent and access controls are crucial; and
- secured networks are important to prevent data interception.
Draft Code of Conduct on privacy for mHealth applications
In March 2015, the European Commission encouraged the industry to create a voluntary Code of Conduct. The Code is intended to address the concerns around data privacy and trust. The Code is targeted at app developers and aims to promote compliance and best practice.
On Monday 7 December 2015, the Commission facilitated a meeting in Brussels, which we attended, with stakeholders to explain the current draft of the Code.
There was a presentation outlining the Code on behalf of the industry working group who created the draft. There were many constructive comments in the meeting aimed at revising the draft. Bleddyn Rees, our Digital Health consultant, is a member of the Working Group.
Key features of the Code and next steps
The current draft Code is relatively short at 18 pages including appendices. It includes guidelines on:
- obtaining consent;
- main principles to follow around purpose limitation, data minimisation, transparency, privacy by design and by default, and data subject rights;
- information to provide to users before they use an mHealth app;
- how long data can be kept;
- security measures;
- secondary use of data;
- disclosing data to third parties;
- what to do if there is a personal data breach; and
- how to treat data gathered from children.
Comments on the draft Code
There are a number of challenges for this Code:
- How will the Code be enforced: A number of those at the stakeholders meeting felt that it needs to be actively enforced if it is to have real value to consumers, and that the Code of course needs to be kept up to date. However, considerable resources would be needed for any enforcement mechanism, and it is unclear how these would be paid for. There was discussion about a suggested tiered fee for app developers based on the size of the business.
An alternative suggestion was for users to rely on the Unfair Commercial Practices Directive, which creates a remedy where a business says it complies with a Code but does not do so. It remains to be seen whether the global industry players will contribute to the enforcement costs to support the growth of the market, and/or whether the European Commission will make a contribution as part of the development of a single digital health market in Europe.
- The distinction between health and lifestyle apps is not straightforward. Health apps may need to comply with the Medical Device Directive, so understanding what constitutes a health app is important.
- How to avoid preventing secondary research use of data where, at the time the data was collected, that research could not reasonably have been foreseen.
- Currently the Code does not offer any new interpretation of various laws or Opinions. The Dutch Data Protection Authority explained that it does not approve any Codes which do not add value by explaining, clarifying or interpreting the law rather than simply restating or quoting the draft of the legislation. To date the Code has avoided expressing its own views to avoid possible conflicts which might be counterproductive.
- The long-awaited revised EU General Data Protection Directive (GDPR) is likely to introduce new provisions, such as clarifying the distinction between medical and lifestyle apps.
- There was some discussion around having an organisation certify apps as compliant with the Code, on a pan-EU basis, for a fee. This is beginning to happen in some countries on a national basis e.g. France.
Data: the future currency for digital goods and services?
The growth of health and lifestyle apps is supported by our Connected Consumer research, which you can download here. Our report identified how the “always on” Connected Consumer’s data is becoming the new currency for digital goods and services. The approach in the Code will reinforce the rigid consent approach, which we do not believe is fit for purpose in today’s digital world.
The industry working group is looking for written responses to the draft Code by mid-January 2016, so that it can be revised and submitted to the Working Party under Article 29 for approval. Written responses to the draft Code can be sent to Bleddyn Rees. Please get in touch with one of our experts if you would like help with your submission.
Marcus Vass, Jon Fell and Bleddyn Rees