The Article 29 Working Party (“WP29”) (a European advisory body on data protection and privacy) recently published its comments on the Code of Conduct on privacy for mobile health (mHealth) apps.
The Code, which was facilitated by the European Commission and submitted to the WP29 last June, consists of practical guidelines for app developers in the context of health apps – for example, on consent and complying with key data protection principles such as purpose limitation and data minimisation.
The WP29 has analysed the Code’s compliance with the existing Data Protection Directive, and also in light of the new requirements of the General Data Protection Regulation (“GDPR”), which will apply from 25 May 2018.
The WP29 considers that the Code would benefit from further clarification in some areas and references to the existing legal framework, and has provided examples which it believes will help to strengthen the Code. This includes:
- Clarification of roles and responsibilities: Clarifying the roles and responsibilities of the parties involved in processing (app developers may act as data controller, data processor or possibly both, depending on the circumstances).
- Practical guidelines for data controllers: Clarifying that consent should fulfil all the requirements of the GDPR and the Data Protection Directive, but also acknowledging that there are other conditions, besides consent, which render the data processing fair and lawful. The Code implies that the processing of personal data in most mHealth apps is almost exclusively based or dependent on the consent of individuals. However, the WP29 is concerned that consent might not always be ‘freely given’ by individuals (which is a requirement for valid consent under the Data Protection Directive and the GDPR), particularly if the use of the app has been recommended to them. The WP29 also considers that the guidance on verifying guardian consent when processing children’s data should be more thorough.
- Data protection principles: Referring to those principles which are not currently mentioned, such as the accuracy and quality of data, its accessibility and security issues linked with data storage, or explaining why those principles are not seen as relevant.
- Data subject rights: Explaining or giving practical examples of how data subjects can exert their rights and how data controllers and data processors ought to meet their obligations related to data subject rights (including the new right to data portability under the GDPR).
- Security: Including more details and relevant examples of how app developers can integrate “privacy by design” (which is a basic requirement of the GDPR with regard to any processing operation) and “privacy by default” in their development process. The Code should also consider security issues raised, for example, where users allow third parties (their personal doctors) to access their data.
- Marketing: Clarifying the legal basis and requirements for processing data for marketing purposes.
- Transfers to third countries: Addressing issues related to transfers of personal data to public authorities and commercial entities based in third countries and requiring that information on the transfer destination is provided.
- Personal data breaches: Taking into consideration the relevant definitions in the Data Protection Directive and the GDPR (in this regard, the WP29 considers that the example seems to be misleading).
Once approved by the relevant institutions, the Code will be applied and app developers will be able to voluntarily commit to follow its rules.