Out-Law News

App developers should be given greater responsibility for protecting privacy in digital health environment, says watchdog


An extra onus should be placed on developers of mobile apps in the health and wellbeing market to protect people's privacy, an EU privacy watchdog has said.

European data protection supervisor (EDPS) Giovanni Buttarelli said that EU law makers should "foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps", including designers of those apps and device manufacturers, when setting out future policy related to m-health.

He said data security in the m-health environment should also be enhanced by law makers.

"The legislator should require that all actors guarantee confidentiality, integrity and availability of the personal data processed according to data protection rules, international standards and best practices," Buttarelli said. "Among all possible options for information security, continuous risk management shall be the keystone to any security activity."

In his new paper, the EDPS said mobile health (m-health) "has great potential for improving healthcare and the lives of individuals". The proliferation of data and the increasing interconnectedness of devices mean "new insights for medical research" could be gleaned and the cost and complexity of "patient's recourse to healthcare" could be reduced, it said.

However, Buttarelli said businesses involved in the m-health market must "respect the [EU] data protection rules and be accountable for their data processing" if they process personal data (18-page / 889KB PDF).

Buttarelli said designers of m-health apps must ensure those apps are developed in a way that offers users more transparency and greater detail about the processing of personal data. The design of those apps should also ensure that no more personal data than necessary is collected for the "expected function" being performed by those apps.

Privacy and data protection settings should be embedded in the design of m-health apps and be "applicable by default", the EDPS' opinion said.

Buttarelli said that health market businesses and organisations should look to harness 'big data' "for purposes that are beneficial to the individuals" and not exploit datasets and analytics software for "practices that could cause them harm, such as discriminatory profiling".

People using m-health apps should be given greater control over how their personal data is used, the EDPS said.

"One of the goals of developing m-health is to enhance patients’ empowerment, which consists of greater individual control over their healthcare," the opinion said. "We consider that a greater level of empowerment should be achieved also in data protection, by enhancing users’ control over their personal data. App developers and stores should increase transparency to the benefit of individuals. Users should be better informed on processing of their data and allowed, timely and effectively, to give and/or revoke consent or opt out from processing where relevant."

"One very powerful means to increase users’ control is to grant them the possibility to process their own personal data strictly locally without any transfer to any provider. In this respect, in a landscape of growing complexity, we also support data portability (and interoperability of formats and technologies) as a solution towards simplification, transparency and control by users and against data duplication," it said.

Barry Francis, health and infrastructure law expert at Pinsent Masons, the law firm behind Out-Law.com, said: "Any measures which increase certainty and user trust are to be welcomed so long as they do not disincentivise the development and rolling out of new and beneficial applications. The need to reduce cost and improve healthcare and illness prevention is manifest and m-health will be a key component in this endeavour."

The European Commission held a consultation on m-health in 2014 and published the responses it received earlier this year. In a document summarising the views it gathered, the Commission said "a strong majority" of respondents identified "strong privacy and security principles" for m-health as being necessary "to build users' trust". The Commission is expected to set out its "policy responses" on m-health later this year.
