The Article 29 Working Party said that businesses wishing to use data generated by mobile apps will generally require individuals' "explicit consent" to do so if the data qualifies as health data.
The Working Party, which is made up of representatives from data protection authorities based across the EU, was seeking to "clarify the scope of the definition of data concerning health in relation to lifestyle and wellbeing apps" (1-page / 118KB PDF) after being asked to do so by the European Commission as part of its mobile health (m-health) initiative.
"Raw, relatively low privacy impact personal data can quickly change into health data when the dataset can be used to determine the health status of a person," the Working Party said in correspondence sent to the Commission (8-page / 577KB PDF) that it has published. "To assess this, it does not suffice to look at the character of the data as is. Their intended use must also be taken into account, by itself, or in combination with other information."
"When conclusions are drawn about someone's health, regardless of their reliability, these conclusions are to be treated as health data," it said. "There has to be a demonstrable relationship between the raw data set and the capacity to determine a health aspect of a person, based on the raw data itself or on the data in combination with data from other sources."
In the EU, whether data generated by mobile apps is personal data or sensitive personal data is important because information that is capable of personally identifying an individual must be handled in accordance with data protection laws. Particularly restrictive rules govern the processing of sensitive personal data, which includes information about individuals' medical condition or health more generally.
The Article 29 Working Party said that "the most likely" legitimate way for organisations to make use of health data generated by mobile health apps is to obtain individuals' explicit consent to that prospective use of data. However, it said "legitimate consent" would not be obtained by organisations seeking to use the data unless they first provide "clear and prior information about the well-defined purposes of the processing" to the individuals whose data they want to use.
Doctors and others who are subject to professional medical secrecy obligations do not require explicit consent to process health data generated by mobile apps, the Working Party said. However, the watchdog said organisations responsible for health data generated by mobile apps "must clearly inform users whether the data are protected by any medical secrecy rules, or not".
"Further information must be made available whether the data will be combined with other data stored on the device or collected from other sources and clear examples of the consequences of such combination of data, what the purposes are of further processing and to what third parties the data may be transferred," the Working Party said. "Such information must be made available in a clear and easily accessible manner before users decide on installing apps or buying devices (also before downloading the app)."
The Article 29 Working Party also used its new guidance to restate its position on the pseudonymisation of health data. It said organisations that pseudonymise health data should not be subject to a "lighter" data protection regulatory regime.
The Working Party also reiterated calls for the planned new EU General Data Protection Regulation to require organisations to obtain individuals' explicit consent if medical researchers wish to process health data for a new purpose.
"In the future General Data Protection Regulation, the further processing of health data should only be permitted after having obtained the explicit consent of the data subjects, or if the narrow exceptions defined by the European Parliament apply," the Working Party said.
"Any proposals to weaken and thereby broaden the scope of this type of further processing, such as a proposal to delete the word 'research', or proposals to remove both the consent and the opt-out requirement, should be negatively assessed in view of the real risks for data subjects of unequal/unfair treatment, based on the further processing, for example through profiling, of intimate data concerning their private life," it said.
The wording of the draft General Data Protection Regulation is currently being negotiated by EU law makers. MEPs last year gave their backing to rules that would give EU countries the opportunity to exempt organisations from having to obtain explicit consent to process health data where the information was necessary for "historical, statistical or scientific research".
Under those proposals, the data would need to be at least pseudonymised to "the highest technical standards" and measures taken to "prevent unwarranted re-identification" of individuals to whom the data refers. However, individuals would have a right to object to such processing under those rules.
The MEPs' proposals will only be introduced into law if justice ministers from across the 28 EU countries agree with them. Those ministers are currently working on their own amendments to the proposed new Regulation.