Data Protection on the Web & E-Health


Extensive Web use has become a global phenomenon, but it has also brought certain issues to the surface, personal data protection being one of them. The health industry certainly benefits from new technological developments that improve medical services. Although websites accessible both to Healthcare Professionals and to the general public, as well as medical apps, represent new sources of information, they also create several problems regarding the processing, storage and sharing of personal data.

Two questions arise naturally: are there any specific legal rules regulating the protection of personal data exchanged through the Web? In what ways can Internet users protect themselves from the unauthorized use of their personal data?

In Europe, personal data protection has been legally established since 1995 via Directive 95/46/EC. In Greece, law 2472/1997 contains provisions similar to those of that Directive; the Greek Data Protection Authority is responsible for its enforcement.

In this context, the e-Privacy Directive (2002/58/EC), as amended by Directive 2009/136/EC, is the first instrument to regulate data exchange through electronic communications and, more importantly, the first to regulate the use of cookies, by requiring websites to obtain the informed consent of users regarding them. Cookies are small files stored on a user’s computer; they are designed to hold a modest amount of data specific to a particular client and website, and can therefore be read back by the web server that set them.

In addition, it is important to keep in mind that the e-Privacy Directive has a wider scope than the Data Protection Directive: the former applies not only where personal data is processed, but more broadly to any kind of information creation, storage and exchange.

The above-mentioned Directives (2002/58/EC and 2009/136/EC) have subsequently been implemented in Greece by laws 3471/2006 and 4070/2012. The latter, in compliance with the e-Privacy Directives, specifically provides for the obligation of websites to obtain the informed consent of users regarding cookies. The same law also empowers the Greek Data Protection Authority to ensure enforcement by specifying under which conditions and in which ways the user’s consent must be given.

Moreover, the Article 29 Data Protection Working Party issued an Opinion confirming that the e-Privacy Directive also applies to smart device apps. This is of particular interest, as the new article 5(3) of the e-Privacy Directive states that “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

For example, imagine that a pharmaceutical company develops an app that provides Healthcare Professionals with reference information about a particular medical condition or disease. The app does not allow users to enter any personal data about themselves or their patients, and the pharmaceutical company does not collect the users’ IP addresses or device information (such as the UDID). While the Data Protection Directive would not apply to the pharma company for this particular app, the e-Privacy Directive would. Therefore, before allowing users to use the app for the first time, the company must inform them of its identity and of its purposes in storing information on their smart device, and must also give them the option to uninstall the app.

Our law firm’s comment:

Given that a patient’s medical file includes personal data which is transferred, stored and processed through an electronic network, the issue of data protection becomes paramount.

In the context of e-Health, it is critical that users are always given the option to refuse processing. If an app processes personal data, as most e-Health apps do, it will also have to comply with the more stringent requirements of the Data Protection Directive.

Given the absence of any legal framework specifically regulating e-Health programs, we consider the patient’s written consent, followed by the National Data Protection Authority’s permission for such personal data exchange and record maintenance, to be an absolute necessity.