The use of mobile applications in healthcare has been rapidly growing, globally. Meanwhile, a long and intense discussion has emerged between users and entrepreneurs, resulting from the forthcoming adoption of the General Data Protection Regulation, which will have legally binding force in all EU member states and will replace existing relevant legislation by the end of 2015.
Mobile health can be beneficial to both patients and the society as a whole. Its development can contribute to the improvement of healthcare services, since it guarantees more efficient services at a lower cost – both for individual patients and for public health in general. Moreover, it calls out for more patient participation by promoting the idea of “personalized” medicine and greatly facilitates the access to medical care and medical information.
However, the various methods of utilizating data stored in these apps may pose significant risks to personal data protection. Through the rapid development of mHealth, “Big Data” and the use of “profiling” inevitably lead to the proliferation of data use as well as to possibilities of privacy violations. Due to its potential transmission to third parties and, in many cases, due to the fact that users are not adequately informed, a paramount issue of personal data control leads all relevant legal and legislative discussions for a long time. Noticeably, much research currently undertaken proves that people are so concerned about the unwanted use of their data, that often they refuse to engage with mobile health apps, even if such an engagement would obviously benefit them both financially and results-wise.
For these reasons, it is expected that the adoption of the New Regulation will lead to a strict limitation of the potential applications of mobile health and the implementation of data protection rules and international standards high would safeguard the appropriate supervision and enforcement by national Data Protection authorities and will in short, reinforce the trust of users in mHealth apps, leading to safer and more controlled patient empowerment.
It should be mentioned that the existing European Data Protection Direction (Directive 95/46/EC) does not contain a clear definition of health data. In contrast, clear definitions can be found in other texts, not legally binding, drafted by other ΕU institutions (ex. in Art 29 Working Party opinion 4/2007, European Data Protection Supervisor Opinion of 27-3-2013). Nevertheless, the pending General Data Protection Regulation (GDPR) involves a definite and indisputable description of health data, as the basis of a harmonized common level of protection in all EU countries (Recital 26, άρθρα 4(12),20. 33, 81).
Currently, all legislative efforts take into account the business uses of health data, the huge volumes of information gathered and distributed the machine-learning methods of processing and their prerequisites and oftentimes, the lack of transparency in the data’s algorithmic treatment. Such business opportunities are often patient privacy constraints and are likely to make the patient the weaker party, by turning any meaningful consent, as required by law, practically a purpose-beating banality that does not lead to any protection. For example – and the range of examples here can be limitless – how can users of an mHealth app which monitors cholesterol levels, feel secure if they know that their cholesterol data could be fed to an insurance company’s internal database in order for the latter to be able to hand-pick preferred customers and corresponding insurance rates? If such data remains freely at the hands of the developers, why shouldn’t they reach an agreement with such companies to monetize their business? Is an insurance company entitled to ask for health information concerning the personal genetic identity without any limits, before the appearance of a disease, with the aim to decide, if it will come into agreement with a particular person or not?
Current consensus in health data is that there should be a high level of protection and safeguards concerning gathering, manipulation and sharing of results. Primarily, the purpose of data processing should be strictly limited by the controller/developer, so that the user knows the kind of use of her personal data, to which the latter consents. Second, app designers and app developers should comply with the principle of data minimization (use only the data required to achieve the identified purpose of processing). Third, the default settings of the apps should be set on a high privacy and data protection standard (application of privacy by default). Additionally, users should be given the choice to revoke their consent. Furthermore, users should be provided with clear “push” and “pull” notifications about the transmission of their data to any third party. Responsibility for any data processing should be assigned coherently and systematically so that the liability can be easily assessed. Finally, all the stakeholders of the burgeoning mobile health market should support the principles of transparency and integrity and seek the adoption of precise codes of conduct.
Our law firm’s comment:
The legal landscaping of Mobile Health apps, whose development and wide use is currently supported by all stakeholders due to market trends, appears to be a high priority. The enforcement of a new legal framework, which will provide users with the necessary and adequate security backstops and enforce practical and non-bureaucratic business compliance, is a prerequisite for the wider use of existing technological innovations in healthcare, for the benefit of both healthcare professionals and their great, expectant community of users.