Article 8 of the EU Data Protection Directive (95/46/EC) qualifies health data as a “special” (i.e. sensitive) category of data to which a higher level of data protection applies. Organizations are normally legally prohibited from processing such data in the EU unless an exception applies, such as the explicit consent of the data subject.
However, the Directive does not clearly define the meaning of “health data”; as a result, it may be unclear whether additional legal restrictions apply to the data held by lifestyle/wellbeing apps and devices (i.e., step counters, heart rate monitors, calorie counters, and so on). As the Working Party letter notes, health data “represents one of the most complex areas of sensitive data”, on which “the [EU] Member States display a great deal of diversity and legal uncertainty”.
Although the Working Party’s opinions are not legally binding, they are regularly invoked by the courts; after all, the Working Party is composed of representatives from data protection authorities throughout the EU, tasked with issuing uniform guidance on key questions of EU data protection law.
Working Party Interpretation of “Health Data”
The Working Party letter interprets the term “health data” broadly. In the Working Party’s view, health data clearly includes medical data generated in a professional medical context, such as clinical treatment histories, or data generated by medical apps or hardware. However, it also potentially includes a wide range of information about an individual, such as their drinking habits, intellectual and emotional capacity (IQ), exercise habits, or even diet, amongst others.
Data about the sale or supply of a product or service from which a person’s health status could reasonably be inferred can also be “health data”; the Working Party gives the example of a person’s membership of Weight Watchers or their tobacco consumption. Ill-health is not a precondition; information indicating that somebody is not ill, obese, or otherwise, could also be “health data”.
The Working Party also noted that although discrete points of information from which conclusions cannot reasonably be drawn about a person’s health do not necessarily amount to health data (such as “raw” data from a step counter in the absence of specific medical context), they may nevertheless become “health data” when elaborated upon (for example, through collection over time), analysed, or combined with additional sources of information (held either by the app service or by a third party). The Working Party further warns that this may also be a question of scale: a week’s worth of step counter data may not be “health data”, but several years’ worth of data could.
The Working Party stated that grey areas tended to arise “where it is not obvious at first sight whether or not the processing of these data should qualify as the processing of health data. This is especially the case where the data are processed for additional purposes and/or combined with other data or transferred to third parties […] (the) risk specifically applies to further processing of such data for profiling and marketing purposes, given that the key business model of most apps is based on advertising”.
The Annex also provides useful regulatory guidance as to the legal requirements surrounding the use of health data in the EU, and addresses aspects of the Working Party’s position on how health data may be defined and regulated under the proposed General Data Protection Regulation, which continues to undergo legislative debate in the Council of the EU.