May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention. The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier. In parallel, the French data protection authority announced a possible crackdown on mHealth app non-compliance with European data protection legislation. This post briefly summarizes these developments.
European Commission announces new mHealth policy measures
The European Commission announced a number of mHealth policy measures following eHealth Week 2015. In particular:
- The Commission said that it intends to work with stakeholders to create an EU “Code of Conduct” for mHealth mobile apps. The new Code would cover data privacy and security best practices.
- The Commission also suggested that it intends to look at whether guidelines or standards could also be drafted regarding mHealth app safety and quality. This could cover, in particular, the extent to which app developers need to provide clinical evidence of the utility of their app.
British Standards Institution publishes health and lifestyle app Code of Practice
Stealing a march on the Commission, the BSI, in collaboration with a broad group of stakeholders, published PAS 277:2015 “Health and wellness apps. Quality criteria across the life cycle. Code of practice”. The BSI mHealth Code of Practice goes further than the Commission’s proposed mHealth Code of Conduct, since it covers adequacy for purpose, quality, safety and life-cycle management of mHealth apps, not just data protection.
European Data Protection Supervisor (EDPS) publishes Opinion on mHealth
Further adding to the already substantial volume of mHealth data protection guidance in the EU, the EDPS published Opinion 1/2015 “Mobile Health: Reconciling technological innovation with data protection”. The new Opinion argues, inter alia, that all mHealth apps should offer users a custom setting that prevents remote processing, storage and backup of their data (so that it is only processed and stored on the device itself). It also argues that apps should offer users the fine-grained ability to disable sharing of their data with third parties.
French Data Protection Authority, the CNIL, announces mHealth as a priority enforcement area
One of the most active and well-resourced EU data protection authorities, the CNIL, has announced that health/wellness apps and devices will be going under its microscope in the year ahead. Clarity of mHealth privacy notices and the validity of user consents will be one of six priority areas for its plan to execute over 500 app and website sweeps, on-site inspections, hearings and information requests for 2015.