The Code of Conduct on privacy for mobile health apps has now been formally submitted for comments to the Art 29 Data Protection Working Party. Once approved by this independent EU advisory group, the Code will be applied in practice: App developers will be able to voluntarily commit to follow its rules, which are based on EU data protection legislation.

The Code has been drafted with the vision to be easily understandable, also for SMEs and individual developers who may not have access to legal expertise.

It is expected to raise awareness of the data protection rules in relation to mHealth apps, facilitate and increase compliance at the EU level for app developers.

These are the issues covered by the Code:

  • user's consent,
  • purpose limitation and data minimisation,
  • privacy by design and by default,
  • data subjects rights and information requirements,
  • data retention,
  • security measures,
  • principles on advertising in mHealth apps,
  • use of personal data for secondary purposes,
  • disclosing data to third parties for processing operations,
  • data transfers,
  • personal data breach, and
  • data gathered from children.

On 7 June 2016, the Code of Conduct has been formally submitted for comments to the Article 29 Data Protection Working Party. Once approved by the Working Party, the Code will be applied in practice: App developers can sign it on a voluntary basis, thereby committing to following its rules.

Trust in mHealth apps

As revealed by the European Commission's 2014 mHealth Green Paper consultation, people often do not trust mHealth apps, such as those monitoring your health or giving health advice. Respondents to the mentioned consultation considered that having users' consent as well as strong privacy and security tools in place is a crucial issue in relation to mobile health apps.

This becomes even more important as these apps process health data which is amongst the most sensitive personal data. Therefore, the scope of this Code are mobile apps which process data concerning health.

Appropriate action

It was concluded that an appropriate action to help increase and promote trust, would be the industry themselves setting up a code of conduct on mobile health apps. This code would cover privacy and security principles and be signed by app developers. The aim should be to provide easily accessible guidance on how European data protection legislation should be applied in relation to mHealth apps.

This idea was very much welcomed by app developers. A drafting team of industry members was set up whose task it was to develop the text of the code. The European Commission's role in this process has been to act as a facilitator.

The possibility of drawing up codes of conduct is foreseen in Article 27 of the Data Protection Directive (Directive 95/46/EC) and this possibility continues to exist under the General Data Protection Regulation.

Next steps

While waiting for the Opinion of the Article 29 Working Party, discussions are already taking place on the practicalities of the governance and on how to ensure a proper communication of the Code to app developers and the general public.