1. “mHealth enablers” panel
The Health & Wellness @ Mobile World Congress 2015
Giuseppe Busia
Secretary General
Garante per la protezione dei dati personali
2. mHealth main concern
Mobile Health (mHealth) raises many concerns about the appropriate processing
of the data collected through apps or solutions by individuals, developers, health
professionals, advertising companies and public authorities…
any personal data can become health data
(if it is collected for the purpose of inferring health status)
Therefore mHealth apps require a baseline
of privacy and security protections appropriate to sensitive data
3. EU data protection legal framework
applicable to lifestyle and wellbeing Apps
The relevant legal framework:
- Data Protection Directive
(Directive 95/46/EC)
- ePrivacy Directive
(Directive 2002/58/EC)
These rules apply to any apps installed/used by users in the EU,
regardless of the location of the app developer or the app store…
4. Data Protection Directive
The legal ground for processing personal data varies according to the nature of
the data processed.
Article 8 of the Data Protection Directive (95/46/EC)
qualifies health data as a special category of data to which a higher
level of data protection applies
The processing of special categories of data is prohibited, unless an exception applies
such as:
• the explicit consent of the data subject; except where in accordance with
national law the prohibition to process such personal data cannot be lifted by the
consent of the data subject (art. 8, 2 (a))
• the vital interest of the data subject or of another person where the data subject
is physically or legally incapable of giving his consent (art. 8, 2 (c))
• where processing of the data is required for the purposes of preventive
medicine, medical diagnosis, the provision of care or treatment or the management
of healthcare services, and where those data are processed by a health professional
or any professional bound by the obligation of secrecy (art. 8, 3)
5. Article 29 Working Party Opinions (1)
WP29 Advice Paper on special categories of data (April 2011):
the rationale behind Article 8 stricter legal regime…
• Lifestyle and wellbeing apps can collect, without distinction, personal data of
a general nature (e.g. information on the data subject's hobbies) and
health data (e.g. heartbeat or oxygenation of the blood)
• The data subject's explicit consent to the processing of his
health data must be freely given, informed and specific
• The other principles relating to data quality (including data
minimisation, data retention limitation and the adoption of
appropriate safeguards in this regard) are applicable too (Article 6
of the Directive)
6. Article 29 Working Party Opinions (2)
WP29 Opinion 02/2013 "on apps on smart devices"
seeks to clarify the legal obligations of each of the parties involved in the
development and distribution of apps (February 2013):
• guidance to all the players, in particular the need to provide clear
and unambiguous information about data processing to users
• the need for explicit consent of the user as the processing will be
done for a purpose distinct from that of the app developer
• the level of complexity of identifying the role of a third party can
be well illustrated by the case of cloud computing providers …
(see also WP29 Opinion 05/2012 on Cloud Computing, July 2012)
7. Article 29 Working Party Opinions (3)
WP29 Opinion 08/2014 on the Internet of Things (IoT)
eHealth and Quantified-self devices such as body trackers are always carried by
users who want to record information about their own habits and lifestyles…
WP29 adopted on 16 September 2014, Opinion 8/2014 on the Internet of Things
(IoT), which highlights the privacy and data protection challenges posed by
the IoT and puts forward recommendations to help stakeholders comply with
current EU data protection legislation for the development of a sustainable IoT
• WP29 stated that the quantified self focuses on motivating users to closely
monitor their biological rhythms and that it has many connections with e-health
• WP29 stressed that the application of Article 8 to sensitive data in the IoT
requires that data controllers obtain the user’s explicit consent, unless
the data subject has himself made the data public
8. ePrivacy Directive
ePrivacy Directive 2002/58/EC, as revised by Directive 2009/136/EC,
sets a specific standard for any entity worldwide that wishes to store or access
information stored in devices of users located in the EEA.
Cookies: the storing of information or the access to information already stored in
the terminal equipment of a user is only allowed on condition that he has given his
consent, having been provided with clear and comprehensive information about the
purposes of the processing (Article 5(3) of this Directive).
This consent requirement applies to any information (i.e. not limited to
personal data as information can be any type of data stored on the device)
This means that when installing an app, users should be given the choice to accept or refuse
cookies or similar tracking technologies to be placed on their device
In this regard, on 17 February 2015, WP29 issued a press release
on the joint survey made by European regulators on website cookie usage
9. WP29 recent letter to European Commission (1)
WP29 recent letter to European Commission,
clarifying Scope of Health Data Processed by Lifestyle
and Wellbeing Apps (February 2015)
In the Annex to this letter, the Working Party identifies criteria to determine when
personal data qualifies as “health data,” a special category of data receiving enhanced
protection under the EU Data Protection Directive 95/46/EC
Scope of Health Data
WP29 identifies three main scenarios:
1) data processed by the app or device is inherently/clearly medical data (i.e. data
providing information about an individual’s physical or mental health status generated in
a professional medical context, e.g. healthcare providers);
2) raw sensor data processed by the app or device can be used, independently or in
combination with other data, to draw conclusions about an individual’s actual health
status or health risks;
3) data allows for conclusions to be drawn about an individual’s health status or
health risks (irrespective of whether these conclusions are accurate or inaccurate,
legitimate or illegitimate or otherwise adequate or inadequate).
10. WP29 recent letter to European Commission (2)
Legal Requirements for Processing Health Data
Users of lifestyle and wellbeing apps do not have to comply with the Directive when
the data is not transmitted outside their device, as this qualifies as purely personal
use of personal data
WP29 letter also underlines:
• the importance of providing clear and easily accessible information to
the users before they install the app or buy the device
• the need to implement proper anonymization techniques and other security
measures, such as privacy by design and data minimization
Further Processing of Health Data for Historical, Statistical and Scientific
Purposes
WP29 would like the EC to make a clear statement that, under the Directive, further
processing of health data for historical, statistical and scientific purposes requires
explicit consent, unless specific exceptions provided in national law apply
11. EC mHealth public consultation results
The recently published results of the EC public consultation on
mHealth clearly show that WP29's concerns are shared by different
stakeholders (January 2015)
From the analysis of comments from the 211 respondents (71% were
from organizations and 29% were from individuals): there is a great
interest in strong privacy and security tools, and strengthened
enforcement of data protection rules not only among data protection
stakeholders but also among European citizens…
The success of an mHealth concept is based on its capacity to
generate TRUST from a wide range of users
12. 2014 GPEN PRIVACY SWEEP
On 10 September 2014, the
Global Privacy Enforcement
Network (GPEN) published the
results of its privacy enforcement
survey or “sweep” carried out
earlier in 2014 with respect to
popular mobile apps
…many raised concerns about
mobile apps
13. About GPEN…
The GPEN Global Privacy
Enforcement Network was
established in 2008 upon
recommendation by the OECD to
foster cross-border cooperation
among privacy regulators in an
increasingly global market
The informal network is comprised
of 47 privacy enforcement authorities in 37
jurisdictions around the world…
14. 2014 App Sweep purpose
Over the course of a week in May 2014, GPEN’s “sweepers” (made up of 26 data
protection authorities, including the Italian DPA, across 19 jurisdictions)
participated in the survey by downloading and briefly interacting with the
most popular apps released by developers in their respective jurisdictions, in
an attempt to recreate a typical consumer’s experience.
The purpose of the GPEN 2014 App Sweep was to increase public and commercial
awareness of data protection rights and responsibilities, as well as to
identify specific high-level issues which may become the focus of future
enforcement actions and initiatives…
The results of the sweep suggest that a
high proportion of the apps
downloaded did not sufficiently explain
how consumers’ personal information would
be collected and used….
15. 2014 App Sweep highlights
- 3/4 of all apps examined requested one or more permissions, the most
common of which included location, device ID, access to other accounts,
camera and contacts
- Some 59 % of apps left sweepers scrambling to find pre-installation
privacy communications
- For nearly one-third of the apps (31%), sweepers expressed concern
about the nature of the permissions being sought
- Some 43 % of apps did not tailor privacy communications to the small
screen
- Just a fraction of the apps examined, 15 %, provided a clear explanation of
how they would collect, use and disclose personal information
16. Italian DPA medical App Sweep
The Italian DPA (Garante), as part of the "2014 GPEN Privacy Sweep",
chose to sweep medical applications…
WHY medical Apps?
Because it was not possible to postpone medical App evaluation in terms of usefulness/data
protection requirements….and our decision was in line with the concerns that were voiced recently
at European level in this regard (EC Green Paper on mHealth and public consultation on mHealth)
The results of the Italian sweeping activity show that the degree of transparency on the processing
of user data and the permissions users are required to grant to download the selected medical Apps are, in
some cases, not in line with the Italian data protection legislation…
17. Italian DPA medical App Sweep highlights
50% of the medical apps surveyed by the Italian DPA's "sweepers" out of a
sample including those with the highest number of downloads on the various
platforms do not provide information on data use prior to installation
(or else provide very general information or request excessive data compared to
their features)
In many cases the privacy notice is not tailored to the small screen size and
is thus hard to decipher; in yet other cases the privacy notice is found, for instance,
in the technical credits area of the given device
18. Italian DPA further steps
The Italian medical App Sweep was not an investigation,
nor was it intended to conclusively identify compliance issues
or possible violations of privacy legislation
Nevertheless…
- any aspects of privacy violation detected will be evaluated by
the Garante
- at the national level, we are planning an assessment in
terms of needed inspections and any possible prescriptive
measures/sanctions
19. 2014 GPEN Sweep follow up letter
On December 9, 2014, 23 privacy authorities
from around the world signed an open
letter to the operators of seven app
marketplaces (Apple, Google, Samsung,
Microsoft, Nokia, BlackBerry and
Amazon.com), urging them to make links to
privacy policies mandatory for apps that
collect personal information
The Italian DPA, as well as all the other
undersigned privacy enforcement authorities,
strongly believes that an app marketplace
operator should, acting as a responsible
corporate citizen, make the basic
commitment to require each app that can
access or collect personal information, to
provide users with timely access to the
app’s privacy policy
20. Which future of mHealth…?
mHealth apps will surely be “a
large part of the future” of health
care…but there are still too many
unresolved questions of what to do
with mHealth….
those issues of mHealth
regulation and standardisation
must become “surmountable”
...thanks to our common efforts…