Once approved, compliance with the code of conduct will represent a competitive advantage for its members, since any apps they develop will be included in a public registry confirming that they follow European regulations on data protection.
The constant growth of mobile health applications (commonly known as mHealth apps), as well as the resulting market mistrust, has prompted European bodies to create a privacy code of conduct for the developers of mHealth apps.
The preparation of codes of conduct related to data protection had already been considered in Directive 95/46/EC, although the EU's General Data Protection Regulation (the "GDPR") apparently grants such codes a larger role, mainly in connection with their subjective and territorial scope, as well as with their preparation, approval and control processes.
The European Commission highlights the benefits that mHealth apps bring to society, but it is also aware of their particularities, the type of data being processed and, accordingly, the type of protection they require. Therefore, the code of conduct aims to be a tool that promotes the development of applications that respect and ensure the privacy of users, as well as reinforcing users' confidence that all data will be processed in accordance with the principles set out in European data protection law.
The principles on which the code of conduct is based are a reflection of those explicitly included in the GDPR. In fact, it is not by chance that the code only targets application developers, because when designing an application, they must guarantee that they fully comply with privacy by design and default principles, among others.
Aware of the large number of health applications that may cast doubt on the type of data being processed, the draft of the code of conduct defines what should be understood by health data and provides examples that differentiate health data from a user's basic lifestyle data.
The draft of the code clarifies the concept of "secondary processing purposes" and in what circumstances personal data can be used for purposes different from the ones for which they were originally collected. In this regard, the code specifies that data may only be used for purposes different from the original if they are compatible, for instance processing data for scientific or historical research or for statistical purposes, provided that the data processing is carried out in accordance with the national legislation applicable to the secondary processing. Because not all big data analysis can be considered compatible, this concept has its limitations. Therefore, whenever the secondary processing departs from the context in which the data was collected (for example, the analysis of data for commercial purposes), the individual's consent must be obtained beforehand.
The draft also sets out the requirements that mHealth app developers must follow when they insert advertisements in relation to health matters. If the advertisements are shown without processing the users' personal data, or showing them does not involve sharing personal data with any third party, the app developer only needs to allow the user to opt out of the contextual advertising. Otherwise, showing advertisements to a user will require their prior opt-in consent, which must be obtained specifically and separately.
Although the draft of the code of conduct is currently under review by the Article 29 Working Party, the text already provides guidelines and tools that may be useful to developers when creating apps that follow European regulations on data protection. Consequently, once the code of conduct is finally approved, developers of health apps should adhere to it, since doing so would demonstrate that they follow correct data protection practices, adding value to their applications. However, developers should be aware of the need to pay attention to other equally important regulations, such as the legislation on e-commerce or health products.