GDPR Compliance Through the Lens of mHealth Apps’ Privacy Notices
6 September 2022
Digital technology has now permeated our everyday lives, enhancing the well-being of citizens and supporting the progress of healthcare. Mobile health (mHealth) applications have rapidly emerged in the health industry, improving the efficiency and quality of healthcare. They have been used to provide treatment, examine diagnoses and monitor illnesses. Individual users can now track, monitor, and evaluate their lifestyles via apps.
The development of mHealth has great potential for improving the efficiency and quality of healthcare and people’s lives. Due to the volume of information and the quality of inferences drawn from it, “Big Data” combined with the “Internet of Things” will have a high impact on mHealth and medical research. It will reduce costs and enhance access to healthcare. mHealth applications can create new innovative services and can help to predict and prevent epidemic disease (such as the current Covid-19 pandemic). This will alleviate health problems at a low cost, ultimately improving the efficiency and quality of healthcare.
While mHealth applications offer significant benefits, there are also concerns about the potential risks in relation to privacy and data protection. When using mHealth apps, “the end users” share personal information such as name, age, gender, date of birth, contact details, username, password and, in particular, their health information. Users’ data may be shared with professional healthcare providers, family members, and app developers. This data may also be shared with unknown parties such as marketing/advertising agencies, banking institutions, insurance companies, researchers, and big tech companies. Such sharing can cause a loss of privacy and harm to the user.
mHealth apps have significant benefits for individuals and society by improving accuracy and increasing the quality of healthcare treatment for patients. Apps encourage end users to actively manage their own healthy lifestyles. Maximizing the use of health data will increase productivity in the healthcare sector. Society will greatly benefit from the new knowledge, services, and innovations these apps will provide. However, the apps could pose great risks and concerns in relation to privacy and data protection for users, and developers of such apps should therefore be careful to respect data protection and privacy requirements.
This has become particularly important since the GDPR took effect in May 2018. The GDPR is a regulation that governs the processing of personal data and therefore ensures that new technologies are developed in accordance with fundamental rights. In the context of mHealth apps, the GDPR establishes a series of data protection principles with a number of requirements intended to ensure a high level of protection of users’ personal data.
To be GDPR compliant, these applications will therefore have to implement concrete measures. Firstly, the principles of Privacy by Default and Privacy by Design are fundamental principles to be respected. This means that the principles of the GDPR must be accounted for at the design stage of these applications and must be implemented by default.
The GDPR also provides for the principle of accountability to ensure that parties processing data understand the responsibility of processing and remain accountable to the user. For mHealth apps, the owners of these apps must be able to prove that they fully comply with the GDPR. Apps’ developers must be responsible and able to demonstrate their compliance with the GDPR. Failure to comply can result in a substantial penalty.
The Regulation also requires a lawful basis for data processing, laying down several requirements that must be satisfied before data can be processed. Of particular importance is the requirement to properly inform data subjects of how their data is used while respecting the rights of those data subjects.
Unauthorized collection, processing, sharing, and mishandling of users’ information are the most common risks to users’ data derived from using the apps on mobile devices. mHealth apps collect and process a large amount of data that relates to health. This information is considered sensitive under the GDPR and could potentially pose high risks to users’ fundamental rights. There are other situations that can cause problems and should be considered, such as when users’ data are used in decisions likely to cause individual and societal harm. A recent example is the case of Cambridge Analytica, where the company used data collected from mobile apps without users’ consent for voter profiling in the US.
Further risks include a lack of transparency as well as non-compliance with the data protection principles specified in the GDPR. Several mHealth apps did not provide essential information to users in their privacy notices. Without authorization, users’ data can be widely transmitted to any number of third parties for undefined purposes. The data collected may not be relevant to the functionality of the app but may rather serve the interests of the apps’ developers and/or their partners. This can also pose substantial risks to the user.
After conducting research in which the privacy notices of commonly used healthcare and well-being applications were analyzed, the results revealed an alarming lack of fairness and transparency in those notices. Furthermore, there was a lack of full respect for data protection principles and legal obligations, with required information only being partially disclosed, if at all. The language used remained vague and broad, and the information provided was neither sufficiently clear nor comprehensive. Users may not fully understand the extent of the processing operations carried out by the app developers. Efforts must be made to further raise awareness and increase the demand for more transparency to foster trustworthiness among users.
When consent is the legal basis for processing personal data, that consent should not be “one size fits all”. Consent must be freely given, specific, unambiguous, and informed. Unless exceptions apply, explicit consent should be obtained and/or another legal basis must be provided for the processing of health data. When the legitimate interest of the app developers is the legal basis for processing, a balancing test should be carried out considering the rights and interests of both developers and users.
To ensure users properly understand the processing of their data, the apps’ privacy notices should be written in clear, easy-to-read language and be convenient to access. The required information must be provided and be as specific as possible. Moreover, cross-border data transfers may only be carried out in full compliance with the GDPR and on the basis of a valid legal “transfer tool”, such as the modernized EU Standard Contractual Clauses (SCCs), and sufficient safeguards must be implemented to ensure a level of protection in third countries that is “essentially equivalent” to the protection in the EU.
Another important principle to be respected by these mHealth applications is the principle of data minimization. Many apps require the collection of a significant amount of personal data, yet some of this data may not be necessary for the app to fulfill its purpose. Only data that are necessary, adequate, and relevant in relation to the purposes for which they are processed should be collected. Additionally, personal data should not be kept longer than necessary, so apps’ developers will need to ensure that data is deleted or anonymized where required.
Compliance with the existing data protection principles of the GDPR will enhance legal certainty and trust in mHealth applications. Apps’ developers should adopt internal policies and implement measures to demonstrate compliance with the GDPR, including minimizing the processing of personal data, pseudonymizing personal data, increasing transparency regarding the processing of personal data, and enabling data subjects’ rights. Security measures also need to be put in place, specifically in view of the sensitive nature of certain personal data. Conducting a data protection impact assessment (DPIA) may be mandatory under the GDPR and, in any case, is strongly recommended to assess users’ data processing activities, mitigate risks, and improve data protection. Apps’ developers should also regularly review and update their privacy notices, always informing the user of any new processing of their data and ensuring that this processing is lawful.
Compliance with the GDPR may create a “double-edged effect”. The heavy burden and potentially large fine for non-compliance may lead small and medium-sized enterprises (SMEs) and non-EU apps’ developers to reconsider offering their services in the EU. This may result in reduced innovation and slow down the rapid growth of technology in healthcare, having the opposite effect to that intended by the creation of the GDPR.
Consequently, a single solution from one perspective cannot solve the whole spectrum of privacy and data protection concerns. Cooperation among relevant stakeholders, including legislators, policymakers, apps’ developers, physicians, patients and users of healthcare apps, is essential to identify flexible alternatives and make GDPR guidelines effective in practice. A standard Code of Conduct approved by the European Commission and the establishment of a specialized authority to monitor data protection compliance would help to increase legal certainty. This will improve the effectiveness of the GDPR and compliance with it in governing the rapid modernization of mobile health applications, developing new knowledge, services, and advanced innovations and, importantly, fostering a healthier society.