Monday, August 1, 2016

European Commission Issued Draft Code of Conduct on mHealth Apps’ Privacy

The European Commission has released its final draft Code of Conduct on privacy for mHealth application developers. The Code aims to raise awareness of the data protection rules among mHealth application developers, facilitating and increasing agreement at the European Union level for app developers.


The Code provides guidance on several issues that should reasonably be of interest to app developers, including:




  • User's consent: the requirement to obtain valid explicit consent from the data subject to collect and use their data;

  • Data retention: an acknowledgement that it can be hard to irreversibly anonymize health data when the retention period expires;

  • User information: information to give to users before they use the app, such as guidance on adopting a layered notice approach and using a condensed notice and a complete privacy policy;

  • Data protection rules: purpose limitation, transparency, data minimization, privacy by design and privacy by default, and data subject rights;

  • Disclosing data to third parties: a compliance agreement must be in place with the third party;

  • Security: the need to carry out a Privacy Impact Assessment and adopt the security measures suggested by the European Network and Information Security Agency;

  • Use of personal data for secondary purposes: in cases where the data could be used for scientific research or other big data analysis;

  • Data transfers: all apps must comply with the principles applicable to international data transfers;

  • Advertising: although any advertising must be authorized by the user, the approach differs depending on whether the advertising involves the processing of personal data;

  • Personal data breaches: what to do and whom to notify when a data breach happens; and

  • Kids’ data: when applications are deliberately targeted at kids.


The final version of the Code will be produced following its review by the Article 29 Data Protection Working Party, which might approve it or recommend re-drafts. Notwithstanding this, mHealth application developers might, in the meantime, find it beneficial to follow the draft Code given the present shortage of guidance in this area.


While the Code won’t be automatically binding on mHealth application developers, those developers who wish to declare their adherence will be required to submit a privacy impact assessment. Acceptance of an impact assessment by the relevant monitoring body will lead to the inclusion of the app and its developer on a proposed public register.
