Skip to main content Accessibility help

We use cookies to distinguish you from other users and to provide you with a better experience on our websites. Close this message to accept cookies or find out how to manage your cookie settings.

Close cookie message
×
Hostname: page-component-8448b6f56d-dnltx Total loading time: 0 Render date: 2024-04-23T12:19:49.482Z Has data issue: false hasContentIssue false

5 - The mHealth Power Paradox

Improving Data Protection in Health Apps through Self-Regulation in the European Union

from Part II - European Regulation of Medical Devices

Published online by Cambridge University Press:  31 March 2022

By
Hannah van Kolfschooten
Edited by
I. Glenn Cohen ,
Timo Minssen ,
W. Nicholson Price II ,
Christopher Robertson  and
Carmel Shachar
I. Glenn Cohen
Affiliation:
Harvard Law School, Massachusetts
Timo Minssen
Affiliation:
University of Copenhagen
W. Nicholson Price II
Affiliation:
University of Michigan, Ann Arbor
Christopher Robertson
Affiliation:
Boston University
Carmel Shachar
Affiliation:
Harvard Law School, Massachusetts

Summary

An increasing number of EU citizens uses self-monitoring mHealth apps. The extensive processing of health data by these apps poses severe risks to users’ personal autonomy. These risks are further compounded by the lack of specific EU regulation of mHealth and the inapplicability of the EU legal framework on health and patients’ rights, including the Medical Devices Regulation. While the General Data Protection Regulation provides a solid legal framework for the protection of health data, in practice, many mHealth apps do not comply. This chapter examines the feasibility of self-regulation by app stores as a complementary form of regulation in order to improve the level of protection of EU mHealth app users. App stores already play an important role by top-down regulating third-party mHealth apps distributed on their platforms by means of app review procedures. In order to assess the effectiveness of these existing practices, a case study analysis is performed on the regulatory practices of Apple’s App Store and Google’s Google Play. This analysis is used to provide recommendations on how to strengthen current self-regulation initiatives by app stores in the context of health data protection.

Keywords

mHealth appsEU law (or European Union law)PrivacyData protectionSelf-regulation
Type
Chapter
Information
The Future of Medical Device Regulation
Innovation and Protection
 , pp. 63 - 76
Publisher: Cambridge University Press
Print publication year: 2022
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

5.1 Introduction: mHealth Apps: Promise or Threat?

An increasing number of European Union (EU) citizens use mobile apps to monitor their own fitness, lifestyle, or general health to take control over their health outside of a clinical setting.Footnote 1 This growing trend is reflected in the content of mobile app stores: self-monitoring mobile health (mHealth) apps such as running trackers and medication reminders are omnipresent. While mHealth apps are said to hold great potential for empowering individuals, the apps also constitute threats to users’ fundamental rights in the European Union.Footnote 2 The main risk is posed by the extensive processing and sharing of health data with third parties by mHealth apps. Users have limited awareness of, and control over, who has access to their health data.Footnote 3 This leads to a paradox: users turn to mHealth to increase self-empowerment, but at the same time surrender power due to this lack of data control.Footnote 4

These risks are further compounded by the lack of effective EU regulation. The EU legal framework on health and protection of patients’ rights does not apply to self-monitoring mHealth app users.Footnote 5 Furthermore, while the EU’s General Data Protection Regulation (GDPR) provides a solid legal framework for the protection of health data, in practice, many mHealth apps do not comply with its provisions.Footnote 6 When traditional legislative regulation does not lead to the intended effect, complementary alternative forms of regulation may be the solution.Footnote 7 In the context of health data protection in mHealth apps, mobile app distribution platforms (app stores) may be well positioned to improve health data protection by means of self-regulation. App stores in the European Union already occupy an important place in this regard by offering a top-down regulation of third-party mHealth apps distributed on their platforms by means of app review procedures. App stores require app developers to comply with certain rules as part of a preapproval process and remove noncompliant apps. This “gatekeeping function” empowers app stores to influence app developers’ conduct: a form of industry self-regulation.Footnote 8 Starting from this premise, the purpose of this chapter is to evaluate whether and to what extent self-regulation by app stores may contribute to the level of health data protection in the European Union.

The chapter is structured as follows. First, it outlines health data protection issues concerning mHealth apps (Section 5.2). Next, it describes the EU legal framework governing mHealth apps, focusing on the GDPR (Section 5.3). Subsequently, it discusses the benefits and risks of industry self-regulation as an alternative means to protect data protection rights in light of current mHealth regulation practices by Apple’s App Store and Google’s Google Play (Section 5.4). Finally, this chapter proposes several improvements to self-regulation in this field (Section 5.5), which will provide the basis for conclusions (Section 5.6).

5.2 Health Privacy Issues in Self-Monitoring mHealth Apps

Popular examples of mHealth apps include calorie counters, apps to monitor menstruation cycles, and running trackers. These types of apps continuously monitor users’ behavior over an extended period of time. While the focus of mHealth apps ranges from health to fitness and lifestyle, all of them collect large amounts of health-related data, such as biometric data, data concerning vital body functions, and health indicators. Most of these data qualifies as “data concerning health” within the meaning of the GDPR.Footnote 9 Health data should be understood in a broad manner.Footnote 10 The GDPR’s definition of health data implies that information about users’ weight, blood pressure, tobacco, and alcohol consumption is considered health data because this information is scientifically linked to health or disease risks.Footnote 11 Furthermore, certain types of information may not be health data as such, but may transform into health data when monitoring takes place over a longer period of time (i.e., average steps per month), or the data is combined with other data sources (i.e., daily calorie intake and social media profile).Footnote 12

The risk for a violation of the users’ fundamental rights is high, since misuse of health data may be irreversible and have long-term effects on data subjects’ lives and social environments.Footnote 13 Several studies show that the extensive processing of health data by mHealth apps poses numerous threats to privacy.Footnote 14 This is mainly caused by the fact that health data is a valuable commodity: big data companies are increasingly interested in health data as it is scarce because of the expensive collection process.Footnote 15 Therefore, mHealth apps may encourage users to provide more health data in order to make more profit. Passively collected data, such as calculated overviews of average steps, are regularly collected beyond users’ control.Footnote 16 Moreover, mHealth apps often use a standard Terms of Service, setting the rules on a “take it or leave it” basis.Footnote 17 Consequently, users are often unaware of the exact type and volume of collected data.Footnote 18

Additional concerns are raised with regard to the user’s control over access to the collected health data. Most apps provide for the possibility to disclose information to an “undefined (future) audience.”Footnote 19 For example, many apps share health data among unspecified users to provide comparisons, and app operators may sell health data to third parties, such as advertisers and insurance companies.Footnote 20 Apps often do not provide the option to consent granularly: users have to consent to all receivers and all types of data at once.Footnote 21 In conclusion, the extensive processing and third-party sharing of health data by mHealth apps compromises users’ control and therefore poses threats to users’ privacy rights.

5.3 The Effectiveness of EU Legal Protection of Health Data in mHealth Apps

5.3.1 Inapplicability of the EU Health Framework

In the European Union, health privacy in technology is regulated via multiple legal instruments. At the national level, health privacy is protected through patients’ rights frameworks. One basic right can be identified in all Member States: medical confidentiality. Medical confidentiality entails both the patient’s right to confidentiality of personal data and the duty for health professionals to keep this data confidential.Footnote 22 However, mHealth app users are generally not considered patients by app developers nor in their own experience, as the apps do not serve a medical purpose and health professionals are not involved.Footnote 23 Therefore, users are not protected under the patients’ rights framework.

At the EU level, health technology is mainly regulated through regulation of medical devices under the Medical Devices Regulation (MDR).Footnote 24 Software, including apps, may also fall under the MDR.Footnote 25 However, in order to qualify as a medical device, the intended purpose of the app needs to fall within one of the medical purpose categories stipulated by the MDR.Footnote 26 As most self-monitoring mHealth apps (monitoring fitness, general health, or wellbeing) are not intended for medical purposes but instead focus on general health, they usually do not qualify as medical devices.Footnote 27 The MDR specifically excludes software intended for general purposes and lifestyle and wellbeing purposes.Footnote 28 However, when apps do have an intended medical purpose, for example, self-monitoring apps prescribed by a physician, the MDR may apply. In any case, the MDR protects health privacy primarily with reference to the GDPR.Footnote 29

5.3.2 The GDPR Protects Health Data in Theory

The main instrument for health privacy protection in the European Union is the GDPR. The GDPR provides individuals with several rights concerning personal data processing.Footnote 30 The GDPR applies to mHealth apps available in the European Union.Footnote 31 The basic premise of the GDPR is that every processing of personal data must be underpinned by a legal basis.Footnote 32 Moreover, it imposes duties on data processors and controllers and confers rights on data subjects in order to increase control.Footnote 33 Data subjects’ rights include the right to information,Footnote 34 the right to access,Footnote 35 and the right to withdraw consent.Footnote 36 Furthermore, the GDPR provides for a special data protection regime for health data, which stipulates a general prohibition on the processing of health data but provides for limited derogations.Footnote 37 However, these derogations are arguably inapplicable to mHealth apps, because app developers do not process health data in the public interestFootnote 38 and are not bound by professional secrecy.Footnote 39 Therefore, typically, health data can only be processed in mHealth apps when users provide their explicit consent.Footnote 40 This implies that the data subject must give an “express statement of consent.”Footnote 41 The GDPR’s extensive protection of data rights in combination with the strict health data regime gives it the potential to sufficiently protect mHealth users’ health data.

5.3.3 But the GDPR Does Not Effectively Protect Health Data in Practice

However, several empirical studies show that many mHealth apps do not comply with relevant GDPR provisions related to health data.Footnote 42 For example, from a study on twenty mHealth apps available in the European Union, it was found that the majority of mHealth apps do not comply with provisions on user consent: 55 percent of the analyzed apps provide information about the app provider’s privacy policy before registration, only 5 percent ask for consent every time the user shares additional personal information, none of the apps comply with the requirement of expressing “explicit” consent by specific questions or an online form and only 35 percent offer the possibility to withdraw consent and thereby delete their health data.Footnote 43 Another analysis of privacy policies of thirty-one EU mHealth apps shows that none complied with the right to information: only 42 percent mentioned the right to object and 58 percent the right to rectification and access.Footnote 44 A different study on twenty-four mHealth apps shows that 79 percent send users’ health data to third parties in a nontransparent manner.Footnote 45

Thus, in practice, many mHealth apps do not seem to comply with the GDPR. This can be explained by the fact that apps are often developed by individuals located all over the world, with little understanding of applicable data protection legislation.Footnote 46 Furthermore, due to the great number of available apps, regulatory oversight is difficult because of insufficient resources.Footnote 47 The majority of Member States do not have an entity that is responsible for the regulatory oversight of mHealth apps.Footnote 48 Knowledge of lack of oversight may also result in lower compliance. In sum, the GDPR offers a relevant and sufficient legal framework for protection of health data, but lack of compliance and enforcement make the GDPR a practically ineffective instrument to protect mHealth users. Therefore, as long as compliance is not strengthened, traditional legislative regulation does not suffice.

5.4 Self-Regulation by App Stores as a Solution to Improve Health Data Protection

When traditional (legislative) regulation does not lead to the intended effect, complementary alternative forms of regulation, such as self-regulation, may be the solution.Footnote 49 While the important role of app stores in securing GDPR compliance has been recognized by the European Union on several occasions,Footnote 50 and the role of digital platforms in protecting fundamental rights online is a popular topic in legal scholarship, the discussion seems to focus mainly on social media platforms and does not elaborate on app stores.Footnote 51 However, app stores may be well positioned to improve health data protection by means of self-regulation.

5.4.1 Self-Regulation in Data Protection

Industry self-regulation can be defined as “a regulatory process whereby an industry-level, as opposed to a governmental- or firm-level, organisation … sets and enforces rules and standards relating to the conduct of firms in the industry.”Footnote 52 Often-mentioned benefits of self-regulation are flexibility in adapting rules to technological changes, greater quality of rules, and more commitment to the rules.Footnote 53 However, self-regulation also has its limitations, specifically with regard to fundamental rights protection. Self-regulation instruments often lack effective enforcement and monitoring mechanisms. Furthermore, in some cases, self-regulation instruments are not consistent with other existing regulation, which makes the overall regulatory system increasingly complex. Other challenges include risks for favoritism and lack of accountability.Footnote 54

In the context of data protection, self-regulation by the industry is becoming more common. Companies often choose to complement existing legislation with self-regulatory instruments for reasons of protecting consumer interests, increasing public trust and reputation, and combatting negative public opinions.Footnote 55 Also, self-regulation has been given prominence in the context of data protection at the EU level: the GDPR supports and encourages self-regulation by businesses in the form of codes of conduct and Binding Corporate Rules.Footnote 56 Moreover, the European Commission has (so far unsuccessfully) taken steps to set up a voluntary Privacy Code of Conduct on mHealth apps for app developers.Footnote 57

5.4.2 App Stores as Privacy Regulators

With regard to industry self-regulation of mHealth apps in the European Union, we see that app stores already play an important role by top-down regulating third-party mHealth apps distributed on their platforms by means of app review procedures.Footnote 58 The app-ecosystem works as follows: in order for app developers to distribute their apps to the general public, they need to publish their app in app stores for consumers to download onto their mobile devices. App stores require app developers to comply with certain rules as part of a preapproval process and remove noncompliant apps. This “gatekeeping function” empowers app stores to influence app developers’ conduct.Footnote 59 Therefore, app stores are the central orchestrators in the app-ecosystem and have a large amount of control over consumers.Footnote 60

App stores are not regulated under the GDPR. They do not qualify as data processors or controllers under the GDPR themselves, as they do not exercise any control over personal data of users, but simply provide a platform for app providers to offer their apps.Footnote 61 However, app stores can impact the manner in which third-party apps – who do qualify as data processors – handle data protection.Footnote 62 Moreover, they are encouraged by the GDPR to fulfil this role.Footnote 63 In this regard, app stores conduct a form of industry self-regulation.Footnote 64 While app stores voluntarily impose these rules on third-party apps, although encouraged by the GDPR, self-regulation is not voluntary from the point of view of the app developers. In order to examine these app stores’ behavior toward privacy of mHealth apps and to assess the effectiveness of these existing practices for health data protection in mHealth apps, this chapter performs a case-study analysis on Apple App Store and Google Play, today’s leading app stores.Footnote 65

5.4.3 Case Studies

5.4.3.1 Apple App Store

In order for app developers to submit apps to the Apple App Store, they must register to the Apple Developer Program, governed by the Apple Developer Program License Agreement.Footnote 66 Furthermore, Apple App Store reviews all submitted apps and app updates according to the App Store Review Guidelines.Footnote 67 As shown in Table 5.1 above, these Guidelines contain specific rules on mHealth apps and state that these apps may be reviewed with greater scrutiny.Footnote 68 The guidelines also contain general provisions on processing of personal data and privacy. First, apps must include a privacy policy, explaining how users can exercise their rights to data retention, deletion, and withdraw consent.Footnote 69 Second, data collection must be based on user consent and users must be provided with an easily accessible and understandable option to withdraw consent.Footnote 70 Third, apps should minimize data collection.Footnote 71 With regard to sharing of data with third parties, user consent is required.Footnote 72 Furthermore, apps should not attempt to build a user profile on the basis of collected data.Footnote 73 The Apple Developer Program License Agreement also states that app developers must take into account user privacy and comply with privacy legislation.Footnote 74

Table 5.1 Health data protection in app store policies

Source: author’s analysis (2020)

Furthermore, as can be seen in Table 5.1, the guidelines contain explicit rules on health data processed by mHealth apps.Footnote 75 First, apps may not use or disclose collected health data to third parties for the purpose of advertising, marketing, or other data-mining purposes.Footnote 76 In addition, apps may not use health data for targeted or behavioral advertising.Footnote 77 However, they may use or disclose health data for the purposes of improving health management and health research, but only with user permission.Footnote 78 Second, app developers may not write inaccurate data into mHealth apps.Footnote 79 Third, mHealth apps may not store health information in the iCloud.Footnote 80

5.4.3.2 Google Play

Google Play’s review criteria are outlined in the Developer Distribution Agreement and Developer Program Policies.Footnote 81 The Agreement functions as a legally binding contract between the app developer and Google.Footnote 82 With regard to processing of personal data, the Agreement states that apps should comply with applicable data protection laws.Footnote 83 More specifically, apps must inform users of what personal data is processed, provide a privacy notice, and offer adequate data protection. Furthermore, apps may only use personal data for the purposes the user has consented to.Footnote 84 As shown in Table 5.1 above, the Agreement does not specifically mention mHealth apps or health data.

The Developer Program Policies provide more guidance on processing of personal (health) data. With regard to processing of personal data, the Policies state that apps that are intended to abuse or misuse personal data are strictly prohibited.Footnote 85 Furthermore, apps must be transparent about the collection, use, and sharing of personal data.Footnote 86 As to sensitive personal data, which probably also include health data, the Policies state that collection and use should be limited to purposes directly related to functionality of the app. Furthermore, an accessible privacy policy must be posted within the app itself. It must also disclose the type of parties the sensitive data is shared with.Footnote 87 Moreover, the in-app disclosure must contain a request for users’ consent prior to data processing, requiring affirmative user action. These permission requests must clearly state the purposes for data processing or transfers. Furthermore, personal data may only be used for purposes that the user has consented to.Footnote 88 The Policies do not contain explicit provisions on mHealth apps, except for a prohibition on false or misleading health claims.Footnote 89

5.4.3.3 Case Study Analysis

The above examination of app stores’ guidelines shows that app stores are indeed concerned with privacy issues. However, it is questionable whether this leads to a higher level of protection of mHealth app users’ health privacy. Both app stores’ guidelines state that apps must comply with privacy legislation and integrate a privacy policy. However, the level of detail of the respective app stores’ privacy provisions differs significantly. While Apple App Store specifically recalls most of the GDPR’s data protection principles and data subjects’ rights, Google Play’s privacy guidelines are formulated in somewhat vague terms and do not mention data subjects’ rights. Therefore, Google Play’s guidelines do not offer app developers the needed guidance on how to protect personal data, specifically with regard to data subjects’ rights. This entails a strong risk that users’ rights will simply end up in the app’s privacy policy fine print and will not lead to better privacy protection in practice.

Furthermore, while Apple App Store has specific guidelines on health data processing, Google Play’s Policies only mention “sensitive personal data.” This lack of specific regulation of health data does not reflect the risky nature of this type of data and therefore does not increase awareness of the need for protection. Most notably, both guidelines miss a provision on “explicit consent” for health data processing, which is required for app developers under the GDPR. While both guidelines contain provisions on user consent, no distinction is made between “regular” and “explicit” consent and thus no clarification on how to obtain explicit consent is offered. This puts privacy at risk, as control over health data is not sufficiently protected.

Both guidelines state that noncompliant apps will be removed, but do not elaborate on the structure of the monitoring process. Therefore, actual enforcement of the guidelines faces risks of uncertainty and inconsistency, which does not ensure compliance with the GDPR. After all, app stores are likely facing the same capacity problems as data protection authorities, and it could take months before noncompliant apps are taken down. Compliance issues also come into play in the differences between the respective guidelines, as this leads to the risk of unequal standards of protection of iOS and Android users.

Taken together, it can be concluded that the current self-regulation practices, Google Play’s especially, do not live up to their potential and do not adequately ensure mHealth app users’ control over their health data. However, due to the central position of app stores, self-regulation by app stores may still contribute to a higher level of health data protection if certain amendments are made to the content and form of their policies. Recommendations on how to improve the policies are touched upon in the next section.Footnote 90

5.5 Recommendations to Improve Current App Store Self-Regulation Practices

App stores have a powerful position in the mHealth app sector. By setting requirements for mHealth apps to be listed on and removed from their platforms they hold the most promising means to improve the level of health data protection of users. Their current self-regulation practices could be improved on multiple fronts. First, app stores could provide app developers with clearer guidelines on data processing obligations and data subjects’ rights. This should include stating all applicable obligations and rights under the GDPR and providing practical guidance on how to adequately implement this in apps. For example, app stores could issue technical guidelines on how to include consent withdrawal mechanisms in the apps. Translating privacy rights to technical measures will enhance adequate understanding and implementation by app developers.Footnote 91 Furthermore, app stores could make data subject rights and principles part of their contractual agreements with app developers to further strengthen compliance.Footnote 92

Second, specific provisions on health data protection should be included, in order to point out its importance and increased privacy risks. These provisions should at least include the requirement to obtain explicit consent on health data processing and provide technical guidance on how to implement this.Footnote 93 There should also be specific provisions on limiting sharing of health data with third parties and possible commercial use. Additionally, app stores can further strengthen users’ control by requiring apps to include user report tools on data protection infringement or provide for these tools in the app store itself.Footnote 94 Furthermore, app stores should commit to raising awareness of the risks of health data processing. For instance, a standard text on the risks could be provided for in the guidelines, which app developers would be required to include in their privacy policies. App stores could educate users of the risks by adding “health data processing warnings” to the downloading environment.

Moreover, app stores could strengthen user protection if they would mainstream their policies and engage in a shared EU Code of Conduct under the GDPR.Footnote 95 The GDPR codes are voluntary tools that set out specific data protection rules. They provide a detailed rulebook for controllers and processors in a specific sector. Bodies representing a sector – such as app stores – can create codes to aid GDPR compliance.Footnote 96 Codes have to be approved by the European Data Protection Board (EDPB) and compliance will be monitored by an accredited, independent supervisor.Footnote 97 Consequently, present self-regulation would turn into coregulation, and current guidelines would be replaced or supplemented by this GDPR code. App stores could make adherence to the code by app developers a requirement to offer apps on their platforms. This would have more effect than current self-regulation initiatives as preapproval of the code by the EDPB will give the code greater authority and the monitoring mechanism will lead to better compliance. Moreover, the unequal level of protection and risks of legal uncertainty and inconsistency would be minimized.Footnote 98 For mHealth app users’ health privacy, a GDPR code will provide for more transparency regarding apps’ approaches to data processing.Footnote 99 For example, the code would have to include specification of all applicable rights related to control over health data, explicit consent included.Footnote 100

The preceding sections allow for the conclusion that app stores could positively impact GDPR compliance and thus strengthen mHealth users’ health privacy by engaging in a GDPR code with specific health data safeguards. While there is no guarantee that app stores will make these changes, there are compelling reasons for them to do so. Foremost, the increased legal certainty offers app stores a competitive advantage. It reduces the complexity of app developers’ entrepreneurial process, which may positively impact app stores’ businesses.Footnote 101 For app developers, a code would be beneficial because it could be used to demonstrate compliance with the GDPR.Footnote 102 Furthermore, app stores will benefit from good privacy practices by third-party apps because this will likely also enhance their own trustworthiness. In this regard, privacy can be seen as a positive marketing statement.Footnote 103 Moreover, both Apple and Google were stakeholders in the European Commission’s attempt at a voluntary mHealth Privacy Code of Conduct, which shows their interest in such an initiative.

5.6 Conclusion: Improved App Store Self-Regulation Strengthens Health Privacy

Paradoxically, the wish to achieve self-empowerment by using mHealth apps leads to users surrendering power due to a lack of control over their health data. While the GDPR offers a solid solution for the protection of mHealth app users’ health data in theory, it lacks practical effectiveness. Self-regulation of third-party apps by app stores by means of review procedures could fill the regulatory gap and thereby contribute to the level of health data protection in the European Union. However, the performed case-studies show that current self-regulation does not fulfil this promise. None the less, given the platforms’ central and powerful position in the sector, complementary regulation of mHealth apps by app stores may still be the most promising means to improve the level of health data protection of mHealth app users. This conclusion sheds light on the heavily debated role of the European Union in regulating technological phenomena and related fundamental rights risks: in some cases, the sector itself is in a better position to regulate these risks and enforce legal compliance than independent supervisory authorities. This finding is in line with the European Union’s growing tendency to promote and support self-regulation structures to supplement EU legislation.

Despite the important role of app stores in achieving this, in the end, the ultimate responsibility for safeguarding users’ health privacy lies with the mHealth app developers and providers that process health data. mHealth apps should provide users with the adequate means to exercise privacy rights by ensuring concrete and effective opportunities to have control over decisions regarding health data processing. In this regard, effective possibilities for actual enforcement of self-regulation standards are of key importance. While app store self-regulation may steer mHealth app developers in the right direction by translating the GDPR’s privacy provisions into technical preapproval requirements, compliance with the relevant privacy provisions is also aided by increased awareness among both mHealth users, developers, and health data brokers as to the risks mHealth apps entail for individual fundamental rights. The European Union could play a central role in accomplishing this, in order to assist mHealth users to achieve the highly desired self-empowerment by bringing the GDPR to life in mHealth apps.

Footnotes

1 Incisive Health International, Taking the Pulse of eHealth in the EU: An Analysis of Public Attitudes to eHealth Issues in Austria, Bulgaria, Estonia, France, Germany, Italy, and the UK (2017).

2 European Commission, Green Paper on mobile Health (“mHealth”) (2014).

3 Keith Spiller et al., Data Privacy: Users’ Thoughts on Quantified Self Personal Data, in Self-Tracking: Empirical and Philosophical Investigations 111–24 (Btihaj Ajana ed., 2018).

4 Federica Lucivero & Karin R. Jongsma, A Mobile Revolution for Healthcare? Setting the Agenda for Bioethics, 44 J. Med. Ethics 685, 685–9 (2018).

5 Commission Staff Working Document on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document Green Paper on mobile Health (“mHealth”) (2014); See also Recital 19 of the MDR.

6 Quinn Grundy et al., Data Sharing Practices of Medicines Related Apps and the Mobile Ecosystem: Traffic, Content, and Network Analysis, 364 BMJ l920 (2019); Achilleas Papageorgiou et al., Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice, PP IEEE Access 1–1 (2018).

7 Anil K. Gupta & Lawrence J. Lad, Industry Self-Regulation: An Economic, Organizational, and Political Analysis, 8 AMR 416, 416–25 (1983).

8 Adrian Fong, The Role of App Intermediaries in Protecting Data Privacy, 25 Int’l J.L. & Info. Tech. 85, 85114 (2017).

9 GDPR, 2016 O.J. (L 119) Recital 35.

10 Art. 29 Data Protection Working Party, Annex – health data in apps and devices (2015) 2.

11 Footnote Id.

12 Footnote Id. at 3–5.

13 Z v. Finland (1997) 25 Eur. Ct. H.R. 371, 94–6.

14 See generally Dominik Leibenger et al., Privacy Challenges in the Quantified Self Movement – An EU Perspective, 2016 Proc. on Privacy Enhancing Techs. 315, 315–34 (2016).

15 Grazia Cecere et al., Economics of Free Mobile Applications: Personal Data as a Monetization Strategy 45 (2018).

16 Papageorgiou et al., supra Footnote note 6.

17 Footnote Id.

18 Kirsten Ostherr et al., Trust and Privacy in the Context of User-Generated Health Data, 4 Big Data & Soc’y (2017).

19 Marjolein Lanzing, The Transparent Self, 18 Ethics & Info. Tech. 9, 916 (2016).

20 Leibenger et al., supra Footnote note 14.

21 Commission Staff Working Document, supra Footnote note 5.

22 Tamara K. Hervey & Jean V. McHale, European Union Health Law (2015).

23 Commission Staff Working Document, supra Footnote note 5.

24 NB: Regulation (EU) 2017/745 (MDR) will replace the current Directive 93/42/EEC in May 2020.

25 CJEU, Case C-329/16 (SNITEM).

26 See Helen Yu, Regulation of Digital Health Technologies in the EU: Intended versus Actual Use, in The Future of Medical Device Regulation: Innovation and Protection (I. Glenn Cohen et al. eds., 2021).

27 European Commission, Guidance Document Medical Devices – Scope, Field of Application, Definition – Qualification and Classification of Stand Alone Software (2016).

28 MDR, Recital 19.

29 MDR, art. 109–10.

30 GDPR, 2016 O.J. (L 119) Recitals 7, 63 GDPR.

31 GDPR, art. 2–3, 2016 O.J. (L 119); European Data Protection Supervisor, Opinion 1/2015 Mobile Health: Reconciling technological innovation with data protection (2015).

32 GDPR, art. 6, 2016 O.J. (L 119).

33 GDPR. 2016 O.J. (L 119) Chapter III.

34 GDPR, art. 12–13, 2016 O.J. (L 119).

35 GDPR, art. 15, 2016 O.J. (L 119).

36 GDPR, art. 7(3), 2016 O.J. (L 119).

37 GDPR, art. 9, 2016 O.J. (L 119).

38 GDPR, art. 9(2)(b–j), 2016 O.J. (L 119).

39 GDPR, art. 9(3), 2016 O.J. (L 119).

40 GDPR, art. 9(2)(a), 2016 O.J. (L 119).

41 Data Protection Working Party, art. 29, 2016 O.J. (L 119), Guidelines on consent under Regulation 2016/679 (2018) 18–19; GDPR, art. 32.

42 See generally Grundy et al., supra Footnote note 6.

43 Papageorgiou et al., supra Footnote note 6.

44 Trix Mulder, Health Apps, Their Privacy Policies and the GDPR, 10 Eur. J. L. and Tech. (2019).

45 Grundy et al., supra Footnote note 6.

46 Fong, supra Footnote note 8, at 98.

47 David Wright, Enforcing Privacy: Regulatory, Legal and Technological Approaches 2931 (David Wright & Paul De Hert eds., 2016).

48 Carrie Beth Peterson et al., From Innovation to Implementation: eHealth in the WHO European Region (2016).

49 OECD, Alternatives to Traditional Regulation (2013) at 47; Gupta & Lad, supra Footnote note 7, at 417.

50 European Union Agency for Cybersecurity, Privacy and Data Protection in Mobile Applications 16 (2018); Data Protection Working Party, art. 29, supra Footnote note 41, at 11–12.

51 See, e.g., Christina Angelopoulos et al., Study of Fundamental Rights Limitations for Online Enforcement through Self-Regulation 96 (2015).

52 Gupta & Lad, supra Footnote note 7, at 417.

53 Rebecca Ong, Mobile Communication and the Protection of Children 247–9 (2010).

54 OECD, supra Footnote note 49, at 6–7, 42.

55 Artyom Dogtiev, App Stores List (2019), Business of Apps 131–2 (2017), www.businessofapps.com/guide/app-stores-list/.

56 GDPR, art. 40, 47, 2016 O.J. (L 119).

57 European Commission, supra Footnote note 27.

58 Apple App Store, App Store Review Guidelines (2019), https://developer.apple.com/app-store/review/guidelines/; Google Play, Google Play Developer Distribution Agreement (2019), https://play.google.com/intl/ALL_uk/about/developer-distribution-agreement.html/.

59 Fong, supra Footnote note 8, at 96–8; Luis Hestres, App Neutrality: Apple’s App Store and Freedom of Expression Online, 7 Int’l J. Comm. (2013) at 1265–80.

60 The Netherlands Authority for Consumers & Markets, Market Study into Mobile App Stores 40 (2019).

61 European Union Agency for Cybersecurity, supra Footnote note 50.

62 Footnote Id.

63 GDPR, 2016 O.J. (L 119) Recital 78.

64 Fong, supra Footnote note 8.

65 Dogtiev, supra Footnote note 55.

66 Apple App Store, Apple Developer Program License Agreement (2020), www.imperial.ac.uk/media/imperial-college/staff/web-guide/public/Apple-Developer-Agreement.pdf.

67 Apple.com, supra Footnote note 58.

68 Footnote Id. at § 1.4.1.

69 Apple App Store, App Store Review Guidelines (Sept. 12, 2019), https://developer.apple.com/app-store/review/guidelines/, § 5.1.1 (i).

70 Footnote Id. at § 5.1.1 (ii).

71 Footnote Id. at § 5.1.1 (iii).

72 Footnote Id. at § 5.1.2 (i)–(ii).

73 Footnote Id. at § 5.1.2 (iii).

74 Apple Developer Program License Agreement 2020, supra Footnote note 66, at § 3.3.7–3.3.11.

75 App Store Review Guidelines Sept. 12, 2019, supra Footnote note 69, at § 5.1.3.

76 Footnote Id. at § 5.1.3 (i).

77 Footnote Id. at § 3.1.7.

78 Footnote Id. at § 5.1.3 (i).

79 Footnote Id. at § 5.1.3 (ii).

80 Footnote Id.

81 Google Play, Google Play Developer Distribution Agreement (Nov. 5, 2019), https://play.google.com/intl/ALL_uk/about/developer-distribution-agreement.html/.

82 Footnote Id. at § 2.1.

83 Footnote Id. at § 4.6.

84 Footnote Id. at § 4.8.

85 Google Play, Google Play Developer Program Policies (2019), https://play.google.com/about/developer-content-policy/ under “Privacy, security and deception.”

86 Footnote Id.

87 Footnote Id.

88 Footnote Id.

89 Footnote Id. under “Unapproved Substances.”

90 This section does not consider intermediary liability under the e-Commerce Directive.

91 Data Protection Working Party, art. 29, supra Footnote note 41.

92 Fong, supra Footnote note 8, at 108–11.

93 Masooda Bashir et al., Online Privacy and Informed Consent: The Dilemma of Information Asymmetry, 25 Proc. of the Assc’n for Info. Science and Tech., 1, 110 (2015).

94 Daithi Mac Sithigh, App Law Within: Rights and Regulation in the Smartphone Age, 21 Int’l J. L. & Info. Tech. 154, 154–86 (2013).

95 GDPR, art. 40, 2016 O.J. (L 119).

96 European Data Protection Board, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (2019) 6.

97 Footnote Id. at 8; GDPR, art. 40(5), 40(9), 41(1), 2016 O.J. (L 119).

98 Maximilian von Grafenstein, Co-Regulation and the Competitive Advantage in the GDPR: Data Protection Certification Mechanisms, Codes of Conduct and the “State of the Art” of Data Protection-by-Design, in Research Handbook on Privacy and Data Protection Law: Values, Norms and Global Politics (forthcoming).

99 European Data Protection Board, supra Footnote note 96, at 7–9.

100 GDPR, art. 40(2), 2016 O.J. (L 119).

101 von Grafenstein, supra Footnote note 98.

102 See GDPR, art. 24(3), § 3.2.3; 2016 O.J. (L 119); European Data Protection Board, supra Footnote note 96, at 9.

103 Mulder, supra Footnote note 44.

Figure 0

Table 5.1 Health data protection in app store policies

Source: author’s analysis (2020)

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×