
Why we should push for the Privacy code of conduct on mobile health apps to be approved

Sophie Osborne - Content Expert at Extra Horizon
Mar 21, 2023

When using a new medical app, it is only natural to have some initial scepticism about whether or not you can trust the app with your personal data. And who can blame us? We are putting some of our most sensitive information into these apps, and hearing about the numerous health data breaches happening worldwide is not very reassuring.


Gaining trust from users is one of the most important hurdles when successfully launching a new mobile health app into the ever-growing digital health market. Of course, the market is heavily regulated, with stringent data regulations such as the GDPR being in place. The GDPR exists to protect the personal data of individuals, but when it comes to medical apps, the picture becomes even more complex.


And that’s where the Privacy code of conduct on mobile health apps comes into play. But first, some background information to get you up to speed.

In the beginning, there was the European Commission Green Paper on mobile health

So let’s start at the very beginning, before the GDPR even came into force. When the European Commission published a Green Paper on mobile health back in 2014, it revealed that people often do not trust mobile health apps due to privacy concerns. In fact, the paper revealed that 67% of consumers did not want to use their mobile phone in support of their health at all. At a time when digital health apps are offering a number of life-changing benefits to patients, it’s a pity that some people might miss out due to privacy concerns.


The solution? A Privacy Code of Conduct on mobile health apps

Motivated by the findings of the Green Paper, the European Commission decided to encourage the creation of a Privacy Code of Conduct on mobile health apps. Created by industry stakeholders, the code was intended to increase trust amongst mobile health app users. Work on the code started less than a year after the Green Paper consultation, in April 2015.


Important guidance on data principles, made specifically for medical app developers

The code contains guidance tailored specifically to the developers of medical apps. As developers are the ones creating the apps, and deciding to what extent the apps will access and process personal data, it only seems logical to have a standardised and consistent guide to data principles written specifically for medical app developers.


The code addresses the following topics:

  • User consent
  • Purpose limitation and data minimisation
  • Privacy by design and by default
  • Data subject rights and information requirements
  • Data retention
  • Security measures
  • Advertising in mobile health apps
  • Use of personal data for secondary purposes
  • Disclosing data to third parties for processing operations
  • Data transfers
  • Personal data breaches
  • Data gathered from children

So, why was the code not approved in the first place?

The Code was submitted on 7th December 2017, before the GDPR was in effect, so it was assessed for approval under the Data Protection Directive (DPD), the predecessor to the GDPR. However, when the assessment of the code was published in April 2018, just one month before the GDPR came into effect, it was determined that the GDPR should apply instead of the DPD. Thus, the code was not approved, as it had not been written with the GDPR in mind.


But why add more rules and regulations on top of the GDPR?

It may sound like a lot of work to comply with both the GDPR and the Privacy code of conduct on mobile health apps, but in my opinion, this is not the right way to look at it. Although the GDPR already provides thorough guidance in terms of data privacy and security, these rules and regulations have yet to be reworked into suitable criteria and guidelines for the medical app industry. Introducing the Privacy code of conduct on mobile health apps will fill this knowledge gap, and will be a useful companion to existing privacy regulations, including the GDPR.


The future of the privacy code of conduct on mobile health apps

Although the first version of the code was not approved, the European Commission continues to encourage industry stakeholders to develop the code, in the hopes that it will eventually be approved by the European Data Protection Board - and I feel strongly that we should be supporting this.

So, why should we be striving to get this code of conduct finished and approved?

A code written by developers, for developers

First of all, the idea of this code of conduct is very much welcomed by medical app developers. Industry members took the lead in developing the code itself, with the European Commission acting as a facilitator of the code. In essence, it is a code written by developers, for developers. 


Having the code officially approved will mean that these industry-specific criteria and guidelines will finally be widely available, bringing the regulatory and app development worlds together in a language that developers understand. This will iron out any confusion and uncertainties, and keep developers on the same page across the industry.

Provides specific guidance on European data protection rules

The code raises awareness of the data protection rules in the EU. With developers not necessarily being experts in the field of medical device regulations, a thorough guide to the necessary data and privacy rules is an extremely useful resource for programmers looking to build compliant medical device software. If developers have one common code of conduct to adhere to, less time will be spent figuring out the often-puzzling data regulations, and developers will have more time to focus on creating high-quality and life-changing digital health solutions.

Empowering users

The privacy code of conduct on mobile health apps plays a pivotal role in highlighting the numerous benefits of medical apps, and reassuring users that their data is in safe hands. With medical apps transforming the world of healthcare and changing the lives of patients, we should be doing everything we can to reassure the 67% of people that medical apps can be trusted. Plus, this statistic was recorded in 2014 - who knows how high that number could still be in 2023? Getting the Privacy code of conduct on mobile health apps finished and approved will provide some much-needed reassurance to the people who are hesitant to trust mobile health apps.

To conclude

Although it’s likely to take a lot of time and effort to get the current draft of the code into shape, the benefits to the medical app industry will be astronomical. The code will not only benefit the creators of these apps, but also the users, who will be able to sleep easy at night knowing that their data and their health are in good hands. Working at Extra Horizon, where we create a medical backend platform built for medical apps in particular, I can only applaud the current efforts being made with this code.

About Sophie

Sophie is the content expert at Extra Horizon. She has done lots and lots of research into the wonderful world of digital health applications. During her research, she encounters lots of interesting topics like this one.

