The European Commission (the “Commission”) recently asked the Article 29 Working Party (“WP29”) to clarify the definition of “health data” in relation to lifestyle/wellbeing apps and wearable devices. In its response the WP29 took a cautious approach, one that may lead to compliance difficulties for app developers and device manufacturers.
Defining “health data”
Wearable devices such as Fitbit, a wristband which collects data about a user’s movements and sleep patterns, are becoming increasingly popular. The WP29 sensibly notes that the proposed use of such data and its scale should be factors in determining whether it is sensitive. Not all lifestyle apps collect health data. Should the data be retained on the device, or deleted after a set period, or kept separate from other data sets, it is unlikely to be considered health data.
The difficulty of defining health data is that non-health data can become health data depending on the duration of collection, proposed use, or combination with other data sets. A pedometer that measures the number of steps a user takes each day in isolation does not collect health data, but in combination with body mass index and mood data could build up a picture of an individual’s health state.
However, the WP29 then defines health data so broadly that it is likely to capture almost any data collected through a lifestyle app or wearable device. Health data self-evidently includes medical records, information about diagnosis or treatment and medical history. The group notes that national legislators, courts and data protection authorities have found it also includes whether an individual wears glasses, whether he smokes or drinks, his IQ, any allergies, any support groups he attends, any tax deductions for home alterations and medical product purchase history. The data do not have to be collected on a medical device and do not have to indicate poor health. When conclusions about an individual’s health status are drawn as a result of combining non-health data they become health data, even if the conclusions are incorrect. The danger for users of wearable technology is that they may be unaware their data are being transmitted from their device or combined with other sets.
The WP29 goes on to say that under the draft General Data Protection Regulation (the “draft Regulation”), the definition will include test samples and any information on an individual’s physical state or disease risk. Data from apps measuring heart rates or tobacco consumption would thus be included.
The role of consent
The WP29 concludes that explicit consent is the best justification for the processing of health data. The app developer or device manufacturer will thus have to provide clear information on the well-defined purpose(s) of the processing, whether it will be covered by professional confidentiality and whether it will be combined with other data sets. The group suggests providing examples of the consequences of combining the data, likely purposes of processing and types of third party processors.
This echoes last year’s global apps sweep (discussed in a previous blog post) coordinated by the Global Privacy Enforcement Network (“GPEN”), which found that most app developers fail to provide sufficient information about their processing activities. However, an obligation to provide even more information would appear to contradict GPEN’s recent open letter to app stores to make concise privacy policies for all apps a mandatory requirement. In a similar vein, a UK government report from November 2014 argued that consent obtained from lengthy, incomprehensible, unread terms and conditions is arguably meaningless.
To give an example, a Fitbit user who has bought the device intentionally to track his fitness regime is likely well aware that the app is collecting his location data and heart rate. This raises the question of whether the action of purchasing the product could itself imply consent if sufficient information is provided in the packaging. The WP29 feels that updated consent is required each time the data are processed for a further purpose. This will cause a headache for developers who must provide sufficiently well-defined purposes but who will want to avoid seeking fresh consent if they later decide on a new purpose. It is also hard to see how a piece of wearable technology with little or no interface could request consent at a later stage.
The WP29 took the opportunity to reiterate its concerns about the Council’s suggestion that pseudonymised data should be subject to lighter touch regulation. The Council feels this is justified, provided that safeguards are put in place: a requirement for the highest technical standards and measures to prevent re-identification.
The group also called for the draft Regulation to require specific consent to the further processing of health data for research purposes. Researchers may feel it necessary to list all possible purposes, which could frighten data subjects away from allowing their data to be used in important scientific research.
The guidance in practice
The WP29 stated that the recent Commission consultation on mHealth found there was “great interest” in strong privacy tools and strengthened enforcement of data protection rules. In fact, less than half of respondents felt strong privacy and security tools are required and less than half asked for increased transparency of information. Some warned of the risks of overregulation.
The misuse of health data has potentially serious and irreversible consequences. For that reason it was awarded protected status by the European legislators. However, given the popularity of wearable devices and their likely proliferation (the Commission’s mHealth Green Paper predicts that personal sensor data are expected to increase from 10% of all stored data to an astonishing 90% within the next decade), it seems a more practical approach could be taken going forward. In guiding data controllers who wish to take advantage of this information windfall, the WP29 needs to strike a balance between protecting the potentially sensitive data collected by wearable devices and avoiding overly strict regulatory controls that will be difficult to implement in practice and may unnecessarily encumber the user’s experience.