21 September 2023
The digitalization of health care is advancing in leaps and bounds and is changing the way health care is provided. In addition to classic treatment methods, so-called digital health apps, such as online video consultations and digital medication management, are being used more and more frequently and form a new pillar of health care.
In addition, there are numerous fitness trackers that are designed to promote a healthy lifestyle. Counting calories and steps, tracking sleep phases, fitness programs, nutrition plans, mindfulness and well-being apps – these are only a fraction of the possible services offered by digital health apps.
All digital health apps have in common that they generate and process large amounts of health data. Compliance with data protection law is therefore of particular importance: it is the only way to limit the associated data protection risks and to strengthen users' trust that a digital health app handles their data lawfully. Violations of the General Data Protection Regulation ("GDPR") may result in reputational damage and financial burdens for the provider, for example in the form of data protection fines and claims for damages.
The following overview is intended to support providers of digital health apps in ensuring a GDPR-compliant use of digital health apps.
Data protection requirements must be considered and implemented in a legally compliant manner from the very first phase of app development, in accordance with Art. 25 GDPR ("privacy by design"). By default, data protection settings should be set to the most protective level ("privacy by default"). Privacy-friendly default settings and technologies chosen according to the protection needs and risks involved are the first and decisive step in designing a digital health app that complies with the GDPR.
Data protection impact assessments are already mandatory for many digital health apps under Art. 35 GDPR. Even where they are not mandatory, they are useful to identify potential risks for users in the planned data processing and to find ways to address these risks in a user-friendly way. In addition, data protection impact assessments are essential to meet the accountability requirement set out in Art. 5 para. 2 GDPR and to demonstrate the required GDPR compliance. Data protection impact assessments must therefore be documented and regularly reviewed.
Any data processing must be based on a suitable legal basis. Because digital health apps often involve health data and thus “special categories of personal data”, the processing must be in accordance with Art. 9 para. 2 GDPR.
As a rule, the express consent of the user is required for the processing of health data by means of digital health apps (Art. 9 para. 2 lit. a) GDPR). For special data processing, such as for research purposes, special legal processing bases may be relevant – in addition to classic consent (e.g., Art. 9 para. 2 lit. j) GDPR).
Finally, it is important to note that the data, once collected, may not be processed for another purpose that is incompatible with the original purpose for which it was collected (Art. 5 para. 1 lit. b) GDPR). If other data processing purposes are intended in addition to the provision and use of the app, such as for data donation or for research and development purposes, these purposes must also be specified when the data is collected and legitimized by appropriate legal bases.
In any case, special attention must be paid to a transparent and user-friendly privacy policy (Art. 13 and 14 GDPR) in order to strengthen the user's trust in GDPR-compliant data processing. The data processing should be described as concretely and app-specifically as possible. Timing also plays a role: the privacy policy must be provided early, "at the time when personal data are obtained", i.e., as soon as personal data are first accessed, which is usually already on the download platform, e.g., the app store. Finally, the privacy policy should also be placed in the digital health app itself and be easy for the user to find and access at any time.
Which data are actually necessary for the operation of the app, and which data really need to be linked to an identifiable person? Any lawful data processing must be adequate, relevant and limited to what is necessary for the purpose of the processing (Art. 5 para. 1 lit. c) GDPR). The answer always depends on the specific app: if customized treatment therapies are tracked, the processing of health data is probably always necessary. If, on the other hand, the focus is on more general topics, such as data donation or the use of data for research and development purposes, the question arises as to whether the processing of personal data is actually necessary at all. The possibility of anonymization, or at least pseudonymization, must be kept in mind here. After pseudonymization, personal data can no longer be attributed to a specific person without the use of additional information. In contrast to anonymous data, however, pseudonymized data is still subject to the GDPR, since the reference to a person can be restored by means of the assignment rule (typically a key or lookup table that the controller keeps separately). In the case of anonymization, this is no longer possible, which is why the provisions of the GDPR do not apply and subsequently do not have to be considered (Recital 26 sentence 5 GDPR). Note that anonymization only counts as such if re-identification is no longer possible by any means reasonably likely to be used (Recital 26); merely removing names from a small, richly detailed data set does not meet this bar.
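The distinction between pseudonymized and anonymized data described above, worked through in code. This is an added example and not code from the original article or from any particular app provider; all records, identifiers and the `k` threshold are constructed sample values. It shows three things: pseudonymization with a keyed HMAC, where the key is the "additional information" that must be held separately; why an unkeyed hash of a low-entropy identifier is not a usable pseudonym, because the identifier space can simply be enumerated; and anonymization by dropping the identifier, generalizing quasi-identifiers and suppressing small groups.

```python
"""Added example (not from the original article): keyed pseudonymisation
versus anonymisation by generalisation and suppression.
All records, identifiers and thresholds below are constructed sample data."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records, as a health app backend might hold them.
RECORDS = [
    {"user_id": "u-1001", "birth_year": 1984, "zip": "10115", "steps": 8231},
    {"user_id": "u-1002", "birth_year": 1991, "zip": "10117", "steps": 4120},
    {"user_id": "u-1003", "birth_year": 1986, "zip": "10119", "steps": 6010},
    {"user_id": "u-1004", "birth_year": 1983, "zip": "10119", "steps": 5500},
]


def pseudonymise(records, key):
    """Replace user_id by an HMAC-SHA256 tag under a secret key.
    The key is the 'additional information' of Art. 4(5) GDPR: whoever
    holds it can recompute the assignment, so the output is still
    personal data and the GDPR still applies."""
    out = []
    for r in records:
        tag = hmac.new(key, r["user_id"].encode(), hashlib.sha256).hexdigest()
        out.append({**r, "user_id": tag})
    return out


def reidentify(pseudonym, candidate_ids, key):
    """The assignment rule: with the key, a pseudonym maps back to an id.
    Without the key this search cannot be carried out."""
    for cid in candidate_ids:
        tag = hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, pseudonym):
            return cid
    return None


def unkeyed_hash(user_id):
    """Naive approach: plain SHA-256 of the identifier. Included only to
    show why this is not a meaningful pseudonymisation."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def brute_force_unkeyed(pseudonym, id_range=range(1000, 2000)):
    """Anyone can enumerate the small identifier space and recover the
    id: the 'additional information' is effectively public."""
    for n in id_range:
        cid = f"u-{n}"
        if unkeyed_hash(cid) == pseudonym:
            return cid
    return None


def anonymise(records, k=2):
    """Drop the identifier, generalise the quasi-identifiers (5-year
    birth band, 3-digit zip prefix) and release only aggregates for
    groups with at least k records; smaller groups are suppressed."""
    counts = Counter()
    steps = {}
    for r in records:
        band = (r["birth_year"] // 5) * 5
        group = (f"{band}-{band + 4}", r["zip"][:3])
        counts[group] += 1
        steps.setdefault(group, []).append(r["steps"])
    return {
        group: {"n": n, "mean_steps": sum(steps[group]) / n}
        for group, n in counts.items()
        if n >= k
    }


if __name__ == "__main__":
    # The key is generated and stored apart from the data (e.g. in a KMS).
    key = secrets.token_bytes(32)
    pseud = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseud[0]["user_id"][:16], "...")
    print("re-identified with key:",
          reidentify(pseud[0]["user_id"], [r["user_id"] for r in RECORDS], key))
    print("unkeyed hash recovered by enumeration:",
          brute_force_unkeyed(unkeyed_hash("u-1002")))
    print("anonymised release:", anonymise(RECORDS, k=2))
```

Two practical caveats. HMAC pseudonyms are deterministic, so the same key used across data sets makes records linkable between them; that is a deliberate choice here (it preserves longitudinal analysis) and needs to be weighed against the purpose. The threshold `k=2` is a constructed value for a four-record sample; real releases use larger groups and also consider attribute disclosure (whether all members of a group share the same sensitive value), which this example does not address.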
Some digital health apps choose a decentralized approach, whereby the personal data collected remains on the user's device. The data is therefore not hosted externally (on a server or in the cloud), which significantly reduces the risk of misuse and the impact of a breach on the provider's side. A decentralized approach also strengthens user trust in a privacy-friendly infrastructure. It does not remove the provider's security obligations, however: data kept on the device still has to be protected, e.g., against loss or theft of the device and against leakage via device backups. If, on the other hand, it is necessary to store the data centrally on a server or in the cloud, the data must be encrypted both in transit and at rest to ensure data security.
The more sensitive the type of data processed, the higher the level of security must be (Art. 32 GDPR). Any data breach can attract the attention of data protection authorities and damage a company's reputation; in the case of sensitive health data, it is even more likely that data protection authorities will initiate investigations and may impose severe fines once a personal data breach is established. Promptly applying security-related patches and updates, minimum password standards, automatic log-outs and encrypted data transfers are key elements of a privacy-compliant design.
To avoid mistrust of digital health apps, data processing must be transparent and comprehensible. Users should be able to check at any time what health data is being collected about them. At the same time, a transparent user interface should enable users to change their data protection settings at any time and without obstacles.
Users must have control over their data. This includes, e.g., the ability to access, correct or delete the data. Transparent and user-friendly implementation of these options strengthens data protection and the user's trust in the app. As early as the app development stage, therefore, care must be taken that the design of the app allows the provider to honor the rights of the users concerned, for instance by making deletion of a user's data a supported operation rather than an afterthought.
It is not sufficient to only comply with and implement the requirements of the GDPR. Rather, the controller must be able to demonstrate to the supervisory authorities that the GDPR has been implemented as part of the data processing procedures that have taken place (Art. 5 para. 2 GDPR). This requires clear structures, internal guidelines, processes and audits. The aforementioned data protection impact assessment goes hand in hand with this.
Special attention must be paid to the topic of “data transfers”. This does not only apply when the data leave the European Union. Rather, it must always be critically examined who is granted access to personal data and why. Particular caution is required if trackers from external service providers are built into the digital health app, e.g. for product improvement, which evaluate user behavior. In this case, special attention must always be paid to the lawfulness of the data processing as well as to the purpose limitation in order to adequately consider the requirements of data protection law.
When commissioning processors, the conclusion of a suitable agreement on commissioned data processing must always be ensured (Art. 28 GDPR) so that the provider retains control over the data processing.
When transferring personal data outside the European Union, the requirements for data transfers to third countries pursuant to Art. 44 to 50 GDPR must also be taken into account. International data transfers are particularly in the focus of the European data protection authorities. Therefore, appropriate data transfer mechanisms must be ensured.
In addition, the privacy policy must provide transparent information about the data recipients and the location of the data processing.
Personal data may not be stored for longer than is necessary for the purpose for which it was collected (Art. 5 para. 1 lit. e) GDPR). This storage limitation principle means that the personal reference of data may only exist as long as it is necessary for the specific purpose; retention periods should therefore be defined per data category and enforced technically. This shows another advantage of anonymization: if data is effectively anonymized, the GDPR no longer applies and there is no time limit on its storage.
If the prescription of digital health apps as “app on prescription” is in question, the app providers must provide proof of compliance with the requirements for data protection and data security in accordance with the state of the art (Sections 33a, 139e para. 2 sentence 2 no. 2 of the Fifth Book of the German Social Code (Sozialgesetzbuch Fünftes Buch, “SGB V”)). This is done in accordance with the Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, “DiGAV”) by means of a self-declaration by the app provider to the Federal Institute for Drugs and Medical Devices (BfArM). For this purpose, the app provider fills out a questionnaire, which is attached as Annex 1 to DiGAV. In this respect, app providers must independently assess whether they meet the requirements and also bear the risk of a false assessment. The BfArM provides a general guideline for digital health app (DiGA) providers as an aid.
It is noteworthy that the DiGAV goes beyond the requirements of the GDPR that must be observed. Among other things, the DiGAV provides that data processing is permitted solely on the basis of the express consent of the user. In addition, the DiGAV conclusively lists the permissible purposes of data processing. According to this, processing is limited to purposes relevant to care (e.g., intended use, proof of positive effects on care) and ensuring the technical functionality and further development of the digital health applications. Processing for other purposes, in particular for advertising purposes, on the other hand, is expressly prohibited. The place of data storage is limited to countries within the European Union or the European Economic Area and third countries with an effective adequacy decision pursuant to Art. 45 GDPR.
Providers of digital health apps “on prescription” must therefore, in addition to the general data protection requirements, also observe the special data protection requirements of the DiGAV. A detailed overview of the special data protection requirements of the DiGAV can be found here.
Digital health apps are the basis for new innovative treatment options and services in healthcare. Given the importance of health data, it is tempting to collect as much data as possible for as many purposes as possible. This data processing must always be in compliance with the GDPR.
In order to further increase the acceptance of the use of digital health apps, confidence-building data protection measures are also required. Above all, the economic interests of the app providers must be aligned with the requirements of the GDPR (and, if necessary, with those of SGB V and DiGAV). The implementation of the above to-dos provides an initial overview for app providers on how they can ensure data protection-compliant use of their digital health apps.