Embed Size (px)
Citation preview
“mHealth enablers” panelThe Health & Wellness @ Mobile World Congress 2015
Giuseppe BusiaSegretario generale
Garante per la protezione dei dati personali
1
• I dati pubblicati devono essere:mHealth main concernMobile Health (mHealth) raises many concerns about the appropriate processingof the data collected through apps or solutions by individuals, developers, healthprofessionals, advertising companies and public authorities…
any personal data can become health data(if it is collected for the purpose of inferring health status)
Therefore mHealth apps require a baseline of privacy and security protections appropriate to sensitive data
2
• I dati pubblicati devono essere:EU data protection legal frameworkapplicable to lifestyle and wellbeing Apps
The relevant legal framework applicable:
- Data Protection Directive (Directive 95/46/EC)
- ePrivacy Directive (Directive 2002/58/EC)
3
These rules apply to any apps installed/used by users in the EU, regardless of the location of the app developer or the app store…
• I dati pubblicati devono essere:Data Protection DirectiveThe legal ground for processing personal data varies according to the nature ofthe data processed.
Article 8 of the Data Protection Directive (95/46/EC)qualifies health data as a special category of data to which a higher
level of data protection applies
The processing of special categories of data is prohibited, unless an exception appliessuch as:• the explicit consent of the data subject; except where in accordance with
national law the prohibition to process such personal data cannot be lifted by theconsent of the data subject (art. 8, 2 (a))
• the vital interest of the data subject or of another person where the data subjectis physically or legally incapable of giving his consent (art. 8, 2 (c))
• where processing of the data is required for the purposes of preventivemedicine, medical diagnosis, the provision of care or treatment or the managementof healthcare services, and where those data are processed by a health professionalor any professional bound by the obligation of secrecy (art. 8, 3)
4
• I dati pubblicati devono essere:Article 29 Working Party Opinions (1)
WP29 Advice Paper on special categories of data (April 2011): the rationale behind Article 8 stricter legal regime…
• Lifestyle and wellbeing apps can collect indifferently personal data ofgeneral nature (e.g. information on the data subject's hobbies) andhealth data (e.g. heartbeat or oxygenation of the blood)
• The data subject's explicit consent to the processing of hishealth data must be freely given, informed and specific
• The other principles relating to data quality (including dataminimisation, data retention limitation and the adoption ofappropriate safeguards in this regard) are applicable too (Article 6of the Directive)
5
• I dati pubblicati devono essere:Article 29 Working Party Opinions (2)
WP29 Opinion 02/2013 "on apps on smart devices“seeks to clarify the legal obligations of each of the parties involved in the
development and distribution of apps (February 2013):
• guidance to all the players, in particular the need to provide clear and unambiguous information about data processing to users
• the need for explicit consent of the user as the processing will be done for a distinct purpose than the one of the app developer
• the level of complexity of identifying the role of a third party can be well illustrated by the case of cloud computing providers …
(see also WP29 Opinion 05/2012 on Cloud Computing, July 2012)
6
• I dati pubblicati devono essere:Article 29 Working Party Opinions (3)
WP29 Opinion 08/2014 on the Internet of Things (IoT)
eHealth and Quantified-self devices such as body trackers are always carried by users who want to record information about their own habits and lifestyles…
WP29 adopted on 16 September 2014, Opinion 8/2014 on the Internet of Things(IoT), which highlights the privacy and data protection challenges posed bythe IoT and puts forward recommendations to help stakeholders comply withcurrent EU data protection legislation for the development of a sustainable IoT
• WP29 stated that the quantified self focuses on motivating users to closelymonitor their biological rhythms, it has many connections with e-health
• WP29 stressed that the application of Article 8 to sensitive data in the IoTrequires that data controllers obtain the user’s explicit consent, unlessthe data subject has made himself the data public
7
eHealth and Quantified-self devices such as body trackers are always carried by users who want to record information about their own habits and lifestyles
ePrivacy Directive 2002/58/EC, as revised by Directive 2009/136/EC sets a specific standard to any entity worldwide that wishes to store or access
information stored in devices of users located in the EEA.
Cookies: the storing of information or the access to information already stored inthe terminal equipment of a user is only allowed on condition that he has given hisconsent, having been provided with clear and comprehensive information about thepurposes of the processing (Article 5(3) of this Directive).
This consent requirement applies to any information (i.e. not limited topersonal data as information can be any type of data stored on the device)
This means that when installing an app, users should be given the choice to accept or refuse cookies or similar tracking technologies to be placed on their device
In this regard, on 17 February 2015, WP29 issued a press releaseon the joint survey made by European regulators on website cookie usage
• I dati pubblicati devono essere:ePrivacy Directive
8
• I dati pubblicati devono essere:
WP29 recent letter to European Commission, clarifying Scope of Health Data Processed by Lifestyle
and Wellbeing Apps (February 2015)
In the Annex to this letter, the Working Party identifies criteria to determine whenpersonal data qualifies as “health data,” a special category of data receiving enhancedprotection under the EU Data Protection Directive 95/46/EC
Scope of Health DataWP29 identifies three main scenarios:
1) data processed by the app or device is inherently/clearly medical data (i.e. dataprovides information about an individual’s physical or mental health status generated ina professional medical context (e.g., healthcare providers);2) raw sensor data processed by the app or device can be used, independently or incombination with other data, to draw conclusions about an individual’s actual healthstatus or health risks;3) data allows for conclusions to be drawn about an individual’s health status orhealth risks (irrespective of whether these conclusions are accurate or inaccurate,legitimate or illegitimate or otherwise adequate or inadequate).
9
WP29 recent letter to European Commission (1)
• I dati pubblicati devono essere:
Legal Requirements for Processing Health Datausers of lifestyle and wellbeing apps do not have to comply with the Directive whenthe data is not transmitted outside their device, as this qualifies as purely personaluse of personal data
WP29 letter also underlines:• the importance of providing clear and easily accessible information to
the users before they install the app or buy the device• the need to implement proper anonymization techniques and other security
measures, such as privacy by design and data minimization
Further Processing of Health Data for Historical, Statistical and ScientificPurposesWP29 would like the EC to make a clear statement that, under the Directive, furtherProcessing of Health Data for Historical, Statistical and Scientific Purposes requiresexplicit consent, unless specific exceptions provided in national law apply
10
WP29 recent letter to European Commission (2)
• I dati pubblicati devono essere:EC mHealth public consultation results
The recently published results of the EC public consultation onmHealth well show how WP29 concerns are shared by differentstakeholders (January 2015)
From the analysis of comments from the 211 respondents (71% werefrom organizations and 29% were from individuals): there is a greatinterest in strong privacy and security tools, and strengthenedenforcement of data protection rules not only among data protectionstakeholders but also among european citizens…
The success of an mHealth concept is based on its capacity togenerate TRUST from a wide range of users
11
• I dati pubblicati devono essere:2014 GPEN PRIVACY SWEEP
On 10 September 2014, the Global Privacy Enforcement
Network (GPEN) published the results of its privacy enforcement
survey or “sweep” carried out earlier in 2014 with respect to
popular mobile apps
…many raised concerns about mobile apps
12
• I dati pubblicati devono essere:About GPEN…
The GPEN Global PrivacyEnforcement Network wasestablished in 2008 uponrecommendation by the OECD tofoster cross-border cooperationamong privacy regulators in anincreasingly global market
13
The informal network is comprised of 47 privacy enforcement authorities in 37
jurisdictions around the world…
• I dati pubblicati devono essere:2014 App Sweep purpose
Over the course of a week in May 2014, GPEN’s “sweepers” (made up of 26 dataprotection authorities, including the Italian DPA, across 19 jurisdictions)participated in the survey by downloading and briefly interacting with themost popular apps released by developers in their respective jurisdictions, inan attempt to recreate a typical consumer’s experience.
GPEN 2014 App Sweep purpose was to increase public and commercial awareness of data protection rights and responsibilities as well as identify specific high-level issues which may become the focus of future
enforcement actions and initiatives……
14
The results of the sweep suggest that a high proportion of the apps downloaded did not sufficiently explain how consumers’ personal information would be collected and used….
• I dati pubblicati devono essere:2014 App Sweep highlights
- 3/4 of all apps examined requested one or more permissions, the mostcommon of which included location, device ID, access to other accounts,camera and contacts
- Some 59 % of apps left sweepers scrambling to find pre-installationprivacy communications
- For nearly one-third of the apps (31%), sweepers expressed concernabout the nature of the permissions being sought
- Some 43 % of apps did not tailor privacy communications to the smallscreen
- Just a fraction of apps examined, 15 %, provided a clear explanation ofhow it would collect, use and disclose personal information
15
• I dati pubblicati devono essere:Italian DPA medical App Sweep
The Italian DPA (Garante), as part of the "2014 GPEN Privacy Sweep, chose to sweep medical applications…
WHY medical Apps?
Because it was not possible to postpone medical App evaluation in terms of usefulness/dataprotection requirements….and our decision was in line with the concerns that were voiced recentlyat European level in this regard (EC Green Paper on mHealth and public consultation on mHealth)
The results of the italian sweeping activity show that the degree of transparency on the processingof user data and the permissions required them to download the selected medical App are, insome cases, not in line with the Italian data protection legislation…
16
50% of the medical apps surveyed by the Italian DPA's "sweepers" out of asample including those with the highest number of downloads on the variousplatforms do not provide information on data use prior to installation(or else provide very general information or request excessive data compared totheir features)
In many cases the privacy notice is not tailored to the small screen size andis thus hard to decipher; in yet other cases the privacy notice is found, for instance,in the technical credits area of the given device
Italian DPA medical App Sweep highlights
17
• I dati pubblicati devono essere:Italian DPA further steps
The italian medical App Sweep was not an investigation, nor was it intended to conclusively identify compliance issuesor possible violations of privacy legislation
Nevertheless…
- any profiles of privacy violation detected will be evaluated bythe Garante
- at the national level, we are planning an assessment interms of needed inspections and any possible prescriptivemeasures/sanctions
18
• I dati pubblicati devono essere:2014 GPEN Sweep follow up letterOn December 9, 2014, 23 privacy authoritiesfrom around the world have signed an openletter to the operators of seven appmarketplaces (Apple, Google, Samsung,Microsoft, Nokia, BlackBerry andAmazon.com), urging them to make links toprivacy policies mandatory for apps thatcollect personal information
The Italian DPA, as well as all the otherundersigned privacy enforcement authorities,strongly believe that an app marketplaceoperator should, acting as a responsiblecorporate citizen, make the basiccommitment to require each app that canaccess or collect personal information, toprovide users with timely access to theapp’s privacy policy
19
• I dati pubblicati devono essere:Which future of mHealth…?
20
mHealth apps will surely be “alarge part of the future” of healthcare…but there are still too manyunresolved questions of what to dowith mHealth….
those issues of mHealthregulation and standardisationmust become “surmountable”...thanks to our common efforts…
