During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps (mobile device software offering health-related services). The DPAs claim that these devices and apps collect personal health data, which is subsequently transmitted to manufacturers, internet providers, and other third parties.
Healthcare Apps and Wearables Under German Law
In general, under German law, a company may collect, process, and use personal health data only if specifically authorized by law, such as the German Federal Data Protection Act (FDPA), or if the data subject has consented. The resolution clarifies how these requirements apply to wearables and apps:
- Manufacturers of wearables and healthcare apps should use data privacy-friendly technologies and default settings (e.g., privacy by design), and should adhere to the principles of data reduction and data minimization, as well as anonymization/pseudonymization.
- A data subject’s consent regarding the collection, processing, and use of personal health data should be transparent, particularly regarding a transfer to third parties.
- In the context of employment and insurance, any consent to the use of personal health data is likely invalid, based on concerns about the significant imbalance in negotiating power between the parties. Consistent with the German DPAs’ view, the Dutch DPA recently stated that an employee’s consent to the use of wearables is not valid due to the employee’s financial dependence on the employer.
- Legal requirements for data security cannot be waived contractually or via consent.
- Where multiple parties are involved in the creation or distribution of wearables and healthcare apps, those parties bear joint responsibility for the wearables and apps, including meeting quality standards, ensuring IT security and functionality, and providing transparency about data usage. However, the resolution does not explain how this joint responsibility should operate in practice.
The resolution of the German DPAs creates further challenges for providers of healthcare apps and wearables that rely on users’ consent for their collection, processing, and use of personal health data. In particular, heightened consent requirements may apply even before the new European General Data Protection Regulation, explained here, comes into effect. Accordingly, providers of such devices and applications must take the authorities’ position into account. Retailers and platform providers should also be aware that the German DPAs may seek to hold them responsible for applications, services, or devices offered on their platforms by third parties.
Maximilian Bernecker, a trainee in the Frankfurt office, contributed to this post.