Paul Quinn, Professor at LSTS, reflected on the EU data protection requirements that have to be considered by entities running and launching mobile health and well-being apps. During the event the following topics were addressed:
Medical Device Regulation: In April 2017, the rules governing standards of quality and safety for medical devices were revised. The Medical Device Regulation (MDR) repealing the Directive on Medical Devices aims at establishing a ‘predictable and sustainable regulatory framework for medical devices which ensures a high level of safety and health whilst supporting innovation’. The MDR defines ‘medical device’ as ‘any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes’ (Article 2). Such purposes may include diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease. The term ‘software’ is not a new addition to this definition and it can be found in the Directive on Medical Devices. However, the use of this term means that apps and their accessories that are developed for a medical purpose (e.g., monitoring and measuring blood pressure for diabetes management) are subject to rules as well as safety and performance requirements listed in this regulation, including a comprehensive post-market surveillance system.
Challenges of qualifying mobile apps as a medical device: The speakers argued that a wafer-thin line separates health and well-being apps that are considered to be medical devices from apps that are not. For example, an app that manages and displays information from a glucose meter connected to your body will automatically be categorized as a medical device. In general, the participants agreed that if an app provides personalized advice or feedback based on an individual’s personal data, then it will always fall within the scope of the MDR. At the same time, an app that presents passive information, such as a diet plan or general advice on a health problem, would not be considered to be a medical device. It is recommended that developers of apps that intend to provide medical assistance consult the Guidelines on the qualification and classification of standalone software used in healthcare within the regulatory framework of medical devices.
Data protection concerns: Provided that mobile health and well-being apps process personal data, there is no doubt that the security requirements and other obligations stemming from the GDPR apply. Nonetheless, identifying the applicable law may not be that straightforward in practice. Article 9(4) of the GDPR grants Member States the possibility of enacting domestic measures governing the use of data concerning health. Therefore, controllers of such apps should also consult domestic regulation.
Finally, participants agreed that consent is the most appropriate legal basis used in the context of apps. Individuals should be required to consent in order to download an app and in order to enable it on a smart device. Participants encouraged aspiring developers looking for specific solutions to data protection issues to consult the mHealth code of conduct, drafted by the European Commission.
Copyright © Brussels Privacy Hub