Privacy protection is emerging as an important issue for mobile health apps. Users need to trust that the health apps they are using have safeguards in place to protect their personal heath data.
Without these safeguards, companies that market health and medical apps risk falling foul of the law as well as losing the confidence of their consumers.
Reflecting privacy concerns, European authorities have increased their focus on the data protection implications of ‘mobile health’. It’s quite possible Australian regulators will follow Europe’s lead.
Data protection and privacy has always been a strong concern for European law makers.
Mobile health apps and devices have recently been put under the ‘privacy spotlight’ by two of the EU’s most influential privacy bodies – the European Data Protection Supervisor (EDPS) and the Article 29 Working Party (Working Party).
Both the Working Party and the EDPS have published documents  asserting that mobile health software, including medical apps and devices (‘mobile health’), carry significant privacy concerns due to the collection of sensitive health data.
The EDPS Opinion titled “Mobile Health, Reconciling technological innovation with data protection” summarises the mobile health issues being considered in Europe.
It notes that a lack of trust in mobile health arises if there is insufficient protection of users’ health data. A lack of trust obviously needs to be taken seriously by those businesses wanting to succeed in the growing field of mobile health.
In Europe, health data encompasses all data about a person’s health and body, including their intellectual and emotional habits, and membership of patient support groups. Even data that is not health data in isolation can be health data when monitored over a period of time.
For example, the Working Party’s release suggests that calorie-counting applications (such as those found on popular ‘fitness’ apps) can allow a data-collector to develop opinions about a person’s overall health.
The EDPS recommends improvements to security requirements, ‘anonymisation’ techniques, greater accountability of data‑collectors and improved mechanisms for obtaining consent where a person’s data will be used for historical, statistical or scientific research.
It further recommends that the EU legislator addresses these issues through future ‘policy making measures’.
The European Commission is in the process of unifying data protection in the EU with a single law, the General Data Protection Regulation (GDPR). The GDPR proposes new guiding principles and rules applicable in the context of mobile health.
For example, ‘privacy by design’ (building privacy and security settings into an app’s architecture in order to facilitate compliance with privacy and data protection principles) would become a legal obligation under the GDPR rather than just a ‘best practice’ recommendation.
Australia’s privacy laws regulate the handling of health information and treat health information as a category of personal information worthy of special protection.
All corporations that collect or hold health information in Australia, or provide a health service, using mobile health apps must comply with federal privacy and data protection laws under the Privacy Act 1988 (Cth).
Australia’s federal privacy laws are administered by the Office of the Australian Privacy Commissioner (OAIC). State and Territory privacy laws should also be taken into account because they too can apply to dealings with health information.
Considering the increased focus in Europe on mobile health, we could see a parallel move in Australia towards tighter regulation of, or an enforcement focus on, apps or other mobile devices that collect or store health data.
For example, like Europe, privacy by design is currently only a ‘recommendation’ in Australia. If the GDPR becomes law in Europe, we may see Australian legislation amended to make privacy by design a legislative requirement.
Importantly, if a health app or device is intended to be used for a therapeutic purpose, such as diagnosing or treating a disease, injury or disability, or for the purpose of controlling conception, approval for the app or device must first be sought from Australia’s Therapeutic Goods Administration (TGA).
While the TGA is not charged with administering Australia’s privacy laws, privacy by design affects how a medical app works and could, in the future, have more of an influence on the TGA’s assessment of mobile health apps or the development of guidance on mobile health by the TGA or the OAIC.
For more on privacy protections in mobile apps see our article, “Is your mobile app privacy friendly?”.
While it does not appear that the regulation of mobile health under Australian law is about to materially change any time soon, the TGA and OAIC are likely to have regard to developments in Europe with respect to the privacy risks associated with mobile health.
 A privacy by design approach is recommended by the Office of the Australian Information Commissioner (OAIC) in its September 2014 publication ‘Mobile privacy: A better practice guide for mobile app developers’.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.