At the beginning of the years 2000 the media, IT and electronic communication industries began to converge, creating both a new business environment and new regulatory issues. Similarly, today, the healthcare industry has found new opportunities for development and growth in the convergence with new technologies (smart devices and related mobile apps). This combination aims ultimately at administering healthcare to users through smart devices, and is considered as an "emerging and rapidly developing field which has the potential to play a part in the transformation of healthcare and increase its quality and efficiency.[1]

            The development of mHealth has great potential for improving healthcare and the lives of individuals. In addition, Big Data, together with the "Internet of Things"("IoT”) is expected to have a significant impact on mHealth because of the volume of information available and the quality of inferences that may be drawn from such information. It is expected to provide new insights for medical research and it might also reduce costs and simplify patient´s recourse to healthcare. At the same time, it is necessary to protect individuals’ dignity and fundamental rights, particularly those of privacy and data protection. The wide use of Big Data can reduce users´ control over their personal information. This is partly due to the huge unbalance between the limited information available to people and the extensive information available to entities which offer products involving the processing of this personal information.

Data Protection Implications of Mhealth

Privacy and protection of personal data are fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights. In addition, there are specific rules currently applicable to mHealth laid down in the GDPR.[2] These require that any processing of personal data must respect certain safeguards, for example the requirements that personal information may only be processed for specific purposes (purpose limitation) and should not be transferred to a destination outside the EU which does not offer an adequate level of protection (international transfers). In particular, information relating to health[3] enjoys a higher level of protection and may not be processed unless certain conditions are satisfied, in particular the specific and informed consent of the user.[4]

           Large volume of lifestyle and well-being information that is often shared on smart devices and social applications.[5]

           Pseudonymisation[6] and even anonymization[7] do not fundamentally change the need to apply data protection safeguards to mHealth data. Pseudonymous data remains personal data as it can be re-identified not only by the controller, but also by third parties through combination with external information from other sources.[8]

Problem of definition Between Health data and Life Style Data

            In many cases the data processed in the context of mHealth relate to, or reveal, the state of, physical (or mental) health of the individuals using the devices or apps[9], thus falling under the stricter data protection regime applicable to special categories of data (Article 9 of the GDPR). However, there cannot be a simple definitive answer to this question: the assessment of which data processed in the mHealth field are sensitive health data can only be done on a case-by-case basis. Lifestyle and well-being data will, in general, be considered health data, when they are processed in a medical context (e.g. the app is used upon advice of a patient’s doctor) or where information regarding an individual’s health may reasonably be inferred from the data (in itself, or combined with other information), especially when the purpose of the application is to monitor the health or well-being of the individual (whether in a medical context or otherwise).

            The notion of what constitutes health data should be construed broadly, so as to include any data relating to a person’s physical and mental health information18. Due account must be taken of the fact that it is not only the intrinsic nature of the information that identifies it as health data. Also the circumstances surrounding the gathering and processing of such information play a role. As argued by French data protection supervisory authority, CNIL[10], there is not always a clear distinction between the notion of health data and well-being information. There is, rather, a continuum, from cases where well-being information has little or no relation whatsoever to individual’s health to cases where -depending on the circumstances of data collection and processing, including its scale and the purposes of the processing- the information clearly constitutes health data and perhaps is even used in a medical context.

           A market with many players: allocating responsibility and ensuring users’ empowerment

            The various actors of the mHealth industry -app developers, operating system (OS) manufacturersand device manufacturers, app stores and third parties (e.g. advertisers)- rely, although to a variable extent, on business models based on the monetization of personal data generated by (or concerning) users. 

            As business models shift to new modalities of monetizing personal data (e.g. platforms and so-called coopetition[11]), it becomes increasingly difficult for users to control not only the actual use made of their data, but also the re-use of data by commercial partners of the controller and potential use that might take place once new possibilities of monetization become available due to the development of technology and business. For example, personal data originally disclosed to a patient association, in order to share information on a particular disease, might later be made available by such association to a pharmaceutical company which sells a medication for the disease and will use the information for commercial purposes.

           Information asymmetry

            On the one hand, market operators active in a number of sectors (healthcare, technology,advertising, insurance, etc.) actively study all possibilities to exploit data in the context of newcommercial initiatives and improve profits. On the other hand, users have almost no visibility orunderstanding of the commercial dynamics that entail use of their personal information. Theincreasing amount of data becoming available and processed as an effect of the tendency to rely onBig Data will only magnify the information asymmetry and increase the divide between controllersand users.[12]

            The interaction between the IoT and Big Data in mHealth can pose significant risks to data protection in view of the heavy penetration of smart devices and apps related to mHealth. Particularly relevant to mHealth are wearable computing devices which embed multiple interconnected sensors capable of recording body functions and lifestyle information. The quality of data produced by such devices and sensors may vary from merely raw data to more sophisticated data combinations and inferences concerning the data subject, revealing specific aspects of an individual’s habits, behaviors and preferences[13], thus reinforcing the idea of the individual as a quantified self[14](i.e. digital projection of the individual).

          Profiling

           The widespread collection of sensitive health data will open the door to profiling and possible adverse selection, for example for employment or insurance purposes.

           The main concern is that, if all insurance companies and private healthcare providers adopt as a standard practice an in-depth monitoring of personal health data in order to adapt their commercial offering to each customer, they may automatically refuse coverage to those who object to such disclosure or sharing, regardless of their health conditions or risk factors. As a result, the practice of sharing data will automatically result in discrimination against those who prefer not to disclose or share their health data.

           The lack of trust in mHealth will deter users from using innovative solutions and prevent society from reaping the benefits of mHealth. It is therefore of the utmost importance for all operators to guarantee confidentiality, integrity and availability of the personal data processed according to data protection rules, international standards and best practices.

           In such a context, the application of data protection-by-default and data protection-bydesign principles as prescribed by the article 25 of GDPR combined with a systematic effort towards privacy engineering, is necessary to address the problem of both security and consumers’ lack of trust.

           As EDPS rightly points out Designers and manufacturers should apply the same level of creativity and dynamicity they usually display in introducing attractive devices and apps to also provide individuals with effective and user-friendly privacy notices and setting options. As a result, individuals should be able to set options relevant to their privacy and data protection with the awareness that this is an important element of the devices and apps’ use, in their own personal interest, and not a boring formality or a useless burden.[15]

[1]European Commission Green Paper on mobile health, 10 April 2014, COM(2014) 219 final

[2]Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version of the OJ L 119, 04.05.2016.

[3] Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of health care services to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test. (Recital 35 of the GDPR.)

[4]Article 9 of the GDPR prohibits the processing of special (i.e. "sensitive") categories of data, inter alia health data, subject to a number of exceptions, to be interpreted narrowly.

[5]According to the Commission Green Paper, mHealth covers "medical and public health practice supported by mobile devices, such as mobile phones, patient monitoring devices, personal digital assistants (PDAs) and other wireless devices". This includes "lifestyle and well-being apps that may connect to medical devices or sensors (e.g. bracelets or watches) as well as personal guidance systems, health information and medication reminders provided by SMS and telemedicine provided wirelessly.

[6]‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR, Recital 5)

[7]Even when considered as anonymized, data may have intrinsic characteristics that lead to the identification of a specific individual (e.g. if a rare disease is at issue, in cases where a few patients exist worldwide, there is the risk that such patients are easily identified).

[8]Opinion 1/2015 of the European Data Protection Supervisor, “Mobile Health Reconciling technological innovation with data protection”, p. 6.

[9]Health data should also include administrative documents that include personal data relating to the health status of a person. Amongst those documents are medical certificates (e.g. documents certifying medical aptitude for work), forms concerning sick leave or the reimbursement of medical expenses. See: EDPS Guidelines concerning the processing of health data in the workplace by Community institutions and bodies, September 2009, p. 2.

[10] Commission Nationale de l´Informatique et des Libertés (CNIL), Le Corps, Nouvel Object Connecté`, Cahiers IP no. 2. 

[11]Ibid, p.31. The key feature of this model is the operator´s ability to turn actual or potential competitors into commercial partners, shifting from business competition to so-called coopetition. 

[12]Opinion 1/2015 of the European Data Protection Supervisor, p.10 

[13]Article 29 Working Party (now defunct) opinion about the Internet of Things ("Opinion 8/2014 on the Recent Developments on the Internet of Things" ). 

[14]Kelvin Kelly, founder of Wired, established the platform quantifiedself.com with journalist Gary Wolf, and introduced the concept to a broader audience. 

[15] Loc. Cit. p.14.