Digital health apps are increasingly used in practice. They raise various questions under regulatory, data protection and data security laws. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body that brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).
Germany was the first country in the world that offered reimbursement for digital health apps under the statutory health system. Reimbursable health apps are medical devices and must meet specific requirements set out in the DiGA Regulation and be approved by the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM). The DiGA Regulation imposes specific data protection and data security requirements on health apps (in addition to safety, functionality, quality and interoperability requirements). The DSK’s paper does not discuss the specific obligations imposed by the DiGA Regulation. The DSK paper also refers to digital health apps that are not subject to reimbursement under the DiGA Regulation.
* * *
In brief, the paper discusses the following topics:
- GDPR roles are fact-specific. Determining controllership is complex. A health app manufacturer’s role as a GDPR controller, processor or neither is fact-specific and depends on whether it processes personal data and whether it decides on the purposes and means of that processing. The paper also briefly acknowledges that other entities may process personal data in connection with the health app (e.g., doctors and cloud providers), which may be either (separate or joint) controllers or processors, subject to a case-by-case assessment. In this context, the DSK further refers to the European Data Protection Board “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”.
- Cloud functionality should be optional. The GDPR’s principle of data protection by design and by default under Article 25(1) GDPR requires health app manufacturers to configure their health app in such a way that it can be used without creating an account and without activating cloud functionality, unless the cloud function is absolutely necessary to achieve a therapeutic benefit and the function is expressly requested by the data subject. If a user decides not to activate the cloud function, then the data should be stored locally on the device. The paper also states that data subjects should be informed of the potential benefits and risks related to the health app’s use.
- Consent is the preferred GDPR legal basis for research processing. The use of health data for research purposes and the appropriate legal basis is always a hot topic. The paper mentions that explicit consent is usually the legal basis relied on for processing special categories of personal data for health research purposes. In this context, the paper also discusses the use of anonymized data. Anonymous data is not subject to the GDPR. As to whether or not data may be classified as anonymized data, the paper refers to Recital No. 26 of the GDPR. If personal data is anonymized, then the anonymization process should be set out in a data protection impact assessment (“DPIA”).
- The Medical Devices Regulation provides a legal basis for processing for quality assurance and risk management purposes. The paper states that manufacturers may rely on their legal obligation to process personal data for the purposes of quality assurance and risk management as required by the Medical Devices Regulation. However, manufacturers must process only as much data as they need to achieve these purposes, and they should implement measures to safeguard users’ privacy interests (e.g., deleting data once it is no longer needed).
- The GDPR requires a separate legal basis for processing personal data for audience measurement and software error tracking. The paper states that this processing is generally not compatible (in the sense of Article 6(4) GDPR) with the data processing required to provide the health app. Although the paper does not say so expressly, this suggests that the processing of personal data for audience measurement and software error tracking requires a separate legal basis from that relied on to provide the health app.
- Other GDPR obligations still apply. Although it does not provide specific guidance, the paper also offers a timely reminder that the full range of GDPR obligations applies to health apps. These include obligations to (i) respond to data subject requests in an effective and prompt manner while ensuring the safety of data subjects’ personal data (e.g., a secure authentication mechanism for requestors), (ii) ensure an appropriate level of protection through the effective implementation of technical and organisational measures and the preparation of data protection impact assessments (“DPIAs”) (e.g., following the guidance issued by the German Federal Office for Information Security), and (iii) implement appropriate safeguards for international data transfers (in accordance with the EDPB’s recommendations).
Covington regularly advises international companies on cloud-based applications and digital health and will keep monitoring developments at the EU and Member State level. We are happy to assist you if you have any questions about the DSK’s paper or, more generally, digital health and the use of cloud-based products in different sectors.
(This blog post was written with the contributions of Diane Valat.)