Global Standards for Fitness Apps and Wearables Advance With Best Practices from the Future of Privacy Forum and the EU MHealth Code of Conduct
Wearable and mobile devices that help users track physiological information can greatly improve consumers’ lives. Wearable technologies – and related apps and services – can use sensors to collect environmental, behavioral, and social data from consumers. Users can monitor, evaluate, and improve something as simple as a fitness routine or as serious as a medicine schedule. Data generated by wearables is also useful to others. It can help manufacturers improve their products. Researchers can use data collected by wearables to reveal insights, cure diseases, and provide other broad societal benefits. Insurance agencies or employers could use the data to allocate benefits and costs.
Some information produced by wearables is explicitly sensitive. Some data sets that may not seem very sensitive at first blush can reveal more sensitive information if they are combined with other data. Yet much data derived from wearables is not medical information regarding treatment by physicians; rather, it relates to health and fitness activities chosen by consumers. Wearables data raises questions for global privacy regimes – how should privacy frameworks treat this information in light of the varying contexts in which it is collected and used? Data produced from wearables exists on a privacy spectrum. The lack of bright line standards to separate sensitive and non sensitive lifestyle data means that holding all lifestyle data to a high standard would impede innovation, while holding that data to a low standard will create privacy risks for consumers.
In August 2016, the Future of Privacy Forum (FPF) published a set of best practices for consumer wearables and wellness apps and devices. The document articulates a baseline of responsible practices intended to support a targeted FIPPs-based trust framework for the collection and use of consumer-generated wellness data. The best practices build on existing legal expectations and requirements established by leading mobile app platforms, providing organizations with practical guidance that can enhance compliance with legal and contractual norms. The FPF best practices follow the July 2016 European Commission code of conduct on privacy for mobile health apps. The code was drafted to be easily understandable and useful to small companies and individual developers who may not have access to legal expertise. The Commission expects the code to raise awareness of the data protection rules in relation to mHealth apps and facilitate compliance at the EU level for app developers.
The FPF best practices and EU code of conduct have similar goals – to build trust in wellness and fitness technologies while supporting innovation and beneficial uses of devices and apps. They share many priorities, including similar approaches to security and user consent for data sharing.
For example, the FPF best practices recommend a comprehensive security program; similarly, the EU code of conduct recommends appropriate technical and organizational security measures. Both documents recognize that de-identified or anonymized data can be used for beneficial purposes and ought to be subject to more permissive use and sharing norms. In addition, the best practices and mHealth code of conduct both permit use of wellness data for research if certain rules are followed. The best practices require specific, informed consent for research use, unless such use is approved by an ethical review panel. The code of conduct allows the processing data for historical, statistical or scientific purposes, even when such uses are not authorized by the user, provided that it is done in accordance with national and EU rules for secondary processing. Finally, the documents take similar approaches to sensitive data – both the best practices and the code urge enhanced mechanisms for providing notices and obtaining consent for wellness data that is particularly sensitive.
However, there are differences between the approaches regarding advertising and third party data sharing. The best practices focus on the use of consumer wellness data for advertising, while the mHealth code of conduct is focused on advertisements made to consumers generally. The mHealth code requires explicit opt-in authorization from the consumer when advertising is not compatible with the original purpose of collection or processing. The FPF best practices establish similar guidance for third-party sharing generally – it is permissible with users’ opt-in consent. However the best practices forbid sharing covered data with data brokers and ad networks, even if the user explicitly consents. In contrast, the code permits sharing with data brokers and ad networks as long as opt-in consent is obtained.
To read my recent article summarizing these FPF best practices and EU code of conduct, published in October’s issue of Digital Health Legal, click here.
This content has been updated on November 7, 2016 at 16 h 39 min.