Whether pedometers, heart rate monitors or calorie calculators - countless apps for measuring your everyday life (quantified-self) are now part of everyday life. Europe's top data protection experts are concerned about this development and are demanding compliance with strict data protection standards. This is because, according to the so-called Art. 29 Group, the information collected is particularly sensitive as health-related data (see the statement).
Health data is particularly protected under the BDSG - and the underlying EU directive. This is because it allows conclusions to be drawn about the person concerned in a special way. If they fall into the wrong hands or are disseminated in an unauthorized manner, this can lead to massive and almost irreparable damage to the person concerned.
However, it is not so easy to determine what health data actually is in this sense, especially in times of big data. Of course, this includes the original medical data that is generated, for example, during a doctor's or hospital treatment or in the pharmacy.
According to the - correct - view of the Art. 29 Group, however, data that is collected outside of medical treatment and which alone or in combination with other data provides information on the state of health should also be regarded as health data. For example, a pedometer app that permanently collects data but hardly counts any steps will prove a lack of exercise. If the apps are combined with other data on age, height and weight, smoking or drinking habits, for example, in order to make recommendations for the daily number of steps, a very meaningful health profile is quickly created.
If, as is usually the case, this data is not processed solely on the device itself (e.g. the data subject's smartphone), but on the app manufacturer's servers, the data subject's consent is required for this collection and processing to be permissible. Of course, this applies all the more if the data subject shares the data with other users in a community.
The Art. 29 Group recommends using privacy-by-design and anonymization measures to keep the flood of data to a minimum. At the very least, however, the data subject must give informed consent to data processing before (!) downloading the app. These declarations of consent are quite a challenge. This is because the data subject must be aware of all the categories of data that will be collected. They must also be informed exactly for what purposes and by whom the data will be collected, processed and used.
To date, these requirements have often not been met. The Article 29 Working Party is not a legislative body and its recommendations are not binding on any court. However, as a working group of European data protection authorities, the publications repeatedly provide a valuable guideline for how the data protection authorities want to deal with certain issues. It can therefore be assumed that the German supervisory authorities will also take a closer look at health apps in the future.
In addition to the aforementioned requirements regarding the permissibility of data collection via such apps, further requirements resulting from the processing of health data must also be observed. For example, a company data protection officer must always be appointed in such companies, regardless of the number of employees.
