by Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB



On 24 April 2017, the Brussels Privacy Hub organized a workshop addressing data protection issues in the health app industry. The workshop was part of the GDPR Workshop Series which is providing guidance and information in preparation for the implementation of the General Data Protection Regulation (GDPR).


The workshop focused on legal issues concerning health delivery by mobile apps. Such apps include both mobile health and well-being apps that typically process personal data of individuals, including special categories of their personal data. Nicolas Carbonelle, an associate at Bird & Bird, introduced the regulatory framework applicable to medical devices. Paul Quinn, Professor at LSTS, reflected on the EU data protection requirements that have to be considered by entities running and launching mobile health and well-being apps. During the event the following topics were addressed:

Medical Device Regulation: In April 2017, the rules governing standards of quality and safety for medical devices were revised. The Medical Device Regulation (MDR) repealing the Directive on Medical Devices aims at establishing a ‘predictable and sustainable regulatory framework for medical devices which ensures a high level of safety and health whilst supporting innovation’. The MDR defines ‘medical device’ as ‘any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes’ (Article 2). Such purposes may include diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease. The term ‘software’ is not a new addition to this definition and it can be found in the Directive on Medical Devices. However, the use of this term means that apps and their accessories that are developed for a medical purpose (e.g., monitoring and measuring blood pressure for diabetes management) are subject to rules as well as safety and performance requirements listed in this regulation, including a comprehensive post-market surveillance system.


Challenges of qualifying mobile apps as a medical device: The speakers argued that a wafer-thin line separates health and well-being apps that are considered to be medical devices from apps that are not. For example, the app that manages and displays information about the glucose meter that is connected to your body will automatically be categorized as a medical device. In general, the participants agreed that if an app provides a personalized advice or feedback based on individuals’ personal data, then, it will always fall within the scope of MDR. At the same time, an app that presents passive information, such as a diet plan or a general advice on a health problem, would not be considered to be a medical device. It is recommended that developers of apps that intend to provide medical assistance consult Guidelines on the qualification and classification of standalone software used in healthcare within the regulatory framework of medical devices.


Data protection concerns: Provided that mobile health and well-being apps process personal data, there is no doubt as to whether security requirements and other obligations stemming from the GDPR apply. Nonetheless, identifying applicable law may be not that straightforward in practice. Article 9(4) of the GDPR grants Member States with a possibility of enacting domestic measures governing the use of data concerning health. Therefore, controllers of such apps should also consult domestic regulation.

Finally, participants agreed that consent is the most appropriate legal basis used in the context of apps. Individuals should be required to consent in order to download an app and in order to enable it on a smart device. Participants encouraged aspiring developers looking for specific solutions to data protection issues to consult the mHealth code of conduct, drafted by the European Commission.


Connect with us

Brussels Privacy Hub

Law Science Technology & Society (LSTS)

Vrije Universiteit Brussel

Pleinlaan 2 • 1050 Brussels



Stay informed

Keep up to date of our activities and developments. Sign up to our newsletter:

My Newsletter

Copyright © Brussels Privacy Hub