Publishers and operators of mobile health and well being apps: French competition authority and other authorities in Europe are watching you

The rise of Information Technologies and Telecommunications and particularly the Internet of Things allows the implementation of connected tools and services.

The rise of Information Technologies and Telecommunications and particularly the Internet of Things allows the implementation of connected tools and services. These new solutions integrate computer programs for the collection and transmission of data provided by users, and are linked to external systems for analysis and/or retention of this information by third parties.

A mobile computing outburst has thus been observed over the last few years, and a whole new software market of mobile apps is flourishing. One of the most popular software categories within these on-line stores is that of health and well-being and, developers and publishers are increasingly populating the m-health apps market.

The health and well-being market is no stranger to this development. The development of this new generation of solutions - foremost among which are health and well-being applications - raises concerns among consumers and public authorities about the safety of these connected objects, their technical reliability, their imperviousness to cyber-attacks, and the confidentiality of data collected and processed in this context.

Furthermore regarding consumer products, these connected objects and mobile applications must comply with the applicable rules regarding consumer law and data protection rights, for which it is the competent authorities’ responsibility to ensure. It is on this account that the DGCCRF (Directorate General for Competition, Consumption and the Repression of Fraud) published the results of an exploratory inquiry it conducted in 2017 on the market of health and well-being mobile applications, in which it examined 25 downloadable applications intended for the general public (the applications reviewed were not published by the DGCCRF), among the approximately 100,000 applications that are to be currently existing.

Findings from the DGCCRF inquiry: little anomaly and no misleading claim on the qualities or benefits of the analysed applications

The applications concerned by the inquiry offer support and advice on fitness, exercise and diet through a monitoring of parameters that are, depending on the case, (i) directly provided by the consumer, (ii) measured by the device’s sensors or (iii) transmitted by separate connected objects.

The DGCCRF carried out controls in order firstly to verify compliance with the general consumer information rules: no anomaly has been found on this point. Especially, no anomalies were found on the claims: the controlled applications did not claim beneficial effects on a medical pathology. This is an important point because the borderline between commercial/marketing claim and medical claim is sometimes thin and ambiguous as it can be seen from the recurring debates around "functional food" and claims on foodstuffs and related to the reduction of a disease risk.

With regard to medical claims made by mobile health applications, several litigation proceedings were initiated in the United States at the end of last year. Some have led to settlement in exchange of commitments made by developers of the applications at stake to clearly indicate that their application is not intended to provide a medical service, and that they modify their data protection policy by requiring the express consent of users to the collection and sharing of their personal data (see for example the transaction of the Attorney General of New York concerning Cardiio, Runtastic and Matis, 23 March 2017).

It is, moreover, on the data protection policy that most of the criticisms from the DGCCRF were focused on. Indeed, apart from the rare breaches identified concerning the provision of pre-contractual information (information that has to be delivered to the consumer prior to the sale) required for distance selling and notably the mandatory indication of the existence of a 14 days withdrawal period, the DGCCRF criticizes the access by the application to data not necessary to the application functioning.

The need for international standards

Noting that the majority of controlled applications are published by companies that are not established in France, or even in the European Union, the DGCCRF recommends the drawing-up of international standards on the reliability of applications, particularly with regard to measurements made, and on data protection. As such, several companies have already developed standards setting ethical, technical, medical and regulatory criteria, from which they evaluate the applications submitted to them by publishers and which allow them to award a quality label.

The DGCCRF therefore announces forthcoming additional investigations, focusing in particular on the reliability of the measures performed by connected objects to this type of application - other essential aspect in this area that can play a decisive role in the civil and criminal liability of companies operating these applications.

Authorities are increasingly interested in health and well-being applications

The DGCCRF's inquiry, which follows the recent opinion issued by the National Consumers Council (CNC) relative to connected objects in health (and which dealt with regulatory, security (reliability/compliance) and digital issues (protection and ownership of personal data), demonstrates that the authorities intend to strengthen the surveillance and control of a market that has surged in the past two years.
Read the opinion of the National Council of Consumption

Interestingly enough, health-related and well-being applications are heavily scrutinized by independent bodies and scientists (for a recent example: “Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice” from IEEE Members Achilleas Papageorgiou, Michael Strigkos, Eugenia Politou, Efthimios Alepis, Agusti Solanas and Constantinos Patsakis), with, more often than not, alarming results on the performance and conformity of these apps to regulation.

In “Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice”, which includes a detailed and structured security and privacy analysis of some of the most popular freeware mobile health applications along with tailored testing of each application’s functionalities, outlines the following findings: The majority of the analysed applications does not follow well-known practices and guidelines, not even legal restrictions imposed by contemporary data protection regulations, thus jeopardizing the privacy of millions of users.

Especially the study highlights the following:

  • As for health-related data: 80% of the analysed apps transmit users’ health-related data, while 20% store them locally on the device. In terms of security, only 50% of those apps transmit health-related data over HTTPS connections for all of their communication.

  • As for location privacy: Seven of the analysed apps requested and transmitted location information, that under certain data protection regulations is considered, not only personal, but sensitive as well. More precisely, 35% of the apps transmitted users’ geolocation information or their postal address either to their vendors or to third parties.

  • As for email and device Id. transmission: While 75% of the apps transmit user email addresses to at least one of their connected domains, 33% of those apps use an insecure connection for this transmission to at least one of their connected domains, and 60% of those apps share users’ emails addresses with third parties.

Regarding GDPR compliance, the authors found that 11 out of 19 apps provide, at least, an introductory information regarding their privacy policy or/and term of use before registration. However: (i) Only one of the apps is found to ask for user consent up front each time the user provides additional information; (ii) None of the apps require users to answer specific questions, in electronic form, about their willingness to participate.

As for the right to withdraw consent, 7 out of 19 apps provide users with an option to withdraw their consent, and thus allow for the erasure of any previously consented information.

Publishers of health and well-being applications must remain vigilant

In this context, and more than ever, publishers and operators of these applications must (i) first of all assess precisely, and from the development phase, the potential qualification of these applications as medical devices, the European regulation published in May 2017 (for an application in May 2020) bringing the majority of these applications into the scope of the regulation applicable to medical devices), and where appropriate their classification (IIa, IIb or even III), (ii) anticipate the appropriate pre-contractual information for consumers and (iii) put in place information and collection practices of personal data in accordance with the applicable legislation, which has been significantly reinforced by the European regulation on personal data which comes into force in May 2018.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.