06.09.2018 "The people affected are too little aware of current data protection rules"

Interview with Barbara Widmer. Our health data are particularly sensitive, yet today everyone and everything is tracked. Can we still protect the data that mHealth apps acquire from us and store? In our discussion, the lawyer and expert on data protection issues tells us where the greatest data protection risks lie with mHealth apps and what we can still do to make our data more secure.

Dr Barbara Widmer is a lawyer who represents the Conference of Cantonal Data Protection Officers on various eHealth Suisse working groups.

spectra: mHealth apps collect health data. Why are these data particularly sensitive?

Barbara Widmer: Because of the inherent risk of breaching someone's privacy, say by accidentally disclosing a prejudicial medical diagnosis. A lot of people think they have nothing to hide. This assumption is generally false, and particularly so when it comes to health. Everyone has something to hide, and there's nothing wrong with that. You can glean a lot of information from health data that various market players such as health, daily benefits, disability or life insurance providers, authorities, employers or the pharmaceutical industry would be keen to have.

A lot of people think they have nothing to hide. This assumption is generally false, and particularly so when it comes to health.

What are the greatest data protection-related risks associated with mHealth apps?

There are three major risks.

The first is the misappropriation of data. Under data protection legislation, data can only be used for the purpose communicated when it was gathered. Applied to mHealth apps, this will regularly mean measuring, collecting and analysing certain values. Unfortunately, there is also a risk that the manufacturer or provider will be making background use of the data for other purposes, such as advertising, without the consent of the people supplying the data.

The second risk stems from non-transparent data processing. Users of mHealth apps are often unaware of where the app is storing their data, who has access to it and the extent to which it is passed on to third parties.

The third risk is poor IT security. Data protection legislation stipulates that mHealth apps must provide state-of-the-art security. However, cost considerations mean that manufacturers tend to economise on security, especially with free apps. This jeopardises the accuracy of the data (data that is wrongfully accessed may be falsified or attributed to the incorrect people), and inadequate security increases the risk of data theft.

What should users do to gain maximum benefit from mHealth apps while at the same time minimising the risk of data misuse?

Paid apps give people greater control over how their data are used. This applies to paid apps in general, incidentally, not just to mHealth apps. Many people do not appreciate that in the digital world, free apps are only superficially free because the providers earn money from evaluating the data they collect and, depending on the circumstances, selling them on to third parties – often without the affected people's knowledge. For this reason, anyone who uses mHealth apps should always buy their apps, rather than use free ones, and find out why data is collected, who has access to it, where it is stored and whether and how much of it is passed on to third parties.

What, if anything, can users do to protect themselves?

There's plenty you can do. You should always be wary of mHealth apps that appear to be free (cf. answer to question 4), checking instead to see if there's a paid version, and making sure that you can get answers to the following questions: What purpose does the mHealth app collect the data for, who has access to it, where is it stored and does it get passed on to third parties? If you can't get answers to these questions, don't use the app, even if you have to pay for it.

If the data is not stored within the EU, you need to be careful.

What happens if I want to exercise my data protection rights, but the data is abroad, say in the EU, USA, China, Russia or India, for example?

It depends on what country the data is in. If it's in the EU, you have a very good chance of being able to exercise your rights successfully. The EU has completely overhauled its data protection legislation and tightened it up in various areas. The EU's data protection authorities can now impose heavy fines on anyone caught infringing the EU's data protection laws, for example.

If the data is not stored within the EU, you need to be careful. Although the USA does have data protection legislation, there are substantial differences between it and European or Swiss notions of data protection. Countries such as China, India or Russia have no or at best limited data protection legislation. Users of mHealth apps should therefore only use apps that store data in either Switzerland or the EU.

What areas of Switzerland's data protection law do you think need updating?

I think the law is fine as it stands. The problem is less the law itself than the fact that stakeholders are too little aware – if they are aware at all – of existing data protection requirements. Alternatively, they simply don't care about them, something that also goes for a lot of users. In view of this, we need to intensify our efforts to enforce the existing legislation. The EU and eHealth Suisse have now produced guidelines containing checklists that producers and suppliers of eHealth apps can use to audit themselves. As a further measure, Switzerland is discussing the option of setting up a central government-run or partly government-run agency to carry out minimal testing of mHealth apps.

Our interviewee

Dr Barbara Widmer is a lawyer who represents the Conference of Cantonal Data Protection Officers on various eHealth Suisse working groups. These include the mHealth working group, which is addressing the subject of "mobile terminal devices" from various perspectives. She has a postgraduate qualification in international economic law and is a certified internal auditor. She has research interests in economic, intellectual property, information and EU law and also works on supervisory issues that need to be readdressed in the light of the spread of digitalisation.