The most important law in the EU Data Protection regulatory framework is the General Data Protection Regulation - GDPR, which calls for the harmonization of the rules on the protection of EU citizens’ data (contrary to what the old directive 95/46/EC did).
However, since the GDPR defines high level requirements and user rights, there are other laws (e.g. ePrivacy Regulation - or the new Cookie law envisioned for 2019) and soft laws released by official bodies (such as art. 29 Working Party and ENISA), which must be considered in light of their contribution to the most recent and important guidelines on data protection and security.
According to the GDPR, Health Data are “all data pertaining to the health status of a data subject” (see recital 35 and art. 4(15) GDPR). As such, they can be considered a sub-category of Personal Data. The definition provided by the GDPR is further explained by the Art. 29 Working Party, the EU body with advisory status on data protection matters, which helps identify the situations in which personal data can be considered Health Data.
Examples of Health Data include heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking, diseases and many others.
Although the definition provided by the GDPR may seem clear, the presence of some “grey areas” makes data categorisation difficult. It is therefore essential to define the type of data you will collect: different data bring about different legal challenges. To gain insight into the legal issues and assess your data collection needs, you can download our Decision Tree or perform a 5-minute self-assessment test.
To start with privacy law compliance, it is fundamental to understand the service delivery chain and to identify who is the party responsible for the processing of data in your case.
GDPR and EU data protection laws identify different figures in the liability chain:
Data Subjects: the service users to whom the data belong.
Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking app), then you are the Data Controller. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you are not (usually) nominated as Data Controller. Note that Controllers have to satisfy some organizational requirements that are listed later on.
Data Processors: entities that help you in delivering a service. Chino.io, for example, is a Data Processor since it provides a set of services to you. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you would be appointed as Data Processor.
Assigning roles is the first step toward the identification of the requirements to be satisfied and implemented within your system.
A typical cloud application has different components on the backend side that are responsible for user, data and application logic management. The technical safeguards mainly concern the API, user data and health data. They include:
Their main aim is to ensure that the developers’ data processing is lawful and that their service is properly regulated. These measures must be analyzed case by case with lawyers in order to identify the implications of your specific data processing. Chino.io makes documentation much easier.
Implementing technical requirements is complex, expensive, risky in case of errors and time-consuming. Chino.io strengthens all safeguards by offering developers a set of APIs that can be easily integrated into apps or servers to store sensitive data securely.
For example, we assist you in explaining to customers and Data Protection Authorities how you process and store collected data. Nonetheless, supplementary legal advice might still be necessary for a comprehensive analysis.
To learn more, download our guide on health apps GDPR and HIPAA compliance.
The reference website for updates on Data Protection in the EU is: http://ec.europa.eu/justice/data-protection/
The reference website for updates on Cyber Security strategy in the EU is: https://ec.europa.eu/digital-agenda/en/cybersecurity
Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(Text with EEA relevance).
Directive 95/46/EC of the European Parliament and of the Council of the 24th of October 1995 (the Data Protection Directive) harmonises national laws which require high-quality data management practices on the part of the “data controllers” and guarantee a series of rights for individuals. It provides a generic description of categories of data and general data protection principles. It doesn’t mention security safeguards, and since it was defined many years ago it does not mention topics such as the Cloud. It will be improved by the upcoming GDPR.
Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, of the 18th of December 2000. It regulates the processing of individuals’ personal data when the processing is carried out by Community institutions and bodies.
Directive 2009/136/EC of the European Parliament and of the Council of the 25th of November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.
Directive 2002/58/EC of the European Parliament and of the Council of 12th of July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Council Framework Decision 2008/977/JHA of the 27th of November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).
Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
EDPS Opinion 01/2015 on Mobile Health - Reconciling technological innovation with data protection. (5/2015)
EU Commission Green Paper on mHealth (4/2014).
EU Art. 29 Working Party letter on the scope of the definition of health data in connection with lifestyle and wellbeing apps (criteria to determine when personal data qualifies as “health data").
Art. 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.
Art. 29 Working Party Opinion 03/2013 on purpose limitation, Adopted on the 2nd of April 2013, wp 203. (2013)
Art. 29 Working Party Working Document 01/2012 on epSOS, Adopted on the 25th of January 2012, wp 189. (2012)
Art. 29 Working Party Opinion 15/2011 on the definition of consent, Adopted on the 13th of July 2011, wp 187. (2011)
The Art. 29 Working Party - Future of Privacy: joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, wp 168. (2009)
Art. 29 Working Party Working Document on the processing of personal data relating to health in Electronic Health Records (EHR), Adopted on the 15th of February 2007, wp 131. (2007)
The question of whether and how individual Member State privacy laws differ from EU Directives and from each other is a very difficult one to answer.
Although EU Regulations (e.g. GDPR) are directly enforceable within the Member States, national laws can impose additional and more rigorous requirements than those set by supranational laws. Such complexity calls for a careful analysis of the national laws of the State in which you are delivering your service.
At Chino.io, changes and evolutions, especially those related to our business, are constantly monitored. Our security measures, internal practices and health data management procedures ensure compliance within each Member State.
It is important to point out that not all security requirements are thoroughly defined by the EU privacy laws. Usually, laws and directives set general principles for the encryption of health and sensitive data or the implementation of security standards. These security standards are usually defined by specific bodies such as ENISA.
National-level certifications or public bodies (e.g. hospitals) might require the fulfilment of other specific conditions. Their specificity calls for a case-by-case examination (e.g. of those in France, which represent a huge obstacle for startups and innovation). For instance, hospitals frequently ask to deploy services within their own server farm or to implement old-fashioned security strategies such as VPN.
Chino.io helps companies to solve these challenges. For any question or doubt, do not hesitate to contact us at firstname.lastname@example.org
Some useful resources:
Overview of the national laws on electronic health records in the EU Member States (2014)
Legal framework of Interoperable eHealth in Europe (2009) analyzes the legal and regulatory frameworks for electronic health delivery and services in each Member State.
EU Commission Justice Studies on Data Protection including single country reports
EU Commission Comparative Study of different approaches to new privacy challenges in particular in the light of technological developments (2010)
ENISA: Security and Resilience in eHealth Infrastructures and Services investigates the approaches and measures to protect critical healthcare systems.
Handbook on European data protection law by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights.