Feeling sick? Grab your smartphone!

Normally we’re used to hearing and reading about the potential health risks connected to the excessive use of smartphones and mobile devices. But this time it’s the other way around: Germany recently passed a digital health act (“Digitale Versorgungsgesetz”) allowing doctors to prescribe the use of certain health applications to patients, with the costs covered by public health insurances.

apps as medical devices

The explicit recognition of “software” as a medical device derives directly from art. 2 of the European Regulation on medical devices (2017/745/EU), which, inter alia, divides medical devices into several classes based on their function and their inherent risks. The German law allows software applications to be recognised as medical devices (“health apps”) only if they fall into the two lowest risk classes (i.e. I and IIa).

Practical examples of how an app could be implemented as a medical device are apps that track certain health data (e.g. daily glucose values for diabetes patients, or general health data of pregnant women), apps providing psychological assistance, apps that help test reactions such as sight or hearing, and so on.

The government’s goal is also to improve access to medical aid by allowing online consultations via apps.

how to get an app approved

There are two aspects in the planned approval process for medical apps:

  • just like any other traditional medical device, medical apps must in the future be approved by the Federal Agency for Pharmaceuticals and Medical Devices (BfArM) in order to be marketed as such (i.e. as “medical”)

  • once a health app has been approved, doctors may prescribe its use and the costs connected thereto are covered by the public (and private) health insurances

The approval process will consist of checking that the health app complies with a list of requirements of a medical, technological and legal nature.

From a legal perspective, the most important issue is definitely the protection and security of data, which has to be ensured in numerous ways. Consumer protection and liability (in particular in connection with the health claims under which the app is presented) will also play a major role. Currently, a draft regulation concerning the application process is being circulated: although this version is not final yet, it already gives a fairly specific insight into what the approval process will most likely look like, and already allows interested app owners to move in the outlined direction.

new opportunities

The development and approval of health apps represents a major opportunity both for established pharmaceutical enterprises and for smaller companies, which are often faster and more flexible in adopting new technology in this sector as well. The approval process in Germany will be open to app owners from all over the world, if the current regulation is not amended in that respect. In any case, due to the principle of non-discrimination, owners based elsewhere within the EU could hardly be excluded.

Personal data as currency

The administrative court of Lazio (“TAR Lazio”), the Italian region surrounding Rome, has recently issued a widely discussed decision (partly) upholding a 5 million sanction imposed on Facebook by the Italian Competition and Market Authority (“AGCM”).

The following is a very brief overview of some relevant issues debated during the case, which covered further aspects not commented on here.

The facts

The AGCM contested that until April 2018, when new users registered an account on Facebook, they were confronted with a claim stating “It’s free and it will always be”. At the same time, users were not provided with an adequate notice about the processing of their data. Such notice was not precise: in particular, it didn’t disclose clearly that Facebook would “sell” the personal data gathered via its platform.

Facebook defended itself by stating that the AGCM wasn’t even competent to impose sanctions in this case because, on the one hand, Facebook’s services were “free” and therefore did not represent a “commercial practice” and, on the other hand, the issue revolved exclusively around the processing of personal data. Therefore, the only competent authority would be the Irish Data Protection Commission, since Facebook is based in Ireland.

The decision

TAR Lazio upheld the sanctions imposed by AGCM for two reasons:

1- There is a clear contradiction between stating that a service “is free and will always be” and exploiting the users’ personal data commercially, as Facebook does. The fact that the “price” of the service is not paid in a standard currency, but in personal data, doesn’t make it any less a commercial transaction. Personal data as such are valuable, and Facebook’s service cannot be seen as “free” (as in “free beer”) because users “pay” for it by making their data available.

2- An issue revolving around the protection of personal data is not automatically irrelevant with respect to other branches of law. A data protection issue may very well have negative consequences in terms of consumer protection, in particular if data is treated as a “currency” to purchase certain services. The protection of personal data resulting from data protection legislation doesn’t exclude other branches of law, such as consumer law, affording a different protection to scenarios that involve the processing of personal data. Different legal protections may coexist.

Takeaways

Considering personal data as a sort of “currency” to pay for services may seem odd at first sight, but it actually corresponds to a reality that’s not even new any more. In this respect, data-based business models cannot be considered free (as in “free beer”).

If that much is true, it triggers the applicability of a whole set of provisions that apply to commercial transactions, including those on unfair commercial practices or consumer protection, which would not be applicable if the business model were considered free of charge. From a data protection perspective, the reasoning couldn’t be more convincing: treating Facebook-like business models as “free” would otherwise result in a paradoxically lower protection of data subjects precisely in a context of massive personal data exploitation.

And yet, were this approach confirmed, it would have far-reaching consequences for any similar business model, for instance in terms of liability and guarantees (which are considerably higher if the service is provided against payment), consumer law compliance (just think of the right of withdrawal, to name one) etc.

On the other hand, it introduces a new variable into the data protection environment: so far, we know that personal data may be processed according to one of the lawful bases set forth in art. 6 GDPR. None of them mentions personal data as “currency” and, at least at first sight, none of the current lawful bases really applies to this specific scenario.

Paying with personal data is part of everyday life nowadays: it’s therefore (already) time to rethink the respective legal framework.