
Page 1: Data Protection for mobile health apps (mHealth): how GDPR

Data Protection for mobile health apps (mHealth): how GDPR can help

pharmaceutical companies in Brazil

A thesis submitted to the Bucerius Master of Law and Business Program in partial fulfillment of the requirements for the award of the Master of Laws

(“LL.M.”) Degree

Johanna Ribeiro

July 27, 2018

13.060 words (excluding footnotes)

Supervisor 1: Christian Tinnefeld

Supervisor 2: Anderson Ribeiro


“The secret is not to chase after butterflies. It is to tend the garden so that they come to you.”

(QUINTANA, Mário, 1994)


SUMMARY:

This work analyses the European data protection framework for mobile health apps (mHealth) and applies the relevant findings to the Brazilian mHealth market. Other compliance issues related to mHealth, such as compliance with medical device legislation, health agency approval requirements, consumer protection law and e-commerce legislation, are out of the scope of this paper.

Keywords: data protection; data concerning health; medical apps (mHealth); GDPR; Brazilian data protection.


LIST OF ABBREVIATIONS:

ANPD Autoridade Nacional de Proteção de Dados

ANVISA Agência Nacional de Vigilância Sanitária

CDC Código de Defesa do Consumidor

CE Covered Entity

DPIA Data Protection Impact Assessment

EC European Commission

ePHI electronic Protected Health Information

EU European Union

FDA Food and Drug Administration

GDPR General Data Protection Regulation

HHS Health and Human Services

HIPAA Health Insurance Portability and Accountability Act

IDEC Instituto de Defesa do Consumidor

IT Information Technology

LGPD Lei Geral de Proteção de Dados

mHealth Mobile Health App

OCR Office for Civil Rights

SUS Sistema Único de Saúde

USA United States of America

WHO World Health Organization


LIST OF CHARTS:

Figure 1: Per capita cost in data breaches by industry sector (US$). Ponemon Institute, 2018, page 18.

Figure 2: Abnormal churn rates after data breaches by industry. Ponemon Institute, 2018, page 25.

Figure 3: The average total cost of a data breach by country or region (US$). Ponemon Institute, 2018, page 15.

Figure 4: The average number of breached records by country or region. Ponemon Institute, 2018, page 16.


TABLE OF CONTENTS:

1. Introduction

2. What is a Medical App (mHealth)

2.1 mHealth apps with storage of personal data

3. Risks of mHealth

3.1 Inaccuracy

3.2 Users’ privacy

3.3 Dealing with the Data Protection risk for mHealth

4. Data Protection

4.1 Data Protection in the USA

4.2 Data Protection in the European Union

4.3 GDPR

4.4 Main Principles to Process Personal Data

4.5 Types of data in light of the GDPR

5. GDPR and mHealth

6. Data Protection in Brazil

7. mHealth in Brazil

7.1 Legal data protection issues related to mHealth in Brazil

8. How the GDPR practices could help pharmaceutical companies in Brazil to increase trust in medical apps

9. Conclusion

10. Bibliography


1. Introduction

Over the past decade, the global mobile phone revolution has inspired many innovation projects and new trends across different areas and industries. Together with the rapid growth in the use of mobile phones, mobile applications (apps) have literally changed the way society behaves and works. This app revolution is no different in the healthcare and pharmaceutical areas.

The use of mobile applications for health matters (so-called mHealth) is already a reality, and the World Health Organization (WHO) released a checklist in 2016 to promote health innovation through mHealth. mHealth is an emerging and rapidly developing field, with the potential to play a part in the transformation of healthcare and to increase its quality and efficiency. The pharmaceutical industry is already taking advantage of mHealth, since it is a low-cost platform that allows patients to control and manage their health and wellness.

Some numbers help to illustrate the fast development of the use of apps in health care.

The use of mHealth by clinicians, patients and others has grown dramatically in recent years. According to a recent report from Juniper Research, the mHealth market will reach more than 150 million users by 2020. Another report concluded that the global mHealth market was valued at USD 11.47 billion in 2014 and is expected to reach USD 102.43 billion by 2022, growing at 32.5% between 2016 and 2022 (Zion Market Research, 2016).

In addition, according to the web page Research2guidance, by the end of 2018, 50% of an estimated 3.4 billion smartphone and tablet users will have downloaded an mHealth app, and nearly 100 million wearable remote patient monitoring devices, such as continuous glucose monitors, are projected to ship through 2019 (ABI Research Inc, 2014).

Many types of mHealth apps can be found in the market. In 2017, 325,000 mHealth apps were available on the Android and iOS app stores (Research2guidance, 2017). The mHealth market has been segmented by therapeutic area, for instance diabetes, respiratory, mental and neurological disorders, fitness and lifestyle, diet, etc.

The advent of mHealth did not affect only the pharmaceutical industry's market, by bringing even more money into its pockets. mHealth apps have a promising future in the mission of making society's health and lives better.

To illustrate how convenient and helpful mHealth can be, some projects should be mentioned:


As is well known, patients with chronic diseases are costly for any type of healthcare system. Diabetic patients, for instance, face health complications due to their condition, and they constantly need to be concerned about the timing and type of food they eat and the amount of insulin they should take. In this scenario, a partnership between Medtronic and IBM Watson developed a diabetes mHealth app to predict low blood sugar. Patients will be able to know three hours in advance that they are about to face low blood sugar levels. The app works as a connected system between the blood sugar measuring device, the diet the patient is following and the amount of physical exercise he is doing (Medtronic and IBM Watson, 2016). This type of mHealth will be able to improve those patients' quality of life and to reduce the complications arising from their chronic illness.

Another innovation project that must be cited is the partnership between Novartis and Google. The project promises (although the research was paused for a while) to deliver smart contact lenses that, connected to an mHealth app, will be able to monitor blood-sugar levels (Labiotech, 2018).

Besides improving people's health, mHealth promises to help the development of new drugs and health treatments. The Swiss pharmaceutical company Roche, for example, is developing an mHealth app to monitor patients during the clinical trial of its Parkinson's disease drug (Fierce Medical Devices, 2015). This technology will help research companies to develop drugs in a faster, cheaper and even more accurate way. Pharmaceutical companies can use mHealth as a channel to patients and build an easier way to report possible adverse effects. A direct channel using mHealth will reduce time and costs for pharmacovigilance departments.

Nevertheless, as with any novelty, mHealth can bring issues, concerns and challenges for its users and developers. There are still multiple adoption barriers for mHealth, for example regulatory, economic, structural, technological and data protection barriers.

The rapid development of the mHealth sector raises concerns about the appropriate processing of the data collected through mHealth apps. Therefore, this paper will analyse the last of the above-mentioned concerns: the data protection issues related to mHealth.

Data protection is nowadays an extremely discussed topic, as a result of the latest data breach scandals and the General Data Protection Regulation of the European Union becoming applicable in May 2018. However, when it comes to mHealth, the concern and duty of protecting users' right to privacy become even more contentious.


Most mHealth apps deal with data concerning health, a sensitive category of data which requires more attention and security. Having your information stolen or leaked is always unpleasant. When a person's credit card is stolen, for example, it is enough to cancel it and wait for another one. However, when a person's health data are stolen, there is no possibility of getting them back, and the person may face many harms as a result. The risks of disclosing health information to an unauthorized person will be discussed in depth in this work.

This paper will argue that mHealth apps must be designed in such a way that the privacy of the end users is optimally protected and, for this purpose, different areas must be involved in order to ensure quality and security.

In addition to the global mHealth scenario, the mHealth market and the legal framework for data protection in Brazil will also be discussed.

Besides the personal motivation of the author, analysing the Brazilian situation for medical apps is relevant for the pharmaceutical market itself. Brazil is expected to be the seventh largest mHealth market in the world (Vishwanath et al., 2016). This fact shows the importance of the Brazilian market for the pharmaceutical industry. In this regard, the data protection issue will demand a lot of effort from IT and data protection law specialists. In addition, taking into consideration that the GDPR has become applicable and that the new Brazilian general data protection bill is about to be enacted, mHealth apps will sooner or later need to follow strict legal data protection requirements, even in Brazil.

To conclude, this work seeks to provide legal guidance on mHealth and data protection to pharmaceutical companies doing business in Brazil.

2. What is a Medical App (mHealth)

According to the World Health Organization (WHO), innovative applications (apps) used for medical and public health practice are called mHealth (mobile health). In addition, an mHealth app is any software application created for or used on a mobile device for medical or other health-related purposes (Lewis Lorchan, 2014).

mHealth is an incredible tool that promises to change the way the health care system works. For example, the Boston Consulting Group published a study in 2012 in which trials in the Nordic countries showed that mHealth could generate a 50-60% reduction in hospital nights and re-hospitalization for patients with Chronic Obstructive Pulmonary Disease. In the same study, the Boston Consulting Group concluded that mHealth could reduce overall elderly care expenditure by 25%.


The WHO listed some types of mHealth that are most common in the market. The first category mentioned by the WHO is mHealth that provides communication between individuals and health services, for instance health care call centres or helplines that allow patients to receive health advice and triage provided by trained personnel or by pre-recorded messages.

A second category is the opposite direction: communication between health services and individuals. Here we find mHealth apps such as treatment adherence apps, which send reminder messages provided by health services to patients, aimed at achieving medication adherence. A common example of this type of mHealth is the contraceptive pill reminder for women. Another form of communication between health services and individuals is the health promotion campaign conducted using mobile devices to raise the awareness of a target group about a specific topic.

The WHO also mentions mobile telehealth, which consists of consultations between health care practitioners, or between practitioners and patients, using mobile devices (a practice still not allowed in many countries). Access to information and education for health care professionals is also indicated by the WHO as a type of mHealth, since these apps allow physicians to check literature, resources, databases and online educational resources.

2.1 mHealth apps with storage of personal data

The last group is of great importance in light of this work, since it is directly connected to data collection. The mHealth apps in the class of health monitoring and surveillance deal with a large amount of patients' personal information. In this category we find apps that monitor the patient's routine, for example LifeScan for patients with diabetes, remote heart monitoring and remote oxygen level checks (Chouffani, 2011). In this kind of app there is substantial storage of personal data, which will be discussed in the following chapters.

According to the European Commission, mHealth solutions can help to detect the development of chronic conditions at an early stage. These apps work on the basis of self-assessment tools and remote diagnosis, and they share data with care providers, which facilitates timely intervention.

It is important to bear in mind that apps for healthy living, such as pregnancy and baby development, diet assistance, exercise and fitness, and healthy eating, are also classified as mHealth. However, they will not play an important role in this paper because they do not employ a significant amount of personal data.


mHealth apps have the potential to play a key role in transforming our lives for the better. However, it is now imperative to ensure that the technology is safe and secure for use (European Commission, Green Paper on mobile Health ("mHealth"), 2014).

3. Risks of mHealth

3.1 Inaccuracy

After comprehending the types of mHealth apps available in the market, it is important to understand the risks that might arise from this type of app.

The first and most important risk of mHealth is certainly the possibility of patients using inaccurate mHealth apps.

“It is important that mobile medical apps used in health care settings are accurate and reliable, especially as health care professionals and patients may make critical decisions based on information from an app.” (Lewis, 2014)

Unsafe mHealth apps can compromise patient safety and are potentially dangerous in clinical use. The lack of accuracy, according to Lewis, can arise from the fact that many app developers have little or no formal medical training and do not seek a physician's advice when developing the app. This kind of situation is a threat to patients' health and, for this reason, many mHealth apps need the approval of a health regulatory agency.

The American Food and Drug Administration (FDA), for example, regulates apps with more complex functions. The FDA released a guidance document in 2013 ruling that mHealth apps intended to be used in diagnosing, mitigating, treating, preventing or curing a disease are considered medical devices and are therefore subject to FDA scrutiny. The goal is to evaluate and judge the potential risk to the patient's health.

As this paper will discuss the Brazilian market and the local laws related to mHealth, it is relevant to mention that the Brazilian regulatory agency (ANVISA) also requires approval when the mHealth app is similar to a medical device. However, not only under Brazilian regulation but also in other parts of the globe, it is not totally clear when a medical app becomes a formal medical device. This situation means:

“… that many developers may not recognize that their app requires formal regulation. As a result, the vast majority of medical apps remain without any form of regulation or safety check, and some of these may present a patient safety or other risk.” (Lewis, 2014)


Another factor that adds to the inaccuracy problem is that, according to van Velsen, due to the exponential growth of medical apps it is practically impossible to assess each and every mHealth app. The risk of medical inaccuracy is being treated with attention by authorities, committed developers and physicians.

3.2 Users’ privacy

The second main issue and risk arising from mHealth is the maintenance of the user's privacy. mHealth apps are platforms that will be fed with more and more data belonging to the user. Processing and storing sensitive medical information makes users' and patients' data vulnerable to undesired access or to changes in their medical records.

Unfortunately, breaches of health data are not uncommon. According to Health Care Informatics, in 2017 there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS), affecting a total of 5.579 million patient records. In addition, Landi H. reported in Health Care Informatics that nearly 90% of healthcare organizations fell victim to a data breach in 2016 and 2017, at an average cost of $2.2 million.

In July 2018, IBM Security and the Ponemon Institute released the 2018 Cost of a Data Breach Study: Global Overview. This worldwide study conducted interviews with 2,200 IT, data protection and compliance professionals from 477 companies that had experienced a data breach over the previous 12 months.

The study came up with striking findings. According to the Ponemon Institute and IBM, a single data breach has an average total cost of $3.86 million. In addition, the global study estimates the likelihood that an organization will have one or more data breaches in the next two years: South Africa has the highest probability of experiencing a data breach, while Germany has the lowest probability of a future data breach.

The same study concludes that some industries are more financially affected when facing data breaches. Comparing the per capita cost of data breaches, it is easy to notice that heavily regulated industries such as healthcare and financial organizations have a per capita data breach cost substantially higher than the overall mean. The chart below shows that data breach costs in the healthcare and pharmaceutical industries are quite high, because of the sensitivity of the data that these industries process.


Figure 1: Per capita cost in data breaches by industry sector (US$). Ponemon Institute, 2018, page 18.

The leakage or modification of sensitive personal data is not only about financial consequences. It can lead to severe harm to the user's privacy and dignity, and to a hard time for the developers of the app. An extreme example would be the situation in which an employer learns that an employee has a delicate health condition that the employee did not want the employer to know about. This situation could lead to an increase in the person's health insurance costs or even to an unlawful dismissal. This example is a harsh case, since it would be a major violation; however, it is important to bear in mind how sensitive health data are and how harmful incidents involving them can be.

In addition, Njie C., in 2013, studied the 43 most popular health and fitness apps (free and paid) from both a consumer and a technical perspective. Based on many factors, he concluded that nearly three-fourths, or 72%, of the apps assessed presented a medium (32%) to high (40%) risk regarding personal privacy. Three main technical causes of privacy risks in mobile health and fitness apps were identified: unencrypted traffic, embedded advertisements and third-party analytics services.

Finally, He et al. analysed a list of 160 mHealth apps available in the Google Play store and observed that 63.6% of the sampled apps were sending unencrypted data over the Internet and 81.8% were using third-party storage and hosting services such as Amazon's cloud services.

Furthermore, a data breach can lead to reputational damage. The Ponemon Institute's study calculated the share of customers who cut ties with the service or company during a given period after a data breach incident, the churn rate. As the following chart shows, the churn rate is higher for the health, financial and pharmaceutical industries: customers have high expectations for the protection of their data in highly regulated industries (Ponemon Institute and IBM, 2018).

Figure 2: Abnormal churn rates after data breaches by industry. Ponemon Institute, 2018, page 25.

3.3 Dealing with the Data Protection risk for mHealth

The discussion about how safely patients' data will be treated in mHealth apps has two main elements.

The first aspect is the technological one: the systems that app companies develop should be designed in a way that avoids data leakage. Poor privacy and security practices increase the vulnerability of patient information, raising the risk of a successful cyber-attack. The Ponemon Institute (2018) identified the main causes of data breaches in 2017: 27% human error, 25% system glitch and 48% malicious or criminal attack.

In this scenario, programmers and app developers are focusing on new technologies to minimize the leakage risk. Examples of technical measures that help to prevent cyber-attacks are the encryption of data and secure authentication to remote servers. As this is an IT-specific subject, this paper will not evaluate the protection of the data from a technological perspective.

This work will assess the second aspect of data protection related to mHealth: the legal and ethical factors. Data privacy should be respected not only because it is a fundamental legal right, but also because the mHealth market is based on trust. mHealth users should trust that their personal health information is private and safe. Where that trust is lacking, users are not going to disclose the personal information that the app needs to work properly. In the event of a breach of data security, the patient's health can be harmed and the companies can face reputational and financial problems.

To illustrate the severity of the topic this work discusses, an innovative study from January 2018, published by Papageorgiou et al., must be cited. This study examined the security and privacy concerns in the top 20 mHealth apps available in the Google Play marketplace. The outcomes are staggering: the authors verified that 50% of the apps send data to third parties without express consent. These third parties are, for example, marketing-related platforms that provide mobile analytics or performance-related data, and cloud-based back-end solutions used to configure the applications' functionalities. In this situation, we can see that the lack of legal advice on obtaining express consent to share health data can bring severe legal and financial problems to the company.

The above studies demonstrate the problematic situation concerning data protection that our society is facing with the breakthrough of mHealth. In order to better understand how legislation and codes of ethics can deal with this issue, it is important to first comprehend the legal conception of data protection.

4. Data Protection

Keeping it brief, this paper will describe the legal definition of data protection from three different perspectives. The first will be the American set of regulations that govern data protection in the USA. Subsequently, the European one, where the new General Data Protection Regulation (GDPR) will be explored in depth. Finally, the legal framework and new situation of data protection in Brazil, which will provide the basis for the final strategy in this work. The analysis of these
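The three studies cited above (Njie: unencrypted traffic and third-party analytics; He et al.: cleartext data and third-party hosting; Papageorgiou et al.: data sent to third parties without express consent) all measure things that are visible in an app's outbound network traffic. As an added example, not code from the thesis or from any of those studies, here is the kind of check a pre-release review or the technical annex of a DPIA would run over a captured request log, so that "does this app leak health data or share it with third parties" becomes a reproducible yes/no rather than an opinion. It assumes a request log of the form `METHOD URL bytes` such as a test proxy would emit, a list of domains the app operator controls, and a list of query-string keys that carry health or identity data; the log lines, host names and both lists are constructed for the example.

```python
"""Network-flow triage for an mHealth app (added example for this page).

Checks each outbound request for: cleartext transport, a recipient outside the
operator's own domains (a third party that must be named in the privacy notice
and covered by consent), and health/identity data placed in the URL query
string, where it lands in server, proxy and CDN access logs even over TLS.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, one outbound request per line: "<METHOD> <URL> <bytes_sent>".
# None of these hosts exist; .test is a reserved top-level domain.
SAMPLE_LOG = """\
POST http://api.example-health.test/v1/glucose 512
POST https://api.example-health.test/v1/glucose 512
GET https://cdn.analytics-vendor.test/collect?uid=123&weight=82 0
POST https://s3.storage-vendor.test/bucket/readings 4096
GET https://api.example-health.test/v1/profile 0
"""

# Domains the app operator controls (assumed). Anything else is a third-party recipient.
FIRST_PARTY_DOMAINS = {"example-health.test"}

# Query-string keys that would expose health or identity data in access logs (assumed list).
SENSITIVE_QUERY_KEYS = {"uid", "weight", "glucose", "bp", "email"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Deliberately naive: a production check
    should use the Public Suffix List so that names like 'x.co.uk' are handled."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_request(line: str, first_party=FIRST_PARTY_DOMAINS) -> dict:
    """Classify one log line; returns the parsed fields plus a list of issue tags."""
    method, url, sent = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    issues = []
    if parts.scheme != "https":
        issues.append("cleartext-transport")
    if registrable_domain(host) not in first_party:
        issues.append("third-party-recipient")
    leaked = sorted(k for k in parse_qs(parts.query) if k in SENSITIVE_QUERY_KEYS)
    if leaked:
        issues.append("sensitive-data-in-url:" + ",".join(leaked))
    return {"method": method, "host": host, "bytes": int(sent), "issues": issues}


def triage_log(log_text: str, first_party=FIRST_PARTY_DOMAINS) -> list:
    """Triage every non-empty line of a request log."""
    return [triage_request(ln, first_party) for ln in log_text.splitlines() if ln.strip()]


def summarize(findings: list) -> dict:
    """Per-app figures in the shape the cited studies report (counts and recipients)."""
    cleartext = sum("cleartext-transport" in f["issues"] for f in findings)
    third_party_hosts = sorted({f["host"] for f in findings
                               if "third-party-recipient" in f["issues"]})
    url_leaks = sum(any(i.startswith("sensitive-data-in-url") for i in f["issues"])
                    for f in findings)
    return {
        "requests": len(findings),
        "cleartext_requests": cleartext,
        "third_party_hosts": third_party_hosts,
        "url_leak_requests": url_leaks,
        "clean": cleartext == 0 and not third_party_hosts and url_leaks == 0,
    }


if __name__ == "__main__":
    findings = triage_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['method']:4} {f['host']:30} {', '.join(f['issues']) or 'ok'}")
    print(summarize(findings))
```

Two caveats a reviewer should keep in mind: the scheme check only catches plain `http://`; an `https://` endpoint can still be reached by a client that has certificate validation disabled, which no request log will show and which needs a separate check of the app's TLS configuration. And "third party" here is purely a domain test; whether a given recipient is a processor acting for the operator or an independent controller (the legal question the GDPR chapters turn on) is something the contract, not the traffic, decides.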


three legal backgrounds will be important in reaching the conclusion and proposal of this paper.

4.1 Data Protection in the USA

Analysing the first legal system: in the USA there is no general rule on data protection, and the US Constitution does not explicitly mention privacy or data protection. The Americans have a system of federal and state laws and regulations that together compose the data protection regime. Moreover, as Jolly (2017) says:

“…there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered "best practices". These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.”

The American system works with different regulations related to data protection, some of which apply to particular categories of information, such as financial, electronic communications and personal health data. The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) is the Act that regulates medical personal data. It applies to health care providers, data processors, pharmacies and other entities that deal with medical information. In light of this work, it is important to go deeper into HIPAA.

As an overview, the Guide to Privacy and Security of Electronic Health Information from the American Office of the National Coordinator for Health Information Technology gives a good picture of HIPAA, which:

“…includes the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI); and the Breach Notification Rule, which requires CEs to provide notification following a breach of unsecured Protected Health Information (PHI).” (Guide to Privacy and Security of Electronic Health Information, 2015)

HIPAA protects any type of individually identifiable health information held or transmitted by a Covered Entity. Here, it is important to stress that identifiable health information is information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. This type of information is called “protected health information” under the


definition of HIPAA. As examples of protected health information, the Guide to Privacy and Security of Electronic Health Information suggests:

i. the individual's past, present, or future physical or mental health or condition;

ii. the provision of health care to the individual;

iii. the past, present, or future payment for the provision of health care to the individual.

As mentioned above, only identifiable health information is subject to this legislation. Classifying the type of information will be extremely relevant to understanding how mHealth developers should treat the data they are going to receive. A better understanding of the types of data and their adequate legal treatment will be discussed further in light of the GDPR.

Although HIPAA was enacted in 1996, when mHealth apps did not yet exist, it is easy to see that many mHealth apps might handle protected health information under HIPAA, since the user will be reporting his habits and lifestyle. However, it is not simple to know whether an mHealth app falls within the scope of HIPAA. According to Greene A. (2011), to analyse whether the mHealth app will be subject to HIPAA, the developer should answer two questions: i. who will be using the application, and ii. what information will be on the application?

HIPAA establishes that apps used by healthcare providers (doctors, clinics, nursing homes and pharmacies) fall under its rules. That is why Greene A. mentions that HIPAA does not apply to health care consumers. Answering only the first question, it might seem that a common mHealth app used by patients is not regulated by HIPAA. Nevertheless, an mHealth app is also subject to HIPAA if it collects, stores or transmits protected health information for a covered entity. This means that any mHealth app that contains data on a patient's physical or mental condition, healthcare services (type, date), or past, present or future payment for the provision of care will fall under HIPAA.

On the other hand, calories burned, steps taken or distance covered, and proprietary metrics such as the points awarded by the Nike Fuelband, are also not covered by HIPAA. In addition, according to Yelina (2018):

“…the majority of medical apps you see on Google Play and App Store don’t fall under HIPAA, as they’re usually intended for a patient’s personal use. These are apps for monitoring certain health aspects (weight, pulse, or glucose levels) or those to follow the


medication schedule (unless this data is transmitted to a health plan server).” (Yelina, 2018)

Going deeper into HIPAA, the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) sets the Standards for Privacy of Individually Identifiable Health Information. It provides, for example, that the covered entity (CE) must give patients a notice describing the ways in which their information will be used and disclosed. The notice must also describe individuals' rights, including the right to complain to the U.S. Department of Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated.

In the USA, data subjects have no general right to request the deletion of their data under the applicable data protection laws, differently from what happened in Europe when the GDPR became applicable. However, given the importance of protecting medical information, under HIPAA an individual can request that inaccurate or incomplete information be amended.

In case of violation of the HIPAA Privacy Rule, civil and criminal penalties may be imposed. The Office for Civil Rights (OCR), within HHS, is the agency responsible for enforcing the Privacy and Security Rules, mainly through complaint-driven investigations. The OCR can also refer cases to the Department of Justice for criminal prosecution.

On the web page of the U.S. Department of Health and Human Services it is possible to find case examples of HIPAA violations and the penalties imposed. To illustrate how onerous the penalties can be, the following cases are worth mentioning:

"Failure to protect the health records of millions of people costs entity millions of dollars. 12/28/17. 21st Century Oncology, Inc. (21CO) has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. 21CO is a provider of cancer care services and radiation oncology. With their headquarters located in Fort Myers, Florida, 21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. 21CO filed for Chapter 11 bankruptcy in May 2017 and obtained approval from the bankruptcy court to enter into the settlement agreement." (Content created by the Office for Civil Rights (OCR), December 28, 2017)

The company CardioNet agreed to a large settlement because of the disclosure of protected health information:

"$2.5 million settlement shows that not understanding HIPAA requirements creates risk. April 24, 2017. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan." (Content created by the Office for Civil Rights (OCR), April 24, 2017)

From the user's perspective, besides the right of access regulated in HIPAA, the individual in the USA has the right to complain to the Office for Civil Rights (OCR) upon observing any misuse of his health records. However, HIPAA does not provide a private cause of action, meaning that a patient cannot sue for a HIPAA violation as such. It is nonetheless possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. (HIPAA Journal, 2017)

In conclusion, HIPAA, like other data protection regulations, is seen as a challenge that mHealth developers must overcome. In his article, Mcaskill mentions an interview with David Whelan, chief business officer of an mHealth developer company, in which the interviewee referred to this challenge:

"The conflict is the competing priorities between HIPAA requirements and making healthcare data measurable and accessible via mobile technology. HIPAA is outdated in very much the same way that intellectual property rights and copyright law has been outdated," Whelan said. "We've seen this repeatedly over the past 10-15 years with the advent of digital media. These guidelines were written for another time, another era." (David Whelan, in an interview with VentureBeat)

4.2. Data Protection in the European Union

In comparison to the USA, privacy and data protection are explicitly established at the constitutional level in Europe (Kokott, 2013). Article 8 of the EU Charter of Fundamental Rights stipulates that everyone has the right to the protection of personal data concerning him or her, the right of access to data which has been collected concerning him or her, and the right to have it rectified.

From 1995 until May 2018 the European Union had the Data Protection Directive (95/46/EC) as the legal framework to protect individuals' personal data. The General Data Protection Regulation, which entered into force in 2016, became applicable on 25 May 2018 and repealed the Directive. Making another parallel to the USA, the GDPR governs consumers' personal information in general, whilst HIPAA, as already discussed, does not cover the consumer's information outside the healthcare system. Whereas American laws and regulations tend to favour business over the consumer, the EU has always promoted a "consumer-first" point of view (Martech, 2018). The GDPR gives the user more power to control, monitor, check and, if desired, delete information pertaining to them.

4.3. GDPR

The GDPR is an unprecedentedly comprehensive data protection regulation. The EU legislator set the highest levels of protection around personal data. In general terms, the GDPR prohibits the processing of personal data without a lawful basis (Art. 6); consent is one of those bases, and for health data an additional condition under Art. 9(2), such as the explicit consent of the data subject, is required. In addition, the GDPR makes the data controller (typically the company) accountable and liable in cases of data breaches, with processors sharing that liability for their own obligations.

This regulation fits the technological era the world is facing. The project came into being after the Commission's consultation found that more than 90% of Europeans wanted the same data protection rights across the EU, regardless of where their data are processed. (European Commission, 2018)

Having a single law facilitates business by streamlining the rules for companies in the digital market. The GDPR also does away with the previous fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. (European Commission, 2018)

Aside from saving companies some money in administrative costs, the GDPR mainly protects consumers through the following provisions:

i) Extraterritoriality

Article 3 of the GDPR provides:

"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." (Art. 3(1) GDPR)

Article 3(2) extends this to controllers and processors not established in the Union where the processing relates to offering goods or services to data subjects who are in the Union, or to monitoring their behaviour within the Union. The GDPR thus protects individuals in the EU no matter where their data are. This means that a company anywhere in the world that offers its app to users in the EU, or monitors them, is bound by the GDPR rules; the criterion is the data subject being in the Union, not EU citizenship.

ii) Strong penalties.

Article 83 of the General Data Protection Regulation sets out the tiered fine system that the GDPR applies. In the lower tier, fines apply to infringements of the obligations of controllers and processors, for example failing to integrate data protection "by design and by default" (Art. 25) into services, products and policies. Such breaches are fined under Art. 83(4):

"Art. 83 GDPR General conditions for imposing administrative fines. (4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: …"

The higher tier of fines is reserved for the most serious infringements. Breaches of the basic principles for processing, including the conditions for consent, and of the data subjects' rights are fined under Art. 83(5):

"(5) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: …"

Considering these amounts, companies will need to put considerable effort into avoiding and preventing any non-conformity with the GDPR. Businesses can expect that a breach of the rules may have a massive financial impact on their entire operation.

It is worth mentioning that the behaviour of the organisation is taken into account when determining the amount of the fine (Art. 83(2)). This means that organisations have the opportunity to reduce any fine by acting to comply fully with the Regulation and by implementing procedures that demonstrate good security standards to the authorities.

iii) Simplified and strengthened consent from data subjects.

Under the GDPR, consent must be given in a clear, plainly worded and unambiguous way. The purpose of the data processing must be clearly expressed in simple language. In addition, according to Art. 7(3), it must be as easy to withdraw consent as it is to give it:

Art. 7 GDPR: "(3) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."

Another important point, including for mHealth, is that for each new purpose for using the data the company needs a new legal basis, which in practice means fresh consent from the user, unless the new purpose is compatible with the original one (Art. 6(4)).

iv) Mandatory breach notification. The GDPR provides a timeframe of 72 hours to notify the supervisory authority of a breach:

Art. 33 GDPR: "(1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

If the notification is not made within the 72-hour window, the GDPR requires the controller to give reasons for the delay. This short period will be a challenge for companies. The business will need to report the breach and gather the information needed to state which data were affected and how the issue will be addressed going forward. Art. 33(4) does allow the information to be provided in phases where it is not all available at once, and Art. 34 separately requires the affected data subjects to be informed when the breach is likely to result in a high risk to them, which is often the case for health data. A second difficulty is that many breaches are discovered only months after they occurred. The clock, however, starts when the controller becomes aware of the breach, so the practical requirement is to have detection and an incident-response process ready before a breach happens, rather than to reconstruct everything within 72 hours.

v) Important consumer rights were highlighted.

As already mentioned, the GDPR has a strong focus on protecting the data subject and his or her rights. For instance, users have the right to obtain copies of their data and information on how they are being used. The right of access by the data subject is specified in Article 15:

Art. 15 GDPR: "(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: … (3) The controller shall provide a copy of the personal data undergoing processing…"

Another important right included in the GDPR is the right to erasure ("right to be forgotten"). Art. 17 stipulates that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay. This makes things technically more complicated for companies: erasing a single data subject's data without undue delay, across backups, logs and third-party processors, will certainly bring technical hurdles.

In light of this paper, it is worth noting that paragraph 3 of Art. 17 lists the situations in which the right to erasure does not apply. One of these is processing for scientific research or statistical purposes under Art. 89(1), insofar as erasure is likely to render impossible or seriously impair the achievement of the research objectives. In many studies the controller will receive health information but will not be obliged to erase it, so as not to compromise the outcome of the research.

The right to data portability provided in Art. 20 should also be mentioned as an important consumer right:

Art. 20 GDPR: "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided …"

Again, this is a technically difficult situation if the company's system was not designed to operate at this level of detail. This is why the GDPR requires processes to be built with data protection in mind (Art. 25) rather than treated as an afterthought.

vi) Monitoring and supervision

Articles 37, 38 and 39 of the GDPR introduce an important innovation: the designation of a Data Protection Officer (DPO), whose task is to monitor compliance with the GDPR. A DPO is mandatory, among other cases, where the core activities consist of large-scale processing of special categories of data such as health data (Art. 37(1)(c)), a condition that an mHealth app operated at scale will usually meet. The DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice.

Furthermore, Article 51 of the GDPR obliges each Member State to establish a supervisory authority: Member States shall provide for one or more independent public authorities responsible for monitoring the application of the GDPR.

Finally, the provision of Article 35 on conducting a Data Protection Impact Assessment (DPIA) prior to high-risk processing gives users more security. A DPIA must always be conducted when the processing is likely to result in a high risk to the rights and freedoms of natural persons. National data protection authorities, in cooperation with the European Data Protection Board, may publish lists of processing operations for which a DPIA is required (Art. 35(4)). Independently of those lists, Art. 35(3) itself names the following cases in which a DPIA is required:

i) a systematic and extensive evaluation of the personal aspects of an individual, including profiling;

ii) systematic monitoring of public areas on a large scale;

iii) processing of sensitive data on a large scale. In light of this paper, it is worth stressing that the processing of sensitive data must be on a large scale. A doctor processing the personal data of his own patients, for instance, does not require a DPIA, since that processing is not done on a large scale (Recital 91): the number of patients is limited. On the other hand, when a pharmaceutical company processes health data from a large number of diabetic patients, a DPIA is clearly needed.

The draft Code of Conduct on privacy for mHealth (discussed in chapter 5) brings, in its annex, the set of questions that should be answered when conducting a DPIA, so that the assessment is documented and can be shown to the supervisory authority.


4.4. Main Principles to Process Personal Data:

Chapter II of the GDPR outlines the principles that all companies must follow when collecting, processing and storing the personal data of individuals in the EU: six in Art. 5(1), plus accountability in Art. 5(2). These principles will play a great role in the analysis of how a pharmaceutical company in Brazil should behave.

According to Irwin (2018), companies obviously need to comply with the principles, but they must also be able to demonstrate their compliance practices to the authorities (the accountability principle). All companies will need to bear these principles in mind before and during the construction of the mHealth app; consequently, complying with the rules of the GDPR will become easier in the long run.

The first principle to mention is purpose limitation. It means that companies are allowed to collect, process and use data only for a specific purpose that was clearly explained and made explicit to the data subject, for instance in the consent request. This principle is found in Art. 5(1)(b) GDPR:

Art. 5(1)(b) GDPR: "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');"

It is relevant to observe that a different treatment is given to health data used for scientific purposes. The GDPR gives more freedom in those cases and permits further processing for archiving, research or statistical purposes, subject to the safeguards of Art. 89(1), even when that purpose was not explicit in the consent document.

The principle of lawfulness and fairness is one of the most important principles when dealing with people's data. It states that there must always be a legitimate legal basis for the processing. The data controller must be able to rely on one of the bases of Art. 6 (for instance, consent, or the performance of a contract with the data subject) and, for health data, additionally on one of the conditions of Art. 9(2), typically the explicit consent of the data subject. This basic principle is relevant for both parties. The data subject agrees to the processing aware of the methods and the reasons why his data will be processed, and on that basis gives his consent. On the other hand, the controller will have the evidence and the legal protection of a documented consent or contract in case the data subject later files a claim against it.

The principle of transparency will be a challenge for many writers of privacy policies. In the market it is easy to find lengthy policies, and hard to find a user who reads them and really knows what he is agreeing to. According to Art. 5(1)(a) of the GDPR, read together with Arts. 12 and 13, the data subject must clearly know and understand why, how and for how long his personal data are being processed. The language must be clear and unambiguous. For this reason, those drafting privacy policies must pay great attention to this and make sure that the text is neither too long nor too elaborate.

The data minimisation principle says that data may be used only in the amount necessary to reach the processing purpose. Art. 5(1)(c) rules that data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Irwin (2018) makes a pertinent observation: this principle has two main benefits. First, by using only the necessary amount of data, in case of a breach the unauthorised party gains access to only a limited amount of data. Second, data minimisation makes it easier to keep data accurate and up to date.

Accuracy is also an important element of data protection. It is the data subject's right to have his information kept accurate and up to date. Art. 5(1)(d) states that every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay; controllers should therefore use reliable sources of personal data.

Storage limitation is another important principle in the new European data protection regulation. The GDPR states that the data controller may keep the data only for as long as is strictly necessary for the purpose. According to Art. 5(1)(e), the data should be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".

Finally, the principle of integrity and confidentiality in Art. 5(1)(f) states that data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Companies that process any type of data should always bear the above principles in mind when building platforms and systems. Adopting the general principles as genuine values of the company will make it easier to comply with the specific rules of the GDPR.


4.5. Types of data in light of the GDPR

In order to better understand the treatment that the GDPR and the Brazilian data protection regulation (analysed in depth in the next chapters) give to health data, it is important to review the types of data. Article 4 of the GDPR gives the key definitions needed to comprehend the text and the data protection environment.

The GDPR's rules apply only to personal data. Non-personal data, such as anonymous data and data about legal entities, do not fall under the GDPR provisions.

Personal data are any data able to identify a person. According to the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject") (Art. 4(1)). It might seem simple to recognise personal data, but in fact it is not that plain. According to Irwin (2018), in his article "What exactly is personal data?", whether information is considered personal data often comes down to the context in which the data are collected.

In Irwin's example, a company that asks the user for his occupation is not dealing with personal data on that field alone, because many other individuals will report exactly the same occupation; that information is not enough to identify someone. However, combined with other information, the occupation may enable the company to link the record to an individual's identity.

When we think about personal data, we probably think of name, e-mail, address, picture and ID number, because these can directly trace a person. Nevertheless, even a name is not always personal data on its own. When the controller has, for example, a "João da Silva" or a "John Smith" in his records, that information alone might not identify anyone, as many different individuals share such common names in the same database (unless they were the only João da Silva or John Smith in it). Conversely, not having a person's name does not mean that an individual cannot be identified. It all depends on the pieces of information that are gathered and used as a whole.

As explained above, it can be difficult to determine whether certain information meets the GDPR's criteria for personal data. However, the cloud services company Boxcryptor gives a list of information that could be considered personal data, either on its own or in combination with other data:

i) biographical information or current living situation, including dates of birth, social security numbers, phone numbers and email addresses;

ii) workplace data and information about education, including salary, tax information and student numbers;

iii) private and subjective data, including religion, political opinions and geo-tracking data;

iv) health, sickness and genetics, including medical history, genetic data and information about sick leave.

Health data, the subject of this work, fall under a subdivision of personal data: they are "special category" (sensitive) data under Art. 9, which must be treated with extra security. This category comprises data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to identify a person, data concerning health, and data concerning a person's sex life or sexual orientation. Data on criminal convictions and offences are regulated separately in Art. 10.

According to Art. 4(15) GDPR, "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Recital 35 of the GDPR, unlike the old Directive, gives explicit examples of health data: a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source.

It is worth stressing that pure lifestyle data, for instance raw data on an individual's habits and behaviour that do not directly relate to that individual's health, are not necessarily data concerning health, because they do not reveal the person's health condition.

It is helpful to bring some examples and apply a more practical perspective. In the draft Code of Conduct on privacy for mHealth, the European Commission mentions two enlightening examples:

"E.g. an app allows a user to track whether she has taken her prescribed medications and thus complies with the advice provided by her doctor. This app processes data concerning health, since the consumption of medication is indicative of the health of an individual.

E.g. an app tracks footsteps solely as a way of measuring the users' sports activities during a single walk. The data is not stored by the app developer to create a profile that evaluates the user's physical fitness or health condition, nor is it combined with other data. This app does not process data concerning health, since this is merely lifestyle data." (European Commission, draft Code of Conduct on privacy for mHealth, 2018)

The GDPR requires companies to implement security measures to ensure the confidentiality of any type of personal data, and especially of health data. Art. 32 names pseudonymisation and encryption as examples of appropriate technical measures, and Recital 26 distinguishes these from anonymous data, which fall outside the Regulation altogether.

Pseudonymisation (Art. 4(5)) is the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information (for instance a lookup table or a secret key) is kept separately and protected by technical and organisational measures. In practice, the directly identifying fields are replaced by a token or pseudonym. This reduces the risk in case of a stolen device or a leaked database, for example: an unauthorised party obtains only the pseudonymised part, and identifying the natural person without the separately held key is hard. Pseudonymised data remain personal data, however, and the GDPR continues to apply to them.

The GDPR also cites encryption as a good way to protect data. Here the information is transformed into ciphertext that is unintelligible without the key, and only an authorised holder of the key can convert it back into the original text. As with pseudonymisation, the protection depends on the key being kept apart from the data it protects.

Anonymous data describe the situation in which the data subject is no longer identifiable by any means reasonably likely to be used (Recital 26). Anonymisation is irreversible; a dataset that can still be re-identified, for instance by combining it with other data, is at most pseudonymised.
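The pseudonymisation and anonymisation measures described above, as an added example in Python; this is not code from the thesis, from the GDPR or from the draft Code of Conduct. It assumes a hypothetical glucose-tracking app whose records are constructed here for illustration. It uses a keyed HMAC-SHA256 pseudonym, so that the key and the lookup table are the separately held "additional information" of Art. 4(5), and adds a k-anonymity check over the quasi-identifiers (birth year and postcode) to show why merely dropping names does not make a dataset anonymous. Encryption of the stored readings is deliberately not shown; in practice an authenticated cipher such as AES-GCM from a maintained library is used, with the key held apart from the data.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records from a hypothetical glucose-tracking app.
# These are made-up people and values, not real data.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "João da Silva", "email": "joao@example.com", "birth_year": 1975,
     "postcode": "01310", "glucose_mg_dl": 142},
    {"name": "John Smith", "email": "john@example.com", "birth_year": 1975,
     "postcode": "01310", "glucose_mg_dl": 98},
    {"name": "Maria Souza", "email": "maria@example.com", "birth_year": 1988,
     "postcode": "04538", "glucose_mg_dl": 187},
    {"name": "Ana Lima", "email": "ana@example.com", "birth_year": 1983,
     "postcode": "04571", "glucose_mg_dl": 121},
]

DIRECT_IDENTIFIERS = ("name", "email")          # removed by pseudonymisation
QUASI_IDENTIFIERS = ("birth_year", "postcode")  # can re-identify in combination


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) for one data subject.

    The same e-mail always yields the same token, so readings from one user
    can still be joined; without `key` the token cannot be linked back to the
    e-mail. A plain unkeyed hash would NOT do: an attacker can hash a list of
    candidate e-mails and match the tokens.
    """
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Replace direct identifiers with a pseudonym.

    Returns the pseudonymised records and the lookup table that maps each
    pseudonym back to the identifiers. That table (and `key`) is the
    'additional information' of Art. 4(5) GDPR and must be stored separately
    from the records, e.g. in a different system protected by a key vault.
    """
    lookup: Dict[str, Dict] = {}
    out: List[Dict] = []
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject"] = token
        out.append(pseudo)
    return out, lookup


def reidentify(pseudo_record: Dict, lookup: Dict[str, Dict]) -> Dict:
    """Only the holder of the separately stored lookup table can do this."""
    return lookup.get(pseudo_record["subject"], {})


def k_anonymity(records: List[Dict], quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifiers.

    k == 1 means at least one record is unique on (birth_year, postcode); such a
    dataset is still pseudonymised personal data, not anonymous data.
    """
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def generalise(records: List[Dict]) -> List[Dict]:
    """Coarsen quasi-identifiers: birth year -> decade, postcode -> first two digits.

    Generalisation is one step towards anonymisation (Recital 26); whether it
    is enough depends on the k achieved and on what other data an attacker holds.
    """
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["postcode"] = r["postcode"][:2]
        out.append(g)
    return out


if __name__ == "__main__":
    # In production the key lives in a key vault, not next to the data.
    key = secrets.token_bytes(32)
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-identified:", reidentify(pseudo[0], lookup))
    print("k before generalisation:", k_anonymity(pseudo))
    print("k after generalisation:", k_anonymity(generalise(pseudo)))
```

On the constructed records the pseudonymised set still has k = 1 (Maria and Ana are each unique on birth year and postcode), so a thief of the database plus a voter register could single them out; generalising to decade and postcode prefix raises k to 2. The lookup table and the HMAC key are what an attacker must not obtain together with the records, which is the organisational half of Art. 4(5).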

Having looked at the types of data, above all the category of health data, and at some methods to protect data, this paper will now analyse the data protection requirements for mHealth under the GDPR. Any kind of personal data must be protected under the GDPR rules; however, the next chapters target data concerning health in particular, as this is the kind of data that an mHealth app will most often process.

5. GDPR and mHealth

In 2014 the European Commission published a Green Paper on mHealth and launched a public consultation inviting the public to give its views on mHealth in the EU. The Commission reported in 2017 on its web page that the majority of participants in the public consultation did not trust mHealth apps because of privacy concerns. They also considered users' consent, as well as strong privacy and security tools, to be crucial for mobile health apps.

Based on the Green Paper on mHealth, on the outcomes of the public consultation and on the principles of the GDPR, the European Commission facilitated the drafting of a Code of Conduct on privacy for mobile health applications. It is important to highlight that, according to Article 40 of the GDPR, drawing up such specific and tailored codes contributes to the proper application of the GDPR:

"The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises." (Art. 40(1) GDPR)

The Code of Conduct on privacy for mobile health applications seeks to facilitate data protection compliance in mHealth and to promote good practices for this new and relevant technology. It aims to achieve this by providing specific and accessible guidance on how European data protection legislation should be applied to mHealth apps. The Code was written through a multi-stakeholder process, which is why it addresses the four principal stakeholders: app developers, the data protection community, industry associations and, of course, the end users of the apps.

The Code of Conduct for mHealth is excellent practical guidance for app developers and companies. It gives more detail and relevant examples of how app developers can integrate "privacy by design" and "privacy by default" into their development processes. Adherence to the Code itself is voluntary, but the GDPR provisions it translates into the mHealth context are mandatory regardless. Applying for a trust certificate based on adherence to the Code is optional, but strongly recommended to increase users' trust. In this sense, the Code provides useful recommendations in the field of mHealth.

The first topic the Code of Conduct addresses is the user's consent. This topic is not exclusive to data concerning health, but it has substantial relevance, since the user is consenting to the processing of data about his health. mHealth apps will only comply with the Code of Conduct and receive the trust certificate if they offer a clear and user-friendly explanation when asking for consent. The Code cites granular and contextual consent as good options for clear consent: the app asks for, and explains, each processing operation at the step and moment at which it happens, which helps the user understand the purpose and manner of processing.

The right to withdraw consent is also covered by the Code. The Code rules that users should be able to delete their personal data inside the app and have their data deleted when they uninstall the app. When the app is uninstalled, the data need not be erased only if the user has consented to the company retaining the information after the app is removed.

The principle of purpose limitation, already discussed above, receives a more mHealth-oriented description. Processing must always be limited to the extent the user consented to. The Code gives the example of an app that monitors blood sugar concentration levels to assist diabetes patients in dispensing medication: the controller is not allowed to sell this information to medication producers. Using the health data for a new purpose requires another clear consent. Anonymised data may be used for a secondary purpose, but in this case the user should be informed.

According to the Code, data minimization can also be achieved with simple measures, for instance:

“You should not store exact date of birth when a generic age (or age bracket, such as age 25-35) is sufficient for your app to function correctly.” (European Commission, draft of the Code of Conduct on privacy for mHealth, 2018)

The mHealth app should implement user-friendly interfaces that make it easy to consult, correct and delete the data.

Another relevant point mentioned in the Code is the use of advertisements inside the mHealth app. If the controller is going to share the user's data with a third party in order to serve suitable advertisements, the use of advertisements must be clearly authorised by the user before the app is installed. If no data will be shared, the user does not need to authorise it, but must be able to dismiss the ad.

Big data is also an important issue when it comes to data concerning health. Big data analytics for market research purposes, or the communication of data concerning health to insurance companies or employers, is, as the Code stresses, allowed only when the controller asks for an additional and explicit consent (where this use was not communicated as part of the main purpose). However, as already mentioned in this paper, processing the data for scientific or historical research purposes or statistical purposes as a secondary purpose may be allowed if it follows the GDPR conditions.
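The Code's requirements discussed above (granular consent per purpose, purpose limitation on every access, data minimization such as storing an age bracket instead of a birth date, erasure on withdrawal, and aggregation before any secondary statistical use) can be expressed directly in application logic. The following is an added example written for this edit, not code from the Code of Conduct or from the thesis; the app, its purposes, field names, the fixed reference date and the glucose readings are all assumptions constructed for the illustration.

```python
"""Purpose-bound processing of health data with granular consent.

Added example (not code from the Code of Conduct or the thesis). The
purposes, field names and sample readings are assumptions made for the
illustration; 'today' is fixed so the output is deterministic.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Granular consent: each purpose is consented to, and withdrawn, separately.
PURPOSES = {"dispense_medication", "share_with_clinician", "market_research"}


class ConsentError(PermissionError):
    """Processing was attempted for a purpose the user never consented to."""


@dataclass
class ConsentRecord:
    user_id: str
    granted: set[str] = field(default_factory=set)

    def grant(self, purpose: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.granted.add(purpose)

    def withdraw(self, purpose: str) -> None:
        self.granted.discard(purpose)


def age_bracket(dob: date, today: date) -> str:
    """Data minimization: derive a ten-year bracket and drop the exact birth date."""
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (years // 10) * 10
    return f"{low}-{low + 9}"


@dataclass
class HealthStore:
    consents: dict[str, ConsentRecord] = field(default_factory=dict)
    records: dict[str, dict] = field(default_factory=dict)

    def enrol(self, user_id: str, dob: date, today: date, purposes: set[str]) -> None:
        consent = ConsentRecord(user_id)
        for purpose in purposes:
            consent.grant(purpose)
        self.consents[user_id] = consent
        # Only the bracket is persisted; the date of birth never reaches storage.
        self.records[user_id] = {"age_bracket": age_bracket(dob, today), "glucose_mmol_l": []}

    def add_reading(self, user_id: str, mmol_l: float) -> None:
        self.records[user_id]["glucose_mmol_l"].append(mmol_l)

    def process(self, user_id: str, purpose: str) -> dict:
        """Purpose limitation: every access names its purpose and is checked against consent."""
        consent = self.consents.get(user_id)
        if consent is None or purpose not in consent.granted:
            raise ConsentError(f"{user_id}: no consent for {purpose}")
        return self.records[user_id]

    def withdraw_and_erase(self, user_id: str) -> None:
        """Withdrawal or uninstall: remove the data and the consent record together."""
        self.records.pop(user_id, None)
        self.consents.pop(user_id, None)

    def mean_glucose_by_bracket(self) -> dict[str, float]:
        """Statistical secondary use: only per-bracket aggregates leave the store.
        Whether this is anonymous in the GDPR sense still depends on group sizes."""
        readings: dict[str, list[float]] = {}
        for rec in self.records.values():
            readings.setdefault(rec["age_bracket"], []).extend(rec["glucose_mmol_l"])
        return {b: round(sum(v) / len(v), 1) for b, v in readings.items() if v}


def demo() -> dict:
    """Walk through enrolment, a refused purpose, withdrawal, aggregation and erasure."""
    today = date(2018, 7, 27)  # fixed reference date for the example
    store = HealthStore()
    store.enrol("u1", date(1990, 3, 14), today, {"dispense_medication"})
    store.enrol("u2", date(1985, 12, 1), today, {"dispense_medication", "market_research"})
    for value in (5.6, 7.1, 6.3):  # constructed sample readings
        store.add_reading("u1", value)
    store.add_reading("u2", 8.0)

    out = {"u1_record": store.process("u1", "dispense_medication")}
    try:  # u1 never consented to market research, so this must be refused
        store.process("u1", "market_research")
        out["u1_market_research"] = "allowed"
    except ConsentError:
        out["u1_market_research"] = "refused"
    store.consents["u2"].withdraw("market_research")  # granular withdrawal of one purpose
    out["u2_market_research"] = "market_research" in store.consents["u2"].granted
    out["aggregate"] = store.mean_glucose_by_bracket()
    store.withdraw_and_erase("u2")
    out["u2_still_stored"] = "u2" in store.records or "u2" in store.consents
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that `process()` is the only read path and it takes the purpose as an argument, so a new purpose (selling readings to a manufacturer, market research) cannot be served without a consent record that names it; the birth date is consumed by `age_bracket()` at enrolment and never stored, so it cannot leak later.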

The last topic covered by the Code is the transfer of health data. Transfer of the data to third parties is allowed when consented to; however, the controller must consider the physical locations to which the data will be transferred, since EU data protection law restricts transfers to locations outside the EU. According to the Code, the controller should in that case choose countries covered by an adequacy decision of the European Commission, or provide appropriate contractual guarantees through the European Commission's Model Contracts (standard contractual clauses).

6. Data Protection in Brazil

In Brazil, data protection is a constitutional right, an extension of the right to privacy stated in art. 5, X of the Brazilian Constitution. The Consumer Protection Code (CDC) and the Brazilian Civil Rights Framework for the Internet (in Portuguese: Marco Civil da Internet, officially Law No 12.965) are the two main regulations related to data protection. However, there are more than 40 different regulations addressing data protection issues. Unfortunately, this large number of laws creates legal uncertainty, and it is hard to identify, across all those rules, what type of data and which individuals are being protected. Some laws apply to the public sector, while others, with different provisions, apply only to the private sector. The need for clearer data protection legislation is a reality in Brazil. (Pereira A, 2016)

Taking these facts into consideration, the Brazilian Congress proposed in 2013 a draft of the first general data protection law in Brazil. At that point, in 2013, there had been recent allegations that US intelligence agencies were monitoring Brazilians' personal data. Later, with the Facebook and Cambridge Analytica scandal, the promulgation of the GDPR and the 2018 presidential election, the Brazilian Congress decided to speed up the process. At the time of writing, both houses of Brazil's National Congress have passed the General Data Protection Bill (LGPD); the Senate approved it on July 10th, 2018. The bill is still awaiting the president's signature to become law. The LGPD is intended to replace those more than 40 regulations related to data protection.

The Brazilian General Data Protection Bill received many inputs from the GDPR, and the most important aspects of its text come from the EU: the requirement of consent, extraterritorial application, the definition of personal data, the obligation to notify breaches, the requirement of a privacy impact assessment and the provision for a Data Protection Officer all follow the same principles as the GDPR. The penalties, however, differ: they range from a prohibition on using the data to a fine of up to 2% of annual revenue, capped at 50 million Reais (roughly 10 million Euros).

In addition, Brazil will also need to create a supervisory authority, the Autoridade Nacional de Proteção de Dados (ANPD), which will be linked to the Ministry of Justice. Hopefully, this supervisory authority will take a more business- and development-friendly approach, in the sense that high fines would be the last measure to be taken. According to Vainzof (2018), before fining companies this supervisory authority should promote discussion, support, cooperation, guidance and information, and encourage companies to share their compliance programs.

The Brazilian General Data Protection Bill (LGPD) will be an important tool to bring Brazil to a higher level of data protection and to boost innovation and international investment in the country.

At present, as Brazil does not yet have a general data protection law, different cases are punished using different measures. Judges' decisions are based mainly on consumer protection law, the Brazilian Civil Rights Framework for the Internet, the Civil Code and the Constitution. The system for monitoring and penalising data breaches in Brazil is still precarious.

To illustrate this, a recent data leakage case became well known in Brazil. Netshoes, a major e-commerce company, exposed the personal data of 2 million customers as a result of a cyber attack. According to the Brazilian Public Prosecution Service, it was one of the biggest data protection incidents in Brazil. So far, the Public Prosecution Service is only demanding that the company notify all affected users of the leak. Whether a Public Civil Action will be filed claiming damages will depend on the company's behaviour, and there is no specific legal provision on the matter. (Revista Veja, 2018)

It is reasonable to conclude that this lack of legal provisions is a reason why Brazil ranked as having the lowest cost per data breach. According to the Ponemon Institute and IBM study of 2018, the USA has the highest average total cost of a data breach, at $7.91 million, while Brazil has the lowest, at $1.24 million, as the following chart shows:

Figure 3: The average total cost of a data breach by country or region (US$). Ponemon Institute, 2018, page 15.

On the other hand, figure 4 shows that Brazil ranks among the top five countries in average breach size: in 2017, the average breach in Brazil involved 25,003 records stolen or leaked in some way.

Figure 4: The average number of breached records by country or region. Ponemon Institute, 2018, page 16.

From a consumer's perspective, these facts show that in countries such as Brazil their data is more vulnerable, since companies already know that the financial impact of a breach will not be as high as it is in more strictly regulated countries. Additionally, Brazil suffers a high number of data breaches per year, of which the customer is usually not even aware.

In the Ponemon Institute's study, Brazil repeatedly ranks last in spending to avoid data breaches or to deal with them in some way. Besides that, Brazil ranks first in the likelihood that the same company will suffer a second data breach.

7. mHealth in Brazil

According to Vishwanath et al., Brazil was expected to have a market size of 0.7 billion USD in 2017, making it the seventh largest mHealth market in the world.

To illustrate the potential of the Brazilian market in this sector, in November 2016 the Ministry of Health and the Ministry of Science and Technology signed a cooperation agreement to stimulate the development of studies and new technological solutions in the healthcare area (Hummel, 2016). This agreement can be an important tool for stimulating joint ventures between private pharmaceutical companies and public Brazilian entities, for instance universities and public health institutes.

mHealth itself can be an effective tool for the healthcare systems of developing countries such as Brazil. According to the analysis by the GSMA (Global System for Mobile Communications Association) and PwC, mHealth could give an additional 28.4 million people access to the healthcare system in Brazil without increasing the number of doctors. mHealth apps can play an important and distinctive role in Brazil, since a large part of the population does not have adequate access to the healthcare system (the public system is not enough to meet the population's needs).

7.1 Legal data protection issues related to mHealth in Brazil

The data protection problem for medical apps, as analysed in the European Commission's Green Paper on mHealth, is a worldwide problem. In March 2018, the Brazilian Institute for Consumer Protection (Instituto Brasileiro de Defesa do Consumidor, Idec) evaluated six mHealth apps on the Brazilian market and assessed how they treated users' data. The research was based on the Brazilian Civil Rights Framework for the Internet, since the general data protection law had not yet been promulgated.

In all six apps, a serious lack of transparency was found. The apps were not clear about how and why the data would be processed or stored, or even whether the data would be transferred to third parties. An even more worrying finding is the gap between what the terms of use promise and what the apps actually do. This situation demonstrates how much Brazilian society needs a general data protection law.

In Brazil, the vulnerability of data concerning health is higher than in Europe because of the lack of care, legislation and oversight. An event that occurred at the beginning of 2018 clearly demonstrates the urgent need for promulgation of the General Data Protection Bill.

In January 2018, Folha de São Paulo, one of the best-known newspapers in Brazil, reported that a security flaw in the public health system's app (e-saúde, from SUS, the Brazilian Unified Health System) exposed patients' health data. The Brazilian Ministry of Health had launched the app in June 2017, and from then on health data of Brazilian citizens, including data on President Michel Temer and other politicians, could be accessed easily. The Ministry of Health admitted the flaw and fixed the app in January 2018. For six months, anyone could look up health data belonging to other people: the exposed data revealed the types of medicines in use and doctors' appointments (including the specialty). As of this writing, the Brazilian Public Prosecution Service has not mentioned any legal consequences the Ministry of Health might face as a result of this data breach. It seems that impunity will prevail.

At present, a data breach victim in Brazil can claim damages based on the Consumer Protection Code and the Civil Code and, in some cases, the Criminal Code. However, the case law shows that the victim will need to prove material damage resulting from the breach; moral damages are awarded only in extreme cases of harm to the individual's dignity.

Additionally, there is no breach notification obligation in Brazil yet, which leads to many situations where personal and sensitive data may be used by an unauthorised person without the data subject being aware of it.

In addition to the problems mentioned above, there is no definition of sensitive data in Brazil yet. None of those 40 laws deals specifically with sensitive data, including health data, which puts data concerning health in an even more delicate situation. Fortunately, the draft LGPD, in its article 5, II, describes sensitive data in the same manner as the GDPR. This shows that companies dealing with health data will be on the safe side if they apply the GDPR until the LGPD is approved.

However, one important difference between the GDPR and the Brazilian LGPD is that while under the GDPR consent for the processing of sensitive data must be explicit, under the Brazilian Bill consent for sensitive data must be specific and highlighted. (Mattos Filho Law Firm, presentation held on July 25th, 2018)

As can be seen, Brazil urgently needs the promulgation of the LGPD. It will make the rules easier to apply for all companies and data processors and give additional protection to customers.

8. How the GDPR practices could help pharmaceutical companies in Brazil to increase trust in medical apps

After analysing the European and Brazilian data protection scenarios for mHealth, it is time to apply the findings of this paper to the reality of pharmaceutical companies in Brazil. From a stakeholder and business perspective, this paper suggests measures and practices that mHealth producers in Brazil should take into consideration. The aim of this chapter is to provide legal advice on the data protection issues of mHealth.

A successful mHealth app must first of all convince users that their health data is secure with the company. This is a demanding process that should be based on transparency and trustworthiness. Many companies are losing customers because of a lack of trust in their data protection (IBM Study, 2018). Building trust and demonstrating that the company cares about its consumers' data is essential for the company's reputation and for avoiding breaches.

Whether or not the Brazilian General Data Protection Bill (LGPD) is promulgated, it can be concluded from the draft that the GDPR and the LGPD follow the same principles and general rules. Therefore, even if for some reason the LGPD is not approved and the pharmaceutical company will not process data of EU citizens, it is strongly recommended to apply the GDPR and the Code of Conduct to all mHealth apps, especially those storing and processing data concerning health.

In addition, combining the measures drawn from the GDPR-based Code of Conduct for mHealth, the provisions of HIPAA and the future general data protection law in Brazil (LGPD) may help to create a solid way of building trust in mHealth.

As this paper adopts the stakeholder's perspective, it is important to analyse the factors that most add to and save costs in cases of data breach:

Figure 5: Impact of 22 factors on the per capita cost of a data breach. Ponemon Institute, 2018, page 22.

As the graphic shows, having an incident response team saves US$ 14 per record. The faster a data breach is identified and contained, the lower the costs: the IBM study indicates that companies that contained a breach in less than 30 days saved over $1 million compared with those that took more than 30 days.

However, it is not only about identifying and containing the breach, but also about giving notice. The GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of a breach (art. 33), and to inform the affected users without undue delay when the breach is likely to result in a high risk to them (art. 34). The LGPD, on the other hand, states that notice should be given within a reasonable period of time. The word “reasonable” is subjective and leaves room for discussion. To be on the safe side, pharmaceutical companies in Brazil should review their notification policies and be prepared to notify the authority within 72 hours. If gathering the information proves too difficult and the authorities object to a delay in reporting, the company can then argue about the meaning of a “reasonable” time.

Obtaining consent is another important factor that will demand much effort from external and internal legal counsel. Those drafting the privacy policy should use the text that asks for consent as a way of motivating people to use mHealth apps more and to trust them. It is a good way to spread the mHealth culture and promote the market.

When it comes to consent, the provisions of the LGPD should be applied. The draft of the Brazilian Bill states that consent for data concerning health must be specific and highlighted, not merely explicit as the GDPR requires. In any case, consent for health data in Brazil should receive special treatment when the consent text is written. The GDPR-based Code of Conduct for mHealth cites granular and contextual consent as good options for clear consent: the app asks for consent and explains how the data will be processed at each distinct step and moment, which helps the user to understand more clearly the purpose and manner of processing. This type of consent should be the most suitable one for Brazilians: Brazilian users rarely read terms of use, and a clear and playful presentation should help them.

Here it is important to stress that for each new purpose, for example transmitting the data to other controllers, the company must obtain a brand new consent.

Moreover, it will be important to ensure continuous accuracy. Companies will need to be able to demonstrate privacy by design and by default; showing transparency and compliance with data protection rules and good practices is therefore essential. As long as Brazil has not released a Code of Conduct on data protection for mHealth, companies in Brazil will not be able to obtain a trust certificate. However, adjusting internal procedures to the GDPR rules will help to show good practice and may reduce penalties and fines in the event of a breach.

The Data Protection Impact Assessment, which the Code of Conduct for mHealth requires when sensitive data is processed on a large scale, can also be used in Brazil. Although conducting a Data Protection Impact Assessment is not mandatory in Brazil, the practice would be valuable: companies should perform an impact and risk assessment in order to build safer mHealth apps, both legally and technically. Good business measures for demonstrating sound data protection practices would be: providing data protection training for employees, reviewing all contracts with data processors and having an adequate Data Protection Officer.

In addition, synergy between the legal and IT departments will be mandatory. This is the only way new technology can be built, from the very beginning, on legal data protection principles.

As examples of IT measures that could be taken to reduce data protection risk, we could mention (Mcaskill R, 2018):

i) Do not send e-mails to the user reporting information that is processed in the app, since many e-mail systems do not encrypt their content.

ii) Do not use push notifications in mHealth apps to convey health information. Notifications can pop up even when a phone is locked, which violates the user's expectation of privacy under the GDPR principles.

In conclusion, while there is no Code of Conduct for mHealth in Brazil, it is strongly recommended that companies follow the European Code. As seen in this chapter, only a few differences between the GDPR and the LGPD will arise.

Many questions will certainly still arise, for example about the constitutionality of the creation of the Brazilian data protection authority. Nevertheless, pharmaceutical companies in Brazil should follow the coming changes in Brazilian law and start preparing for the LGPD on the basis of the GDPR.

In this regard, applying the European standards will bring the Brazilian mHealth market to another level of international data protection certainty.

9. Conclusion

mHealth apps are the new technology that promises to change the way the healthcare industry works. They are a powerful tool for improving people's health and well-being. As presented in this paper, the advantages of mHealth are many: predicting low blood sugar levels for diabetics, monitoring blood pressure to help prevent heart attacks, reminding a woman to take her contraceptive pill, among others. Moreover, mHealth has incredible potential: the mHealth market is expected to reach USD 102.43 billion by 2022, which shows why pharmaceutical companies are increasingly investing in this technology.

However, mHealth still faces various challenges to its successful implementation. Because of the high risks mHealth can pose to its users and to society, it has to deal with regulatory, technical and data protection barriers.

This work addressed specifically the data protection struggle. It was observed that there is a great deal of scepticism about data protection in mHealth: people do not strongly trust that their sensitive information, their health data, will be kept secure if they give it to companies.

In this setting, the European Commission decided to release the Code of Conduct on privacy for mHealth, based on the principles of the GDPR. The GDPR itself was already a great advance in the protection of health data: it explains in clear terms the meaning of sensitive health data and how such information should be processed in the light of its rules. However, showing how conscious Europeans are of the issue, an even more detailed Code for mHealth was released. At the moment there is not much information available on data protection for mHealth, so the Code of Conduct for mHealth is practical and useful guidance for all mHealth developers.

Nevertheless, concerns about data protection in mHealth are not restricted to the EU. For this reason, this paper examined the data protection challenges for mHealth in the Brazilian market. It was concluded that the mHealth revolution that is developing around the world is only beginning in Brazil. Studies show that Brazil is expected to become the seventh largest mHealth market in the near future. This will surely invite many companies to invest in mHealth in Brazil, and companies and data protection lawyers should be prepared for that moment.

Brazil is now waiting for the enactment of its General Data Protection Bill (LGPD). The draft of this bill was analysed, and it was found that most of the provisions and principles of the LGPD are very much the same as those of the GDPR. In this sense, the main recommendation of the last chapter for pharmaceutical companies in Brazil is to follow the GDPR and the Code of Conduct principles, so that they will already be prepared when the LGPD comes into force.

Along the way, the main conclusion the author draws from this paper is that mHealth should not be seen only as an economic good and opportunity. mHealth can help medical science to save lives. Therefore, all the stakeholders in this chain should promote trust in, and the accuracy of, mHealth apps.


10. Bibliography

A

ABI Research Inc. Foundations emerge for a revolution in remote patient monitoring. September 4, 2014. Available at: https://www.abiresearch.com/press/foundations-emerge-for-a-revolution-in-remote-pati. Accessed July 18, 2018

ANVISA. Agência Nacional de Vigilância Sanitária. Aplicativos para diagnósticos em saúde em celulares. Available at: http://portal.anvisa.gov.br. Accessed July 04, 2018

Araújo A., Lucena T., Bortolozzi F., Gonçalves S. Global challenges to the protection of personal data from the perspective of European Union law. Published on ResearchGate, December 2016

B

Boston Consulting Group. The Socio-Economic Impact of Mobile Health. 2012

Boxcryptor. What is Personal Data? Simple Examples From Everyday Life. Published December 7, 2016. Available at: https://www.boxcryptor.com/en/blog/post/what-is-personal-data-simple-examples/. Accessed July 22, 2018

Buckman R. Evaluating mHealth companies and products in Brazil. May 2014. Available at: https://saudebusiness.com/noticias/evaluating-mhealth-companies-products-brazil/. Accessed July 24, 2018

C

Calder A. EU GDPR – A Pocket Guide. ITGP, January 10, 2017

Chouffani R. The different types of mobile healthcare Apps. 2011. Available at: https://searchhealthit.techtarget.com/healthitexchange/meaningfulhealthcareinformaticsblog/the-different-types-of-mobile-healthcare-apps/. Accessed July 16, 2018

E

European Parliament and Council. Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 1995. Available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046. Accessed July 18, 2018

European Commission. Green Paper on mobile Health ("mHealth"). Brussels, April 10, 2014

European Commission. Guidance provided by the Article 29 Working Party in its letter of 5 February 2015 and its related Annex. Available at: http://ec.europa.eu/justice/data-protection/article29/documentation/otherdocument/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf. Accessed July 23, 2018

F

FDA. Mobile medical applications: guidance for industry and Food and Drug Administration staff. Available at: www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf. Accessed July 05, 2018

Fierce Medical Devices. Roche deploying smartphone app to monitor patients during clinical trial of its Parkinson's disease. August 14, 2015. Available at: http://www.fiercemedicaldevices.com/story/roche-deploying-smartphone-app-monitor-patients-during-clinical-trial-its-p/2015-08-14. Accessed June 30, 2018

Folha de São Paulo. Brecha em aplicativo do SUS expôs informações de saúde até de Temer. January 26, 2018. Available at: https://www1.folha.uol.com.br/cotidiano/2018/01/1953472-brecha-em-aplicativo-do-sus-expos-informacoes-de-saude-ate-de-temer.shtml. Accessed July 23, 2018

G

General Data Protection Regulation (GDPR). Regulation (EU) 2016/679 of the European Parliament and of the Council

Grand View Research. mHealth market analysis and segment forecasts to 2020. February 2014. Available at: http://www.grandviewresearch.com/industry-analysis/mhealth-market. Accessed July 05, 2018

Greene A. When HIPAA applies to mobile applications. MobiHealthNews, June 16, 2011

GSMA (Global System for Mobile Communications) / PwC. Touching Lives through Mobile Health: Assessment of the Global Market Opportunity. March 28, 2012

GSMA (Global System for Mobile Communications). Socio-economic impact of mHealth. An assessment report for Brazil and Mexico. June 2013

H

He D., Naveed M., Gunter C. A., Nahrstedt K. "Security concerns in Android mHealth apps". Proc. AMIA Annu. Symp., pp. 645-654, 2014

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

HIPAA Journal. Can A Patient Sue for A HIPAA Violation? November 7, 2017. Available at: https://www.hipaajournal.com/sue-for-hipaa-violation/. Accessed July 05, 2018

Hordern V. The Final GDPR Text and What It Will Mean for Health Data. Hogan Lovells privacy & information security news & trends, E-health Law & Policy, January 2016

Hummel G. "Brazil eHealth – Overview, Trends & Opportunities". EMI – eHealth Mentor Institute, São Paulo, November 2016

I

Instituto Brasileiro de Defesa do Consumidor (Idec). Aplicativos de consulta médica colocam dados de consumidores em risco. March 19, 2018

Irwin L. The GDPR: Understanding the 6 data protection principles. January 31, 2018. Available at: https://www.itgovernance.eu/blog/en/the-gdpr-understanding-the-6-data-protection-principles. Accessed July 21, 2018

Irwin L. The GDPR: What exactly is personal data? February 7, 2018. Available at: https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data. Accessed July 21, 2018

J

Jolly I. Data protection in the United States: overview. July 1, 2017. Available at: https://content.next.westlaw.com/Document/I02064fbd1cb611e38578f7ccc38dcbee/View/FullText.html?contextData=(sc.Default)&transitionType=Default&firstPage=true&bhcp=1. Accessed July 19, 2018

Juniper Research Ltd. mHealth Information Services to Reach More than 150M Users by 2020. February 17, 2016. Available at: http://www.juniperresearch.com/press/press-releases/mhealth-information-services-to-reach-more-than. Accessed July 02, 2018

JusBrasil. Jurisprudência sobre vazamento de dados. Available at: https://www.jusbrasil.com.br/jurisprudencia/busca?q=FORNECIMENTO+DE+DADOS+PESSOAIS&p=2. Accessed July 20, 2018

K

Kokott J., Sobotta C. The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. International Data Privacy Law, Volume 3, Issue 4, September 15, 2013

Kotz D. A threat taxonomy for mHealth privacy. Proceedings of the third international conference on communication systems and networks, 4–8 January 2011, Bangalore. Edited by Crowcroft J., Manjunath D., Misra A. New York: IEEE, 2011

L

Labiotech. What Happened to the Plans for a Smart Contact Lens for Diabetics? January 2018. Available at: https://labiotech.eu/features/contact-lens-glucose-diabetes/. Accessed June 20, 2018

Landi H. 2017 Breach Report: 477 Breaches, 5.6M Patient Records Affected. Healthcare Informatics, January 23, 2018. Available at: https://www.healthcare-informatics.com/news-item/cybersecurity/2017-breach-report-477-breaches-56m-patient-records-affected. Accessed July 02, 2018

Lee Ventola C. Mobile Devices and Apps for Health Care Professionals: Uses and Benefits. 2014 May; 39(5): 356–364

Lewis T. L. mHealth and Mobile Medical Apps: A Framework to Assess Risk and Promote Safer Use. J Med Internet Res, 2014 Sep; 16(9): e210

M

Mantovani E., Quinn P. mHealth and data protection – the letter and the spirit of consent legal requirements. International Review of Law, Computers & Technology, 2013. DOI: 10.1080/13600869.2013.801581

MartechToday. Guide for the GDPR. Available at: https://martechtoday.com/guide/gdpr-the-general-data-protection-regulation. Accessed July 19, 2018

Mattos Filho Law Firm. Oral presentation held on July 25, 2018

Mcaskill R. Is HIPAA the Biggest Challenge to mHealth Development? mHealthIntelligence. Available at: https://mhealthintelligence.com/news/is-hipaa-the-biggest-challenge-to-mhealth-development. Accessed July 19, 2018

Medtronic, IBM Watson reveal prototype of diabetes app to predict low blood sugar. Fierce Medical Devices, January 7, 2016. Available at: http://www.fiercemedicaldevices.com/story/medtronic-ibm-watson-reveal-prototype-diabetes-app-predict-low-blood-sugar/2016-01-07. Accessed June 23, 2018

Page 45: Data Protection for mobile health apps (mHealth): how GDPR

39

N

Njie C. M. L., "Technical analysis of the data practices and privacy risks of 43 popular

mobile health and fitness applications", 2013, Available at:

https://www.privacyrights.org/blog/privacy-rights-clearinghouse-releases-study-

mobile-health-and-fitness-apps-what-are-privacy. Accessed July 18, 2018

O

Office of the National Coordinator for Health Information Technology. Guide to

Privacy and Security of Electronic Health Information. Version 2.0. April 2015.

P

Papageorgiou A., Strigkos M., Politou E., Security and Privacy Analysis of Mobile

Health Applications: The Alarming State of Practice. Published in: IEEE Access (

Volume: 6 ). 29 January 2018

Pereira A. Big Data, e-health e «autodeterminação informativa»: a lei 67/98, a

jurisprudência e o regulamento 2016/679 (GDPR). Universidade de Coimbra. Jun,

2018

Petersen C., DeMuro P. Legal and Regulatory Considerations Associated with Use

of Patient-Generated Health Data from Social Media and Mobile Health (mHealth)

Devices. January 14, 2015

Ponemon Institute, 2018 Cost of a Data Breach Study: Benchmark research

sponsored by IBM Security Independently conducted by Ponemon Institute LLC.

Published in July 2018

Q

R

Research2guidance. Mobile health market report 2013–2017: the commercialization

of mHealth applications (vol.3). 2013Mar 4 [cited 2014 Sep 13]. Available

at: http://www.research2guidance.com/shop/index.php/downloadable/download/sa

mple/sample_id/262/. Accessed June, 23, 2018

Revista Veja. Netshoes avisará clientes por telefone sobre vazamento de dados.

Published on 27 April, 2018. Available at:

https://veja.abril.com.br/economia/netshoes-relata-vazamento-de-dados-de-

clientes-aos-eua/. Accessed 20 July, 2018

S

Special Eurobarometer 431: Data Protection Directorate-General for

Communication, 2015, Available at:

Page 46: Data Protection for mobile health apps (mHealth): how GDPR

40

https://data.europa.eu/euodp/el/data/dataset/S2075_83_1_431_ENG. Accessed

June 22, 2018

T

Tam C, Sharma A. Mobile medical apps: to regulate or not to regulate? American

Pharmacists Association. December 2013. Available

at: http://www.pharmacist.com/mobile-medical-apps-regulate-or-not-regulate.

Accessed July 16, 2018

U

V

Vainzof R. Enfim, uma Lei Geral de Proteção de Dados. July 2018. Available at:

http://cio.com.br/gestao/2018/07/10/enfim-uma-lei-geral-de-protecao-de-dados/.

Accessed July 12, 2018

van Velsen, L. Why mobile health app overload drives us crazy, and how to restore

the sanity. BMC Med Inform Decis Mak. February, 2013

Vishwanath, S., Vaidya, K., Nawal, R., Kumar, A., Parthasarathy, S., & Verma, S.

(2012). Touching lives through mobile health: Assessment of the global market

opportunity. Bangalore (India): PricewaterhouseCoopers (PwC).

X

W

World Health Organization. mHealth: New horizons for health through mobile

technologies: second global survey on eHealth, 2011

World Health Organization. Global diffusion of eHealth: Making universal health

coverage achievable: third global survey on eHealth, 2015

World Health Organization. mHealth research checklist to improve quality,

accelerate adoption, iMedical Apps, 29 March .2016. Available at:

http://www.imedicalapps.com/2016/03/who-mera-mhealth-research-checklist/.

Accessed 01 July 2018

Y

Yelina Y. HIPAA and mHealth: Is Your App Covered? May 29, 2018. Available at:

https://www.hitechanswers.net/hipaa-and-mhealth-is-your-app-covered/ Accessed

June 19, 2018

Z

Page 47: Data Protection for mobile health apps (mHealth): how GDPR

41

Zion Market Research. mHealth Market by Devices, by Stakeholder, by Service, by

Therapeutics and by Applications: Global Industry Perspective, Comprehensive

Analysis and Forecast, 2014 – 2022, USA, 2016

.